metoometoo

  1. Yes I admit, I am way over my head in this one, I know enough as to get in deep trouble, BUT I am using amavisd-new tied to spamassassin and Clamav, and the recommended selection is to D_DISCARD spam and viruses. Really do not know why that is, but that is the way it works. Me thinks it has to do with the messages already being accepted for delivery, and later realizing they contain spam or viruses. BTW, it's impressive how fast the Bounce Bombers fix their servers once they realize they are on a Black List. Before adding the DNSBL (ips.backscatterer.org) no amount of reporting would make them even consider a fix. Now after two days the mail logs on my servers do not show a single hit from them ... I am a very happy camper indeed.
  2. Yes turetzsr, I stand corrected, I should have better explained what I am doing, but you are partially right when you say all dubious messages should be rejected with a 5xx code during handshake. The problem is that this proposition is not valid for all conditions, such as stopping spam or abuse in the form of a DDOS attack. In the case of massive abuse or attacks from well established sources, the customary procedure is to have the email server configured to issue 554 (Service unavailable), such as is the case with rejects used at the entry point to your email servers by using DNSBL services. On the other hand, when it comes to spam and viruses identified by such programs as Antiviruses and Antispammers, it is better to issue a Drop or Discard, since if you do not do this then you will be flooding someone else's server with Bounced Emails (Bounce Bombing), and you could easily become part of the problem, not the solution. Remember that there is no easy way to determine the legitimacy of the return address, which is often forged. IMO, the beauty of using an anti-backscatter BL such as "ips.backscatterer.org" is that you are only using rejects to servers that are well known to be active Mass Bounce Bombers, and additionally the inclusion of their IPs on the Black Lists is temporary; after 4 weeks the offending IPs are automatically removed from the list, unless the problem persists. A few bounced emails here and there do not grant automatic inclusion in their BL, so you still get back legitimate bounces. This service I think also gives oneself and others some flexibility, in case (god forbid) one's servers temporarily become the "active" source of such attacks; the fact of not being permanently added to a Black List somewhere gives some peace of mind. The keyword here is temporarily, since these sorts of attacks do not stay localized at determined IPs or servers for very long, nor are the owners of such servers willfully involved in these activities.
  3. First, I am not affiliated in any way with the producers of the tool listed below, just a user that got "Bounce Bombed" to its knees during the past weeks, and could not find any other practical solution to stop the attack. If you are on the wrong end of one of these attacks you know how destructive it can be. It can bring your server to a halt because it is a form of DDOS attack. I recommend you configure DNSBL on your email servers to query "ips.backscatterer.org" ASAP. See Backscatterer.org for more information. In my case it just stopped the attack in its tracks, and they also seem to test (not sure) any IP addresses submitted for this vulnerability, so it really works, and it's FAST. As you may well know, "Bounce Bombs" (aka: backscatter) are a technique used by spammers and/or email harvesters to take advantage of poorly configured email servers and virus scanners by including the email addresses of the victims (YOUR EMAIL ADDRESSES) as the return address on the emails they send, thus causing an enormous amount of bounced emails back to your servers when the (poorly configured) system fails to direct the emails to valid users. Simply put, "poorly configured" systems in this case means email servers and virus scanners set to reject ALL invalid emails back to the forged return addresses. To configure email servers and virus scanners not to behave this way is as simple as having them DROP invalid emails, and never bounce or soft-bounce. Yes you may say this (rejecting) is the standard protocol, and you are doing nothing wrong by issuing rejects, BUT that comes from a time when the email systems worked on the assumption that this feature would never be abused as it is these days. Hope someone will find this information useful, and please forgive my ignorance, or lack of technicality of some of the terms used.
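The posts above describe a two-stage policy: check the connecting IP against ips.backscatterer.org at the SMTP envelope stage and answer listed bounce-bombers with a 554, then discard (never bounce) anything the content scanners flag after acceptance. The following Python is an added illustration of that logic, not code from the poster, from amavisd-new, or from Backscatterer.org. The function names, the `make_fake_resolver` helper, and the 203.0.113.x addresses are constructed for the example; only the null-sender (`MAIL FROM:<>`) case is checked against the list, matching the posts' point that the list targets bounces rather than all mail.

```python
"""Added example: a model of the DNSBL-at-entry / discard-after-acceptance
policy discussed above. The real resolver does a live DNS lookup; the fake
resolver lets the example run offline with constructed data."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

DNSBL_ZONE = "ips.backscatterer.org"  # the list named in the posts

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the reversed-octet lookup name: 203.0.113.10 -> 10.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup: the A record as a string, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_fake_resolver(listed_ips: Iterable[str]) -> Resolver:
    """Constructed resolver for offline use: listed IPs answer 127.0.0.2,
    everything else behaves like NXDOMAIN."""
    listed_names = {dnsbl_query_name(ip) for ip in listed_ips}

    def resolve(name: str) -> Optional[str]:
        return "127.0.0.2" if name in listed_names else None

    return resolve


def is_listed(ip: str, resolver: Resolver = live_resolver) -> bool:
    """True when the DNSBL returns a 127.0.0.x answer for this client IP."""
    answer = resolver(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.")


def smtp_entry_decision(client_ip: str, mail_from: str,
                        resolver: Resolver = live_resolver) -> str:
    """Envelope-stage decision. Only bounces (null sender) are checked against
    the anti-backscatter list, so ordinary mail from a listed host still passes;
    a listed host sending a bounce gets the 554 the post describes."""
    is_bounce = mail_from.strip() in ("", "<>")
    if is_bounce and is_listed(client_ip, resolver):
        return "554 5.7.1 Service unavailable; client listed in " + DNSBL_ZONE
    return "250 OK"


def post_acceptance_decision(scan_verdict: str) -> str:
    """Content-scanner stage (amavisd-new / SpamAssassin / ClamAV). Once the
    message has been accepted, spam and viruses are discarded rather than
    bounced: the return path may be forged, so a bounce would land on a
    third party. D_DISCARD and D_PASS are amavisd-new destination values."""
    if scan_verdict in ("spam", "virus"):
        return "D_DISCARD"
    return "D_PASS"


if __name__ == "__main__":
    # Constructed scenario: one known bounce-bomber, one clean host.
    resolver = make_fake_resolver({"203.0.113.10"})
    print(smtp_entry_decision("203.0.113.10", "<>", resolver))            # 554 ...
    print(smtp_entry_decision("203.0.113.10", "bob@example.org", resolver))  # 250 OK
    print(smtp_entry_decision("203.0.113.11", "<>", resolver))            # 250 OK
    print(post_acceptance_decision("virus"))                              # D_DISCARD
```

Swapping `make_fake_resolver(...)` for the default `live_resolver` turns this into a real lookup; the decision logic itself does not change, which is the point of keeping the resolver injectable.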