undeliverable mail

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Dec 20 02:03:26 PST 2006


Beastie MRA wrote:
> On Dec 20, 2006 02:00 PM, Matthew Seaman
> <m.seaman at infracaninophile.co.uk> wrote:
> 
>> Beastie MRA wrote:
>>> On Dec 20, 2006 10:31 AM, Bill Vermillion <bv at wjv.com> wrote:
>>>
>>>> It's Wed, Dec 20, 2006 at 09:26 . I'm in a small dim room with
>>>> doors labeled "Dungeon" and "Forbidden". There is noise, the door
>>>> marked Dungeon flies open and Beastie MRA SHOUTS:
>>>>
>>>>> Dear All.
>>>>>
>>>>> For past few days, my MX receive thousand of undeliverable message
>>>>> destinated for my non existent user at my domain.
>>>>> This message source come from valid and well configured (almost)
>>>>> smtp
>>>>> server on internet.
>>>>> I'ts waste my internet b/w, cause my MX will reject with non
>>>>> existent
>>>>> user message.
>>>>> I'll try spamd on my firewall and greylist on my MX (postfix), but
>>>>> still
>>>>> no effective, and i cannot block undeliverable
>>>>> message as RFC rules
>>>>>
>>>>> Is there any way i can fix this ?
>>>>> Please help
>>>> I use the virtusertable in sendmail, and I have my valid addresses,
>>>> such as bv at wjv.com bv and then for after that is
>>>> a line of @wjv.com nouser.
>>>>
>>>> And nouser is defined in aliases as nouser: /dev/null
>>>>
>>>> On one of the mail servers I maintain I just checked and I
>>>> had 260,000+ messages routed to "*file*" in the maillog - which
>>>> shows up as mailer=*file* in the logs. That maillog rotates
>>>> every night at midnight.
>>>>
>>>> Is not really a freebsd-net problem so I removed that from the
>>>> reply to line.
>>>>
>>>> Bill
>>>>
>>>> --
>>>> Bill Vermillion - bv @ wjv . com
>>> Thanks for response...
>>>
>>> but this virtusertable will not stop SMTP server in internet to keep
>>> send you undeliverable message.
>>> I assume someone doing nasty with forged and use my domain email to
>>> send
>>> his spam message to non existing user.
>>> and i got undeliverable message.
>>> Is there any clue ??
>>> Oh.. i forget to mention i use 4.11-STABLE for my MX
>> Hmmm... SPF records are a good tool against this sort of thing.
>> Perhaps if you change from:
>>
>> mra.co.id. "v=spf1 mx "
>>
>> to
>>
>> mra.co.id. "v=spf1 mx -all"
>>
>> That means that SPF compliant mail servers should refuse to accept
>> messages (ie. a hard fail) from any machine other than the MXes for
>> mra.co.id See http://www.openspf.org/SPF_Record_Syntax for the full
>> story on SPF records.
>>
>> It's not a 100% solution and it will take the spammers some time to
>> realise that forging your address in their e-mails is much less
>> effective. On the positive side, it will mean that many mailservers
>> reject the incoming spam during the SMTP dialog so you'll get fewer
>> bounce messages.
>>
>> This problem exposes an architectural flaw in many e-mail server
>> setups. Either all of the MXes for a domain have to be able to verify
>> addresses on incoming e-mails and reject any non-existent destinations
>> during the SMTP dialog, or (like Bill does above) once a message has
>> been accepted by any of the mail servers for your domain, it should
>> never be bounced back to the (probably forged) mail address in the
>> headers because the recipient doesn't exist. Bouncing for other
>> reasons,
>> (like eg. mailbox over quota) does not generally add to the overall
>> spam
>> load. Normally a very simple site with just one server will get that
>> right,
>> but a more complex site with several MXes and various SMTP routers etc.
>> internally will frequently not.
>>
>> Cheers,
>>
>> Matthew
>>
>> --
>> Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
>> Flat 3
>> PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
>> Kent, CT11 9PW
> 
> Thanks...
> 
> i have problem with SPF record in dns , because i have serveral mobile
> users and off site users
> that use SMTP provide by internet provider. and i cant list it one by
> one in spf record. :(

The usual solution to that is to set up authentication on your mail
server and require your mobile users to submit new messages via that
machine.  Most mail clients are capable of dealing with several mail 
accounts with different SMTP server fairly readily.

Enabling SASL in the stock system sendmail under FreeBSD is also fairly
simple and described in the handbook.  Works for me -- I'm writing this at 
work and sending it through my home mail server.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       Flat 3
                                                      7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW, UK

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20061220/bc1520c9/signature.pgp


More information about the freebsd-questions mailing list