On Wed, 29 Oct 2008, Chris Arnold wrote:

> We use zimbra OSS on SLES10 SP1. Zimbra has spamassassin built-in. At the
> present time, my mailbox is filled with backscatter; getting around 10 a
> minute since 4:30 today. I have postfix backscatter rules in postfix of
> zimbra, http://www.postfix.org/BACKSCATTER_README.html#real but still getting
> pounded. Here is the header from one such mail:
>
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> marykiev@tm.odessa.ua
> SMTP error from remote mail server after RCPT TO::
> host relay1.tm.odessa.ua [195.66.204.50]: 511 sorry, no mailbox here by
> that name (#5.1.1 - chkuser)


Your domain was used as the spoofed 'from' address, so it's technically
not backscatter, but rather bounced email sent to an invalid address.
Since you are the spoofed 'from' address, you are the lucky recipient of
all their bad email addresses. In other words, the spammer got sold a bad
list of email addresses. Too bad for them, worse for you. You could use an
iptables rule (if you are *nix) that would block that domain for a time:

iptables -I INPUT -s 89.74.205.165 -j DROP

but with all the different domains the bounces are probably coming from,
that might be much too tedious to get all of them, unless they targeted
just chello.pl accounts...


>
> ------ This is a copy of the message, including all the headers. ------
>
> Return-path:
> Received: from chello089074205165.chello.pl ([89.74.205.165])
> by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
> (envelope-from )
> id 1KvJP6-000Eho-L0
> for marykiev@tm.odessa.ua; Thu, 30 Oct 2008 00:20:42 +0200
> Message-ID: <000701c93a14$03bd0ac0$c9377bbf@weuwrbe>
> From: =?koi8-r?B?4c3X0s/Tycog4czT2c7Cwco=?=
> To:
> Subject: =?koi8-r?B?5dfSz9DFytPLwdEgzsXExczRIMvB3sXT1NfB?=
> Date: Wed, 29 Oct 2008 20:30:54 +0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0004_01C93A14.03BA381D"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2720.3000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0004_01C93A14.03BA381D
> Content-Type: text/plain;
> charset="koi8-r"
> Content-Transfer-Encoding: quoted-printable
>
> Can someone please help me stop this? A while back, there was a thread that
> pointed to a website, backscatter.org or something like that, that we used
> that since the upgrade did a wonderful job. Anyone remember that web site?
>


---
Karl Pearson KarlP@ourldsfamily.com
---
http://consulting.ourldsfamily.com
---
"Our Constitution was made only for a moral and religious people.
It is wholly inadequate to the government of any other."
--John Quincy Adams
---
"To mess up your Linux PC, you have to really work at it;
to mess up a microsoft PC you just have to work on it."
---
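
The reply's point, that these bounces are for mail forged in your name, can be checked from the copy of the original message that Exim embeds in each bounce. The following is an added example, not part of the original post and not Zimbra or Postfix code: it parses that copy and reports whether any Received hop carries one of your own outbound IPs. OUR_IPS (192.0.2.25 is a placeholder) and the sample bounce, modelled on the one quoted above, are constructed.

```python
import re

# Line Exim writes before the embedded copy of the bounced message.
COPY_MARKER = re.compile(
    r"^-+ This is a copy of the message, including all the headers\. -+$", re.M)
# "Received: from <helo> ([<ip>])". The HELO name is chosen by the sender,
# so only the bracketed IP, recorded by the receiving server, is compared.
RECEIVED = re.compile(r"^Received:\s+from\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]\)", re.M)

OUR_IPS = {"192.0.2.25"}  # assumption: your own outbound mail server address(es)

# Constructed sample, shortened from the bounce quoted in the thread.
SAMPLE_BOUNCE = """This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  marykiev@tm.odessa.ua

------ This is a copy of the message, including all the headers. ------

Received: from chello089074205165.chello.pl ([89.74.205.165])
    by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
    for marykiev@tm.odessa.ua; Thu, 30 Oct 2008 00:20:42 +0200
Date: Wed, 29 Oct 2008 20:30:54 +0000
MIME-Version: 1.0

This is a multi-part message in MIME format.
"""

def embedded_headers(bounce_text):
    """Header block of the original message copied into the bounce, or None."""
    m = COPY_MARKER.search(bounce_text)
    if not m:
        return None
    return bounce_text[m.end():].lstrip("\n").split("\n\n", 1)[0]

def classify_bounce(bounce_text, our_ips=OUR_IPS):
    """Return (verdict, hops). 'forged' means no hop in the copy came from us.
    A match is only 'possibly-genuine': lower Received lines are sender-supplied."""
    headers = embedded_headers(bounce_text)
    if headers is None:
        return "unknown", []  # bounce carries no copy, nothing to judge
    hops = RECEIVED.findall(headers)
    if any(ip in our_ips for _helo, ip in hops):
        return "possibly-genuine", hops
    return "forged", hops

if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```
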