Re: Getting hammered by backscatter
Chris Arnold wrote:
> We use zimbra OSS on SLES10 SP1. Zimbra has spamassassin built-in. At
> the present time, my mailbox is filled with backscatter; getting around
> 10 a minute since 4:30 today. I have postfix backscatter rules in
> postfix of zimbra,
> http://www.postfix.org/BACKSCATTER_README.html#real but still getting
> pounded. Here is the header from one such mail:
>
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
> marykiev@tm.odessa.ua
> SMTP error from remote mail server after RCPT
> TO:<marykiev@tm.odessa.ua>:
> host relay1.tm.odessa.ua [195.66.204.50]: 511 sorry, no mailbox here
> by that name (#5.1.1 - chkuser)
>
> ------ This is a copy of the message, including all the headers. ------
>
> Return-path: <email@moderated.com>
> Received: from chello089074205165.chello.pl ([89.74.205.165])
> by wifi-router.tm.odessa.ua with esmtp (Exim 4.69 (FreeBSD))
> (envelope-from <email@moderated.com>)
> id 1KvJP6-000Eho-L0
> for marykiev@tm.odessa.ua; Thu, 30 Oct 2008 00:20:42 +0200
> Message-ID: <000701c93a14$03bd0ac0$c9377bbf@weuwrbe>
> From: =?koi8-r?B?4c3X0s/Tycog4czT2c7Cwco=?= <email@moderated.com>
> To: <marykiev@tm.odessa.ua>
> Subject: =?koi8-r?B?5dfSz9DFytPLwdEgzsXExczRIMvB3sXT1NfB?=
> Date: Wed, 29 Oct 2008 20:30:54 +0000
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="----=_NextPart_000_0004_01C93A14.03BA381D"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2720.3000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300
>
> This is a multi-part message in MIME format.
>
> ------=_NextPart_000_0004_01C93A14.03BA381D
> Content-Type: text/plain;
> charset="koi8-r"
> Content-Transfer-Encoding: quoted-printable
>
> Can someone please help me stop this? A while back, there was a thread
> that pointed to a website, backscatter.org or something like that, that
> we used that since the upgrade did a wonderful job. Anyone remember that
> web site?
>
you could try

smtpd_restriction_classes =
    ...
    reject_backscatter
smtpd_data_restrictions =
    check_sender_access pcre:/etc/postfix/bounce_access
reject_backscatter =
    reject_rbl_client ips.backscatterer.org

== bounce_access
# the null sender is looked up as "<>" (smtpd_null_access_lookup_key default)
/^<>$/ reject_backscatter
/^mailer\-daemon/ reject_backscatter
/^postmaster@/ reject_backscatter

the check is done at DATA stage to avoid blocking (the abusive) SAV
probes (CBV, callout verification, ... or whatever you name it).
note that this will reject "legitimate" bounces if they are sent from a
client listed on backscatterer.
PS. don't think SPF will help. this has been discussed here and
elsewhere before.
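
The decision the configuration in the reply above makes, as an added Python sketch (not code from the thread or from Postfix): only bounce-style envelope senders trigger the DNSBL lookup, and the lookup name is the client IP with its octets reversed under ips.backscatterer.org. The function names, the injectable `listed` resolver and the 192.0.2.x sample addresses are assumptions made for the example.

```python
import re
import socket

# Patterns from the bounce_access table in the reply. Postfix looks up the
# null sender as "<>" and matches pcre tables case-insensitively by default.
BOUNCE_SENDER_PATTERNS = [
    re.compile(r"^<>$", re.I),
    re.compile(r"^mailer\-daemon", re.I),
    re.compile(r"^postmaster@", re.I),
]
DNSBL_ZONE = "ips.backscatterer.org"

def lookup_key(envelope_sender):
    """Key used for the MAIL FROM address; an empty sender becomes "<>"."""
    addr = envelope_sender.strip().strip("<>")
    return addr if addr else "<>"

def is_bounce_sender(envelope_sender):
    """True if the sender would be handed to the reject_backscatter class."""
    key = lookup_key(envelope_sender)
    return any(p.search(key) for p in BOUNCE_SENDER_PATTERNS)

def dnsbl_query_name(client_ip, zone=DNSBL_ZONE):
    """IPv4 DNSBL convention: reversed octets prepended to the zone."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % client_ip)
    return ".".join(reversed(octets)) + "." + zone

def dns_listed(name):
    """Default resolver (assumption): any A record means the client is listed."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def decide(envelope_sender, client_ip, listed=dns_listed):
    """Mirror the restriction class: the RBL is consulted only for bounces."""
    if not is_bounce_sender(envelope_sender):
        return "DUNNO"   # ordinary mail never reaches the DNSBL lookup
    if listed(dnsbl_query_name(client_ip)):
        return "REJECT"  # bounce arriving from a listed client
    return "DUNNO"       # bounce from an unlisted client is accepted
```

Passing a stub for `listed` lets the sender-matching logic be checked offline before the table is loaded into a live server.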