Icheb
Verified User
Adding bounce spam rejection
I've talked this over with Jeff already, but we'd like to have the opinion of the rest of you.
For a while now, our servers, and servers I manage, are being bombarded by the result of 'joe jobs', where the spammer places a from in each message like:
<random>@<domainhostedbyme>
Most of my customers use catchall.
So this caused the problem of bounces from other legitimate mailservers being sent to my servers. The problem is that this isn't just one or two messages, but more along the lines of 10.000 to 20.000 messages per day.
This causes server overloads as SpamAssassin is unable to process these amounts of spam at the same time.
Until some time ago we've been able to block it by creating mail blackholes. But it's too much nowadays. So we implemented the following:
1. Add a signature to every outbound e-mail.
2. When there's an incoming e-mail, try to find out if it's a bounce message.
3. If 2 is true, check the bounce key.
4. If the bounce key is valid, accept the message, otherwise just deny it.
The patch essentially consists of:
1. Add bounce_id and bounce_secret variables (each server has to be different), like this (note these values aren't the values we're using at the moment):
    BOUNCE_ID = anubis.sebsoft.nl-178
    BOUNCE_SECRET = 0b0b8c637a9548f25bdada44f6d36ffb
2. Find:
    # ACL that is used after the DATA command
    check_message:
Below that, add the following:
    accept
      regex = [dD]isposition.*:::.*disposition-notification.*
    # A bounce (empty envelope sender) must have exactly one recipient
    deny senders = :
      condition = ${if ! eq{$recipients_count}{1}{1}}
      message = Bounces must have only a single recipient
    # Deny a bounce unless its body quotes an X-bounce-key for this recipient
    # whose hash matches and whose timestamp is within 864000 seconds
    deny senders = :
      ! condition = ${if match \
        {$message_body $message_body_end} \
        {[xX]-bounce-key:\\s*BOUNCE_ID;${rxquote:${lc:$recipients}};(\\d+);(\\w+)} \
        {${if eq {$2} \
          {${length_8:${md5:BOUNCE_ID;${lc:$recipients};$1;BOUNCE_SECRET}}} \
          {${if <{${sg{${eval:$tod_epoch-$1}}{-}{}}}{864000}{1}}}}}}
      message = Bounce does not contain a valid X-bounce-key signature so not accepting message
Find:
    # This transport is used for delivering messages over SMTP connections.
    remote_smtp:
      driver = smtp
Below, add:
      headers_add = ${if eq{$return_path}{}{}{X-bounce-key: BOUNCE_ID;${lc:$return_path};$tod_epoch;${length_8:${md5:BOUNCE_ID;${lc:$return_path};$tod_epoch;BOUNCE_SECRET}};}}
(The italic parts indicate something I added today that hasn't been tested yet, to allow certain messages to pass without going through the check; this, however, will have to be fine-tuned a bit more.)
This will block every mail that doesn't contain the right bounce key. That way, bounces that are generated without having come from your server at first, will not be allowed.
What do you guys think?
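
The sign-and-check logic from the post above, mirrored in Python as an added example (not part of the original post and not Exim code) so the accept and deny cases can be exercised offline. BOUNCE_ID, BOUNCE_SECRET, the addresses, the timestamp and the bounce bodies are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

BOUNCE_ID = "mail.example.test-1"         # constructed sample, not from the post
BOUNCE_SECRET = "constructed-sample-key"  # constructed sample, not from the post
MAX_AGE = 864000  # seconds; the window used in the post's ACL


def tag(address: str, ts: int) -> str:
    """First 8 hex chars of md5(id;address;timestamp;secret), as in the post."""
    material = f"{BOUNCE_ID};{address.lower()};{ts};{BOUNCE_SECRET}"
    return hashlib.md5(material.encode()).hexdigest()[:8]


def sign(return_path: str, now: int) -> str:
    """Value of the X-bounce-key header added to outbound mail."""
    rp = return_path.lower()
    return f"{BOUNCE_ID};{rp};{now};{tag(rp, now)};"


def bounce_is_valid(body: str, recipient: str, now: int) -> bool:
    """Accept only if the body quotes a key issued for this recipient in the window."""
    pattern = (r"[xX]-bounce-key:\s*" + re.escape(BOUNCE_ID) + ";"
               + re.escape(recipient.lower()) + r";(\d+);(\w+)")
    m = re.search(pattern, body, re.ASCII)
    if m is None:
        return False
    ts = int(m.group(1))
    # compare_digest is an addition here; the ACL uses a plain string eq.
    if not hmac.compare_digest(m.group(2), tag(recipient, ts)):
        return False
    return abs(now - ts) < MAX_AGE  # the ACL strips the minus sign, i.e. abs()


if __name__ == "__main__":
    sent = 1_700_000_000  # constructed timestamp
    genuine = ("Delivery to the following recipient failed.\n\n"
               f"X-bounce-key: {sign('Info@Example.test', sent)}\nSubject: hello\n")
    forged = "Mailbox full.\n\nFrom: random@example.test\nSubject: buy now\n"
    for name, body in (("genuine", genuine), ("forged", forged)):
        print(name, bounce_is_valid(body, "info@example.test", sent + 3600))
```

The tag here is 32 bits of an MD5 over a secret-suffixed string, exactly as in the post; anyone wanting a longer keyed tag would have to change tag() and both Exim expressions together so that signing and checking still agree.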