Possibilities for advanced bounce mail filtering?

miek (New member, joined Mar 2, 2007, 1 message)
As others on this forum, our server has been receiving massive amounts of bounce spam in the last 72 hours. And because some of us love our catch-all accounts, closing them is not an option.

The problem seems to be that the spammers send e-mails with fake headers with someone's domain in the domain section. Bouncing back to catch-all gets it into your inboxes, and spam filters apparently don't stop it because exim 'likes' the bounces.

Anyway, I've been contemplating the following (I'm not a server genius, so correct me if I'm wrong):
The server probably logs mails that went out successfully. So in general that should keep a log with e-mail addresses in it. Isn't there a possibility to create a filter that cross-references the bounce e-mails with the e-mail addresses successful mails were sent to - let's say the past hour?

Because if this cross-reference is possible, you can whitelist these bounce e-mails and blacklist all the others deep into oblivion.

Your thoughts and comments please...
 
> As others on this forum, our server has been receiving massive amounts of bounce spam in the last 72 hours. And because some of us love our catch-all accounts, closing them is not an option.

The two options are spam or closing your catchall accounts. Catchall accounts just don't work on today's Internet. Not only do they have this problem with improper bounces, but also with dictionary attacks.

> The problem seems to be that the spammers send e-mails with fake headers with someone's domain in the domain section. Bouncing back to catch-all gets it into your inboxes, and spam filters apparently don't stop it because exim 'likes' the bounces.

Exim is required to accept all legitimate email to legitimate addresses. It really doesn't have an option unless you block the sending server.

> Anyway, I've been contemplating the following (I'm not a server genius, so correct me if I'm wrong):

You're wrong.

> The server probably logs mails that went out successfully. So in general that should keep a log with e-mail addresses in it. Isn't there a possibility to create a filter that cross-references the bounce e-mails with the e-mail addresses successful mails were sent to - let's say the past hour?
>
> Because if this cross-reference is possible, you can whitelist these bounce e-mails and blacklist all the others deep into oblivion.

Then you'll lose legitimate bounces from bad addresses that your users send email to using their ISPs email server to send the mail (many of them probably do).

And if you're not careful as to how you define a bounce message (you'll have to scan for it during the smtp dialog) you may lose lots of legitimate email as well. HINT: look at the sender.

It's not a bad idea. I wish it would work.

Jeff
 
You will need to implement the algorithm below. I don't think any of the common MTAs do this, so this will be a first.

In each outgoing message, specify an encoded envelope sender during SMTP. One way of encoding the envelope sender is to encrypt the local part of the original envelope sender with a secret key.

In any incoming email, if the SMTP sender is null (i.e., <>) or a common bounce sender such as MAILER-DAEMON, this must be a bounce. Accept the message only if the recipient is an encoded address from the previous paragraph. Otherwise reject the message during SMTP.

Rahul
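The scheme in Rahul's post, worked through as an added example (this is not code from the forum, from Rahul, or from Exim). It swaps the "encrypt the local part" step for a keyed hash (HMAC) plus a day stamp, so a tag cannot be forged without the secret and expires after a fixed window, which is close in spirit to what later became BATV. The tag layout `local=<day>=<tag>@domain`, the secret key, the 7-day lifetime and the `smtp_rcpt_decision` helper are all assumptions made for this example:

```python
import hashlib
import hmac
import re
import time
from typing import Optional, Tuple

# Constructed example key. A real deployment uses a random secret of 32+ bytes
# known only to the server that rewrites outgoing envelope senders.
SECRET_KEY = b"example-secret-key-not-for-production"
TAG_LIFETIME_DAYS = 7          # assumed window in which a bounce is still accepted
TAG_HEX_LEN = 16               # 64 bits of HMAC output is ample for this purpose


def _day(now: Optional[float]) -> int:
    """Day number used as the time stamp inside the tag."""
    return int((now if now is not None else time.time()) // 86400)


def _tag(local: str, domain: str, day: int, key: bytes) -> str:
    """HMAC-SHA256 over the original address and the day stamp, truncated to hex."""
    msg = f"{local}@{domain}|{day}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def encode_sender(address: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Rewrite 'user@example.com' into the tagged envelope sender used on MAIL FROM.

    Assumed layout: 'user=<day>=<tag>@example.com'. '=' is legal in a local part,
    and the decoder splits from the right so an original local part may contain '='.
    """
    local, domain = address.rsplit("@", 1)
    day = _day(now)
    return f"{local}={day}={_tag(local, domain, day, key)}@{domain}"


def decode_recipient(address: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> Optional[str]:
    """Return the original address if `address` carries a valid, unexpired tag, else None."""
    local, domain = address.rsplit("@", 1)
    parts = local.rsplit("=", 2)
    if len(parts) != 3:
        return None                                    # not a tagged address at all
    orig_local, day_str, tag = parts
    if not day_str.isdigit() or not re.fullmatch(r"[0-9a-f]{%d}" % TAG_HEX_LEN, tag):
        return None
    age = _day(now) - int(day_str)
    if not 0 <= age <= TAG_LIFETIME_DAYS:
        return None                                    # expired, or stamped in the future
    expected = _tag(orig_local, domain, int(day_str), key)
    if not hmac.compare_digest(expected, tag):         # constant-time compare
        return None
    return f"{orig_local}@{domain}"


def is_bounce(envelope_sender: str) -> bool:
    """Bounce heuristic from the post: null sender '<>' or a MAILER-DAEMON sender."""
    s = envelope_sender.strip().strip("<>").lower()
    return s == "" or s.split("@", 1)[0] == "mailer-daemon"


def smtp_rcpt_decision(envelope_sender: str, recipient: str,
                       key: bytes = SECRET_KEY, now: Optional[float] = None) -> Tuple[bool, Optional[str], str]:
    """Decision to take at RCPT TO time: (accept, address to deliver to, reason)."""
    if not is_bounce(envelope_sender):
        return True, recipient, "not a bounce; normal delivery"
    original = decode_recipient(recipient, key, now)
    if original is None:
        return False, None, "550 bounce to untagged or invalid address rejected"
    return True, original, "bounce accepted; deliver to original sender"


if __name__ == "__main__":
    NOW = 1_700_000_000.0
    tagged = encode_sender("alice@example.com", now=NOW)
    print("outgoing MAIL FROM:", tagged)
    print(smtp_rcpt_decision("<>", tagged, now=NOW))
    print(smtp_rcpt_decision("<>", "alice@example.com", now=NOW))
    print(smtp_rcpt_decision("MAILER-DAEMON@isp.example", tagged, now=NOW + 8 * 86400))
```

The rejection happens during the SMTP dialogue, so the forging server never gets to queue a message for the catch-all, and the day stamp means an attacker who harvests one tagged address from a real bounce can only replay it for the lifetime window. Jeff's objection still applies unchanged: any message a user sends through a server that does not rewrite the envelope sender will have its legitimate bounces rejected, which is why the second post asks those users to relay through the tagging server with authenticated SMTP or opt out of tagging.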
 
It won't work if the sender uses any other mail server to send his email. For example, many ISPs won't let you send email from any other server but their own.

AOL redirects port 25 traffic; no matter what mailserver you think you're using while connecting through AOL, you're really using theirs.

Jeff
 
When encoded envelope senders are in use as I described, users should be asked to send, preferably using authenticated SMTP, via the server that generates the encoded envelope sender.

Some users may be unwilling or unable to do this. For such users, it will be desirable to let them bypass the encoding and use unencoded envelope senders. They can set their catch-all address to "fail", or they can live with the spam bounces.

Rahul
 