On Wednesday, 26.03.2008, at 05:12 -0700, Craig White wrote:
> That account has likely been 'Joe Jobbed' and you are seeing the
> backscatter. Google 'Joe Job' or find it on Wikipedia for an
> explanation.

Great. Seems precisely the problem.

> My first 'defense' is greylisting, run as a policy in postfix.

The same, I had greylisting activated some time ago. Works great.
Except for bounces, which usually come from real and valid servers.

> My second defense is to use RBLs (abuseat / spamhaus / dsbl) to
> otherwise block KNOWN blacklisted sources.

Already activated.

> My third defense is to require:
> - reverse DNS of sender
> - fqdn of sender
> - valid hostname
> - valid recipient

Ok. I will try these.

> Once I have accepted e-mail, it is shuffled to 'MailScanner', which is a
> wrapper program that sends e-mail through clamav and then through
> spamassassin, where it is cleaned and scored.

I have the same. The problem is that I received so many mails to that
account that /var/spool/mqueue.in became flooded.

> Finally, I have 'sieve' rules for all users which put high spam score
> e-mails into a user's 'SPAMBOX' folder, of which everything that is older
> than 7 days is automatically cleaned out.

Thanks a lot, you gave us a lot of light on how to approach the
problem. We are working on finding a pattern to filter the emails, but
until now, nothing. You can see the word* files from a lot of messages
here (trying to find IPs and so on):
http://www.padep.org.bo/log20080325/log/
:)
----------------------------------------------
Rodolfo Alcazar - rodolfo.alcazar(a)padep.org.bo
otbits.blogspot.com /
counter.li.org: #367962
----------------------------------------------
"As long as people think that animals do not feel, animals must feel
that people do not think."
- Unknown author
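
The greylisting, RBL and "third defense" checks Craig lists above, written out as a Postfix main.cf fragment. This is an added example, not configuration taken from either poster: the mapping of each list item to a restriction, the policy-service address 127.0.0.1:10023 and the use of zen.spamhaus.org as the only DNSBL are assumptions.

```cfg
# /etc/postfix/main.cf (fragment), added example for Postfix 2.3 or later.
# Order matters: restrictions are evaluated top to bottom, first match wins.

# "valid hostname" can only be checked if the client sends HELO/EHLO at all.
smtpd_helo_required = yes

# Hold rejections until RCPT TO so the log shows sender and recipient together.
smtpd_delay_reject = yes

# Mapping of the list in the mail to restrictions (assumed interpretation):
#   own users / relay protection -> permit_mynetworks, reject_unauth_destination
#   valid recipient   -> reject_unlisted_recipient
#                        (refuse at SMTP time; accepting and bouncing later
#                         would make this server a backscatter source itself)
#   valid hostname    -> reject_invalid_helo_hostname,
#                        reject_non_fqdn_helo_hostname
#   fqdn of sender    -> reject_non_fqdn_sender, reject_unknown_sender_domain
#   reverse DNS       -> reject_unknown_client_hostname
#                        (strict: needs matching PTR and A records; the milder
#                         variant is reject_unknown_reverse_client_hostname)
#   RBLs              -> reject_rbl_client <zone>
#   greylisting       -> check_policy_service (placed last, so only mail that
#                        survived the cheap checks is greylisted)
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_client_hostname,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023
```

Validate with `postfix check` and review the effective values with `postconf -n` before reloading. Bounces carry the null sender `<>`, which the sender checks do not reject, and a correctly configured remote server also passes the client checks and retries after greylisting, which matches the exception noted in the reply above.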