Any exim experts here?
It's recently come to my attention that we may be getting nailed with NDS Bounced messages/backscatter spam. Our site has shown up on two blacklists recently, and this is the only way I can think of that we'd be showing up.
What I need to figure out is an easy way to configure exim to check at SMTP and deny, rather than accept the message and then bounce it. I've been poring through countless forums and scripts, but a lot of it is fairly old (2 years or older) and at this point, I'm just plain frazzled.
Any assistance would be appreciated. Danke!
A user at my company was the victim of a backscatter attack. It is still ongoing, but this individual doesn't see it. We enforced watermarking, using MailScanner.
So MailScanner is my suggestion.
Not sure this is going to fix our issue.
Originally Posted by scathefire
With NDS Bounce spam, the spammer targets a "bad" address on the server, but spoofs the return address with a known good address. So when the mail server accepts the message, attempts to deliver it and finds the recipient is not a valid address, it bounces the message back to the spoofed address, effectively delivering the spam for the spammer without going through the spam filters.
What I need is a rule set for exim that checks at SMTP and rejects back to the original sender instead of accepting it and bouncing after SMTP.
Pretty sure it's going to accept NDR messages, per some RFC compliance. The only way we eliminated the problem was by use of watermarking. With watermarking, every message that the server sends out is tagged. Therefore, when a bogus NDS comes back, MailScanner sees no watermark and adds 100 to the spam score.
SpamAssassin sees this, and messages labeled as high-spam are deleted on our systems.
What SMTP server are you using?
We're using exim and courier.
Perhaps I'm not understanding the specific order of things here.
1. Spammer sends message to bogus address on my domain. Message also has a spoofed return address which IS valid.
2. Message hits server and is passed through for delivery. Determines that address is not a valid address and bounces an NDR to return address.
It's my understanding that this is happening before it hits SpamAssassin, and that SpamAssassin is the last check before it's actually delivered to the final addressee on the server.
If this is the case, installing another "check" program isn't going to do me any good unless it checks as it hits the server. Because once it's accepted, I'm screwed as far as this type of spam is concerned.
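The SMTP-time check the original poster is asking for, as an added example (not posted by anyone in this thread): an exim 4 RCPT ACL that verifies each recipient during the SMTP dialogue and returns a 550 for unknown local parts, so no message is accepted and no bounce is ever generated for them. The domainlist and hostlist names (local_domains, relay_to_domains, relay_from_hosts) and the example.com value are assumptions and must match your own main configuration.

```exim
# --- main configuration section (assumed names; adjust to your site) ---
domainlist local_domains    = @ : example.com
domainlist relay_to_domains =
hostlist   relay_from_hosts = 127.0.0.1

# Run acl_check_rcpt for every RCPT TO: command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail submitted locally (not over TCP) is always accepted.
  accept  hosts = :

  # Reject a return path that cannot be routed, so a spoofed sender
  # address that is itself undeliverable never gets a bounce from us.
  require message = Sender verification failed
          verify  = sender

  # The key line for backscatter: for our own domains, refuse the
  # recipient with a 550 at SMTP time if it does not route to a real
  # mailbox. The sending MTA (or spammer) gets the rejection; we never
  # accept the message, so we never have to bounce it to the spoofed
  # return address.
  deny    message = Unknown recipient: $local_part@$domain
          domains = +local_domains
          !verify = recipient

  # For domains we relay to (secondary MX), ask the primary whether the
  # mailbox exists (callout) instead of accepting blindly and bouncing
  # later. defer_ok keeps mail flowing if the primary is unreachable.
  deny    message = Unknown recipient at destination
          domains = +relay_to_domains
          !verify = recipient/callout=20s,defer_ok

  # Accept mail for our domains and relay domains, and relay for
  # trusted hosts; everything else is refused.
  accept  domains = +local_domains
  accept  domains = +relay_to_domains
  accept  hosts   = +relay_from_hosts
  deny    message = Relay not permitted
```

After changing the configuration, `exim -bV` checks the syntax and `exim -bh 203.0.113.5` (a constructed test address) lets you walk through a fake SMTP session and watch the RCPT rejection happen before DATA.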