Hi there, We have a client who hosts their website elsewhere. We proxy their email to an Exchange server. For a while now we have been getting a large amount of backscatter from Russian IP addresses.
The web developer has checked their MTA logs and says their IP must be being spoofed as they can't see anything in the logs. I suspect a dodgy script has gotten onto the web server that is running direct SMTP connections and bypassing the MTA. It would need a fairly substantial sustained spoofing attack to run against a large number of different hosts, would it not? I'm trying to figure out how best to block these messages as the web server does send legitimate mail from the domain in question.

I have just noticed one thing. I have DoBackSctr set to block yet it looks to be scoring:

    089 X-Assp-Message-Score: 10 (IP: 62.109.25.237 is listed by [CACHE] ips.backscatterer.org)
    083 X-Assp-IP-Score: 10 (IP: 62.109.25.237 is listed by [CACHE] ips.backscatterer.org)

One thing that all these messages have in common is that the claimed sender address under our domain does not exist. Normally ASSP would call Exim, Exim would then call Exchange and verify the recipient during the SMTP session. I presume that this is bypassed because it is detected as a bounce message and redlisted.

At the moment the only way I can see round this is clearing out BounceSenders so that all mail is treated equally, but hopefully someone knows of some better settings?

All the best,
Colin.

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
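The pattern described in the post, a bounce (empty Return-Path) addressed to a local mailbox that does not exist, is something a gateway can check for itself rather than relying only on the backscatterer.org listing. The following is an added example, not code from the post or from ASSP; the domain example.com, the mailbox list and the sample bounce are constructed, and the ASSP score lines are parsed in the format quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a DSN with an empty envelope sender, addressed to a
# mailbox under our domain that does not exist, carrying ASSP score headers
# in the same format as the ones quoted in the post.
SAMPLE_BOUNCE = """\
Return-Path: <>
X-Assp-Message-Score: 10 (IP: 62.109.25.237 is listed by [CACHE] ips.backscatterer.org)
X-Assp-IP-Score: 10 (IP: 62.109.25.237 is listed by [CACHE] ips.backscatterer.org)
From: MAILER-DAEMON@mail.example.net
To: nobody-here@example.com
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mail.example.net.
"""

# Constructed: the mailboxes that really exist under our domain (in practice
# this would come from the Exchange recipient verification the post mentions).
OUR_DOMAIN = "example.com"
VALID_MAILBOXES = {"colin@example.com", "sales@example.com"}

SCORE_RE = re.compile(
    r"^(\d+)\s*\(IP:\s*([\d.]+)\s+is listed by\s+(?:\[CACHE\]\s*)?([^\s)]+)\)"
)

def parse_assp_score(value):
    """Return (score, ip, list_name) from an X-Assp-*-Score header value, or None."""
    m = SCORE_RE.match(value.strip())
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def classify_bounce(raw, valid=VALID_MAILBOXES, domain=OUR_DOMAIN):
    """Describe why a message looks like backscatter.

    Flagged when it is a bounce (empty Return-Path) delivered to a local
    address that does not exist, i.e. a DSN for mail we could never have sent.
    """
    msg = message_from_string(raw)
    is_bounce = parseaddr(msg.get("Return-Path", "x@x"))[1] == ""
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    unknown_local = rcpt.endswith("@" + domain) and rcpt not in valid
    scores = {h: parse_assp_score(v) for h, v in msg.items()
              if h.lower().startswith("x-assp-") and h.lower().endswith("-score")}
    return {"is_bounce": is_bounce, "recipient": rcpt,
            "unknown_recipient": unknown_local, "assp_scores": scores,
            "backscatter": is_bounce and unknown_local}
```

A bounce to an address that does exist is left alone, so legitimate DSNs for the web server's real mail still get through while bounces for forged senders are caught even when the sending IP is not on any list.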