Re: [exim] Seeking advice how to deal with spam faked to appear ascoming from my domain

[ams]

Many thanks, I'll make use of it.

-a
-- 
Aaron Stromas          |     "Tik-tik-tik!!!... ja, Pantani is weg..."
mailto:[EMAIL PROTECTED]  |                          BRTN commentator
+1 (301) 493 4933      |                          L'Alpe d'Huez
http://www.izoard.com  |                          1995 Tour de France



> "Alan J. Flavell" wrote:
>> On Mon, 14 Nov 2005, Cliff Pratt wrote:
>>
>> > On 11/14/05, Aaron Stromas <[EMAIL PROTECTED]> wrote:
>> >
>> > > Some S.O.B. is sending spam faking the sender to be from my domain,
>> > > izoard.com <http://izoard.com>, so the postmaster get all that mail
>> > > bounced by spam filters
>> > > (see below). Is there anything I can do about it?
>> [...]
>>
>> > No, there is nothing that you can really do about it.
>>
>> I don't know about that. If I was on the receiving end of such stuff,
>> and there wasn't *too* much of it, I think I would configure our
>> spamassassin to rate the rejection reports as spam and reject them.
>>
>> If the situation was too bad for that (as it has sometimes been for
>> antivirus rejection reports when the virus was faking our domain as
>> sender) then I'd blacklist the envelope sender address of the reports,
>> to avoid putting too much load on our spamassassin.
>
> Well, the times that this has happened to me or at least the times
> that I've noticed, It would have been far too expensive to run the
> mail through SpamAssassin.  I've seen millions of bounces over a
> day or two.
>
> This little ACL snippet helped:
>
> acl_smtp_rcpt:
>       deny    message = This domain is Joe Job victim
>               senders = :
>               condition = ${if < {eval:$tod_epoch - \
>                               ${lookup{$domain} \
>                                   lsearch{<config path>/domains.joe-jobbed} \
>                                       {$value}{0}}} \
>                               {eval:3 * 86400} {yes}{no}}
>
> This just blocks DSNs to the particular domain for 3 days.  I know
> that's not always ideal, but in this situation it's the smaller of
> two evils.  The timeout is beacause I normally forget to remove the
> block.
>
> It doesn't stop incoming DSNs from even more badly configured that
> send DSNs with a non null reverse path.
>
> Ian
>
> --
> Ian Freislich
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>


-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/