I'm helping a mail cleaner company save the MX of one of its clients
who's being joe-jobbed since last Wednesday. 3 - 4 million joe-job msgs / day.
Looking at our MX rejects of unknown recipients to the victim domain,
we see which MXs are NOT participating in the joe job by probing our
MX with a sender that is apparently identified as an SAV sender,
rather than a real message:
============
Postfix default is:
address_verify_sender = [EMAIL PROTECTED]
... which is generic and anonymous, and could be interpreted as anything.
I suggest you change that to something like:
address_verify_sender = [EMAIL PROTECTED]
address_verify_sender = [EMAIL PROTECTED]
and btw, when your SAV probes themselves get SAV'd, your MX must
verify your SAV sender as good, e.g., your mx1.mydomain.com should have:
local_recipient_maps = /etc/postfix/to_local_recipients.map
should contain:
[EMAIL PROTECTED] ok
[EMAIL PROTECTED] ok
[EMAIL PROTECTED] ok
etc
Len
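
Added example, not part of the original message: one way to produce a per-sender tally of the unknown-recipient rejects described above from Postfix smtpd log lines. The log lines, host names, addresses and the victim.example domain are constructed, and the code assumes the standard "User unknown in local recipient table" reject format.

```python
import re
from collections import Counter

# Constructed sample in Postfix smtpd reject format; every host, address and
# the victim domain (victim.example) is made up for this example.
SAMPLE_LOG = """\
Mar  3 10:00:01 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.a.example[192.0.2.10]: 550 5.1.1 <qx71@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<sav-probe@a.example> to=<qx71@victim.example> proto=ESMTP helo=<mx.a.example>
Mar  3 10:00:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.a.example[192.0.2.10]: 550 5.1.1 <bz02@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<sav-probe@a.example> to=<bz02@victim.example> proto=ESMTP helo=<mx.a.example>
Mar  3 10:00:03 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.a.example[192.0.2.10]: 550 5.1.1 <kk9@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<sav-probe@a.example> to=<kk9@victim.example> proto=ESMTP helo=<mx.a.example>
Mar  3 10:00:04 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mx.c.example[192.0.2.30]: 550 5.1.1 <qx71@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<qx71@victim.example> proto=ESMTP helo=<mx.c.example>
Mar  3 10:00:05 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from mx.c.example[192.0.2.30]: 550 5.1.1 <m4t@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<> to=<m4t@victim.example> proto=ESMTP helo=<mx.c.example>
Mar  3 10:00:06 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from mx.b.example[192.0.2.20]: 550 5.1.1 <p0s@victim.example>: Recipient address rejected: User unknown in local recipient table; from=<verify@b.example> to=<p0s@victim.example> proto=ESMTP helo=<mx.b.example>
Mar  3 10:00:07 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from mx.a.example[192.0.2.10]: 550 5.1.1 <joe@other.example>: Recipient address rejected: User unknown in local recipient table; from=<sav-probe@a.example> to=<joe@other.example> proto=ESMTP helo=<mx.a.example>
Mar  3 10:00:08 mx1 postfix/smtpd[2105]: connect from mx.d.example[192.0.2.40]
"""

# Matches only unknown-recipient rejects and captures the envelope sender
# (which may be the empty null sender) and the rejected recipient.
REJECT = re.compile(
    r"reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: 550 .*?"
    r"User unknown in local recipient table; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def tally_senders(log_text, victim_domain):
    """Count envelope senders on unknown-recipient rejects for one domain."""
    counts = Counter()
    suffix = "@" + victim_domain.lower()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m and m.group("rcpt").lower().endswith(suffix):
            counts[m.group("sender").lower()] += 1
    return counts

def report(counts):
    """Format as 'count from=<sender>' lines, highest count first."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{n:7d} from=<{sender}>" for sender, n in ordered]

if __name__ == "__main__":
    print("\n".join(report(tally_senders(SAMPLE_LOG, "victim.example"))))
```
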