Steve Martin wrote:
> I'm trying to figure out the route this took to get to me....
>
> My guess is...
>
> Some trojan/whatever sent an email to a nonexistent address
> ([EMAIL PROTECTED])
> The return address was spoofed as one of my addresses ([EMAIL PROTECTED])
> Their brain-dead mailer daemon then sent the failure back to me.

That's not really all that brain-dead. Of course, they'd be smarter to check the recipient domain at delivery time, instead of queuing then bouncing later, but VERY few mailservers check this kind of thing.

The other thing they could do would be to check the return-path at delivery time and refuse to relay mail that doesn't have a return-path for their local domain. (in addition to checking that the source host is allowed to relay, not instead of). However, very few sites check this when the source is a local machine. Most will relay anything sent by their own users, regardless of return path.

> I've gotten a few of these today from "mailhub.intercaf.ru", one was
> even a bounce of an attempt to deliver an email to my domain that was
> blocked by an RBL lookup in postfix. Nothing like blocking something
> only to have it bounce back to me.
>
> Any suggestions on the best way to block this or have it detected as spam?

Tell postfix to refuse mail from 83.102.221.67?

That's generally what I do with joe-job bounces. I block the affected server for 24 hours with a 550 explaining they've got an infected local user. This way the messages double-bounce and end up in their postmaster box.
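
The 24-hour block described in the reply above, as an added example that is not part of the original message: a small Python helper that keeps a Postfix access(5) table of temporarily refused clients and drops entries once their window has passed. The reject text, the `# expires` comment convention and the function names are assumptions made for this example.

```python
import ipaddress

BLOCK_SECONDS = 24 * 60 * 60  # the reply blocks the relaying server for 24 hours
# Constructed reject text; an access(5) action may be "550 text".
REJECT = "550 Backscatter refused: a local user on your network is sending forged mail"


def add_block(blocks, ip, now):
    """Record ip as blocked until now + 24h. blocks maps ip -> expiry epoch."""
    ip = str(ipaddress.ip_address(ip))  # raises ValueError on a malformed address
    # Re-blocking an address never shortens a window that is already longer.
    blocks[ip] = max(blocks.get(ip, 0), int(now) + BLOCK_SECONDS)
    return blocks


def prune(blocks, now):
    """Drop entries whose 24-hour window has passed."""
    return {ip: exp for ip, exp in blocks.items() if exp > now}


def render(blocks):
    """Emit access(5) lines: an '# expires' comment, then 'IP action'."""
    lines = []
    for ip, exp in sorted(blocks.items()):
        lines.append(f"# expires {exp}")  # assumed convention, ignored by Postfix
        lines.append(f"{ip} {REJECT}")
    return "\n".join(lines) + ("\n" if lines else "")


def parse(text):
    """Read back a table written by render(), recovering the expiry times."""
    blocks, pending = {}, None
    for line in text.splitlines():
        if line.startswith("# expires "):
            pending = int(line.split()[2])
        elif line.strip() and not line.startswith("#") and pending is not None:
            blocks[line.split()[0]] = pending
            pending = None
    return blocks


if __name__ == "__main__":
    import time
    # The address is the one named in the reply above.
    print(render(add_block({}, "83.102.221.67", int(time.time()))), end="")
```

The rendered table is meant to be referenced from a `check_client_access` restriction and rebuilt with `postmap` after each change; running `prune` from a periodic job is what lifts the block after 24 hours.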