Mailing List Archive

MTA needs to allow specific mail server
Hi,

I have an email account that receives thousands of emails to non-existent
mailboxes on the same domain.

I resolved the problem by routing the incoming mail through a service that
only allows specified mailboxes through (they don't do any other filtering).
The only trouble is now my SPF filter is being triggered thus labeling the
email as spam. How can I exempt this server from SPF checks?

I'm running:
Ubuntu 8.04
Postfix
Amavisd-new
Spamassassin

Thanks for any help you can provide.

Eric



-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: MTA needs to allow specific mail server
On 16-Jun-10, at 2:08 PM, Eric Biondi wrote:

> I have an email account that receives thousands of emails to non-existent
> mailboxes on the same domain.

I'm guessing that the wording of this statement isn't exactly as you
intended so I can only say, why are you accepting email for
non-existing mailboxes?

Do you mean that you are receiving email *from* non-existent mail
accounts? If so, Postfix Address Verification is a way to solve this.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html


> I resolved the problem by routing the incoming mail through a service that
> only allows specified mailboxes through (they don't do any other filtering).
> The only trouble is now my SPF filter is being triggered thus labeling the
> email as spam. How can I exempt this server from SPF checks?
>
> I'm running:
> Ubuntu 8.04
> Postfix
> Amavisd-new
> Spamassassin
>


Since you've decided to use a service for this the best way to solve
this problem is to whitelist the mail server(s) of this service. How
exactly you do that depends on how your mail server is configured and
merely listing what software you are using doesn't quite cut it.

Basically, what you need to do is whitelist the mail server(s) of the
service you are using so it by-passes SPF checks. You may need to do
that in Postfix and/or possibly Spamassassin depending on where SPF
checks are implemented.

If, on the other hand, this service you are using is already doing SPF
checks then you can turn that feature off on your own server.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



Re: MTA needs to allow specific mail server
Eric Biondi wrote:
> Hi,
>
> I have an email account that receives thousands of emails to non-existent
> mailboxes on the same domain.

This is called a catch-all account and is a good way to receive a lot of
spam. ;)

>
> I resolved the problem by routing the incoming mail through a service that
> only allows specified mailboxes through (they don't do any other filtering).

Can you just disable the catch-all account and create accounts/aliases
for the specific addresses for which you want to receive mail? Then you
wouldn't need to route mail through this other service.

> The only trouble is now my SPF filter is being triggered thus labeling the
> email as spam. How can I exempt this server from SPF checks?
>
> I'm running:
> Ubuntu 8.04
> Postfix
> Amavisd-new
> Spamassassin

I'm afraid I don't know enough about this implementation to answer your
question.

>
> Thanks for any help you can provide.
>
> Eric
>
>
>
Re: MTA needs to allow specific mail server
At 19:08 16/06/2010 Wednesday, Eric Biondi wrote:
>Hi,
>
>I have an email account that receives thousands of emails to non-existent
>mailboxes on the same domain.

and should reject them all at rcpt time; if it doesn't, it's misconfigured

>I resolved the problem by routing the incoming mail through a service that
>only allows specified mailboxes through (they don't do any other filtering).
>The only trouble is now my SPF filter is being triggered thus labeling the
>email as spam. How can I exempt this server from SPF checks?

you pretty much have to turn off spf checking
as no mail can be checked for spf after it's been received by your first mailserver {the service}
as the first receiving server is where ALL rejection {thus AV recipient filtering RBL spamassassin etc.} MUST occur
any rejection after this time IS abusive as it will cause the 'innocent' service provider to have to send NDR {non-delivery reports} back to the {mainly forged} senders {backscatter-abuse} and will cause them to get blacklisted {for the abuse} and/or abuse the innocent forged-senders


>I'm running:
>Ubuntu 8.04
>Postfix
>Amavisd-new
>Spamassassin

so why not just configure them properly?? reject on recipients that are undeliverable, reject on spf fail, and other obvious ones like rbls etc, reject on AV check fail, reject on spamassassin fail

postfix is more than capable of all of the above

thus no abuse {backscatter} as no mail {except that which passes your tests} is accepted thus no NDR's created by anyone but the senders, thus no abuse of innocents


>Thanks for any help you can provide.
>
>Eric
>
>
>
Re: MTA needs to allow specific mail server
At 19:40 16/06/2010 Wednesday, Gino Cerullo wrote:
>On 16-Jun-10, at 2:08 PM, Eric Biondi wrote:
>
>>I have an email account that receives thousands of emails to non-existent
>>mailboxes on the same domain.
>
>I'm guessing that the wording of this statement isn't exactly as you
>intended so I can only say, why are you accepting email for non-existing mailboxes?
>
>Do you mean that you are receiving email *from* non-existent mail
>accounts? If so, Postfix Address Verification is a way to solve this.
>
>http://www.postfix.org/ADDRESS_VERIFICATION_README.html

I would strongly advise against it; sender verification callbacks are considered abusive and WILL get your server on several rbls quickly {yes less abusive than backscatter but still wasting other largely forged innocents resources}
{checking for a valid PTR/MX/SPF/CSA etc are all fine but connecting to the forged{90%} senders MX's IS abuse}

{that tech is only considered non-abusive when used for recipient address verification callforwards, as in on a backup MX to check the primary MX before accepting the rcpt}



>>I resolved the problem by routing the incoming mail through a service that
>>only allows specified mailboxes through (they don't do any other filtering).
>>The only trouble is now my SPF filter is being triggered thus labeling the
>>email as spam. How can I exempt this server from SPF checks?
>>
>>I'm running:
>>Ubuntu 8.04
>>Postfix
>>Amavisd-new
>>Spamassassin
>
>
>Since you've decided to use a service for this the best way to solve
>this problem is to whitelist the mail server(s) of this service. How
>exactly you do that depends on how your mail server is configured and
>merely listing what software you are using doesn't quite cut it.
>
>Basically, what you need to do is whitelist the mail server(s) of the
>service you are using so it by-passes SPF checks. You may need to do
>that in Postfix and/or possibly Spamassassin depending on where SPF
>checks are implemented.
>
>If, on the other hand, this service you are using is already doing SPF
>checks then you can turn that feature off on your own server.
>
>
>--
>Gino Cerullo
>
>Pixel Point Studios
>21 Chesham Drive
>Toronto, ON M3M 1W6
>
>416-247-7740
>
>
>
RE: MTA needs to allow specific mail server
I'm sorry, you are correct, I wasn't very precise. I meant to say some
spammer is sending about 3000 emails per day to non-existent mailboxes
and my server is rejecting them. The purpose of this service I'm using is to
reduce the load on my equipment.

I just want to whitelist the mail server. I normally whitelist email
addresses or domains in amavisd.conf, but SPF is implemented in spamassassin
in the local.cf file.

I have many domains and only send this one through that service to get
cleaned up.

It doesn't matter to me if I whitelist the server in terms of SPF or SPAM
filtering altogether (as I can turn on their spam filtering).

Thanks for your reply.

-----Original Message-----
From: Gino Cerullo [mailto:gcerullo@pixelpointstudios.com]
Sent: Wednesday, June 16, 2010 2:40 PM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] MTA needs to allow specific mail server

On 16-Jun-10, at 2:08 PM, Eric Biondi wrote:

> I have an email account that receives thousands of emails to non-
> existent mailboxes on the same domain.

I'm guessing that the wording of this statement isn't exactly as you
intended so I can only say, why are you accepting email for non-existing
mailboxes?

Do you mean that you are receiving email *from* non-existent mail accounts?
If so, Postfix Address Verification is a way to solve this.

http://www.postfix.org/ADDRESS_VERIFICATION_README.html


> I resolved the problem by routing the incoming mail through a service
> that only allows specified mailboxes through (they don't do any other
> filtering).
> The only trouble is now my SPF filter is being triggered thus labeling
> the email as spam. How can I exempt this server from SPF checks?
>
> I'm running:
> Ubuntu 8.04
> Postfix
> Amavisd-new
> Spamassassin
>


Since you've decided to use a service for this the best way to solve this
problem is to whitelist the mail server(s) of this service. How exactly you
do that depends on how your mail server is configured and merely listing
what software you are using doesn't quite cut it.

Basically, what you need to do is whitelist the mail server(s) of the
service you are using so it by-passes SPF checks. You may need to do that in
Postfix and/or possibly Spamassassin depending on where SPF checks are
implemented.

If, on the other hand, this service you are using is already doing SPF
checks then you can turn that feature off on your own server.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



Re: MTA needs to allow specific mail server
On 16-Jun-10, at 3:00 PM, alan wrote:

> At 19:40 16/06/2010 Wednesday, Gino Cerullo wrote:
>> On 16-Jun-10, at 2:08 PM, Eric Biondi wrote:
>>
>>> I have an email account that receives thousands of emails to non-existent
>>> mailboxes on the same domain.
>>
>> I'm guessing that the wording of this statement isn't exactly as you
>> intended so I can only say, why are you accepting email for
>> non-existing mailboxes?
>>
>> Do you mean that you are receiving email *from* non-existent mail
>> accounts? If so, Postfix Address Verification is a way to solve this.
>>
>> http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
> I would strongly advise against it sender verification callbacks are
> considered abusive and WILL get your server on several rbls quickly
> {yes less abusive than backscatter but still wasting other largely
> forged innocents resources}
> {checking for a valid PTR/MX/SPF/CSA etc are all fine but connecting
> to the forged{90%} senders MX's IS abuse}
>
> {that tech is only considered non-abusive when used for recipient
> address verification callforwards, as in on a backup MX to check the
> primary MX before accepting the rcpt}

Hey, I never said it was ideal but in this case it may be since the OP
said they were all coming from one domain and you can configure
Address Verification to check only one domain.

But, then again, I'm not sure this is the OP's problem as the wording
of his first statement seemed incorrect.

Then again SPF was developed to address just this kind of problem. If
everyone would just implement SPF most of this would be moot.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



RE: MTA needs to allow specific mail server
Thanks Alan, you probably read my responses to other replies so need to
repeat it here.

-----Original Message-----
From: alan [mailto:spfdiscuss@alandoherty.net]
Sent: Wednesday, June 16, 2010 2:45 PM
To: spf-help@v2.listbox.com; spf-help@v2.listbox.com
Subject: Re: [spf-help] MTA needs to allow specific mail server

At 19:08 16/06/2010 Wednesday, Eric Biondi wrote:
>Hi,
>
>I have an email account that receives thousands of emails to
>non-existent mailboxes on the same domain.

and should reject them all at rcpt time; if it doesn't, it's misconfigured

>I resolved the problem by routing the incoming mail through a service
>that only allows specified mailboxes through (they don't do any other
>filtering).
>The only trouble is now my SPF filter is being triggered thus labeling
>the email as spam. How can I exempt this server from SPF checks?

you pretty much have to turn off spf checking as no mail can be checked for
spf after it's been received by your first mailserver {the service} as the
first receiving server is where ALL rejection {thus AV recipient filtering
RBL spamassassin etc.} MUST occur any rejection after this time IS abusive as
it will cause the 'innocent' service provider to have to send NDR
{non-delivery reports} back to the {mainly forged} senders
{backscatter-abuse} and will cause them to get blacklisted {for the abuse}
and/or abuse the innocent forged-senders


>I'm running:
>Ubuntu 8.04
>Postfix
>Amavisd-new
>Spamassassin

so why not just configure them properly?? reject on recipients that are
undeliverable, reject on spf fail, and other obvious ones like rbls etc,
reject on AV check fail, reject on spamassassin fail

postfix is more than capable of all of the above

thus no abuse {backscatter} as no mail {except that which passes your tests}
is accepted thus no NDR's created by anyone but the senders, thus no abuse
of innocents


>Thanks for any help you can provide.
>
>Eric
>
>
>
RE: MTA needs to allow specific mail server
At 20:09 16/06/2010 Wednesday, Eric Biondi wrote:
>I'm sorry, you are correct, I wasn't very precise. I meant to say some
>spammer is sending to about 3000 emails per day to non-existent mailboxes
>and my server is rejecting them. The purpose of this service I'm using is to
>reduce the load on my equipment.

in that case then yes you need to whitelist this host in postfix for all checks if possible
{otherwise you risk causing them to be blacklisted for backscatter}

obviously if you don't care about them you can just configure their ip in spamassassin's section for listing your upstream MX's {as this is what they are} and this will stop all spf and rbl checks against their ip

>I just want to whitelist the mail server. I normally whitelist email
>addresses or domains in amavisd.conf, but SPF is implemented in spamassassin
>in the local.cf file.

there is more than one file to spamassassin
{also you are supposed to implement spf checks in postfix {at rcpt time, before the email is received to reduce load}}
as checking spf after receiving the full mail makes little sense from a load reduction standpoint
and postfix is more than capable of checking spf correctly long before the mail gets received

>I have many domains and only send this one through that service to get
>cleaned up.
>
>It doesn't matter to me if I whitelist the server in terms of SPF or SPAM
>filtering altogether (as I can turn on their spam filtering.

i would say it would be kinder to the service provider to entirely whitelist them
{but this assumes you can also turn on spamfiltering on their system {where it should be always done, at the entry point to 'your' receiving hosts}


>Thanks for your reply.
>
>-----Original Message-----
>From: Gino Cerullo [mailto:gcerullo@pixelpointstudios.com]
>Sent: Wednesday, June 16, 2010 2:40 PM
>To: spf-help@v2.listbox.com
>Subject: Re: [spf-help] MTA needs to allow specific mail server
>
>On 16-Jun-10, at 2:08 PM, Eric Biondi wrote:
>
>> I have an email account that receives thousands of emails to non-
>> existent mailboxes on the same domain.
>
>I'm guessing that the wording of this statement isn't exactly as you
>intended so I can only say, why are you accepting email for non-existing
>mailboxes?
>
>Do you mean that you are receiving email *from* non-existent mail accounts?
>If so, Postfix Address Verification is a way to solve this.
>
>http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
>
>> I resolved the problem by routing the incoming mail through a service
>> that only allows specified mailboxes through (they don't do any other
>> filtering).
>> The only trouble is now my SPF filter is being triggered thus labeling
>> the email as spam. How can I exempt this server from SPF checks?
>>
>> I'm running:
>> Ubuntu 8.04
>> Postfix
>> Amavisd-new
>> Spamassassin
>>
>
>
>Since you've decided to use a service for this the best way to solve this
>problem is to whitelist the mail server(s) of this service. How exactly you
>do that depends on how your mail server is configured and merely listing
>what software you are using doesn't quite cut it.
>
>Basically, what you need to do is whitelist the mail server(s) of the
>service you are using so it by-passes SPF checks. You may need to do that in
>Postfix and/or possibly Spamassassin depending on where SPF checks are
>implemented.
>
>If, on the other hand, this service you are using is already doing SPF
>checks then you can turn that feature off on your own server.
>
>
>--
>Gino Cerullo
>
>Pixel Point Studios
>21 Chesham Drive
>Toronto, ON M3M 1W6
>
>416-247-7740
>
>
>



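The difference between an upstream MX that the SPF check knows nothing about and one that is listed as a trusted relay, as an added example that is not part of the original thread. It is a simplified model: the addresses, host names, the `SPF_RECORDS` table (standing in for DNS lookups) and all function names are constructed for illustration; in SpamAssassin the relay list itself is set with `trusted_networks` / `internal_networks`.

```python
import ipaddress
import re

# Constructed sample data: documentation address ranges, not values from the thread.
UPSTREAM_MX = [ipaddress.ip_network("198.51.100.0/28")]      # the filtering service (assumed)
SPF_RECORDS = {                                              # stand-in for DNS SPF lookups
    "example.org": [ipaddress.ip_network("192.0.2.0/24")],   # treated as "... -all"
}

BRACKETED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def relay_ips(received_headers):
    """Client IP recorded by each Received header, newest hop first."""
    ips = []
    for header in received_headers:
        match = BRACKETED_IP.search(header)
        if not match:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # bracketed text that is not an address
    return ips


def spf_client_ip(received_headers, trusted_nets):
    """First hop that is not one of our own or upstream relays, else None."""
    for ip in relay_ips(received_headers):
        if not any(ip in net for net in trusted_nets):
            return ip
    return None


def spf_result(domain, ip):
    """Simplified SPF: 'none' without a record, else 'pass' or 'fail'."""
    nets = SPF_RECORDS.get(domain)
    if nets is None:
        return "none"
    return "pass" if any(ip in net for net in nets) else "fail"


def evaluate(message, trusted_nets):
    """Return (ip_checked, spf_result) for a message under a given relay list."""
    ip = spf_client_ip(message["received"], trusted_nets)
    if ip is None:
        return None, "none"
    return str(ip), spf_result(message["mail_from_domain"], ip)


def message(sender_ip, sender_host, domain):
    """Constructed message that reached us through the filtering service."""
    return {
        "mail_from_domain": domain,
        "received": [
            # Added by our own server: the client it saw was the filtering service.
            "from filter.example.net (filter.example.net [198.51.100.5]) "
            "by mail.recipient.example with ESMTP",
            # Added by the filtering service: the client it saw was the real sender.
            f"from {sender_host} ({sender_host} [{sender_ip}]) "
            "by filter.example.net with ESMTP",
        ],
    }


LEGIT = message("192.0.2.10", "out.example.org", "example.org")
FORGED = message("203.0.113.77", "bot.invalid", "example.org")
NO_SPF = message("203.0.113.80", "mail.example.com", "example.com")


def compare():
    """SPF outcome per message, with and without the upstream MX listed."""
    rows = {}
    for name, msg in (("legit", LEGIT), ("forged", FORGED), ("no_spf", NO_SPF)):
        rows[name] = {
            "relay_untrusted": evaluate(msg, [])[1],
            "relay_trusted": evaluate(msg, UPSTREAM_MX)[1],
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(name, row)
```

With the relay unlisted, every message from an SPF-publishing domain fails because the check sees the filtering service's address; domains without SPF are unaffected, which matches only certain senders being tagged. Listing the relay restores the pass for legitimate mail while the forged message still fails, whereas a blanket exemption for the relay's address would let the forged one through unchecked.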
RE: MTA needs to allow specific mail server
> I meant to say some
> spammer is sending to about 3000 emails per day to non-existent mailboxes
> and my server is rejecting them. The purpose of this service I'm using is
> to reduce the load on my equipment.

3000 per day is about 2 per minute; can your server really not cope with
that? Checking for valid users isn't really that arduous a task...

I would suggest some other method of tackling the issue - LART to
upstream, iptables[1], that sort of thing. Introducing more hops into the
delivery chain just makes life more difficult. Your solution might be more
troublesome than your problem - particularly if the spam attack is
short-lived (as they usually are).

Vic.

[1] If you filter a spammer in iptables, make sure to DROP the packet,
rather than REJECT it. It slows the attack quite considerably...



RE: MTA needs to allow specific mail server
Hi Vic,

I have 100 very active users. This one domain (with a single user/mailbox)
has been getting 2000-4000 emails a day for non-existent mailboxes for two
years now. The IP addresses are never the same. It will never stop if I
don't tackle the issue.

I'm sick of seeing it in my reports. My server has been handling it for two
years now but enough is enough.

My solution I thought was brilliant as it has totally resolved the problem
except for the fact that this user's incoming emails often get tagged as spam
(strangely only certain senders get tagged) and go into her junk folder. I
finally realized that routing her mail through another mx caused it to fail
the spf test. I like having a spf test for the server in general so all I
need to do is exempt filtering for that upstream mx.



-----Original Message-----
From: Vic [mailto:spf1@beer.org.uk]
Sent: Wednesday, June 16, 2010 4:33 PM
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] MTA needs to allow specific mail server


> I meant to say some
> spammer is sending to about 3000 emails per day to non-existent
> mailboxes and my server is rejecting them. The purpose of this service
> I'm using is to reduce the load on my equipment.

3000 per day is about 2 per minute; can your server really not cope with
that? Checking for valid users isn't really that arduous a task...

I would suggest some other method of tackling the issue - LART to upstream,
iptables[1], that sort of thing. Introducing more hops into the delivery
chain just makes life more difficult. Your solution might be more
troublesome than your problem - particularly if the spam attack is
short-lived (as they usually are).

Vic.

[1] If you filter a spammer in iptables, make sure to DROP the packet,
rather than REJECT it. It slows the attack quite considerably...



RE: MTA needs to allow specific mail server
At 22:24 16/06/2010 Wednesday, Eric Biondi wrote:
>Hi Vic,
>
>I have 100 very active users. This one domain (with a single user/mailbox)
>has been getting 2000-4000 emails a day for non-existent mailboxes for two
>years now. The IP addresses are never the same. It will never stop if I
>don't tackle the issue.

this isn't tackling the issue, it's just complicating it and off loading it
{i suspect not a single one of those senders is not listed on a common dnsbl like zen {and thus rejectable long before even looking up the recipient}}
{as i have yet to see any non-bot attempting non-existent recipients for long}

>I'm sick of seeing it in my reports. My server has been handling it for two
>years now but enough is enough.

your server your rules, but be aware you have {to avoid seeing the issue} now a setup that can lead to increased abuse {backscatter} {and worse from an 'innocent' {but contracted} third party} OR increased spam {if to avoid abuse you whitelist all mail from this host}

>My solution I thought was brilliant as it has totally resolved the problem
>except for the fact that this user's incoming emails often get tagged as spam
>(strangely only certain senders get tagged)

only the ones from the few domains using SPF would be the reason

> and go into her junk folder. I finally realized that routing her mail through another mx

without bothering to configure spamassassin/postfix {as they both have a section in the manual/config for this}

>caused it to fail the spf test.

actually caused it to raise the spamassassin score as you are only using SPF as part of spamassassin's score and thus not really using SPF as designed

> I like having a spf test for the server in general so all I need to do is exempt filtering for that upstream mx.

yes it will fix your symptoms but not the real issues/problems

as you aren't really using SPF as intended
{SPF was/is intended as a low impact test to tell if at rcpt-time {before receiving an email} if the sender is likely-forged and thus the mail can/should be rejected before transmission}

if you accept mail that fails SPF you clearly aren't really 'using' SPF on any of your email

I still wonder why you came to this list with this issue as it's clearly an issue with your use/mis-configuration of spamassassin and surely should have been directed towards their mailing list, it's not an issue with SPF and as you have pointed out you don't even use SPF as intended just by accident of spamassassin using spf in their scoring algorithm

>-----Original Message-----
>From: Vic [mailto:spf1@beer.org.uk]
>Sent: Wednesday, June 16, 2010 4:33 PM
>To: spf-help@v2.listbox.com
>Subject: RE: [spf-help] MTA needs to allow specific mail server
>
>
>> I meant to say some
>> spammer is sending to about 3000 emails per day to non-existent
>> mailboxes and my server is rejecting them. The purpose of this service
>> I'm using is to reduce the load on my equipment.
>
>3000 per day is about 2 per minute; can your server really not cope with
>that? Checking for valid users isn't really that arduous a task...
>
>I would suggest some other method of tackling the issue - LART to upstream,
>iptables[1], that sort of thing. Introducing more hops into the delivery
>chain just makes life more difficult. Your solution might be more
>troublesome than your problem - particularly if the spam attack is
>short-lived (as they usually are).
>
>Vic.
>
>[1] If you filter a spammer in iptables, make sure to DROP the packet,
>rather than REJECT it. It slows the attack quite considerably...
>
>
>



Re: MTA needs to allow specific mail server
I'm guessing that he meant he has an 'email server' instead of 'email
account'.
If you are filtering for email addresses for whom to accept, please do not
put such a test prior to SPF checks. Even if you add that filtering
machine's IP address to your SPF whitelist, you are basically giving each
and every SPF violator a clean-chit as the mails will appear to originate
from your filtering machine instead of the actual sender (from SPF point
of view).

Here's what to do:
1) Check for SPF records first.
2) Use DNSBLs to do further filtration.
3) Send the remaining mails through an anti-spam engine like MailScanner.
4) At this stage, assuming that most of your spam is weeded out, if
there is any mail to a non-existent user, it probably is a genuine mail
with a misspelled recipient address which ought to be bounced to the
sender, so you don't even need to use your email-id filtration tool.


Regards,
Prashanth Chengi
National PARAM SuperComputing Facility
System Administration and Networking Group
C-DAC Pune
Phone: +91 20 25704197

--
Now we that are strong ought to bear the infirmities of the weak,
and not to please ourselves.
Romans 15:1

On Wed, 16 Jun 2010, Gino Cerullo wrote:

> On 16-Jun-10, at 2:08 PM, Eric Biondi wrote:
>
>> I have an email account that receives thousands of emails to non-existent
>> mailboxes on the same domain.
>
> I'm guessing that the wording of this statement isn't exactly as you intended
> so I can only say, why are you accepting email for non-existing mailboxes?
>
> Do you mean that you are receiving email *from* non-existent mail accounts?
> If so, Postfix Address Verification is a way to solve this.
>
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html
>
>
>> I resolved the problem by routing the incoming mail through a service that
>> only allows specified mailboxes through (they don't do any other
>> filtering).
>> The only trouble is now my SPF filter is being triggered thus labeling the
>> email as spam. How can I exempt this server from SPF checks?
>>
>> I'm running:
>> Ubuntu 8.04
>> Postfix
>> Amavisd-new
>> Spamassassin
>>
>
>
> Since you've decided to use a service for this the best way to solve this
> problem is to whitelist the mail server(s) of this service. How exactly you
> do that depends on how your mail server is configured and merely listing what
> software you are using doesn't quite cut it.
>
> Basically, what you need to do is whitelist the mail server(s) of the service
> you are using so it by-passes SPF checks. You may need to do that in Postfix
> and/or possibly Spamassassin depending on where SPF checks are implemented.
>
> If, on the other hand, this service you are using is already doing SPF checks
> then you can turn that feature off on your own server.
>
>
> --
> Gino Cerullo
>
> Pixel Point Studios
> 21 Chesham Drive
> Toronto, ON M3M 1W6
>
> 416-247-7740
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
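
Added example (not from the thread): the reply above argues that SPF is judged against whichever host connects to the checking server, so a relay placed in front hides the real sender. The Python below evaluates the ip4/ip6/all mechanisms of a constructed SPF record for a genuine and a forged sender in three setups; the domain, addresses, relay IP and function names are assumptions.

```python
import ipaddress

# Constructed SPF record (documentation address ranges), standing in for a DNS TXT lookup.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}
RELAY_IP = "198.51.100.10"   # hypothetical recipient-filtering service
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip):
    """Evaluate only the ip4/ip6/all mechanisms of the domain's SPF record."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        kind, _, value = mech.partition(":")
        if kind in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def deliver(domain, sender_ip, via_relay=False, exempt_relay=False):
    """SPF verdict reached by the final MX for one message."""
    # The MX only ever sees the host that connected to it.
    connecting_ip = RELAY_IP if via_relay else sender_ip
    if via_relay and exempt_relay:
        return "skipped"          # whitelisted hop: no SPF verdict at all
    return check_spf(domain, connecting_ip)

def scenarios():
    genuine, forged = "192.0.2.25", "203.0.113.50"   # constructed sender IPs
    setups = [("direct", {}),
              ("relayed", {"via_relay": True}),
              ("relayed+exempt", {"via_relay": True, "exempt_relay": True})]
    return {name: (deliver("example.org", genuine, **kw),
                   deliver("example.org", forged, **kw))
            for name, kw in setups}

if __name__ == "__main__":
    for name, (g, f) in scenarios().items():
        print(f"{name:15} genuine={g:8} forged={f}")
```

In the last setup the forged sender gets the same treatment as the genuine one, which is why the SPF check belongs on the first hop that sees the real client IP.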



Re: MTA needs to allow specific mail server [ In reply to ]
> 3) Send the remaining mails through an anti-spam engine like MailScanner.

Unless MailScanner has changed significantly since last I looked at it,
I'd have to disagree with that bit.

MailScanner always used to operate after the mail had been accepted. This
means that, if it finds a spam email, you can bounce it (leading to a
backscatter nuisance), accept it anyway (meaning the filter is worthless),
or discard it (leading to dropped mail). None of these situations is
desirable.

Now it might be that MailScanner has changed architecturally (I haven't
checked), but if it is still as above, it represents something of a
problem.

I use spamass-milter. This causes spam to be rejected at my boundary. It
does mean the load on my MX is a little peaky, but that's of little
consequence - email is not an isochronous message transport :-)

Vic.


