As I’ve noted before, we
still have a major problem with sites generating bounce/backscatter storms in
response to forged mail — whether deliberately targeted, as a “Joe-Job”, or as a side-effect of attempts to evade over-simplistic sender address verification as seen in spam, viruses, and so on.
Sites sending these bounces have a broken
mail configuration, but there are thousands remaining out there — it’s very hard
to fix an old mail setup to avoid this issue. As a result, even if your mail server is set up correctly and can handle the incoming spam load just fine, a single spam
run sent to other people can amplify the volume of response bounces in a Smurf-attack-style volume
multiplication, acting as a denial of service. I’ve
regularly had serious load problems and backlogs on my MX, due solely to these bounces.
However, I think I’ve now solved it, with only a little loss of functionality.
Here’s how I did it, using Postfix and SpamAssassin.
(UPDATE: if you use the algorithm described below, you’ll block mail from people using Sender Address Verification! Use this updated version instead.)
Firstly, note that if you adopt this, you will lose functionality.
Third party sites will not be able to generate bounces which are sent
back to senders via your MX — except during the SMTP transaction.
However, if a message delivery attempt is run from your MX, and it is bounced
by the host during that SMTP transaction, this bounce message will still be
preserved. This is good, since this is basically the only bounce scenario that
can be recommended, or expected to work, in modern SMTP.
Also, a small subset of third-party bounce messages will still get past, and be
delivered — the ones that are not in the RFC-3464 bounce format generated
by modern MTAs, but that include your outbound relays in the quoted header.
The idea here is that “good bounces”, such as messages from mailing lists
warning that your mails were moderated, will still be safe.
OK, the details:
In Postfix
Ideally, we could do this entirely outside Postfix — but in my experience,
the volume (amplified by the Smurf attack effects) is such that these
need to be rejected as soon as possible, during the SMTP transaction.
Update: I’ve now changed this technique: see this blog
post for the current details, and skip this section entirely!
(If you’re curious, though, here’s what I used to recommend:)
In my Postfix configuration, on the machine that acts as MX for my domains —
edit ‘/etc/postfix/header_checks’, and add these lines:
/^Return-Path: <>/ REJECT no third-party DSNs
/^From:.*MAILER-DAEMON/ REJECT no third-party DSNs
Edit ‘/etc/postfix/null_sender’, and add:
<> 550 no third-party DSNs
Edit ‘/etc/postfix/main.cf’, and ensure it contains these lines:
header_checks = regexp:/etc/postfix/header_checks
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/null_sender
(If you already have an ‘smtpd_sender_restrictions’ line, just
add ‘check_sender_access hash:/etc/postfix/null_sender’ to the end.)
Finally, run:
sudo postmap /etc/postfix/null_sender
sudo /etc/init.d/postfix restart
This catches most of the bounces — RFC-3464-format Delivery-Status-Notification messages from other mail servers.
In SpamAssassin
Install the
Virus-bounce ruleset. This will catch challenge-response mails, “out of
office” noise, “virus scanner detected blah” crap, and bounce mails generated
by really broken groupware MTAs — the stuff that gets past the Postfix
front-line.
Once you’ve done these two things, that deals with almost all the forged-bounce
load, at what I think is a reasonable cost. Comments welcome…