[wplug] Since we're talking iptables...

Poyner, Brandon bpoyner at ccac.edu
Thu Mar 4 08:35:45 EST 2004


James' explanation is correct.  The one thing to clarify is that the
bounced message is not sent to root; it is normally sent to postmaster,
which is often aliased to root.  The distinction may seem minor, but it
can help when writing procmail rules.  In fact, since you are using
sendmail you could define the DoubleBounceAddress in sendmail.cf
(confDOUBLE_BOUNCE_ADDRESS in .mc files) to go wherever you want.

Brandon Poyner
Network Engineer II
CCAC - College Office
412-237-3086


-----Original Message-----
From: James O'Kane [mailto:jo2y at midnightlinux.com] 
Sent: Wednesday, March 03, 2004 11:02 PM
To: WPLUG
Subject: Re: [wplug] Since we're talking iptables...


On Wed, 3 Mar 2004, Brandon Kuczenski wrote:
> Also, does this indicate some kind of relaying hole in my configuration?

I don't believe that to be the case. I'm doing secondary MX for wplug.org,
among other domains, and what sometimes happens is the spammer tries the
primary, it fails, so they try the secondary.

In the simplest/easiest configuration, the secondary doesn't have
knowledge of legitimate accounts on the primary, so it accepts the mail
from the spammer, closes that connection, and opens one to the primary to
deliver the message.

Now, the primary still says the message is for a bogus account, so the
secondary tries to open a connection to the sender. Since more often than
not, that is a bogus address, the secondary is stuck with a bounce message
that it can't deliver.

After a few days, it expires and notification of that goes to root.

There are different tarpits and automatic blockers for various spammers
that work at the IP level. If you're a member of Usenix (www.usenix.org) I
could point you to some conference papers on the subject.

-james

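The flow James describes, and Brandon's point about where the double bounce ends up, modelled as an added example (not code from the original thread or from sendmail): a Python simulation of a secondary MX that accepts any RCPT TO, relays to the primary, gets a 550 for a bogus user, cannot deliver the resulting bounce to the forged sender, and finally emits a double bounce to postmaster (or to whatever double-bounce address is configured), compared with a secondary that carries the primary's recipient list and rejects at RCPT TO so no bounce is ever generated. The domain, user list and addresses are constructed for the example.

```python
"""Constructed model of secondary-MX backscatter (not a real MTA).

Two secondaries are compared on the same spam message:
  secondary_blind   - accepts every recipient, relays, then has to bounce
  secondary_checked - knows the primary's users and rejects at RCPT TO
"""

from dataclasses import dataclass, field

# Constructed data: the primary's real accounts and the domain it serves.
DOMAIN = "example.org"
PRIMARY_USERS = {"alice", "bob"}
POSTMASTER = f"postmaster@{DOMAIN}"   # usually aliased to root


@dataclass
class Message:
    mail_from: str      # envelope sender (MAIL FROM), often forged by spammers
    rcpt_to: str        # envelope recipient (RCPT TO)
    body: str = ""


@dataclass
class Log:
    """Transcript of SMTP-level decisions, one line per step."""
    events: list = field(default_factory=list)

    def note(self, who, text):
        self.events.append(f"{who}: {text}")


def primary_rcpt(rcpt, log):
    """Primary MX answers RCPT TO from its real account list."""
    user, _, dom = rcpt.partition("@")
    if dom == DOMAIN and user in PRIMARY_USERS:
        log.note("primary", f"250 ok {rcpt}")
        return True
    log.note("primary", f"550 unknown user {rcpt}")
    return False


def sender_reachable(addr):
    """Stand-in for attempting to deliver a bounce back to MAIL FROM.
    Spam envelope senders are usually forged; model that with a
    constructed unresolvable domain."""
    return not addr.endswith("@bogus.invalid")


def secondary_blind(msg, log, double_bounce_address=POSTMASTER):
    """Secondary with no recipient knowledge.  It accepts the message at
    RCPT TO, so once the primary rejects it the secondary is the one that
    must produce the bounce.  Returns where the message finally lands.
    double_bounce_address plays the role of sendmail's DoubleBounceAddress."""
    log.note("secondary", f"250 ok {msg.rcpt_to} (no recipient check)")
    if primary_rcpt(msg.rcpt_to, log):
        return "delivered"
    # Null reverse-path: a bounce must itself never be bounced.
    bounce = Message(mail_from="", rcpt_to=msg.mail_from,
                     body=f"550 {msg.rcpt_to} unknown user")
    if sender_reachable(bounce.rcpt_to):
        log.note("secondary", f"bounce delivered to {bounce.rcpt_to}")
        return "bounced-to-sender"
    log.note("secondary", f"bounce to {bounce.rcpt_to} undeliverable, queued")
    # Queue lifetime expires; the undeliverable bounce becomes a double
    # bounce addressed to postmaster (or the configured address), not root.
    log.note("secondary", f"queue expired; double bounce to {double_bounce_address}")
    return f"double-bounce:{double_bounce_address}"


def secondary_checked(msg, log, known_users):
    """Secondary that carries the primary's recipient list.  Unknown users
    are refused at RCPT TO, so the 550 goes to the spammer's own
    connection and this host never generates a bounce."""
    user, _, dom = msg.rcpt_to.partition("@")
    if not (dom == DOMAIN and user in known_users):
        log.note("secondary", f"550 unknown user {msg.rcpt_to} (rejected at RCPT)")
        return "rejected-at-rcpt"
    log.note("secondary", f"250 ok {msg.rcpt_to}")
    if primary_rcpt(msg.rcpt_to, log):
        return "delivered"
    return "bounced-to-sender"   # lists out of sync; not exercised here


if __name__ == "__main__":
    spam = Message("nobody@bogus.invalid", f"zzz@{DOMAIN}")
    for handler, args in ((secondary_blind, ()), (secondary_checked, (PRIMARY_USERS,))):
        log = Log()
        outcome = handler(spam, log, *args)
        print(f"{handler.__name__}: {outcome}")
        for line in log.events:
            print("   ", line)
```

Run stand-alone it prints the transcript for each secondary. The point of the comparison is the position of the 550: the blind secondary has already taken responsibility for the message when it learns the user is bogus, so someone has to receive a bounce, and with a forged sender that someone ends up being postmaster; the checked secondary pushes the 550 back into the spammer's own session.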