North American Network Operators Group


backscatter hosts (was: Re: Barracuda Networks Spam Firewall)

  • From: Steven Champeon
  • Date: Tue May 18 18:21:18 2004

on Tue, May 18, 2004 at 04:01:40PM -0400, Todd Vierling wrote:
> 
> On Mon, 17 May 2004, Jared B. Reimer wrote:
> 
> : >We had this problem when our inbound-smtp server ( the server the
> : >barracuda is dumping mail to) was accepting all RCPT TOs
> 
> : This is a pretty serious flaw IMHO, if it is (in fact) true.  qmail isn't
> : the only mailer that behaves this way.
> 
> And, regardless of what the Barracuda box did, you should fix your qmail
> install.  This behavior is no longer considered acceptable by the 'net at
> large, because accept-then-bounce is the biggest cause of virus spew
> bounceback spam.
> 
> (As a result, people have begun widely blocking MXs that accept-then-bounce.
> You'd do yourself quite a favor to convert to reject-at-SMTP now, before you
> get blocked too.)

At present, thanks to a recent massive joe job against one of the
domains we host, I've got a list of ~16100 mailhosts that I no longer
accept null sender mail* from. Most of them are running qmail, based on
some unscientific analysis I did when compiling the list. All of them
accepted, then bounced, mail from spammers HELO'ing with that domain
"back" to the victim. Several hundred also sent us DSNs from virus
forgeries. All of them were unnecessary.

Sad, really, especially given that patches exist to fix this problem.

Steve
* or postmaster/Symantec_Antivirus/Webshield/VirusWall/JCT/etc.

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
Buy "Cascading Style Sheets: Separating Content from Presentation, 2/e" today!
http://www.amazon.com/exec/obidos/ASIN/159059231X/heskecominc-20/ref=nosim/
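
The difference between accept-then-bounce and reject-at-SMTP discussed in this thread, as an added example that is not part of the original message: a small model of one SMTP transaction under each policy, showing where the bounce to a forged sender comes from. The function names, the mailbox list and all addresses are constructed for illustration.

```python
# Added illustration: one SMTP transaction under two MX policies.
# Every address and hostname below is constructed for the example.
VALID_RCPTS = {"alice@mx.example.net"}  # assumed list of real local mailboxes

def handle(policy, mail_from, rcpt_to):
    """Return (dialog, bounces) for one delivery attempt.

    dialog  -- (client command, server reply) pairs seen on the wire
    bounces -- DSNs the MX emits afterwards, as (envelope_from, envelope_to)
    """
    dialog = [(f"MAIL FROM:<{mail_from}>", "250 ok")]
    known = rcpt_to.lower() in VALID_RCPTS
    if policy == "reject-at-smtp" and not known:
        # Refused inside the session: the connecting client owns the failure
        # and nothing is ever sent to the address claimed in MAIL FROM.
        dialog.append((f"RCPT TO:<{rcpt_to}>", "550 5.1.1 user unknown"))
        return dialog, []
    dialog.append((f"RCPT TO:<{rcpt_to}>", "250 ok"))
    dialog.append(("DATA", "250 queued"))
    bounces = []
    if not known and mail_from:
        # Failure found after acceptance: a DSN with the null sender "<>"
        # goes to whoever MAIL FROM claimed to be. A null-sender message
        # is itself never bounced.
        bounces.append(("", mail_from))
    return dialog, bounces

def backscatter(policy, attempts):
    """Count DSNs per target address across many delivery attempts."""
    hits = {}
    for mail_from, rcpt_to in attempts:
        for _null_sender, target in handle(policy, mail_from, rcpt_to)[1]:
            hits[target] = hits.get(target, 0) + 1
    return hits

# Constructed joe-job sample: forged sender, mostly nonexistent recipients.
ATTEMPTS = [
    ("victim@hosted.example.org", "bob@mx.example.net"),
    ("victim@hosted.example.org", "carol@mx.example.net"),
    ("victim@hosted.example.org", "alice@mx.example.net"),  # real mailbox
    ("", "dave@mx.example.net"),  # null sender: never bounced
]

if __name__ == "__main__":
    for policy in ("accept-then-bounce", "reject-at-smtp"):
        print(policy, backscatter(policy, ATTEMPTS))
```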