Weblog entry #125 for Steve
I'm getting swamped with mail bounces with forged return addresses of @debian-administration.org.
So far the filtering is catching them. I use procmail and catch them with this snippet:
    #
    # Bounces
    #
    :0:
    *(Return-Path:).*(<>)
1700 messages in the last ten minutes, and still climbing....
Update: 3500 messages later I'm just bouncing these bounces at SMTP time now.
Comments on this Entry
http://www.postfix.org/BACKSCATTER_README.html#forged_other
Hehe, and I was surfing for stats of backscatter by MTA earlier, I could just ask Steve.
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Yes, a fair point. I've been catching bounces like this for the past few months, but I usually only have a few messages a day caught - and I look at these every day or two just in case it was a real bounce.
Right now I've got so many bounce messages archived that I don't know what to do with them!
Stats-wise my procmail rule caught 2863 messages between 15:54:54 and 17:54:09. (One hour.)
System load rose to about 6 before my queue-only tweaks to Exim kicked in and I logged *hundreds* of exim4 errors:
Connection from [xx.xx.xx.xx] refused: too many connections
(Not sure if this is something that is tunable, but I don't recall ever setting it up.)
Now I'm just dropping mail at SMTP time, rather than using wildcard handling for that domain since there are only a couple of "real" addresses in use.
Even now this is getting a few messages every couple of seconds:
2006-08-24 22:15:00 H=mx.crye-xxxx.com [xx.xx.xx.xx] F=<> rejected RCPT <FrankvsGarcia@debian-administration.org>: I don't want your spam.
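Reject lines like the one quoted in the comment above can be tallied to see how fast null-sender (F=<>) bounces are arriving and which relays send most of them. This is an added example, not part of the original entry or its comments; the sample log lines, host names, addresses and the `summarize_backscatter` helper are constructed, and it assumes the Exim main log has the shape of the quoted line.

```python
import re
from collections import Counter

# Exim reject line, in the shape quoted above:
#   <date> <time> H=<host> [<ip>] F=<sender> rejected RCPT <rcpt>: <text>
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>.*?) \[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)? "
    r".*?F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]+)>"
)

# Constructed sample log lines (documentation IP range, example domains).
SAMPLE_LOG = """\
2006-08-24 22:15:00 H=mx.a.example [192.0.2.10] F=<> rejected RCPT <AnnaSmith@example.org>: I don't want your spam.
2006-08-24 22:15:02 H=(relay.b.example) [192.0.2.20] F=<> rejected RCPT <bobjones@example.org>: I don't want your spam.
2006-08-24 22:15:40 H=mx.a.example [192.0.2.10] F=<> rejected RCPT <carol@example.org>: I don't want your spam.
2006-08-24 22:16:05 H=mail.c.example [192.0.2.30] F=<user@c.example> rejected RCPT <dave@example.org>: I don't want your spam.
2006-08-24 22:16:30 H=mx.a.example [192.0.2.10] F=<> rejected RCPT <annasmith@example.org>: I don't want your spam.
2006-08-24 22:17:00 1GGABC-0001aB-2C <= alice@example.org H=mail.c.example [192.0.2.30] P=esmtp S=1234
""".splitlines()

def summarize_backscatter(lines, burst_threshold=3):
    """Tally rejected null-sender recipients per minute, relay IP and address."""
    per_minute, per_relay, per_rcpt = Counter(), Counter(), Counter()
    for line in lines:
        m = REJECT_RE.match(line)
        if not m or m["sender"] != "":
            continue  # not a reject line, or the envelope sender is not <>
        per_minute[m["ts"][:16]] += 1       # bucket by YYYY-MM-DD HH:MM
        per_relay[m["ip"]] += 1
        per_rcpt[m["rcpt"].lower()] += 1    # forged local parts vary in case
    bursts = sorted(k for k, n in per_minute.items() if n >= burst_threshold)
    return {
        "total": sum(per_minute.values()),
        "per_minute": per_minute,
        "per_relay": per_relay,
        "per_rcpt": per_rcpt,
        "bursts": bursts,  # minutes at or above the threshold
    }

if __name__ == "__main__":
    report = summarize_backscatter(SAMPLE_LOG)
    print("null-sender rejects:", report["total"])
    print("busiest relays:", report["per_relay"].most_common(3))
    print("burst minutes:", report["bursts"])
```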
[ Send Message | View Steve's Scratchpad | View Weblogs ]
Clearly I meant two hours. Clearly ..