Reject incomming e-mails to known addresses

Hi group,

I have a new domain which i'm virtual hosting on my box. I have a few
users setup on it and a catch all.

The thing is, it looks like someone had the domain before me, and i'm
getting swamped with spam to only two addresses - info@ and marcello@

Is there any way I can reject e-mails to both of these addresses?

Thanks.

andrew.casey@gmail.com wrote in news:1191253458.877532.67090@
19g2000hsx.googlegroups.com:

> Hi group,
>
> I have a new domain which i'm virtual hosting on my box. I have a few
> users setup on it and a catch all.
>
> The thing is, it looks like someone had the domain before me, and i'm
> getting swamped with spam to only two addresses - info@ and marcello@
>
> Is there any way I can reject e-mails to both of these addresses?
>
> Thanks.

In /etc/postfix/block, put

info@domain.com DISCARD
marcello@domain.com DISCARD

Then run "postmap block"

In main.cf you can put something like this:

smtpd_recipient_restrictions =
...
check_recipient_access hash:/etc/postfix/block
...
permit_mynetworks
etc...


That will tell the sender the message was delivered, then quietly (with
an entry in the logfile) delete the message.

There's more than one way to skin a cat, so I'm sure there are other ways
of doing it. But this is one :P

Darek wrote:
[SNIP]
> There's more than one way to skin a cat, so I'm sure there are other ways
> of doing it. But this is one :P

Nice one.

I do it by aliasing the un-wanted user to /dev/null.

In "aliases" (wherever on you system it lies):
# Put your local aliases here.
bad_one: /dev/null
bad_two: /dev/null
....

Just remember to run "newaliases" after adding them.

Cheers,
Gary B-)

In article <5mdtlsFcr4j7U1@mid.individual.net>, Gary R. Schmidt wrote:
> I do it by aliasing the un-wanted user to /dev/null.
>
> In "aliases" (wherever on you system it lies):
> # Put your local aliases here.
> bad_one: /dev/null
> bad_two: /dev/null
> ...
>

Think twice about that. You're telling the spammers that's
a deliverable address. They'll tell their friends.
You're absorbing their message body,
up to your maximum. I'd put an item in your recipients map,

bad_one REJECT That address is bad.

Then in main.cf,

smtpd_recipient_restrictions =
...
check_recipient_access hash:recipients
...


That way you send them away before they waste your time
with the message body.


Cameron

andrew.casey@gmail.com wrote:
> Hi group,
>
> I have a new domain which i'm virtual hosting on my box. I have a few
> users setup on it and a catch all.
>
> The thing is, it looks like someone had the domain before me, and i'm
> getting swamped with spam to only two addresses - info@ and marcello@
>
> Is there any way I can reject e-mails to both of these addresses?
>
What do you mean by "reject"? If you mean respond with 550 reject
messages, that's a bad idea because the sender addresses are probably
forged.

As its only two known addresses that are getting the spam you could set
up a "dustbin" user to run procmail using a recipe that deletes all the
mail it receives by piping it into /dev/null. Use a .forward script in
the dustbin user to run procmail. Add entries to /etc/aliases to
redirect mail for "info" and "marcello" to the dustbin user. Don't
forget to run postalias after you've edited /etc/aliases.

If much of the spam is backscatter[1] it may also be worthwhile setting
up an SPF record for your new domain. See http://www.openspf.org/ for an
SPF description and http://www.kitterman.com/spf/validate.html for SPF
record test and validation tools.

[1] "backscatter" is spam sent to other domains with your address forged
as the sender, in this case info and marcello addresses in your domain.
Creating an SPF record suppresses backscatter if the target domain's MTA
is SPF-aware. Many are these days.


--
martin@ | Martin Gregorie
gregorie. | Essex, UK
org |

In article <74gnt4-24c.ln1@zoogz.gregorie.org>, Martin Gregorie wrote:
> andrew.casey@gmail.com wrote:
>> Hi group,
>>
>> I have a new domain which i'm virtual hosting on my box. I have a few
>> users setup on it and a catch all.
>>
>> The thing is, it looks like someone had the domain before me, and i'm
>> getting swamped with spam to only two addresses - info@ and marcello@
>>
>> Is there any way I can reject e-mails to both of these addresses?
>>
> What do you mean by "reject"? If you mean respond with 550 reject
> messages, that's a bad idea because the sender addresses are probably
> forged.

What? REJECT is exactly the right thing to do with incoming
mail to addresses that are known bad.
If you do it in smtpd_recipient_restrictions, your smtpd can
move on and doesn't waste time looking at the spammer's DATA.

If the sender is legit, he gets a Delivery Status Notice
explaining that's a wrong address.

If the sender is spamware, it moves on and the spam
vanishes. It *might* record a bad address, but chances
are it doesn't bother.

If the sender is a hijacked server, say a PHP exploit,
he generates a backscatter message to some random address
(the one the spammer forged), which probably rejects it. His
queue fills up with double
bounces, his mail stops working, and his users beat his
door down, forcing him to pay attention to his neglected
machine, and find and fix the hole.

If the incoming message *is* backscatter, the backscattering
machine fills up with double bounces and crashes, forcing
its owner to do something about the backscatter he's been
generating. Or it throws the message away and keeps
on backscattering. Either way, it's not your problem.


The alternative is what Qmail did.
Qmail-1.03 has an enormous architectural flaw, in that it
accepts everything and then tries to return the undeliverables.
You only have a choice of throwing them away, or generating
backscatter. When you get hit with a dictionary attack,
you're toast. It's one reason I switched from Qmail to Postfix.


>
> As its only two known addresses that are getting the spam you could set
> up a "dustbin" user to run procmail using a recipe that deletes all the
> mail it receives by piping it into /dev/null.

Bad idea. Those "legitimate" spammers who try to maintain
valid lists mark these addresses as valid and deliverable,
and they keep getting spammed. And sold to more "legitimate"
spammers. Better to let them know to go away.

And if you are going to throw it away, Procmail is kind
of heavy. "|dd of=/dev/null" has the same effect.
I assume Postfix' local(8) won't deliver directly to /dev/null
because it's world readable? Haven't tried it.


> If much of the spam is backscatter[1] it may also be worthwhile setting
> up an SPF record for your new domain. See http://www.openspf.org/ for an
> SPF description and http://www.kitterman.com/spf/validate.html for SPF
> record test and validation tools.

That works if your users will let you do it. My users like
to send mail through their ISP's outbound relays, with
our domain in the envelope-sender and From: line.
Eventually this will be impossible, and I'll have to let them
use SMTP AUTH submission just to send mail that looks right.
But we're enjoying it while it lasts. When I register in
SPF, it's over.


Cameron