Banning NDR/Postmaster spoofing

Post by uncltom » Thu Oct 13, 2011 12:52 am

So it finally happened to one of our clients. Someone is spoofing their e-mail address in the return to and envelope from header fields. Now it's time to block NDRs that don't come from my mail server (or relay)! This is how I did it.

1. Download and extract this to /usr/mailcleaner/share/spamassassin:
vbounce.tar.gz

2. Edit 20_vbounce.cf in /usr/mailcleaner/share/spamassassin and change mail.domain.ext from

    whitelist_bounce_relays      mail.domain.ext

to any mail relay you might be using so you get your own NDRs. Not using one? Just leave the line as is. Apparently it's required.

3. As with any spamassassin change run:

    spamassassin --lint

4. If you have no errors from step 3 then run:

    /usr/mailcleaner/etc/init.d/mailscanner restart

to put it in place.

See http://wiki.apache.org/spamassassin/VBounceRuleset for more info...

Other things to consider since putting this in place.
1. Turn off all whitelisting. The bounces will come from legit senders like gmail.com, hotmail.com, etc., so whitelisting is useless while this continues.
2. Frequently the spammers move on to another e-mail address so this does not have to be a permanent change.
3. Make sure your from spoofing doesn't cause you to be blacklisted. It'd be stupid to blacklist based on the from field but the poster is true "Retards: Everybody knows one".
~ Tom
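
Added example, not part of the post above and not the VBounce plugin's own code: a simplified Python model of the whitelist_bounce_relays check as the VBounce documentation describes it, where a bounce is kept when a Received line it carries names one of the listed relays. The function names are hypothetical, and both sample bounces and every hostname except the post's mail.domain.ext placeholder are constructed.

```python
# Simplified model of the whitelist_bounce_relays check (not the plugin's code).

def received_hosts(raw_bounce):
    """Dotted host/IP tokens on Received: lines carried in the bounce body
    (the returned original message); the bounce's own headers are ignored."""
    _, _, body = raw_bounce.replace("\r\n", "\n").partition("\n\n")
    lines = []
    for line in body.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()      # unfold a continuation line
        else:
            lines.append(line)
    hosts = set()
    for line in lines:
        if not line.lower().startswith("received:"):
            continue
        for tok in line.split()[1:]:
            tok = tok.strip("()[]<>;,").lower()
            if "." in tok and "@" not in tok:    # skip addresses, keep hosts
                hosts.add(tok)
    return hosts

def is_rescued(raw_bounce, whitelist_bounce_relays):
    """True when the bounce quotes a Received line naming one of our relays."""
    wanted = {h.lower() for h in whitelist_bounce_relays}
    return bool(received_hosts(raw_bounce) & wanted)

# Constructed sample: NDR for mail that really left through our relay.
OWN_NDR = (
    "From: MAILER-DAEMON@remote.example\nTo: alice@client.example\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "<bob@remote.example>: user unknown\n\n"
    "Received: from mail.domain.ext (mail.domain.ext [192.0.2.10])\n"
    "\tby mx.remote.example with ESMTP id ABC123;\n"
    "\tThu, 13 Oct 2011 00:40:00 -0700\n"
    "From: alice@client.example\nTo: bob@remote.example\n")

# Constructed sample: backscatter for spoofed mail we never sent.
BACKSCATTER = (
    "From: MAILER-DAEMON@remote.example\nTo: alice@client.example\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "<nobody@remote.example>: user unknown\n\n"
    "Received: from unknown (HELO pc-17.dsl.example.net) ([198.51.100.77])\n"
    "\tby mx.remote.example with SMTP; Thu, 13 Oct 2011 00:41:00 -0700\n"
    "From: alice@client.example\nTo: nobody@remote.example\n")

if __name__ == "__main__":
    for name, raw in (("own NDR", OWN_NDR), ("backscatter", BACKSCATTER)):
        print(name, sorted(received_hosts(raw)), is_rescued(raw, ["mail.domain.ext"]))
```

Running received_hosts over a saved NDR for mail you really sent shows which hostname belongs on the whitelist_bounce_relays line.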
