Posted to users@spamassassin.apache.org by Arvid Picciani <ae...@exys.org> on 2009/06/25 23:53:38 UTC

backscatter (was Re: casper@snigelpost.org bounces?)

Charles Gregory wrote:
> On Thu, 25 Jun 2009, Arvid Picciani wrote:
>> I started blocking some backscattering hosts and would like to inform 
>> them how to fix the issue.
>
> I still welcome suggestions for handling the few remaining cases where 
> my procmail chokes on a mailbox limit. Probably more of a PM question 
> than an SA question, but seeing how the cause for concern is 
> backscatter from 'full mailbox' DSN's I'm figuring the answer is here, 
> if anywhere....
>
> - C
I didn't exactly understand which of the two possible questions you 
asked (yeah, not a native speaker :/ ) so I'll try both:

1) Your MTA bounces, because your users' mailboxes are full.
Defer (temporary reject) the message at SMTP time, so the sending MTA 
retries a few times and ultimately gives up, informing the REAL sender. 
(You could also reject permanently, if you want that.)
If you absolutely can't fix the MTA, at least check the SPF before 
bouncing. If the SPF doesn't match the sender, don't send a bounce. 
Same for DKIM. Also don't bounce spam.
Note that backscatter can actually get you blacklisted if you bounce to 
traps.

2) You're receiving backscatter and you get "mailbox full" DSNs
I find it impossible to parse DSNs. There is no standard and it's 
supposed to be human readable.
For now I block mail from postmaster/bounce-*/MAILER-DAEMON/... from 
listed (known misconfigured) hosts. I had to firewall two very 
aggressive hosts though ("normal" hosts!)
This blocks legitimate DSNs so it might not be the solution for everyone.
Backscatter.org is far from complete, so I'm working on a trap. Thanks 
to one of our domains being joe jobbed (and not receiving legitimate DSNs, 
since we don't use it anymore) I can get around 100 hosts per day listed.
Unfortunately I lack the infrastructure to make it useful for the 
public, and backscatter.org has no report form.

Re: backscatter (was Re: casper@snigelpost.org bounces?)

Posted by Charles Gregory <cg...@hwcn.org>.
On Thu, 25 Jun 2009, Arvid Picciani wrote:
>>  I still welcome suggestions for handling the few remaining cases where my
>>  procmail chokes on a mailbox limit. Probably more of a PM question than an
>>  SA question, but seeing how the cause for concern is backscatter from
>>  'full mailbox' DSN's I'm figuring the answer is here, if anywhere....
> 1) Your MTA bounces, because your users' mailboxes are full.

Of the two questions, this one is closest, but it's not the MTA that 
generates the bounce. The MTA has handed off the message for delivery to 
individual recipients after accepting the DATA. Procmail encounters the 
full mailbox and signals the MTA.

My MTA checks for mailboxes that are *already* over quota while dealing 
with individual 'RCPT_TO' commands. The problem comes after I receive DATA 
and know the size of the mail. At this point the only actions my MTA can 
take are for ALL recipients. I can't reject mail just for *one* recipient 
with a (nearly) full mailbox. The only 'workaround' for this would be to 
have my MTA enforce individual recipients by returning a 4xx code for 
second and subsequent recipients. Mind you, this might actually help with 
some spam, but it would also add to bandwidth for ALL legitimate mail with 
multiple recipients, forcing transmission of the data/body for each one.

> 2) You're receiving backscatter and you get "mailbox full" DSNs
> I find it impossible to parse DSNs. There is no standard and it's 
> supposed to be human readable.

This wasn't my question, but I have a 'fairly good' answer for it:
I do a body check for a quoted From line that has the wrong 'name' in 
front of my address.... Eg. "From: Bob Kenny <ch...@hwcn.org>...

- Charles
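
The body check described in the reply above (a quoted From line carrying the recipient's own address under a display name they never use), as an added Python sketch that is not code from either poster or from SpamAssassin. The function name, the addresses and both sample bounces are constructed for illustration, and treating a quoted From line with no display name as "not forged" is an assumption.

```python
import re
from email.utils import parseaddr

# A From: header quoted inside the bounce body, optionally indented or ">"-quoted.
QUOTED_FROM = re.compile(r"^[ \t>]*From:[ \t]*(.+)$", re.IGNORECASE | re.MULTILINE)

def wrong_name_froms(raw_message, my_address, my_names):
    """Return display names seen on quoted From: lines that carry my_address
    but a name I never send under (the backscatter signal)."""
    # Only the body is checked: everything after the first blank line.
    _, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    known = {n.strip().lower() for n in my_names}
    hits = []
    for value in QUOTED_FROM.findall(body):
        name, addr = parseaddr(value)
        if addr.lower() != my_address.lower():
            continue  # quoted sender is someone else's address
        # Assumption: a bare address (no display name) is not counted as forged.
        if name and name.strip().lower() not in known:
            hits.append(name)
    return hits

# Constructed sample: a bounce for mail we never sent (forged display name).
SAMPLE_BACKSCATTER = """\
From: MAILER-DAEMON@mx.example.net
To: alice@example.org
Subject: Undelivered Mail Returned to Sender

The mailbox of <someone@example.net> is full.

--- Original message headers ---
From: Bob Kenny <alice@example.org>
To: someone@example.net
Subject: hello
"""

# Constructed sample: a bounce for mail we really sent.
SAMPLE_GENUINE = SAMPLE_BACKSCATTER.replace("Bob Kenny", '"Alice Example"')

if __name__ == "__main__":
    for label, msg in (("backscatter", SAMPLE_BACKSCATTER), ("genuine", SAMPLE_GENUINE)):
        print(label, wrong_name_froms(msg, "alice@example.org", ["Alice Example"]))
```

A non-empty result marks the DSN as backscatter; a genuine bounce that quotes the user's real display name passes through.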