Posted to users@spamassassin.apache.org by mouss <us...@free.fr> on 2006/01/08 01:23:21 UTC

Re: Kinda O/T: Block Return-Path: <> mail?

Evan Platt a écrit :
> I'm getting quite a bit of spam with
> Return-Path: <>
> in the headers.
> 
> Will I likely see valid e-mail with this? Searching my previous mail, it
> appears to all be bounce warnings.
> 
> If so, what's the best way to just blackhole this? I have postfix, and put
> /Return-Path: <>/    Reject in the header_checks, but that seems to not
> be correct.
> 
> Here's an example of one of the headers:
> 
> Return-Path: <>
> X-Original-To: evan@espphotography.com
> Delivered-To: eplatt@espphotography.com
> Received: from aamer-e5bc809e7.chello.nl (a49245.upc-a.chello.nl
> [62.163.49.245])
>     by espphotography.com (Postfix) with SMTP id B4BCF35A80D
>     for <ev...@espphotography.com>; Thu,  5 Jan 2006 10:56:24 -0800 (PST)
> Message-Id: <20...@espphotography.com>
> Date: Thu,  5 Jan 2006 10:56:24 -0800 (PST)
> From: MAILER-DAEMON
> To: undisclosed-recipients:;
> 

Instead of focusing on the bad pattern, note that:

1) Note also that:
- Return-Path = <>
- To = undisclosed-recipients
- Message-Id is added by your system (@espphotography.com)
- From is non-FQDN

This all is suspicious, so a meta rule will catch this.
I think such a rule should be added to SARE. Any ninjas out there?


2) At MTA level:

IP=62.163.49.245
host=a49245.upc-a.chello.nl
helo=aamer-e5bc809e7.chello.nl

You could decide to reject or greylist this. Here is a "conservative" way:

- If rDNS and/or HELO look dynamic

Then use one or more of the following approaches:

- lookup the client in some DUL lists (njabl/dynablock seems safe) and
reject if found
- greylist
- ...

To implement "looks dynamic", you could match against some patterns:
/\d{4}/        (or even /\d{3}/)
/\d-\d+-\d/
...
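As an added illustration of both points in the reply above (the four-header "meta rule" in point 1 and the rDNS/HELO "looks dynamic" gate in point 2), here is a small Python script that is not part of the original thread and not SpamAssassin or Postfix code. It parses a constructed header block modelled on the one Evan quoted (the addresses, Message-Id and queue id are made up; `example.com` stands in for the local domain), counts the four indicators, and applies the post's regexes to the client's rDNS and HELO names. The `dul_listed` flag replaces a real DNS blocklist lookup so the script runs offline.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain of the receiving MTA, i.e. the one Postfix stamps
# into a Message-Id it generates for a message that arrived without one.
LOCAL_DOMAIN = "example.com"

# Constructed sample modelled on the headers quoted in the thread.
SUSPICIOUS = """\
Return-Path: <>
X-Original-To: user@example.com
Delivered-To: user@example.com
Received: from aamer-e5bc809e7.chello.nl (a49245.upc-a.chello.nl [62.163.49.245])
    by example.com (Postfix) with SMTP id 0123456789AB
    for <user@example.com>; Thu,  5 Jan 2006 10:56:24 -0800 (PST)
Message-Id: <20060105185624.0123456789AB@example.com>
Date: Thu,  5 Jan 2006 10:56:24 -0800 (PST)
From: MAILER-DAEMON
To: undisclosed-recipients:;

(body omitted)
"""

# Constructed sample of what a genuine DSN from a remote MTA looks like:
# null sender, but a real From domain, a real recipient and a remote Message-Id.
LEGIT_BOUNCE = """\
Return-Path: <>
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by example.com (Postfix) with ESMTP id 0123456789AC
    for <user@example.com>; Thu,  5 Jan 2006 11:00:00 -0800 (PST)
Message-Id: <dsn-0001@mx.example.org>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
To: user@example.com

(body omitted)
"""


def header_indicators(raw, local_domain=LOCAL_DOMAIN):
    """Return the names of the four indicators from point 1 that fire on this message."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Return-Path") or "").strip() == "<>":
        hits.append("null_return_path")
    if (msg.get("To") or "").strip().lower().startswith("undisclosed-recipients"):
        hits.append("undisclosed_recipients")
    # A Message-Id carrying our own domain on mail that came from outside means
    # the sender supplied none and our Postfix generated it.
    mid_domain = parseaddr(msg.get("Message-Id") or "")[1].rpartition("@")[2]
    if mid_domain.lower() == local_domain.lower():
        hits.append("local_message_id")
    # "MAILER-DAEMON" alone has no @domain at all; treat any domain without a dot as non-FQDN.
    from_domain = parseaddr(msg.get("From") or "")[1].rpartition("@")[2]
    if "." not in from_domain:
        hits.append("from_not_fqdn")
    return hits


def is_suspicious_bounce(raw):
    """The meta rule: all four indicators together, mirroring an AND of sub-rules."""
    return len(header_indicators(raw)) == 4


RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")


def client_from_received(raw):
    """Return (helo, rdns, ip) parsed from the first Received: header, or None."""
    m = RECEIVED_RE.search(message_from_string(raw).get("Received") or "")
    return m.groups() if m else None


def looks_dynamic(name, loose=False):
    """The post's patterns: /\\d-\\d+-\\d/ plus /\\d{4}/ (or /\\d{3}/ when loose)."""
    patterns = [r"\d-\d+-\d", r"\d{3}" if loose else r"\d{4}"]
    return any(re.search(p, name) for p in patterns)


def mta_policy(helo, rdns, dul_listed=False):
    """Point 2's conservative policy: only a dynamic-looking client is ever
    greylisted, and only one that is also on a DUL is rejected."""
    if not (looks_dynamic(rdns) or looks_dynamic(helo)):
        return "accept"
    return "reject" if dul_listed else "greylist"


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit bounce", LEGIT_BOUNCE)):
        helo, rdns, ip = client_from_received(raw)
        print(label, header_indicators(raw), is_suspicious_bounce(raw),
              ip, mta_policy(helo, rdns))
```

Note that with the stricter `/\d{4}/` only the rDNS name `a49245.upc-a.chello.nl` matches, while the HELO `aamer-e5bc809e7.chello.nl` is only caught by the looser `/\d{3}/`; that is why the post tests "rDNS and/or HELO". The genuine DSN trips just the null Return-Path, so the meta rule leaves it alone.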