Spam Filter ISP Support Forum


How to not send NDRs if not in EmailTo li

john11 (Newbie)
Posted: 26 September 2006 at 1:49am
We have a whitelist of all authorized email addresses. We reject the rest. How to put the rest into IP BlackList and/or not send NDRs?

LogSat (Admin Group)
Posted: 26 September 2006 at 10:30pm
If using an "authorized to" whitelist, automatically all recipients not on the list will be rejected. However the sender will always receive an error code when attempting to send an email to an address not in that list. This causes an NDR to be generated by the sender's mail server and cannot be avoided.

As an alternative, you could configure SpamFilter to "tag spam & deliver". This way spam is marked as such and delivered, so no NDRs are generated. You would then need client rules to catch the tagged emails and stop them.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

john11 (Newbie)
Posted: 26 September 2006 at 10:34pm

Roberto, I'm trying not to let the DHA attackers know which email is good and which is not. Any other suggestions? We apparently are under a 24 hour, basically continuous, DHA attack.

I prefer to drop on the floor those email addresses that are bogus. No NDR. And then deliver the email that is good. I am not very concerned about spam now. The MAPS and other filters do that nicely. I am trying to not let the mail program tell the DHA attackers which email is legit and which is not. What to do?

LogSat (Admin Group)
Posted: 26 September 2006 at 10:51pm
John,

Please see the response by sgeorge to an earlier post you made at http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5801&TPN=1.
That filter effectively blocks most attacks as the IP will be banned at a connection level, preventing it from sending any further commands to SpamFilter.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

john11 (Newbie)
Posted: 26 September 2006 at 10:55pm

yup. already doing that. But the ip caches show only a couple send more than 1 msg to a bogus email address. It looks like a zillion zombies, each with its own ip address, are sending spam to bogus addresses, trying to guess the correct addresses.

I'd REALLY like to accept these msgs, drop them on the floor, and not respond with any 55x msg.

sgeorge (Senior Member)
Posted: 27 September 2006 at 4:08pm
hmm... you're making me think...

Here's an idea... and it may only work if you have a set of email addresses that have a predictable format...  Do your authorized email addresses all have a similar format of some sort? (e.g. john.smith@domain.com, mary.kate@domain.com, etc?)

If so, you may be able to make a RegEx filter that loosely specifies a large set of recipient addresses that are invalid.  For example, take the email addresses that I listed above.  If by chance all of your addresses appear as firstname(dot)lastname@domain.com, you may be able to block all incoming mail that isn't sent to an address with a "." in it, and send to null.  It's not likely that you'll say, "yeah, that's our setup", but let's suppose...
you could add a keyword of
(\w*[^.]\w*@*):null
...to your "To Emails" blacklist.

A more practical approach: take the full source of two of these emails.  Post it on the board.  I can take a look and see *crosses fingers* if there's another way (such as a keyword) to block all of these messages and send them to null.
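
A way to check a candidate "To Emails" pattern against known-good and known-bad recipients before giving it a null action. This is an added example, not part of the original post and not LogSat code; it uses Python's `re` module, whose behaviour may differ from SpamFilter's regex engine, and the sample addresses and the `ANCHORED` alternative are assumptions.

```python
import re

# Regex exactly as posted above; ":null" is the SpamFilter action, not regex.
POSTED = re.compile(r"(\w*[^.]\w*@*)")
# Assumed alternative (not from the thread): anchored, and true only when
# the local part before "@" contains no dot.
ANCHORED = re.compile(r"^[^.@\s]+@[^@\s]+$")

# Constructed recipients mapped to the intended outcome under the
# firstname.lastname policy: True = send to null, False = deliver.
SAMPLES = {
    "john.smith@example.com": False,
    "mary.kate@example.com": False,
    "jsmith@example.com": True,
    "info@example.com": True,
}

def hits(pattern, recipient, mode):
    """Apply the pattern as a substring search or as a whole-string match."""
    fn = pattern.search if mode == "search" else pattern.fullmatch
    return fn(recipient) is not None

def misrouted(pattern, mode="search"):
    """Recipients the pattern would treat differently from the policy."""
    return sorted(r for r, want in SAMPLES.items()
                  if hits(pattern, r, mode) != want)

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        for mode in ("search", "fullmatch"):
            print(f"{name:8} {mode:9} misrouted: {misrouted(pat, mode)}")
```

The thread does not say whether SpamFilter searches for the pattern or matches the whole address, so both modes are checked; a pattern that misroutes a whitelisted address silently discards legitimate mail once `:null` is attached.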

Marco (Senior Member)
Posted: 29 September 2006 at 10:33am

Maybe someone can figure out a way to 'harvest' the zombie IPs, maybe by using the honeypot or parsing the logs.

Once you got all zillion, feed them into your firewall, that should stop anything after that.

Tagging as spam and filtering afterwards would cost immense bandwidth, I don't see that as a suitable option.

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
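
A sketch of the log-parsing idea from the post above, for the case described earlier in the thread where each zombie IP sends only one message. This is an added example, not part of the original post and not LogSat code; the log layout, the honeypot address and the sample lines are constructed for illustration and do not reflect SpamFilter's real log format.

```python
import re
from collections import defaultdict

# Constructed log layout (assumption, not SpamFilter's real format):
#   <date> <time> <client-ip> RCPT <recipient> <smtp-reply-code>
LINE = re.compile(r"^\S+ \S+ (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT "
                  r"(?P<rcpt>\S+) (?P<code>\d{3})$")

SAMPLE_LOG = """\
2006-09-26 22:31:04 203.0.113.17 RCPT aaron@example.com 550
2006-09-26 22:31:05 198.51.100.8 RCPT john.smith@example.com 250
2006-09-26 22:31:05 203.0.113.90 RCPT abby@example.com 550
2006-09-26 22:31:06 192.0.2.44 RCPT trap@example.com 250
2006-09-26 22:31:07 198.51.100.8 RCPT mary.kate@example.com 250
2006-09-26 22:31:08 198.51.100.8 RCPT jon.smith@example.com 550
2006-09-26 22:31:09 192.0.2.61 RCPT adam@example.com 550
malformed line that the parser must skip
"""

HONEYPOT = {"trap@example.com"}  # hypothetical address never given to humans

def harvest(log_text, honeypot=HONEYPOT):
    """Return (block, review): IPs to block and IPs needing a human look."""
    rejected, delivered, trapped = defaultdict(int), defaultdict(int), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the layout
        ip, rcpt, code = m["ip"], m["rcpt"].lower(), m["code"]
        if rcpt in honeypot:
            trapped.add(ip)
        elif code.startswith("5"):
            rejected[ip] += 1
        else:
            delivered[ip] += 1
    # Block honeypot hits and IPs whose only traffic went to unknown users;
    # a single rejected recipient is enough, since zombies rarely repeat.
    block = sorted(trapped | {ip for ip in rejected if ip not in delivered})
    # Mixed good and bad recipients may be a legitimate relay with a typo.
    review = sorted(ip for ip in rejected
                    if ip in delivered and ip not in trapped)
    return block, review

if __name__ == "__main__":
    print(harvest(SAMPLE_LOG))
```

The `review` list keeps senders that also delivered to valid recipients out of the firewall feed, which matters when one rejected message is the whole signal per IP.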