There is a package that is being developed right now that basically will squelch emails received from some domain.com address if the sending IP address isn't in the list of permitted addresses. Sender Permitted From (http://spf.pobox.com/) attempts to eliminate Joe Dropping from domain.com by doing a lookup on a TXT record similar to:

dccnet.com. IN TXT "v=spf1 mx ptr ip4:24.207.1.0/24 -all"

This would block mail with a From: address of *@dccnet.com that didn't relay through any of the MX hosts, originate from any broadband client address (from the PTR record), or come from the 24.207.1.0 Class C address space.

As this project is fairly new, there aren't many large domains making use of it, and the tools available aren't mature enough for some email implementations (mobile users making use of hot spots with SMTP hijacking and no submit port opened) for which the sending user's IP address isn't known. However, I do believe this project will pick up favor to help eliminate one source of address forgery, which I believe would have helped in your situation. AOL made use of this for 24 hours earlier this month and it resulted in the blocking of a large volume of spam addressed from aol.com (not originating from aol.com address space). Hopefully sites like yahoo, hotmail and others

Of course the cows have left the barn, but it's definitely worth looking at.

Cheers,
Aaron

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Suresh Ramasubramanian
Sent: January 22, 2004 6:15 PM
To: Edward Gray
Cc: nanog@merit.edu
Subject: Re: Large Mail Provider Throttling

Edward Gray wrote:
> To protect ourselves from delayed mail, we have implemented several system-wide rules to block autoreplies and undeliverable messages from being sent to the large providers. Unfortunately, this has resulted in many complaints from customers (since it's all or nothing). We have, so far, left these rules enabled 24x7, since the system has already become degraded by the time we realize an event is occurring.
You might want to:

* Use a mailserver that can reject rather than bounce email (that is, a mailserver where the smtpd process has a view of the userdb)
* Use a "current spam source" blocklist like cbl.abuseat.org, as well as a good open proxy blocklist like opm.blitzed.org
* Set up SpamAssassin to trash rather than later bounce email that does get through your filters and has a high enough spam score
* Do some HELO filtering (HELO hotmail.com from an IP with rDNS that doesn't say hotmail? HELO your.own.ip or HELO your.own.domain from an untrusted IP that you don't relay for / that someone hasn't authenticated from? REJECT) :)
* I'd add that a simple header check to reject (or preferably, discard) any mail with the string ".mr.outblaze.com" in any Received: header will get rid of a lot of spam for you.

There are a few other things, but these will be off topic here. Please feel free to mail me offlist.

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations
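To make the SPF record Aaron quotes concrete, here is an added example (not code from the thread or from the SPF project) that evaluates "v=spf1 mx ptr ip4:24.207.1.0/24 -all" against a connecting IP. All DNS answers come from a constructed in-memory table, so the MX hosts, A records and PTR names are assumptions; the "ptr" mechanism is implemented the way the SPF specification defines it, with the reverse name required to forward-resolve back to the sending IP. The last case, an IP with no PTR and outside every listed range, is exactly the roaming user Aaron mentions: under "-all" that mail fails.

```python
"""Minimal SPFv1 evaluator covering the mx, ptr, ip4 and all mechanisms.

Added example: DNS answers are a constructed in-memory table, not live lookups.
"""
import ipaddress

# Constructed DNS data (assumption) for the record quoted in the thread.
DNS = {
    "txt": {"dccnet.com": ['v=spf1 mx ptr ip4:24.207.1.0/24 -all']},
    "mx":  {"dccnet.com": ["mail1.dccnet.com", "mail2.dccnet.com"]},
    "a": {
        "mail1.dccnet.com":   ["203.0.113.10"],
        "mail2.dccnet.com":   ["203.0.113.11"],
        "cable-5.dccnet.com": ["198.51.100.5"],   # a broadband customer
    },
    "ptr": {
        "203.0.113.10":  ["mail1.dccnet.com"],
        "198.51.100.5":  ["cable-5.dccnet.com"],
        "198.51.100.77": ["host-77.example.net"],  # someone else's customer
        "192.0.2.50":    ["mail1.dccnet.com"],     # forged PTR: forward A disagrees
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    records = [t for t in DNS["txt"].get(domain, [])
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    return records[0] if len(records) == 1 else None


def mechanism_matches(name, arg, ip, domain):
    """True if the sending IP matches one mechanism of the record."""
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if name == "mx":
        # Sender must be one of the A records of the domain's MX hosts.
        return any(str(ip) in DNS["a"].get(host, [])
                   for host in DNS["mx"].get(target, []))
    if name == "ptr":
        # Validated reverse DNS: the PTR name must be under the target domain
        # AND forward-resolve back to the sending IP; otherwise anyone who
        # controls their own in-addr.arpa zone could claim a dccnet.com name.
        for host in DNS["ptr"].get(str(ip), []):
            if (host == target or host.endswith("." + target)) \
                    and str(ip) in DNS["a"].get(host, []):
                return True
        return False
    raise ValueError(f"mechanism not supported in this example: {name}")


def check_spf(sender_ip, mail_from_domain):
    """Evaluate the MAIL FROM domain's SPF record for a connecting IP.

    Returns one of: none, pass, fail, softfail, neutral.
    """
    record = get_spf_record(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        if "=" in term:                       # modifiers (redirect=, exp=) ignored here
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if mechanism_matches(name, arg, ip, mail_from_domain):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                          # no mechanism matched


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.5", "24.207.1.200",
               "198.51.100.77", "192.0.2.50", "192.0.2.9"):
        print(f"{ip:>14} MAIL FROM:<user@dccnet.com> -> {check_spf(ip, 'dccnet.com')}")
```

The forged-PTR case (192.0.2.50) is why the ptr mechanism must be validated against the forward lookup: a bare reverse-name string match would let any network that controls its own reverse zone pass as dccnet.com.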
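The HELO checks and the Received: header check in Suresh's list, as an added example that is not code from the thread or from outblaze.com. The site's domain, its MX address, the networks it relays for and the reverse-DNS answers are all assumptions built into the block; the ".mr.outblaze.com" string is the one quoted in the reply. Only Received: headers are inspected for that string, and folded header lines are joined first so a continuation line cannot hide it.

```python
"""SMTP-time HELO sanity checks and a Received: header substring check.

Added example with constructed data: the domain, address ranges, hostnames
and rDNS answers below are assumptions, not a real site.
"""
import ipaddress

OUR_DOMAIN = "example.net"                               # assumption: our own domain
OUR_IPS = {"203.0.113.25"}                               # assumption: our MX's address
RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]    # assumption: nets we relay for
# Large providers whose name in HELO should be backed by matching rDNS.
BIG_PROVIDERS = {"hotmail.com", "yahoo.com", "aol.com"}
# Constructed reverse-DNS answers (assumption) standing in for live lookups.
RDNS = {
    "198.51.100.9":  "mta-9.mail.hotmail.com",
    "198.51.100.33": "cable-33.isp.example",
    "203.0.113.77":  "ws-77.example.net",
}
# Substring from the reply; any Received: header carrying it is discarded.
BAD_RECEIVED_SUBSTRINGS = (".mr.outblaze.com",)


def _under(name, domain):
    return name == domain or name.endswith("." + domain)


def helo_verdict(helo, ip, authenticated=False):
    """Return ('REJECT', reason) or ('ACCEPT', None) for one HELO/EHLO."""
    helo = helo.strip().lower().strip("[]")      # "[203.0.113.25]" -> "203.0.113.25"
    addr = ipaddress.ip_address(ip)
    rdns = RDNS.get(ip, "").lower()
    trusted = authenticated or any(addr in net for net in RELAY_NETS)
    # Rule 1: HELO names a large provider, but the rDNS does not agree.
    for provider in BIG_PROVIDERS:
        if _under(helo, provider) and not _under(rdns, provider):
            return "REJECT", f"HELO {helo} from {ip} (rDNS {rdns or 'none'})"
    # Rule 2: HELO claims to be us, from a host we neither relay for nor
    # have authenticated.
    if not trusted and (helo in OUR_IPS or _under(helo, OUR_DOMAIN)):
        return "REJECT", f"untrusted {ip} claims to be {helo}"
    return "ACCEPT", None


def received_verdict(raw_headers):
    """Return 'DISCARD' if any Received: header carries a listed substring.

    Folded continuation lines (leading space/tab) are joined to their header
    before matching, and only Received: headers are examined.
    """
    headers = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    for h in headers:
        lower = h.lower()
        if lower.startswith("received:") and any(s in lower for s in BAD_RECEIVED_SUBSTRINGS):
            return "DISCARD"
    return "DELIVER"


# Constructed sample headers: the marker sits on a folded continuation line.
SAMPLE_SPAM = (
    "Received: from [192.0.2.8]\r\n"
    "\t(ws3.mr.outblaze.com [192.0.2.8]) by mx.example.net with SMTP id a1\r\n"
    "From: someone@example.com\r\n"
    "Subject: hello\r\n"
)
# The string only in the Subject must not trigger a Received: header rule.
SAMPLE_CLEAN = (
    "Received: from mail.example.org (mail.example.org [192.0.2.4])\r\n"
    "\tby mx.example.net with ESMTP id b2\r\n"
    "From: someone@example.org\r\n"
    "Subject: note about .mr.outblaze.com\r\n"
)

if __name__ == "__main__":
    for helo, ip, auth in (("hotmail.com", "198.51.100.9", False),
                           ("mx1.hotmail.com", "198.51.100.33", False),
                           ("example.net", "198.51.100.33", False),
                           ("[203.0.113.25]", "198.51.100.33", False),
                           ("example.net", "203.0.113.77", False),
                           ("example.net", "198.51.100.33", True)):
        print(helo, ip, auth, helo_verdict(helo, ip, auth))
    print(received_verdict(SAMPLE_SPAM), received_verdict(SAMPLE_CLEAN))
```

Rule 2 deliberately exempts authenticated sessions and the relay networks; without that exemption a site's own roaming users, who legitimately HELO with the site's domain, would be rejected along with the forgers.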