The only autoreply from the joe-job of mirror@ibiblio that I found entertaining.

I’m stuck and I don’t have a good way out. I’ll paint the picture for you: I’m responsible for a mail server that handles mail for about 50 domains. We get joe jobbed pretty much constantly, and recently spammers have started picking on not-so-tech-savvy individuals who do their mail with us. Eg. “Poor User”<p.user@example.net> gets inundated with bounces. Why?

1. Spammer forges From: “Poor User” <p.user@example.net>
2. Spammer sends mail to a misconfigured MTA (not us).
3. misconfigured MTA accepts the forged mail, realizes the final To: address is invalid.
4. misconfigured MTA generates a DSN (Delivery Status Notification).
5. DSN goes to”Poor User” <p.user@example.net>.
6. Poor User files a ticket with me.

Now, there are circumstances when the original recipient MTA of the spam is not “misconfigured” when it sends the DSN. Example: somebody has set up a mail alias, say joe.user@example.org (note .ORG instead of .NET here), that points to TriLUG mail address, but joe does something silly and kills the TriLUG address without notifying the example.org mail admin. Over the weekend, spam sent to the example.org address will generate bounces.

Anyway, part of the solution would seem to be deploying something like SPF or DKIM. This would cut down on the number of servers that accept mail that claims to be from us but isn’t. Great! Let’s delpoy one of them! But….

• Suddenly we’re forcing all our (hundreds of) active users to reconfigure their mail clients to use us when sending mail outbound with a From: that claims to be from our domain. That’s a big flood of tickets, given the number of MUAs that aren’t configured that way by default.
• We don’t do DNS in-house. We’re dependent on $UNIVERSITY for DNS, and they’ve told me flatly they won’t do SPF or DKIM until they’ve finishd migrating to a new IPAM. Oh, and I’m the first person ever to have asked them about either.

So I’m stuck. I’d welcome any suggestions that will help mitigate the problem. This is a bit of a pickle.

I had 403 messages in my inbox as of Tue,  1 Apr 2008 21:23:15 -0400 (EDT). I now have 3295. /var filled up and postfix got a bit unhappy about that. I had it fixed by 22:54, so theoretically we haven’t lost any legitimate mail, but boy did the floodgates open…. h8 spammers. We got absolutely hammered today. The mail log is already 235M again.