Spammers and "Postmaster notify: see transcript for details"

Posted by: TigerJimmy

Spammers and "Postmaster notify: see transcript for details" - 31/01/2008 18:13

Hey guys, was wondering if you could help me understand how to resolve this. I've never been very knowledgeable about sendmail stuff.

So my web server runs a fairly recent and pretty vanilla OpenBSD. I host a few web sites on it and use it for a local DNS server.

Some spammers somewhere are sending their messages using my domain names as originating domains on their emails. When those emails bounce, I get an error email to root notifying me of the bounce. I think that's all there is to it, I have relaying turned off and I don't think my machine contributes in any way except for being responsible for the domain on the faked "From" field.

I get hundreds of these a day lately. I became aware of this when it filled up the disk with /var/log on it.

What is my best recourse here? Am I correct in what the cause is?

Thanks you guys,

Jim

Posted by: wfaulk

Re: Spammers and "Postmaster notify: see transcript for details" - 31/01/2008 18:21

You have virtually no recourse. Sorry.

Or are you asking about how to keep your /var/log from filling up?

Posted by: TigerJimmy

Re: Spammers and "Postmaster notify: see transcript for details" - 31/01/2008 18:28

Thanks, Bitt. Yeah, well, 2 questions:

1. How can I stop these messages to root without killing all the legitimate bounces from typos in real emails? If they went to a log instead of the root mailbox, then log rotation would take care of it. So yeah, how do I keep var from filling?

2. How can I make sure my system isn't compromised?

(3). Is this normal?

Posted by: andy

Re: Spammers and "Postmaster notify: see transcript for details" - 31/01/2008 18:34

It is normal to get hit by something like this for a day or so. I get it happen a couple of times a year.

If it goes on for more than a day or so then that is unusual and would make me wonder whether someone is deliberately using your domain, rather than just picking it at random.

Posted by: wfaulk

Re: Spammers and "Postmaster notify: see transcript for details" - 31/01/2008 18:42

Check root's mailbox more often? Forward it to another account that you already check more often?

Posted by: TigerJimmy

Re: Spammers and "Postmaster notify: see transcript for details" - 31/01/2008 19:24

That sucks.

Thanks for the thoughts, though. I appreciate it.

Posted by: Attack

Re: Spammers and "Postmaster notify: see transcript for details" - 31/01/2008 23:25

I'm not sure but would setting up DomainKeys and SPF help in preventing the return of emails known not to be from you? I would think that this would only work from email servers checking for SPF and/or DomainKeys.

Posted by: LittleBlueThing

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 08:21

Hmmm - I guess you want a filter (procmail?) that deletes bounces that don't match an entry in your sent email.

Depending on your setup "sent email" may need to be recorded by a tap on your smtp or it may just look in your sent mail folder?

But, as usual with any spam solution you need to ask the experts : why won't this work?

Then you learn something new and obscure about how complex and 'insecure' email is...
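The filter suggested in the post above, sketched as an added example that is not part of the original thread: it pulls the Message-ID of the quoted original out of a bounce and checks it against a record of mail the host really sent. `SENT_IDS`, the function names and the sample bounces are hypothetical and constructed for illustration; it assumes the bounce quotes the original message or its headers, as a DSN in `multipart/report` form normally does.

```python
import email
from email import policy

# Constructed stand-in for a record of Message-IDs this host really sent
# (in practice taken from the MTA log or a sent-mail folder).
SENT_IDS = {"<20080131.1001@example.org>"}

def original_message_id(raw_bounce):
    """Return the Message-ID of the mail a bounce quotes, or None."""
    msg = email.message_from_string(raw_bounce, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            return part.get_payload(0).get("Message-ID")
        if ctype == "text/rfc822-headers":       # only headers attached
            hdrs = email.message_from_string(part.get_content())
            return hdrs.get("Message-ID")
    return None

def classify_bounce(raw_bounce, sent_ids=SENT_IDS):
    """'keep' real bounces, 'discard' backscatter, 'review' if undecidable."""
    mid = original_message_id(raw_bounce)
    if mid is None:
        return "review"   # no quoted original: do not silently delete
    return "keep" if str(mid).strip() in sent_ids else "discard"

def make_bounce(orig_id):
    """Constructed sample DSN quoting the headers of the bounced mail."""
    return "\n".join([
        "From: MAILER-DAEMON@mx.example.net",
        "Subject: Postmaster notify: see transcript for details",
        "MIME-Version: 1.0",
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"',
        "", "--b1", "Content-Type: text/plain", "", "User unknown",
        "--b1", "Content-Type: message/delivery-status", "",
        "Final-Recipient: rfc822; nobody@mx.example.net",
        "Action: failed", "Status: 5.1.1", "",
        "--b1", "Content-Type: text/rfc822-headers", "",
        f"Message-ID: {orig_id}", "From: jim@example.org",
        "--b1--", ""])

if __name__ == "__main__":
    print(classify_bounce(make_bounce("<20080131.1001@example.org>")))
    print(classify_bounce(make_bounce("<spam.777@forged.invalid>")))
```

Bounces that quote nothing of the original cannot be matched this way, which is why they come back as "review" rather than being deleted.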

Posted by: andy

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 08:45

Originally Posted By: LittleBlueThing

But, as usual with any spam solution you need to ask the experts : why won't this work?

Exactly. SPF and domain certs for example aren't really usable if you use websites (such as separately hosted blogs or social networks) where third party machines end up sending out emails on your behalf.

Just like whitelists don't work very well if you buy lots of stuff online as you can never be sure whether they will send out the order confirmation email from a domain even vaguely close to the one the website is using :'(

Posted by: LittleBlueThing

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 13:55

Originally Posted By: andy
Remind me to install an empeg in my other two cars someday


Hey, Andy... install an empeg in your other two cars.

Posted by: drakino

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 15:15

Originally Posted By: andy
Just like whitelists don't work very well if you buy lots of stuff online as you can never be sure whether they will send out the order confirmation email from a domain even vaguely close to the one the website is using :'(


Whitelists with the "Verify you sent me mail" are also rather annoying. All it does is shift work onto people wishing to contact you to also help you in your spam fight. I was getting so many of those for a while to the board admin address, because people would sign up for thread notifications, and not add the proper address to their whitelist.

So far, the method of giving everyone their own address to e-mail you at works well. A few months back I wanted a cleaning service to do the moveout cleanup, and I signed up as d_servicemagic@domain.com to find someone. Last week I started to notice spam coming into that address, so I tossed it into the filter on postfix to drop it at the server level. GMail users can do the same trick by giving out username+whatever@gmail.com, then filter out any unneeded addresses after using one.

As for the postmaster stuff, I basically just stopped paying attention to any of it. Until a properly fixed e-mail system gets widely deployed to address the problems, I'm not going to waste my time sorting through tons of bounces for an e-mail domain used by a few friends and myself.

Posted by: canuckInOR

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 15:43

Originally Posted By: drakino
GMail users can do the same trick by giving out username+whatever@gmail.com, then filter out any unneeded addresses after using one.

Sometimes. There are a lot of web-sites that don't think "username+whatever" is a valid email address, rendering this trick useless much of the time.

Posted by: andy

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 15:44

Originally Posted By: LittleBlueThing
Originally Posted By: andy
Remind me to install an empeg in my other two cars someday


Hey, Andy... install an empeg in your other two cars.

Thanks ;)

Posted by: canuckInOR

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 17:05

Originally Posted By: andy
Originally Posted By: LittleBlueThing

But, as usual with any spam solution you need to ask the experts : why won't this work?
Just like whitelists don't work very well if you buy lots of stuff online as you can never be sure whether they will send out the order confirmation email from a domain even vaguely close to the one the website is using :'(

That's why I use spamgourmet.

Posted by: andy

Re: Spammers and "Postmaster notify: see transcript for details" - 01/02/2008 17:15

The problem with tricks like that is that many websites also use the email for the login. Then you have to remember the exact format you chose for each disposable address for a given website. Sure you could use the full website+domain in the address so you wouldn't have to remember it, but that can lead to a very long login name to type.

I guess a better solution would be to have a Firefox plugin that remembered and entered the email/login for you.

Posted by: LittleBlueThing

Re: Spammers and "Postmaster notify: see transcript for details" - 02/02/2008 08:18

Originally Posted By: andy
The problem with tricks like that is that many websites also use the email for the login. Then you have to remember the exact format you chose for each disposable address for a given website.


Passwordsafe
Windows : http://passwordsafe.sourceforge.net/
Linux : http://www.semanticgap.com/myps/

Posted by: Schido

Re: Spammers and "Postmaster notify: see transcript for details" - 03/02/2008 10:57

Keepass is cool too:
Windows and linux (and many more): http://keepass.info/ :)

Posted by: Dignan

Re: Spammers and "Postmaster notify: see transcript for details" - 03/02/2008 14:13

Originally Posted By: Schido
Keepass is cool too:
Windows and linux (and many more): http://keepass.info/ :)

Seconded. I use the portable version.