
How to not send NDRs if not in EmailTo li

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5807
Printed Date: 31 July 2025 at 11:12am


Topic: How to not send NDRs if not in EmailTo li
Posted By: john11
Subject: How to not send NDRs if not in EmailTo li
Date Posted: 26 September 2006 at 1:49am
We have a whitelist of all authorized email addresses. We reject the rest. How to put the rest into IP BlackList and/or not send NDRs?



Replies:
Posted By: LogSat
Date Posted: 26 September 2006 at 10:30pm
If using an "authorized to" whitelist, automatically all recipients not on the list will be rejected. However, the sender will always receive an error code when attempting to send an email to an address not in that list. This causes an NDR to be generated by the sender's mail server and cannot be avoided.

As an alternative, you could configure SpamFilter to "tag spam & deliver". This way spam is marked as such and delivered, so no NDRs are generated. You would then need client rules to catch the tagged emails and stop them.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: john11
Date Posted: 26 September 2006 at 10:34pm

Roberto,  I'm trying not to let the DHA attackers know which email is good and which is not. Any other suggestions? We apparently are under a 24 hour, basically continuous, DHA attack. 

I prefer to drop on the floor those email addresses that are bogus. No NDR. And then deliver the email that is good. I am not very concerned about spam now. The MAPS and other filters do that nicely. I am trying to not let the mail program tell the DHA attackers which email is legit and which are not.  What to do?



Posted By: LogSat
Date Posted: 26 September 2006 at 10:51pm
John,

Please see the response by sgeorge to an earlier post you made at http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=5801&TPN=1.
That filter effectively blocks most attacks as the IP will be banned at a connection level, preventing it from sending any further commands to SpamFilter.


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: john11
Date Posted: 26 September 2006 at 10:55pm

yup. already doing that. But the ip caches show only a couple send more than 1 msg to a bogus email address. It looks like a zillion zombies, each with its own ip address, are sending spam to bogus addresses, trying to guess the correct addresses.

I'd REALLY like to accept these msgs, drop them on the floor, and not respond with any 55x msg.



Posted By: sgeorge
Date Posted: 27 September 2006 at 4:08pm
hmm... you're making me think...

Here's an idea... and it may only work if you have a set of email addresses that have a predictable format...  Do your authorized email addresses all have a similar format of some sort? (e.g. john.smith@domain.com, mary.kate@domain.com, etc?)

If so, you may be able to make a RegEx filter that loosely specifies a large set of recipient addresses that are invalid.  For example, take the email addresses that I listed above.  If by chance all of your addresses appear as firstname(dot)lastname@domain.com, you may be able to block all incoming mail that isn't sent to an address with a "." in it, and send to null.  It's not likely that you'll say, "yeah, that's our setup", but let's suppose...
you could add a keyword of
(\w*[^.]\w*@*):null
...to your "To Emails" blacklist.

A more practical approach: take the full source of two of these emails.  Post it on the board.  I can take a look and see *crosses fingers* if there's another way (such as a keyword) to block all of these messages and send them to null.
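
Added example, not part of sgeorge's post or LogSat's code: a null-action filter discards mail silently, so a recipient pattern is worth auditing against known-good addresses before it goes into the "To Emails" blacklist. Python's `re` with unanchored search stands in for SpamFilter's matcher (an assumption), and the sample addresses, the `audit` helper and the anchored pattern are constructed for illustration.

```python
import re

# Pattern as posted in the thread, without the ":null" action suffix.
POSTED = r"(\w*[^.]\w*@*)"
# Anchored alternative (assumption): the local part has no "." before the "@".
ANCHORED = r"^[^.@\s]+@"

# Constructed sample data: real mailboxes follow firstname.lastname@domain.
VALID = ["john.smith@domain.com", "mary.kate@domain.com"]
BOGUS = ["jsmith@domain.com", "sales@domain.com", "a1b2c3@domain.com"]


def audit(pattern, valid, bogus):
    """Return (valid addresses the filter would drop, bogus addresses it misses)."""
    rx = re.compile(pattern)
    dropped_valid = [a for a in valid if rx.search(a)]
    missed_bogus = [a for a in bogus if not rx.search(a)]
    return dropped_valid, missed_bogus


if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        dropped, missed = audit(pat, VALID, BOGUS)
        print(f"{name:9} drops valid: {dropped}  misses bogus: {missed}")
```

Under unanchored search the posted pattern matches any address containing at least one non-dot character, which includes the valid ones; anchoring the match to the local part avoids that.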


Posted By: Marco
Date Posted: 29 September 2006 at 10:33am

Maybe someone can figure out a way to 'harvest' the zombie IPs, maybe by using the honeypot or parsing the logs.

Once you got all zillion, feed them into your firewall, that should stop anything after that.

Tagging as spam and filtering afterwards would cost immense bandwidth, I don't see that as a suitable option.



-------------
Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams


