Hi all,

Today my mail servers started to get bombarded with emails alleging to be from 
[email protected]. All had a subject of "Your friend wants to share 
photos and updates with you" and all with an attachment 
"Your_Friend_New_photos-updates_id[random number].zip". All ZIP files had a 
file called "Your_Friend_New_photos-updates.jpeg.exe" inside them.

All these messages were blocked by amavisd-new because they had an attachment 
with a .exe filename. However, it generated a DSN to [email protected] 
because I have $final_banned_destiny = D_BOUNCE;

These DSNs were getting rejected by Facebook's mailservers with the following 
error "554 5.7.1 POL-P3 
http://postmaster.facebook.com/response_codes?ip=x.x.x.x#pol-t";

Looking at my logs I also noticed that the original messages which were causing 
the DSN to be created were failing DKIM. I began to look into how to prevent 
sending DSNs created by $final_banned_destiny being set to D_BOUNCE to alleged 
senders whose message fails DKIM and came across this explanation of what 
D_BOUNCE means...

D_BOUNCE    
Mail will not be delivered to its recipients. A non-delivery notification 
(bounce) will be created by amavisd-new and sent to the sender by amavisd-new. 
Exceptions: bounce (DSN) will not be sent if a virus name matches 
@viruses_that_fake_sender_maps , or to messages from mailing lists (Precedence: 
bulk|list|junk), or for spam level that exceeds the $sa_dsn_cutoff_level. If a 
quarantine is configured, a copy of the mail will go there. If not, we have 
lost the mail, but if the mail was legitimate, the sender should receive 
notification of the disposition of the message. 

The interesting bit for me is "or for spam level that exceeds the 
$sa_dsn_cutoff_level". I have $sa_dsn_cutoff_level = 20.0 on my servers. I 
created a spamassassin rule to catch messages with a subject of "Your friend 
wants to share photos and updates with you" and to score it 30 (lint'd and 
tested fine) but still the DSNs were getting created. It seems to me that 
spamassassin wasn't being run against the message because in my logs all of the 
messages had a SA score of 0.00 and none had any tests triggered.

I realise a lot of people will say set $final_banned_destiny = D_DISCARD, and 
it may come to that. But I would like to notify a real sender of a BANNED 
message, while not causing backscatter by notifying fake senders of banned 
messages. Is there a way to do it safely?

Regards

Steve

# uname -a
FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012

# amavisd -V
amavisd-new-2.7.0 (20110701)

# perl -v
This is perl 5, version 14, subversion 2 (v5.14.2) built for amd64-freebsd
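
Added example, not part of the original post and not amavisd-new's own code: a Python model of the DSN decision the post asks about, combining the Precedence and $sa_dsn_cutoff_level exceptions quoted above with a check that the envelope sender's domain has a passing DKIM signature. Assumptions: the function names, sample messages and domains are constructed, and the receiving MTA is assumed to record DKIM results in an Authentication-Results header.

```python
import re
from email import message_from_string

SA_DSN_CUTOFF_LEVEL = 20.0  # cutoff value quoted in the post

def dkim_pass_domains(msg):
    # Assumes the receiving MTA strips inbound Authentication-Results headers,
    # so any that remain were written by our own verifier.
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value, re.I | re.S):
            found.add(m.group(1).lower().rstrip("."))
    return found

def should_send_dsn(raw_message, envelope_sender, spam_score):
    """Return (send, reason) for a message already blocked as BANNED."""
    msg = message_from_string(raw_message)
    if not envelope_sender:
        return False, "null sender"            # never bounce a bounce
    if re.search(r"\b(bulk|list|junk)\b", msg.get("Precedence", ""), re.I):
        return False, "list precedence"
    if spam_score > SA_DSN_CUTOFF_LEVEL:
        return False, "spam cutoff"
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    aligned = any(domain == d or domain.endswith("." + d) for d in dkim_pass_domains(msg))
    if not aligned:
        return False, "sender not DKIM-authenticated"   # likely forged: stay silent
    return True, "sender authenticated"

# Constructed sample messages (not taken from the post's logs).
FORGED = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=fail (body hash mismatch) header.d=social.example\n"
    "From: Social <notify@social.example>\n"
    "Subject: Your friend wants to share photos and updates with you\n\nbody\n"
)
GENUINE = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass (2048-bit key) header.d=corp.example\n"
    "From: Alice <alice@corp.example>\nSubject: installer attached\n\nbody\n"
)
LIST_MAIL = GENUINE.replace("From:", "Precedence: bulk\nFrom:")

if __name__ == "__main__":
    for name, raw, sender in (("forged", FORGED, "notify@social.example"),
                              ("genuine", GENUINE, "alice@mail.corp.example"),
                              ("list", LIST_MAIL, "alice@corp.example")):
        print(name, should_send_dsn(raw, sender, 0.0))
```

The spam score of 0.0 in the sample calls mirrors the scores reported in the post's logs, so the DKIM check is what decides the forged case.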


