comp.mail.sendmail Configuring and using the BSD sendmail agent.

#1

I have currently set up a new email server and I am trying to control what goes into the postmaster mail box. I would like to know when there are problems, but 99.9% of the stuff that I get in there involves m-f-ing spammers. I have a couple of items that I would like to figure out.

1. Is it okay to alias MAILER-DAEMON to /dev/null? In a lot of these loops, my MAILER-DAEMON is the ending point as it is the only valid address. I feel that mail addressed to MAILER-DAEMON should just be dumped. Am I missing something with this?

2. Is it possible to check for a valid user before running spamassassin? I am spending processor cycles identifying spam for users that don't exist (and in most cases never did). Can sendmail just issue a 550 prior to running all the checks?

3. What is the proper etiquette for bouncing spam? At first, I was excited to reject these messages with a nice (NOT) message. But then I figured out that almost every reply-to address in these accounts are bogus and if they are real, they are probably spoofed anyway. So in almost every case, I am just putting an extra burden on some innocent mail server by bouncing these.

So is it better to just drop these and stop the proliferation of these timely and annoying messages? However, in the case that a ham has been identified as a spam, you would want the person to know that the addressee has never seen the message! WHAT TO DO!?

Bottom line is this is ridiculous -- Spammers really are evil. There is a special place in hell reserved for these scums. That doesn't help me for now though. Any ideas? Thanks in advance.

#2

On 01/15/07 20:54, darrins@gmail.com wrote:
> 1. Is it okay to alias MAILER-DAEMON to /dev/null? In a lot of these
> loops, my MAILER-DAEMON is the ending point as it is the only valid
> address. I feel that mail addressed to MAILER-DAEMON should just be
> dumped. Am I missing something with this?

I can't say for 100% certainty, but I don't think you want to /dev/null this address. I have set up my double bounce address to a specific account that routes messages to /dev/null. However, this is NOT my Postmaster / Mailer-Daemon address.

> 2. Is it possible to check for a valid user before running
> spamassassin? I am spending processor cycles identifying spam for
> users that don't exist (and in most cases never did). Can sendmail
> just issue a 550 prior to running all the checks?

Sendmail (normally) requires (relays are the exception) a valid recipient before you can start the DATA phase of an SMTP transaction. So, if Sendmail knows about your recipients, it will require there to be a valid recipient email address. Thus if there is no valid recipient, there is no message to invoke SpamAssassin on.

> 3. What is the proper etiquette for bouncing spam? At first, I was
> excited to reject these messages with a nice (NOT) message. But then I
> figured out that almost every reply-to address in these accounts are
> bogus and if they are real, they are probably spoofed anyway. So in
> almost every case, I am just putting an extra burden on some innocent
> mail server by bouncing these.

Do not bounce a spam. If you do not reject it during the SMTP phase, you should throw it away and NOT send a bounce. You might also want to consider running some sort of sender verification milter.

> So is it better to just drop these and stop the proliferation of these
> timely and annoying messages? However, in the case that a ham has been
> identified as a spam, you would want the person to know that the
> addressee has never seen the message!

Reject any thing and everything that you can during the SMTP conversation. If you are running some sort of sender verification milter, you can be safer in bouncing messages. However, it is still very likely that you will inflict undue load on some system or user that had a forged MAIL FROM: line. In short, PLEASE do NOT bounce.

You should really only bounce what you think is not spam, say if someone's disk quota is full, recipient set up a LDA time filter to reject (bounce) the message, etc.

> WHAT TO DO!?

Drink. Drink LOTS. (I don't care what you drink (alcoholic or not is up to you), just drink a LOT of it!)

> Bottom line is this is ridiculous -- Spammers really are evil. There
> is a special place in hell reserved for these scums.

Indeed.

> That doesn't help me for now though. Any ideas? Thanks in advance.

Look in to double bounce address, and many different milters, not the least of which includes a sender verification filter.

Grant. . . .

#3

Grant Taylor wrote:
> On 01/15/07 20:54, darrins@gmail.com wrote:
> > 1. Is it okay to alias MAILER-DAEMON to /dev/null? In a lot of these
> > loops, my MAILER-DAEMON is the ending point as it is the only valid
> > address. I feel that mail addressed to MAILER-DAEMON should just be
> > dumped. Am I missing something with this?
>
> I can't say for 100% certainty, but I don't think you want to /dev/null
> this address. I have set up my double bounce address to a specific
> account that routes messages to /dev/null. However, this is NOT my
> Postmaster / Mailer-Daemon address.
>
> > 2. Is it possible to check for a valid user before running
> > spamassassin? I am spending processor cycles identifying spam for
> > users that don't exist (and in most cases never did). Can sendmail
> > just issue a 550 prior to running all the checks?
>
> Sendmail (normally) requires (relays are the exception) a valid
> recipient before you can start the DATA phase of an SMTP transaction.
> So, if Sendmail knows about your recipients, it will require there to be
> a valid recipient email address. Thus if there is no valid recipient,
> there is no message to invoke SpamAssassin on.
>
> > 3. What is the proper etiquette for bouncing spam? At first, I was
> > excited to reject these messages with a nice (NOT) message. But then I
> > figured out that almost every reply-to address in these accounts are
> > bogus and if they are real, they are probably spoofed anyway. So in
> > almost every case, I am just putting an extra burden on some innocent
> > mail server by bouncing these.
>
> Do not bounce a spam. If you do not reject it during the SMTP phase,
> you should throw it away and NOT send a bounce. You might also want to
> consider running some sort of sender verification milter.
>
> > So is it better to just drop these and stop the proliferation of these
> > timely and annoying messages? However, in the case that a ham has been
> > identified as a spam, you would want the person to know that the
> > addressee has never seen the message!
>
> Reject any thing and everything that you can during the SMTP
> conversation. If you are running some sort of sender verification
> milter, you can be safer in bouncing messages. However, it is still
> very likely that you will inflict undue load on some system or user that
> had a forged MAIL FROM: line. In short, PLEASE do NOT bounce.
>
> You should really only bounce what you think is not spam, say if
> someone's disk quota is full, recipient set up a LDA time filter to
> reject (bounce) the message, etc.
>
> > WHAT TO DO!?
>
> Drink. Drink LOTS. (I don't care what you drink (alcoholic or not is
> up to you), just drink a LOT of it!)
>
> > Bottom line is this is ridiculous -- Spammers really are evil. There
> > is a special place in hell reserved for these scums.
>
> Indeed.
>
> > That doesn't help me for now though. Any ideas? Thanks in advance.
>
> Look in to double bounce address, and many different milters, not the
> least of which includes a sender verification filter.
>
> Grant. . . .

Thanks for the info. Very informative and precisely what I was looking for. I am going to make some adjustments and see if I can get this thing working better.

I will google some of these terms, but if anyone can give me some hints I would appreciate it.

Basically, I am running spamass-milter and it is definitely running on mail for unknown users on my system. Any thoughts on how to change this? Do I need to run another milter?

Also I am a little unfamiliar with the double-bounce term and how to set this up.

Again, I really appreciate the reply and this definitely gets me looking in the right direction.

#4

darrins@gmail.com wrote:
> Thanks for the info. Very informative and precisely what I was looking
> for. I am going to make some adjustments and see if I can get this
> thing working better.

*nod*

> I will google some of these terms, but if anyone can give me some hints
> I would appreciate it.

Get a copy of the Sendmail Operations and Administration Guide (included in the Sendmail source code op.ps). I don't know that you need to read all of it, but at least skim the ToC and some of the pertinent sections. Also, if you don't have a copy of the (proverbial) "Bat Book" I suggest you drop the $ to get one. I have found that the book is not the best to learn Sendmail, but it is a GREAT reference when you want to configure some things. Again, skim the ToC and some of the contents so that you are aware that options do exist. It would help to know what the options do, but not necessarily how. You can go get the "How" when you need it.

> Basically, I am running spamass-milter and it is definitely running on
> mail for unknown users on my system. Any thoughts on how to change
> this? Do I need to run another milter?

I'm not sure that the milter is really filtering messages for unknown users. However, by the very nature of how milters run, spamass-milter will have log entries for any and all messages that come in to the server. As I understand it, each milter runs in lock step sync with the SMTP transaction. So if you have multiple milters installed, this would be the flow through each of them.

SMTP Connection
 - Milter 1 HELO/EHLO check
 - Milter 2 HELO/EHLO check
 ...
 - Milter n HELO/EHLO check
EHLO <bla>
 - Milter 1 HELO/EHLO check
 - Milter 2 HELO/EHLO check
 ...
 - Milter n HELO/EHLO check
MAIL FROM:<bla>
 - Milter 1 MAIL FROM: check
 - Milter 2 MAIL FROM: check
 ...
 - Milter n MAIL FROM: check
RCPT TO:<bla>
 - Milter 1 RCPT TO: check
 - Milter 2 RCPT TO: check
 ...
 - Milter n RCPT TO: check
DATA
 - Milter 1 DATA check
 - Milter 2 DATA check
 ...
 - Milter n DATA check

Each milter runs at each step in the SMTP transaction. Each milter has the opportunity to reject and possibly alter a message through out the SMTP transaction. Thus you will see log entries where a subsequent milter will process some of the message even before the user is verified. This is why I don't think your messages to unknown users are really being filtered by SA.

As a test, telnet to your SMTP server and walk through the SMTP transaction dialog process by hand using an invalid recipient to see if Sendmail rejected it or not. If Sendmail does reject the invalid user then you can not even send the data of the message in question to Sendmail and subsequently in to SA.

You control the order of milter traversal by the order they are listed in your mc / cf files. If you do not use the INPUT_MAIL_FILTER option but rather the MAIL_FILTER option in your mc file you define InputMailFilters options to DAEMON_OPTIONS to define the order of milters.

> Also I am a little unfamiliar with the double-bounce term and how to
> set this up.

define(`confDOUBLE_BOUNCE_ADDRESS', `user@domain.tld')

> Again, I really appreciate the reply and this definitely gets me
> looking in the right direction.

You are welcome.

Grant. . . .
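
The manual test suggested in the post above (walk the SMTP dialog by hand with an invalid recipient) can be checked mechanically once the session is saved. The following is an added example, not part of the thread: it parses a C:/S: transcript and reports whether the unknown recipient was refused at RCPT TO before the server invited any message data. The transcripts, host names, addresses and function names are constructed for illustration.

```python
import re

# Constructed transcripts (C: client, S: server); hosts and reply texts are made up.
REJECTS_AT_RCPT = """\
S: 220 mail.example.org ESMTP
C: EHLO probe.example.net
S: 250-mail.example.org Hello probe.example.net
S: 250 HELP
C: MAIL FROM:<tester@example.net>
S: 250 2.1.0 Sender ok
C: RCPT TO:<nosuchuser@example.org>
S: 550 5.1.1 User unknown
C: DATA
S: 503 5.0.0 Need RCPT (recipient)
C: QUIT
"""
# Same test against a server that accepts any recipient; tester hangs up at the 354.
ACCEPTS_ANYONE = REJECTS_AT_RCPT.replace(
    "550 5.1.1 User unknown", "250 2.1.5 Recipient ok").replace(
    "503 5.0.0 Need RCPT (recipient)", "354 Enter mail").partition("C: QUIT")[0]

CMD = re.compile(r"(RCPT TO|MAIL FROM|DATA|EHLO|HELO|RSET|QUIT)\b:?\s*(.*)", re.I)

def analyze(transcript):
    """Pair each client command with the server's final reply code."""
    out = {"accepted": [], "rejected": [], "body_invited": False}
    cmd = arg = None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            m = CMD.match(text)
            cmd, arg = (m.group(1).upper(), m.group(2).strip("<> ")) if m else (None, None)
        elif side == "S":
            m = re.match(r"(\d{3})([ -]|$)", text)
            if not m or m.group(2) == "-":  # "250-..." continues a multi-line reply
                continue
            code = int(m.group(1))
            if cmd == "RCPT TO":
                out["accepted" if 200 <= code < 300 else "rejected"].append((arg, code))
            elif cmd == "DATA" and code == 354:
                out["body_invited"] = True  # message content would now be transferred
            cmd = None  # reply consumed; later server lines belong to the next command
    return out

def rejects_unknown_at_rcpt(transcript, probe):
    """True if the probe address got a 5xx at RCPT TO and no 354 followed."""
    r = analyze(transcript)
    refused = any(a == probe and 500 <= c < 600 for a, c in r["rejected"])
    return refused and not r["body_invited"]
```

A transcript that fails this check means mail for nonexistent users is accepted and any later failure has to be handled after the SMTP session, which is the situation the thread advises avoiding.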

#5

darrins@gmail.com wrote:
>
> Thanks for the info. Very informative and precisely what I was looking
> for. I am going to make some adjustments and see if I can get this
> thing working better.
>
> I will google some of these terms, but if anyone can give me some hints
> I would appreciate it.
>
> Basically, I am running spamass-milter and it is definitely running on
> mail for unknown users on my system.

spamass-milter and all milters in current unpatched sendmail will process all recipients known or unknown, errored or unerrored.

However, this is not a real problem, since the heavy lifting is only done after the DATA stage, which you don't get to without valid recipients.

Sendmail 8.14 appears to address the unknown rcpt thing.

It's also addressed in the milter-rrres patch available at http://www.jmaimon.com/sendmail

This page may also help: http://www.jmaimon.com/sendmail/spamass-milter/

> Any thoughts on how to change
> this? Do I need to run another milter?

You can run other milters if you want; see here for a list: http://www.jmaimon.com/sendmail/milters

>
> Also I am a little unfamiliar with the double-bounce term and how to
> set this up.

Double bounce means where should sendmail send a bounce message to the effect that it was unable to deliver a bounce message.

You shouldn't receive those because you shouldn't be generating bounce messages since sendmail and spamassassin should be doing all the rejections inside the smtp session and therefore sendmail doesn't accept responsibility for the email and therefore it doesn't produce a bounce.

>
> Again, I really appreciate the reply and this definitely gets me
> looking in the right direction.

And yes, you do need a postmaster box. Yes I know, 99% of everything in there is spam. However it is RFC required and the only way remote parties can attempt to bring issues to your attention.

#6

Major thanks to both of you.

I have gotten my setup to the point I was hoping thanks to the help from both of you. The double bounce was a huge help. The philosophy of dropping spam instead of bouncing also makes me feel better that I am not slamming some innocent mail server.

I will live with the spam-checking of unknown users. With the addition of the double bounce, it is not as annoying anymore.

I really appreciate expert advice from places like this. Not everyone is an expert at sendmail, but you have to start somewhere. Thanks again.