Backscatterer DNSBL Sendmail Ruleset

Identify and Reject NDR Spam

Overview:

This is a tiny piece of sendmail ruleset that checks whether an incoming NDR (non-delivery report) is coming from a host known to send backscatter. Odds are good that NDRs from such hosts are bounces of spam that spammers sent with your domain or email address forged as the sender.

It's a trade-off between losing real NDRs because they are drowned out in a sea of spam NDRs and losing the odd legitimate NDR from a host flagged as a backscatterer. This isn't the only possible reaction to backscatter, and there's a whole lot of 'discussion' on this topic elsewhere.

For more information about spam NDRs / backscatter, see the links under Info below.

I use this ruleset in conjunction with fail2ban and my own sendmail hacks in order to disconnect and ban these evil servers.
Take a look at my page sendmail-fail2ban

This ruleset is nearly identical to any other DNSBL ruleset; the change is absolutely trivial, hardly worthy of an entire web page. The difference is that it only checks the connecting host when the envelope sender is empty (MAIL FROM:<>), which is what bounces from MAILER-DAEMON / POSTMASTER use, so the message will be an NDR. Checking all mail against a backscatterer list would be too reckless, even for me: the list flags hosts that emit misdirected bounces, which includes otherwise legitimate mail servers. Annoyed that I could not find even one simple example, I invested the time and effort to figure it out myself. Hopefully this page will save others some time and frustration.

If you are using the DELAY_CHECKS feature, the 'MAIL FROM:' address is not checked until after the 'RCPT TO:' command. In that case this ruleset will never be called for authenticated senders, because there's a short-circuit in Scheck_rcpt that skips the delayed checks for authenticated users.

If you don't use DELAY_CHECKS, this ruleset will also check your authenticated users against the blacklist, so a roaming user whose address happens to be listed could not even send a bounce through your server. To prevent this, modify the ruleset so it only performs the lookup when $&{auth_type} is empty.

Download:

backscatter-20090930-cf.txt

This is a plain text file that contains a snippet of sendmail rulesets.
Be certain that you retain the tabs and spaces: sendmail separates the left-hand side, right-hand side and comment of a rule with tabs, and a tab that gets turned into spaces causes nasty, hard-to-find bugs.

Install:


Back up your sendmail.cf, then edit your sendmail.cf and search for this section:

######################################################################
### check_mail -- check SMTP `MAIL FROM:' command argument
######################################################################

There you will probably see short sections for

SLocal_check_mail
and
Scheck_mail

after those you should see a longer section named:

SBasic_check_mail

Now look about 10 lines down for a line that looks like this (the exact spacing and wording vary a little between sendmail versions):
R<>         $@          we MUST accept <> (RFC 1123)
Insert the entire file directly ABOVE that line, so the check runs before the null sender is accepted. Back up your new sendmail.cf.
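The downloadable file itself is not reproduced on this page, so the following is a reconstruction written for this page as an example; it is not the author's file. It takes the standard FEATURE(dnsbl) lookup rules from sendmail's proto.m4 and gates them on the null sender as described in the Overview, and it also includes the $&{auth_type} test so authenticated clients are never checked even without DELAY_CHECKS. It assumes the dnsbl map is already defined (FEATURE(dnsbl) in your .mc adds `Kdnsbl host -T<TMP>`; if you don't have it, add that K line to the map definitions), uses the FEATURE(dnsbl) default reject text with the list name substituted, and must be inserted with real tabs between the fields of every R line.

```sendmail
# Backscatterer check (reconstructed example, not the author's file).
# Runs only when the envelope sender is <> (a bounce) and the client
# is not authenticated. Insert directly above the
# "we MUST accept <> (RFC 1123)" rule in SBasic_check_mail.
# Assumes "Kdnsbl host -T<TMP>" is defined (FEATURE(dnsbl) adds it).
# Fields are separated by TABS, not spaces.
R<>	$: <> $| $&{auth_type}	null sender: is the client authenticated?
R<> $| $+	$: <>	yes: skip the lookup entirely
R<> $|	$: <> $| $&{client_addr}	no: pick up the connecting IPv4 address
R<> $| $-.$-.$-.$-	$: <> $| <?> $(dnsbl $4.$3.$2.$1.ips.backscatterer.org. $: OK $)
R<> $| <?>OK	$: <>	not listed: fall through to the accept rule
R<> $| <?>$+<TMP>	$: <>	DNS temporary failure: accept rather than lose bounces
R<> $| <?>$+	$#error $@ 5.7.1 $: "550 Rejected: " $&{client_addr} " listed at ips.backscatterer.org"
R<> $| $*	$: <>	no IPv4 client address (IPv6, local submission): accept
```

Each rule uses `$:`, so after it matches sendmail moves on to the next rule instead of re-trying the same one; an empty `$&{auth_type}` leaves the workspace as `<> $|`, which the third rule turns into the client address, while a non-empty one is stripped back to `<>` and nothing further matches. A `host` map returns the looked-up name when the DNSBL answers and `OK` (the `$:` default) when it does not, which is why any answer other than `OK` or a `<TMP>` failure rejects. Restart sendmail after editing the .cf. To exercise the rules without waiting for a real bounce, sendmail's address test mode runs the ruleset directly: `sendmail -bt -C /etc/mail/sendmail.cf` (`-C` lets you point it at a test copy), then at the `>` prompt `.D{client_addr}1.2.3.4` followed by `check_mail <>`. A listed address ends in a result beginning `$# error`, an unlisted one falls through to the accept rule. The lookup is a live DNS query, so 1.2.3.4 stands for an address you actually know to be listed. With DELAY_CHECKS the same rules run from check_rcpt, so the rejection is simply returned at RCPT TO instead of MAIL FROM.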

How to Tell if it is Working:

If you are impatient like me, you can temporarily hard-code a known-listed IP address into the rule, so that the lookup is done for that address no matter which host connects.

Assuming 1.2.3.4 is known to be listed, comment out the lookup line and replace it with a copy in which the reversed octets are hard-coded, like the one below (the left-hand side still requires the connecting client to have an IPv4 address, and remember to put the original line back afterwards):
#R$-.$-.$-.$-    $:  $(dnsbl $4.$3.$2.$1.ips.backscatterer.org . $: OK $)
R$-.$-.$-.$-   $:  $(dnsbl 4.3.2.1.ips.backscatterer.org . $: OK $)

Info:

Check these websites for more information on backscatter and backscatterers:

www.backscatterer.org
www.uceprotect.net
www.spamresource.com/2007/02/backscatter-what-is-it-how-do-i-stop-it.html
www.seanster.com/sendmail-fail2ban/

Version History:

20090930
First public release


Created 30 September 2009

Copyright © 2009 By Sean McLaughlin All Rights Reserved.

Email: backscatter@nro.ca

http://www.seanster.com/sendmail-backscatter/

//End of File