#1 (permalink)
03-14-2011, 01:18 AM
Loyal Member
Posts: 81
spam problems - from spoofed address

I'm having a lot of problems with excessive spam (to our president)... It's basically a DOS... What's happening is that some spammers are sending out tons of spam and they're using our president's email address in the "From" field. Many thousands of emails "bounce-back" to his address hourly/daily...

I'm trying to figure out how to block these bounce-backs... Technically, these "bounces" are not spam themselves, they are legitimate messages from legitimate servers, bouncing back a message to our pres telling him the message he "sent" is not being delivered... Of course HE NEVER SENT THEM - I can see the originating server's IP address, and the one who originally sent the email is some server in Africa and some server in China or East Asia.

Anyway, the thing is: is there a good way to block these messages? I have to somehow block them based on the "original message", not the current message header... I've attached a sample message. They set the Reply-To field to their email address to receive any actual replies, but by using agan@xxx.com in the "From" field, they send all the bounce-backs to me.



Maybe there's a different approach I should be looking into..
Attached Files
File Type: txt bounce.txt (2.1 KB, 9 views)
#2 (permalink)
03-14-2011, 04:33 AM
Zimbra Consultant & Moderator
Posts: 20,313

Quote (originally posted by mickier):
I'm having a lot of problems with excessive spam (to our president)... It's basically a DOS... What's happening is that some spammers are sending out tons of spam and they're using our president's email address in the "From" field. Many thousands of emails "bounce-back" to his address hourly/daily...
It's called 'backscatter' or 'NDR' spam; search the forums for those words and you'll find some information on how to reduce it.
__________________
Regards


Bill
#3 (permalink)
03-14-2011, 05:23 PM
Loyal Member
Posts: 81

Thanks for the suggestion, but unlike most of the other posters who describe backscatter/NDR, these are bouncing [only] to one of my [real] addresses. A spammer is using my president's email address as the "from" field... these are not a type of scatter email, these are all bounces back to our president's addr. Apparently a direct DOS attack on his account. Ignoring or rejecting non-real addresses wouldn't help in this specific case since all the bounces are addressed to him.

The link you provided for another person's post does describe the exact problem we're experiencing, and there's a link there to some ideas of how to block them on Postfix (http://www.postfix.org/BACKSCATTER_README.html) but unfortunately these are a bit beyond my current technical level, and appear a little outdated...

It has helped answer the first question though - there doesn't seem to be a Zimbra-implemented solution at this time, so I'll start looking into direct Postfix solutions, realizing Zimbra will probably often undo my manual edits...

Last edited by mickier; 03-14-2011 at 05:41 PM..
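
An added example, not part of the thread and not Zimbra or Postfix code: one way to judge a bounce by the original message it embeds, as the first post asks, is to check whether any Received hop in the embedded headers shows a client IP from your own outbound range. `OUR_OUTBOUND_NETS`, the function names and the sample bounce are assumptions constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string, policy

# Assumption: networks our real outbound mail leaves from (documentation range).
OUR_OUTBOUND_NETS = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample bounce; every host, address and IP below is made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.remote.example
To: president@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: text/rfc822-headers

Received: from unknown (HELO mail.example.com) [203.0.113.77]
 by mx.remote.example; Mon, 14 Mar 2011 01:00:00 +0000
From: president@example.com
Reply-To: someone@other.example
--b1--
"""

def embedded_original(bounce):
    """Headers of the message the bounce refers to, or None if not included."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(raw):
    """Return 'ours', 'backscatter' or 'unknown' for one raw bounce."""
    orig = embedded_original(message_from_string(raw, policy=policy.default))
    received = " ".join(map(str, orig.get_all("Received", []))) if orig is not None else ""
    ips = []
    for text in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", received):
        try:
            ips.append(ipaddress.ip_address(text))
        except ValueError:
            pass  # bracketed text that is not an IP literal
    if not ips:
        return "unknown"
    # Mail we really sent shows one of our IPs as the client of some hop.
    return "ours" if any(ip in n for ip in ips for n in OUR_OUTBOUND_NETS) else "backscatter"
```

Bounces that omit the original headers come back as "unknown", and Received lines below the bouncing site's own can be forged, so the result is better used as a scoring or quarantine signal than as a hard reject.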