Email for our domains is received by Sendmail 8.17.1 with Acme SPF milter 2.001 (libspf2-1.2.10) quite properly — most spam is rejected immediately. Unfortunately, since 18 May, some new backscatter has emerged, which the SPF milter is unable to prevent:
Code:
spfmilter[TID]: SPF_request_query_mailfrom() failed
spfmilter[TID]: lib_do_check() failed on mail from '…@…' sent by [IP] - No errors
(where TID is the Sendmail task ID, …@… the sender's email address, and IP its IP address).
This backscatter is quite powerful: the sender sends relentlessly every 13-17 minutes to hundreds of recipients within the same second, every time from a different fake email address, and each time also from a different, yet always real, SMTP server somewhere in the world. My Sendmail rejects emails to non-existent addresses in our domains immediately, but disconnects only after one hundred failed submissions:
Code:
relay=[119.198.92.115], reject=550 5.1.1 <2frfp6gnlyuwb@on.lt>... User unknown
... (lots of similar submissions at the same second) ...
relay=[119.198.92.115], reject=550 5.1.1 <u99eymkowimstj@on.lt>... User unknown
lost input channel from [119.198.92.115] to IPv4 after rcpt
Since we have very few users, I would like to reduce the limit of failed submissions from the same sender from 100 to 10, or even to 2 subsequent "550 5.1.1 User unknown" errors, but I do not know where this limit is set.
Although in general the SPF milter should not accept failed relay domains, it should immediately disconnect from illegal senders. How does this backscatter manage to get through? Could the sender be exploiting some flaw in the SPF milter or in its library libspf2-1.2.10?
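As an added illustration, not part of the post and not code from the Sendmail or spfmilter projects: a small Python script that runs the kind of check a mail admin might use to spot the burst pattern described above in the Sendmail log, counting "550 5.1.1 User unknown" rejects per relay IP per second. The sample log lines are constructed to match the reject line format quoted in the post (the syslog prefix, the queue IDs and the second relay 192.0.2.77 are made up), and the threshold of 10 rejects within one second is an assumed value.

```python
import re
from collections import defaultdict

# Sendmail check_rcpt reject line as quoted in the post, with the usual syslog
# prefix in front. Only the fields needed for counting are captured.
REJECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\w+): "
    r".*relay=\[(?P<relay>[^\]]+)\], reject=550 5\.1\.1 <(?P<rcpt>[^>]+)>\.\.\. User unknown$"
)


def parse_rejects(lines):
    """Yield (timestamp, relay IP, recipient) for each 5.1.1 reject; other lines are skipped."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("relay"), m.group("rcpt")


def relay_stats(lines):
    """Per relay IP: total rejects, peak rejects in a single second, distinct recipients tried."""
    per_second = defaultdict(lambda: defaultdict(int))  # relay -> timestamp -> count
    rcpts = defaultdict(set)
    for ts, relay, rcpt in parse_rejects(lines):
        per_second[relay][ts] += 1
        rcpts[relay].add(rcpt.lower())
    return {
        relay: {
            "total": sum(counts.values()),
            "peak_per_second": max(counts.values()),
            "distinct_rcpts": len(rcpts[relay]),
        }
        for relay, counts in per_second.items()
    }


def burst_relays(lines, peak_threshold=10):
    """Relays that produced at least peak_threshold User-unknown rejects within one second
    (peak_threshold is an assumed tuning value, not a Sendmail setting)."""
    stats = relay_stats(lines)
    return sorted(r for r, s in stats.items() if s["peak_per_second"] >= peak_threshold)


# Constructed sample: one relay hammering made-up local parts at on.lt within the
# same second (the pattern from the post), followed by the client dropping the
# connection, plus a second relay with two ordinary-looking typos hours apart.
SAMPLE_LOG = [
    f"May 20 10:14:07 mx sendmail[2401]: 34K9E7ab002401: ruleset=check_rcpt, arg1=<{u}@on.lt>, "
    f"relay=[119.198.92.115], reject=550 5.1.1 <{u}@on.lt>... User unknown"
    for u in ("2frfp6gnlyuwb", "u99eymkowimstj", "q4t8zxm0p", "h7jd2kqwe1", "p0lm5vbn",
              "xz9c3vtr", "m2kq7wel", "a8sdf1gh", "r5ty9uio", "b3nm6vcx", "k1jh4gfd")
] + [
    "May 20 10:14:08 mx sendmail[2401]: 34K9E7ab002401: lost input channel from [119.198.92.115] to IPv4 after rcpt",
    "May 20 10:31:55 mx sendmail[2450]: 34K9VtXy002450: ruleset=check_rcpt, arg1=<jonas@on.lt>, "
    "relay=[192.0.2.77], reject=550 5.1.1 <jonas@on.lt>... User unknown",
    "May 20 11:02:13 mx sendmail[2488]: 34KA2DZc002488: ruleset=check_rcpt, arg1=<jonsa@on.lt>, "
    "relay=[192.0.2.77], reject=550 5.1.1 <jonsa@on.lt>... User unknown",
]

if __name__ == "__main__":
    for relay, s in sorted(relay_stats(SAMPLE_LOG).items()):
        print(relay, s)
    print("burst relays:", burst_relays(SAMPLE_LOG))
```

On a real log the script would be fed the lines of the maillog; the per-second peak separates a dictionary-style burst from a legitimate peer that merely mistypes an address now and then, which a plain count of rejects per relay would not.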