Proper Ways to Dispose of Spam?
An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed."
In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?
The toilet (Score:3, Funny)
Re:The toilet (Score:5, Funny)
1. For goodness sake, whatever you do, don't eat the stuff!
KFG
Re: (Score:2)
+1 Insightful
+1 Informative
+1 funny
- Avron
Re: (Score:1)
KFG
Proper disposal of spam (Score:1, Offtopic)
SPF! (Score:5, Informative)
Re: (Score:3, Informative)
Re:SPF! (Score:4, Insightful)
The only thing that did solve it was killing all addresses I don't use and adding filters for the most common bounces.
Re:SPF! (Score:4, Informative)
Re: (Score:2)
I'd hate to see it without.
Re: (Score:3, Insightful)
Spammers don't care about hit rates and neither do the folks that employ them. Who cares if it's 10 people out of 100 that fall for the bait or 10 people out of 100,000 -- it's still 10 sales that they can credit to spamming.
Re: (Score:2)
It's kinda easy to see the difference between a 10% hit rate and a
If they could get a 10/100 hit rate, everybody would be doing it.
Re: (Score:2)
They can use whatever spam protection on their domain that they want. It is the person receiving the mail that counts. When I assume someone's domain and send spam on it, the spam never hits that person's server to see what they have in place. It goes direc
Re: (Score:1)
I've just googled spf and gone to the site, but could someone give me a quick summary of how I might set it up. Can I do it or do I need to have my hosting company take care of it?
Right now I don't use my own email servers - I use the servers provided by the people who host my web site. (As is probably already obvious - this is not an area where I am terribly proficient.) I'm going to keep reading at the spf site
Re: (Score:1)
To put it another way, just do a whois query for your domain and look at the nameservers. If they look like ns1.yourhostingprovider.com, then your hosting provider is responsible for DNS (thus SPF).
Re: (Score:3, Informative)
Go into your hosting account, then open the control panel for the domain you want to set up SPF for.
On the page that opens up, select DNS Manager.
Scroll down to the bottom of that page, and there should be a button saying something like "Add SPF Record."
Assuming you use smtpout.secureserver.net to send your email, the defaults should work splendidly, and it should be good to go.
Rejecting spam bounces (Score:3, Informative)
The current main benefit to SPF is that when
Re: (Score:2)
Do you have a package that does this, specifically?
It sounds like an interesting solution to one of the most frustrating spam problems I have.
Re: (Score:1)
I added an SPF record and within two months they quit using my domain.
I suspect spammers avoid domains with SPF records, for now.
Re: (Score:2)
But if I add GMail's servers as valid sources for my domain, then any gmail user can send email as if it were from me.
If I don't, it makes the email I send look less valid and more likely to be rejected or flagged as spam.
How do I avoid this catch-22?
Re: (Score:2)
When I set up my domains and listed GMail servers as valid senders, I saw a big increase in spam bounces that were being sent from that domain.
Maybe I had it setup or it was just a coincidence and had nothing to do with GMail.
Thanks.
Gmail Sender overrides your From for SPF checks (Score:1)
Gmail sends the mail as coming from your domain, but the sender header is listed as coming from your gmail address. Because of this, the SPF testers seem to care about Gmail's SPF check, not your domain's. For example, send an email to the address given by this site:
http://senderid.espcoalition.org/ [espcoalition.org]
For example, in my case, I see:
In the headers send in the email, I see:
gmail SPF no problem but other domains need DKIM (Score:2)
gmail will be correctly set as the sender so SPF records will be correct
the problem is other domains that do not...
basically we need DKIM that signs the message so that when we get something back we examine the sig and if it does not have our DKIM we reject it
simple we need both SPF and DKIM in the real world
Re: (Score:2)
Even if there's only a 25% chance that it blocks the spam where the spammers are trying to send it, that's a 25% chance that you won't have to do much more.
For those of you trying to use it, SPF isn't going to do that much more to prevent YOU from receiving spam, but it will make that much harder for spammers sending spam to use your domain as a source. -- (and, thus, for you getting bounces and blame for that spam).
anyone have a domain where this DIDN'T happen? (Score:3, Insightful)
Good Luck.
Re:anyone have a domain where this DIDN'T happen? (Score:5, Interesting)
I got a call from a sysadmin somewhere in nowheresville USA. The minute I picked up the phone, the guy started berating me, since I was destroying his domain, and it was all my fault, because I'm running Exchange and obviously I was infecting him with Winblows.
After I finally got things sorted out, I walked him through exactly how and why it wasn't our domain a'tall, which would have been obvious had he looked at the headers of any one of the thousands of emails he claimed he received. If he knows how to read any of them. When he realized he was wrong, he slammed the phone down midsentence.
Point of the story: SPF is great, proper mail server administration is great, but there will always be jerks who think they know what they're doing when they don't, and they're the bane of the whole system, more like a wolf in sheep's clothing than a known enemy.
SPF somewhat effective (Score:3, Informative)
Re:SPF somewhat effective (Score:5, Informative)
A DNS request is tiny compared to bouncing about bits of mail - if you can reject the message before even processing the body thanks to SPF you significantly reduce bandwidth consumption, much more than that spent on a DNS lookup, especially now there are so many image based spams floating about.
I have a similar problem (Score:2)
SPF is effective... sort of (Score:2, Informative)
As for what to do... It's a tough call. You're being affected by a "Joe Job" [http://en.wikipedia.org/wiki/Joe_job]
Re: (Score:2)
General spoofing is just there to hide their tracks, and make it more likely that the mail will be delivered.
SPF is Marginally Effective (Score:2, Informative)
Here is the SPF line I am using with Gmail (with an irrelevant ip4 entry omitted):
@ IN TXT "v=spf1 mx include:aspmx.googlemail.com -all"
I figure that at worst, I am keeping myself off blacklists because the ones likely to blacklist my dom
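To make concrete what a receiving server does with a record like the one above, here is an added example (not from this post or from any SPF library) of a small SPF evaluator in Python. It resolves names against a constructed in-memory table instead of real DNS, and the contents shown for the include target are hypothetical, not Google's actual record; it implements the mx, a, ip4, include and all mechanisms with the four qualifiers, which is enough to follow the "v=spf1 mx include:... -all" record through to a pass or fail.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS so the example runs offline.
# Names and addresses are made up; the include target's record is hypothetical.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx include:aspmx.googlemail.com -all"],
        "MX": ["mail.example.com"],
        "A": ["203.0.113.10"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    "aspmx.googlemail.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def ip_matches(ip, cidr):
    # A bare address is treated as a /32 (or /128) network.
    return ip in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate whether `ip` may send mail with an envelope sender in `domain`.

    Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:
        return "permerror"          # guard against include: loops
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                  # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_matches(ip, arg)
        elif name == "a":
            matched = any(ip_matches(ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ip_matches(ip, a) for h in hosts for a in lookup(h, "A"))
        elif name == "include":
            sub = check_host(str(ip), arg, depth + 1)
            if sub in ("permerror", "none"):
                return "permerror"  # a broken include is a permanent error
            matched = sub == "pass" # include only matches on "pass"
        else:
            return "permerror"      # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.7", "192.0.2.1"):
        print(ip, check_host(ip, "example.com"))
```

The "-all" at the end is what makes the record useful against forgery: a host that matches neither the domain's MX nor the included network gets "fail", and a receiver that honours that result can reject at RCPT time and never generate a bounce to the forged sender.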
filtered catch-all (Score:2)
I could probably get away with doing a catch-all on a subdomain
What I do is I use e-mail addresses that look sort of like this: slashdotcrowell07@mydomain.com. On the front is the name of the business, so if I get mail at that address, I know it was because I gave it to them. Next is my name. Next is the last two digits of
Re: (Score:2)
I can't see handing out a new email address every year... just too much of PITA, especially with the older relatives and ones I only hear from a couple times a year.
Re: (Score:1)
I just whitelist them.
Re: (Score:2)
Or you could just use qmail
Nowadays, when I give out an email for anything it's to
"smith-businessname@domain.com" or something similar. Anything at smith-* will end up at my smith account automatically. Allows for great automatic tracking, and no pre-setup needed (I make them up on the fly). If one of them ever gets compromised, I can simply add a config in there that handles that extension specifically. Furthermore, no automatic spamming bot is going to create wildcards and a blah-* like that.
Re: (Score:2)
My email addresses also have a catch all. At one point I needed to implement a filter to ignore lots of common names (i.e., tom, dick, and harry).
I have received lots of bounces to email that purp
No (Score:2)
I've been hit by the same problem (and eventually gave up on my own domain and decided to let GMail deal with it) so I sympathize, but this simply isn't true. Bounces are much more effective.
Re:No (Score:5, Informative)
And as far as the stream of bounces flowing at the moment I think this has mostly to do with this: http://www.theregister.co.uk/2007/01/09/scam_decline/ [theregister.co.uk]
One of the SPAM botnets was lost over Christmas (I guess, not only NASA and ESA can lose systems by bogus commands/software uploads). As a result the spamgangs have ordered a couple of clones of old beaten up viruses to go and capture new zombies. At least some of these use the codebase of one of the old crap pieces of code that generated fake addres
Re: (Score:2, Insightful)
It's really not that difficult to configure your mail systems to reject instead of accept then bounce. I see this as becoming mandatory, simi
Who gets overwhelmed by spam bounces these days? (Score:1)
-BA
Disposing spam... (Score:1, Offtopic)
[Please insert wow ur fat [creimer.ws] joke here.]
I put the spam into the trash, tie the top of the trash bag, and throw trash bag into the dumpster outside. I don't know what the fuss is about disposing spam. Spam is spam.
Gmail checks SPF... (Score:2)
But doesn't follow the spec and reject on fail
So I'm not sure what value that is, and I'm not sure if google forms a bias against spam from my domain, even though it's verifiable that the spam is a forgery and that my domain had nothing to do about it.
Other lameness is domains like hotmail.com and aol.com which publish records which indicate you shouldn't reject mail claiming to be from them from servers that they don't control. (soft-fail or neutral results).
How I dispose of spam.,.. (Score:1, Offtopic)
Backup MX is to blame for some of this bouncing (Score:5, Interesting)
Are you running your own backup MX? Probably not. It's often a generic spooler your ISP lets you use for convenience. Even if you do, does your backup MX have all your rules in place, so it knows what to reject? No, I bet not. So this backup server accepts the mail without question, then passes it to the primary, and then it gets bounced.
We need to either have a way to give our backup MX our rulesets (which the people who run the backup servers understandably won't like), allow backup and primaries to just silently discard (which legitimate senders and receivers won't like), or, quite possibly, stop using backup MX entirely, and then if the primary goes down, the originating mail servers should do their normal pattern of retrying for 5 days, or whatever.
Large companies who need 100% instant availability of mail shouldn't be using backup MX anyway, (I've seen backup MX servers configured to hand off to primary hourly or even daily, not to mention those that hold until the primary asks for the mail) they should be using a ring of servers sharing primary preference. I'd expect the ruleset to be identical across the ring, thus allowing for instant rejection all the time.
Re: (Score:3, Informative)
You're right. I work for a smallish ISP and notice that spam-bots usually prefer the backup MX record.
For smaller domains and people with fewer resources having one MX record is impractical. For larger systems, like say an ISP, there is typically only one MX record, which really points to a virtual server that exists in a Foundry switch or some such. This is then load balanced round-robin style to a group of identically configured servers, preferably that are geographically distributed. This is a little mor
Re: (Score:2)
Grab a PC, setup a syslog server on it listening to the network, tell your MTAs to log there in addition to local logging.
Re: (Score:2)
10 primary
20 backup
30 primary
This way, if spammers prefer the highest MX, which they are known to do, you get all the benefit of the filtering on the primary, as well as backup if the primary goes down.
SPF hasn't helped me much (Score:2, Interesting)
The reason for my choic
Donate it (Score:1)
I believe that smalltime is accepting cans of spam to fuel their "Find-the-Spam" game. They're capitalizing on the idea that this is obviously something that only a hobo would eat, and turning it into a fun game [smalltime.com].
PS. - For added entertainment, try the text version!
My idea (Score:1)
A recent conversation with a would-be vendor: (Score:2)
"Alright"
"Is it jay ewe inn kay at blah blah blah dot com?"
"uhh...Yep, that's me. John Unk."
Only trusted vendors get real e-mail addresses here. I don't even get spam on my home e-mail. Absolutely none, after three years of having the same e-mail.
Re: (Score:2)
I know next to nothing about JavaScript, but I'm wondering whether there's a good way to obfuscate an e-mail address using JS or some other client-side script so that the spam crawlers don't see it because it would only
Why the forging in the first place? (Score:3, Informative)
If you run any mail server for a reasonable amount of time, until the feds decide to get off their lazy asses and prosecute these criminals, you're going to run into this problem. It usually passes after a few days. If I run into it, I will sometimes change the MX record of the offending domain to 127.0.0.1 temporarily. And rule number one is avoid *@domain.com mail mappings...
Re:Why the forging in the first place? (Score:4, Informative)
Re: (Score:3, Insightful)
There's also a mundane reason for it:
This solution expresses itself in both
spamassassin (Score:1)
Simple, check the Received: envelope headers (Score:4, Informative)
Don't use a catch-all (Score:5, Informative)
@example.com error:nouser 550 5.1.1 User unknown
It's important to do this on the server that accepts mail from the outside. If you have a setup with an antispam/virus gateway that then relays to an internal server, you need to make the gateway aware of the valid/invalid addresses.
By rejecting invalid senders in the SMTP transaction, you only get bounces from the few messages that forged an actual sender. In my experience, the addresses tend to look like ashawuiefgfyig@example.com, so most of the bounces will just disappear into the ether(net).
Re: (Score:2)
No, the point is that it doesn't bounce. It's rejected in the SMTP transaction, which means that the connecting server just sees "500 user unknown" before it even transmits the message body -- no new bounce message is created. And if the message you're rejecting is a bounce in the first place, it should have a null sender, which means that the connecting server won't try to generate a new bounce either.
SPF seems like a good idea but... (Score:2)
I too get loads of spam bounces sent to non-existent addresses "from" (random string)@(my domain), not to mention "please validate your message" challenges and autoreplies; my approach is one enormous blacklist that just autodeletes any messages from postmaster, mailer_daemon etc that aren't to m
The subject is apparently incorrect... (Score:1)
I propose the firing squad or hanging. By their balls (if they have any).
Maybe evisceration?
Postfix Backscatter HOWTO (Score:5, Informative)
There is a Postfix backscatter HOWTO at http://www.postfix.org/BACKSCATTER_README.html [postfix.org]
Difference between bounce and reject. (Score:2)
My understanding is that a reject is sent by the receiving SMTP server before it's accepted the mail. I.e. server a->server b, server a says mail is to: bill@serverB_Domain.com from: john@spoofedaddress.com. Server B can then accept the mail, or reject it (with various different codes for each). If B accepts it,
Re: (Score:2)
PersonA gets virus. Virus on PersonA's machine connects to PersonA's ISP SMTP server, and sends out ten thousand messages as personb@example.com.
PersonA's ISP server dutifully accepts these messages, and tries to send them. Each and every one, in this example, is to an invalid recipient. So each and every message goes like this:
ISP Mail server: telnet recipient.mail.server 25
HELO it.is.me!
MAIL FROM: personb@example.com
RCPT TO: invalidaddress@mail.server
550 unknown address
'Oh, noes!' thinks the I
Re: (Score:2)
I've also seen some backscatter mail from poorly configured virus scanners that don't know that viruses spoof the from: or reply-to: address.
Re: (Score:2)
Ah yes, stupid virus scanners, at both the mailserver and the user level, that send back a bounce. Especially the extra stupid ones that include the original message in a bounce, which sends the virus laden message to an innocent third party...whose antivirus then bounces the virus laden message right back....
Re: (Score:2)
But why? The pain to Person A and Person A's ISP isn't that high.
To avoid producing all that useless bounce messages, to be a decent business that doesn't cause problems, to avoid Corporation XYZ (who was infected by a virus from Person A's ISP) suing person A's ISP for gladly spreading viruses around when there's simple, inexpensive technology available that would have prevented it. Or maybe just providing an additional service to Person A who'd appreciate not sending out viruses to his family and friends
Re: (Score:1)
mail from:
250 Sender ok
rcpt to:
550 does not exist here
If it was a virii sending this, it just stops there. No one gets any message. If there's a mail server in between, then the sender side mail server would generate a bounce to me@here.com. Most virii are sending direct with no mail server in between.
bounce:
mail from:
250 Sender ok
rcpt to:
250 Recipient ok
data
354 Enter mail, end with "." on a line by itself
lolspamspam wonderfull spam lovely spam
.
250 Message accepted for delivery.
It then sends the spam
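The two SMTP transcripts above, and the "Don't use a catch-all" and "Difference between bounce and reject" posts earlier in the thread, all describe the same mechanism from different angles. As an added example (not code from any of those posters, and not any real MTA), here is a small Python model of a receiving server with a constructed list of valid recipients. It can be run in either mode: reject unknown recipients at RCPT TO, or accept everything and generate a delivery status notification afterwards. Counting the DSNs produced for a batch of forged messages shows where backscatter to the spoofed domain comes from, and the model also applies the rule that a message with a null envelope sender is never bounced.

```python
from dataclasses import dataclass, field

# Constructed recipient table for the receiving domain.
VALID_USERS = {"bill@serverb.example"}

NULL_SENDER = "<>"   # envelope sender of a bounce; must never be bounced again


@dataclass
class Message:
    mail_from: str   # envelope sender, which spam usually forges
    rcpt_to: str
    body: str


@dataclass
class Outcome:
    smtp_replies: list = field(default_factory=list)
    bounces: list = field(default_factory=list)   # DSNs this receiver generates


def receive(msg, reject_at_rcpt):
    """Model one SMTP transaction on the receiving side.

    reject_at_rcpt=True  : unknown users get a 550 before DATA; no DSN exists.
    reject_at_rcpt=False : everything is accepted, then a DSN is sent to the
                           envelope sender for any unknown user (backscatter).
    """
    out = Outcome()
    out.smtp_replies.append("250 Sender ok")
    known = msg.rcpt_to in VALID_USERS
    if reject_at_rcpt and not known:
        out.smtp_replies.append("550 5.1.1 User unknown")
        return out               # body never transmitted, nothing to bounce
    out.smtp_replies.append("250 Recipient ok")
    out.smtp_replies.append("250 Message accepted for delivery")
    if not known and msg.mail_from != NULL_SENDER:
        # Accept-then-bounce: the DSN is addressed to whatever was forged in
        # MAIL FROM, i.e. an innocent third party receives it.
        out.bounces.append(f"DSN to {msg.mail_from}: {msg.rcpt_to} unknown")
    return out


def backscatter_count(messages, reject_at_rcpt):
    """How many DSNs this receiver emits for a batch of messages."""
    return sum(len(receive(m, reject_at_rcpt).bounces) for m in messages)


# Constructed batch: two forged spams to invalid users, one incoming bounce
# (null sender) to an invalid user, and one legitimate message.
SAMPLE = [
    Message("personb@example.com", "nobody1@serverb.example", "spam"),
    Message("personb@example.com", "nobody2@serverb.example", "spam"),
    Message(NULL_SENDER, "nobody3@serverb.example", "a DSN for an unknown user"),
    Message("alice@example.org", "bill@serverb.example", "legitimate mail"),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("reject_at_rcpt =", mode, "->",
              backscatter_count(SAMPLE, mode), "bounces generated")
```

With rejection at RCPT the forged messages produce no DSN at all, so personb@example.com never hears about them; in accept-then-bounce mode every forged message to an unknown user turns into a bounce aimed at the victim domain. The null-sender check matters in both modes: a DSN that cannot be delivered is dropped rather than answered with another DSN, which is what stops two misconfigured servers from bouncing at each other indefinitely.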
a HOWTO for Postfix and SpamAssassin (Score:2)
BATV (Score:2, Informative)
Envelope Sender Signature (Score:4, Informative)
http://howtos.linux.com/howtos/Spam-Filtering-for
The idea is to tag outgoing messages in such a way that legitimate DSNs are distinguishable from illegitimate backscatter (which can then be discarded).
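As an added example of that idea (my own code, not from the linked HOWTO and not a real BATV implementation), here is a Python sketch modeled on the prvs tag format: the outgoing envelope sender is rewritten to prvs=KDDDSSSSSS=user@domain, where K is a key version, DDD an expiry day (mod 1000) and SSSSSS the first six hex digits of an HMAC over those fields and the address. A bounce is only accepted if its recipient carries a tag whose signature verifies and whose expiry is still inside the validity window. The secret key is a constructed placeholder, and the seven-day window and the use of HMAC-SHA256 are choices made here, not something the post specifies.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"   # placeholder; a real deployment uses a random key
VALID_DAYS = 7                          # how long a tagged sender stays acceptable

# prvs=<key version><expiry day, 3 digits><6 hex sig>=<original address>
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _sig(key_ver, expiry, address):
    """Six hex digits of HMAC-SHA256 over key version, expiry day and address."""
    data = f"{key_ver}{expiry:03d}{address}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:6]


def sign_sender(address, today, key_ver=0):
    """Rewrite an outgoing envelope sender (MAIL FROM) with a prvs-style tag.

    `today` is a day counter; the expiry is stored mod 1000 as in the prvs draft.
    """
    expiry = (today + VALID_DAYS) % 1000
    local, domain = address.rsplit("@", 1)
    return f"prvs={key_ver}{expiry:03d}{_sig(key_ver, expiry, address)}={local}@{domain}"


def accept_bounce(rcpt_to, today):
    """Decide whether an incoming DSN's recipient is one of our tagged senders.

    Untagged recipients, bad signatures and expired tags are all refused, so
    backscatter for forged senders never reaches a mailbox.
    """
    m = PRVS_RE.match(rcpt_to)
    if not m:
        return False                          # no tag: we never sent this
    key_ver, expiry, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if not hmac.compare_digest(sig, _sig(key_ver, expiry, address)):
        return False                          # forged or corrupted tag
    # Expiry must lie between today and today + VALID_DAYS, allowing for the
    # day counter wrapping at 1000.
    return (expiry - today) % 1000 <= VALID_DAYS


def untag(rcpt_to):
    """Recover the original local part for delivery once the tag has verified."""
    m = PRVS_RE.match(rcpt_to)
    return m[4] if m else rcpt_to


if __name__ == "__main__":
    tagged = sign_sender("user@example.com", today=100)
    print(tagged)
    print("bounce on day 103 accepted:", accept_bounce(tagged, 103))
    print("bounce on day 108 accepted:", accept_bounce(tagged, 108))
    print("untagged bounce accepted:  ", accept_bounce("user@example.com", 100))
```

The tag lives only in the envelope sender, so normal replies (which go to the From: header) are unaffected, while every DSN, challenge or autoreply driven by the envelope comes back to the tagged address and can be checked. The MTA still needs a rule that refuses bounces (null-sender mail) to untagged local addresses, which is the part the Postfix and Exim documentation handle.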
I assume you're using a catch-all (Score:2)
I assume you're using a catch-all email account, like I do. I get about 100 SPAMs/bounces a day. Here are techniques that I use:
No Bounces (Score:1, Offtopic)
Eaaasssyyy. Just set your MX record to 127.0.0.1!
You will never get a bounce.
Re: (Score:2)
*drool*