Bounced Email - Dealing w/ the Latest Type of Spam?
heretic108 asks: "For 3 years, I've been running a home office EXIM mailserver to handle mails on my 3 personal domains. All had been fine - I'd fastidiously configured EXIM to guard against relaying, and even now receive a clean bill of health from the various relay-checker sites. Spam levels were moderate, and mostly arrested by SpamAssassin and Thunderbird's inbuilt filters, until today. I got up this morning to find 3500+ e-mails in my inbox. All were bounces - spoofed and genuine, and came from a vast variety of IP addresses (eg lots of AOL users' IPs), which indicates they're being sent largely via compromised windows boxen, as well as from inadequately-configured corporate/ISP mailservers which don't bother to check the purported 'from' addresses against the originating domains. This hurricane continues, with 10-30 new incoming spams every minute! I've re-enabled Active Spam Killer, but this is next to useless, since ASK passes all 'bounce' messages, real or otherwise, to the mbox without challenge. I'm hoping to hear from anyone who can share success stories in dealing with such a menace, without undue complication or loss of legitimate mail. Thanks in advance for all your constructive and positive suggestions." It seems that dealing with regular Spam is almost easy in comparison to dealing with its consequences: bounced emails. Does anyone have suggestions, or filters on how to handle bounced e-mail that has resulted from someone using your e-mail address to spam someone else?
Bayesian Spam Filter (Score:4, Informative)
A Bayesian spam filter can learn to filter ANYTHING!
Re:Bayesian Spam Filter (Score:2)
Re:Bayesian Spam Filter (Score:5, Insightful)
Re:Bayesian Spam Filter (Score:5, Interesting)
Re:Bayesian Spam Filter (Score:4, Funny)
Re:Bayesian Spam Filter (Score:1)
Hey, at least it wasn't (-1, Overrated), which is shorthand for "You suck, because." :-)
Re:Bayesian Spam Filter (Score:2)
Re:Bayesian Spam Filter (Score:2)
Re:Bayesian Spam Filter (Score:1)
Re:Bayesian Spam Filter (Score:2)
I was talking about two different filters- the Symantec filte
Why is one false positive too many? (Score:2)
Re:Bayesian Spam Filter (Score:2)
The problem with err-on-the-side-of-caution bayesian filters is that they take time to tune correctly- but once you get them tuned, they're very eff
Re:Bayesian Spam Filter (Score:2)
Re:Bayesian Spam Filter (Score:2)
Re:Bayesian Spam Filter (Score:2)
You do know, right, that the modern post office is so accurate that bankruptcy courts count putting the bill into a blue box as being equivalent to the debt holder having received a payment, right?
Postmaster - /dev/null (Score:2, Interesting)
My SpamAssassin rules do a pretty good job of filtering messages about viruses I didn't send, but even then I can't get 'em all. I wish there was a standard for email generated in response to other emails.
Re:Postmaster - /dev/null (Score:2, Insightful)
Re:Postmaster - /dev/null (Score:1)
If the filtering is done inside the user agent it shouldn't be impossible to whitelist bounces from mail you really sent.
Did anybody already implement this?
Re:Postmaster - /dev/null (Score:2)
Probably the only thing you can do is drop the addresses that are getting the bounces. In fact, it's best to configure the mail server to deny those addresses at the SMTP level and
Re:Postmaster - /dev/null (Score:2)
BTW, ^FROM_DA
Did you piss anyone off lately? (Score:5, Informative)
Re:Did you piss anyone off lately? (Score:5, Informative)
I too was joe-jobbed once and it is not pleasant.
Re:Did you piss anyone off lately? (Score:5, Informative)
Sadly, it may not subside so quickly. A couple of years ago I was really strict about reporting open relays and proxies and other spam-resenders to the ISPs responsible for the netblock on which they reside. Unfortunately, I think I sent a report to the abuse contact for some netblock that was actually controlled directly by spammers, or something like that. Ever since then, I've been under an almost constant joe-job. I don't have my mailer configured to copy postmaster on every bounce, but I see all sorts of bounce delivery attempts every day to accounts that have never existed.
All I can think of is that it's an ongoing attempt to discredit my domain. I'm sure they're not targeting me specifically at this point, but have simply added my domain to a list of domains from which they send their forged mail.
noah
Re:Did you piss anyone off lately? (Score:2)
Re:Did you piss anyone off lately? (Score:2)
I sent a few messages to administrative contacts, but nothing has happened -- and I don't expect anything to, since they are located in China.
Their website is such a con too, with friendly warm graphics to make them look professional. They mention secure and reliable transactio
Re:Did you piss anyone off lately? (Score:2)
Same is happening to me and has been for the last 2 years, about 10,000 bounce messages a day right now; they are arriving literally faster than I can download them. Fortunately I no longer use that account for email (just webspace and backup dialup in case my main ISP has problems) so at least I'm not losing legitimate mail. I'm thinking of asking the ISP to just redirect all mail to my domain into /dev/null.
Before this started I used that address for complaining about spam so I can only assume that somew
Re:Did you piss anyone off lately? (Score:2)
Widespread adoption of SPF would solve
I had this problem once (Score:5, Interesting)
I called the company spamming and they "took a message". However, I was able to filter them because they were coming to a few specific random accounts, such as vxxylj@sample-domain.com and rtyylhi@sample-domain.com for example.
I could not find any other way to filter them because it seems that there are several dozen formats for bounces. That made me wish there was a standard format for bounces, or at least a standard subject line or sender address.
newly obligatory twisted Dave Barry quote (Score:5, Funny)
and twisted to change the subject to spam.
===
People do not like spam.
And how has the spam industry responded to this tidal wave of public hostility? It has issued this statement: "Gosh, if these people really don't want us to email them, then there's no point in our emailing them! We'd only be making them hate us more, and that's just plain stupid! We'll try to come up with a less offensive way to do business."
No, wait, that's what the spammers would say in Bizarro World, where everything is backward, and Superman is bad, and spammers contain human DNA. Here on Earth, the spammers are claiming they have a constitutional right to email people who do not want to be emailed. They base this claim on Article VX, Section iii, row 5, seat 2, of the U.S. Constitution, which states: "If anybody ever invents the Internet, Congress shall pass no law prohibiting salespeople from using it to completely fill your inbox."
Related topic... URL blacklist attack spam. (Score:2)
Just a heads up... It's the next phase in the arms race for me, and I'm not seeing this
Bounces are a problem (Score:3, Informative)
Re:Bounces are a problem (Score:2)
Re:Bounces are a problem (Score:1)
And if I ever get something from someone's lame challenge/response system, I will respond to it so that the spammer's next load goes through to the oth
Publish SPF Records (Score:5, Insightful)
So do the right thing and publish them. 5 minutes a domain tops if you're familiar with DNS.
Re:Publish SPF Records (Score:2)
Re:Publish SPF Records (Score:1)
Re:Publish SPF Records (Score:2)
You are looking for www.zoneedit.com
Supports all record types, dynamic updates, and it's free for first 5 domains.
But you don't want to run a mailserver on a dynamic DNS machine anyway. When the IP changes, some of your mail will be delivered to some other machine until all the DNS caches expire. If you're lucky, that other machine won't be running a server, and it will just bounce. If you're unlucky, the other machine will reject the mail, and you'll never see it.
Re:Publish SPF Records (Score:2)
Re:Publish SPF Records (Score:2)
A secondary MX won't help for the case where the machine that gets your old dynamic address happens to be running a mail server. Depending on how unlucky you are, the message will be rejected (because the address isn't valid on that machine), or worse, accepted. In either case, the secondary MX will never see it. Admittedly, this is unlikely, but it *could* happen.
Re: (Score:1)
How to fix (Postfix) (Score:5, Informative)
Re:How to fix (Postfix) (Score:4, Interesting)
...
I see about 6 junk messages a month to my account.
And you see about 0 messages from Lotus Notes users. I think we'll roll out greylisting at our company later.
Re:How to fix (Postfix) (Score:3, Informative)
Re:How to fix (Postfix) (Score:2)
Re:How to fix (Postfix) (Score:2)
Re:How to fix (Postfix) (Score:2)
Bounce Keys (Score:5, Informative)
Here's the Exim howto http://psg.com/~brian/software/authbounce/configu
Re:Bounce Keys (Score:2)
Re:Bounce Keys (Score:2)
I don't see a lot of true joe-jobs, but my domain is named such that many people put addresses @mydomain in email boxes they want to fill with some bogus data.
Procmail recipe (Score:5, Informative)
Re:Procmail recipe (Score:1)
Re:Procmail recipe (Score:2)
Sure I want to know; I just don't want those notices mixed into my inbox. The recipe only puts the DSNs into a separate folder so that they aren't mixed up with other mail. If you're getting hammered with 3000+ DSNs per day in your inbox like the article submitter is, then it'd help to filter them somewhere else so that you can deal with other mail that isn't from mailer daemons.
Re:Procmail recipe (Score:2)
This recipe is less comprehensive but works for me. It puts messages from mailer daemons (and the like) not specifically addressed to me into the spam-mailer mailbox. If my real address is forged, the bounce will unfortunately get through, but nearly always the forged address is just random_chars@mydomain.org. As a bonus, legitimate bounces are passed through. YMMV.
Re:Procmail recipe (Score:2)
Re:Procmail recipe (Score:2)
You're already using Thunderbird's filters. (Score:2)
So, then, what's the problem?
because they are still being flooded out? (Score:2)
I actually just lost my email on my hosting (shared hosting) because I was GETTING too much email. They claimed my incoming mail was flooding out their servers.
This story submitter said they host their mail server, so it's an in-house hog of bandwidth.
Re:because they are still being flooded out? (Score:2)
Besides, a hundred thousand messages is still only about a hundred megabytes worth of messages, or two hundred megs, which is a drop in the bucket on a real server (Or even a budget one http://servermatrix.com). Heck, the "flood" wouldn't even stre
Re:because they are still being flooded out? (Score:2)
You must have missed the part where the parent poster said "shared hosting". Many shared hosting providers don't like for you to keep *any* mail on their mail servers. They want you to download it as often as possible. And to make sure you do that, you sometimes only get around a 50MB (or less) quota. If he had the time, patience, and skill to r
Re:because they are still being flooded out? (Score:2)
if the orig poster was running an old linux box as a mail server on a home network it might just get really annoying to deal with all
Re:because they are still being flooded out? (Score:2)
If it's being filtered client-side, it's not so bad.
Mail is delivered to your server, assuming 20 emails per minute (That's about two hundred thousand mails a week), consuming roughly half a kilobyte per second of downstream. You could run your mail server on DIALUP and that would STILL be a small amount. These are bounce mails, they're all text and probably only about 2KB (I'm guessing, but they can't be that big)
And say you cleared out your local mail server to your cl
Spammers reading the RFCs, and 5xx countermeasures (Score:1)
The solution I'm currently experimenting with is to use simscan with qmail to pipe the mail through spamassassin befor
Re: (Score:1)
Backscatter (Score:5, Informative)
Spam lingo for this phenomenon is "backscatter" or "outscatter" (I prefer the last one, as the bounces are not actually sent "back", but to an innocent third party). Spam Links has a link collection to get you up to date at:
http://spamlinks.net/filter-bounce.htm
A nice solution is Bounce Address Tag Validation (BATV), described at:
http://www.ietf.org/internet-drafts/draft-levine-mass-batv-00.txt
Abstract:
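Bounce Address Tag Validation as a worked example (added here; it is not code from the draft's authors or from any poster in this thread): the sending MTA signs its own return path with a secret key and an expiry day, so an incoming null-sender message whose RCPT TO carries no tag, a forged tag, or a stale one can be refused at SMTP time instead of landing in the inbox. The tag layout follows the draft's prvs=KDDDSSSSSS=user@domain scheme; the secret, the exact string fed to the HMAC and the seven-day window are assumptions of this example.

```python
import hashlib
import hmac
import re
import time

# Constructed secret and policy; a real deployment keeps the key in the MTA config.
KEY = b"constructed-batv-secret"
KEY_NUMBER = 0          # the K digit, so keys can be rotated
VALID_DAYS = 7          # how long a tagged return path stays acceptable (assumed)

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)

def _day(now=None):
    """Day counter modulo 1000, the DDD field of the tag."""
    return int((time.time() if now is None else now) // 86400) % 1000

def _sig(key_number, day, local, domain):
    """Six hex chars of HMAC-SHA1 over key number, expiry day and address (assumed layout)."""
    data = f"{key_number}{day:03d}{local}@{domain}".encode()
    return hmac.new(KEY, data, hashlib.sha1).hexdigest()[:6]

def tag_sender(address, now=None):
    """Rewrite user@domain to prvs=KDDDSSSSSS=user@domain for use as MAIL FROM."""
    local, domain = address.rsplit("@", 1)
    expiry = (_day(now) + VALID_DAYS) % 1000
    sig = _sig(KEY_NUMBER, expiry, local, domain)
    return f"prvs={KEY_NUMBER}{expiry:03d}{sig}={local}@{domain}"

def strip_tag(address):
    """Recover the plain address so tagged mail is delivered to the right mailbox."""
    m = PRVS_RE.match(address)
    return m.group(4) if m else address

def bounce_is_valid(rcpt, now=None):
    """Accept a null-sender (bounce) message only if RCPT TO carries a fresh, correctly signed tag."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return False      # untagged: we never sent with this return path, so it is backscatter
    k, expiry, sig, core = int(m.group(1)), int(m.group(2)), m.group(3).lower(), m.group(4)
    local, domain = core.rsplit("@", 1)
    if k != KEY_NUMBER or not hmac.compare_digest(sig, _sig(k, expiry, local, domain)):
        return False      # wrong key number, or a forged/altered tag
    remaining = (expiry - _day(now)) % 1000
    return 0 < remaining <= VALID_DAYS   # expired tags could be replayed, so reject them
```

Case (a) of the "Drop all spam bounces" post below (a remote MTA that quotes nothing of the original) is covered too, because the decision rests on the recipient address alone.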
Re:Backscatter (Score:1)
Re:blame the feds (Score:1)
Bayesian filtering (Score:1)
Send all bounce msgs to /dev/null/ (Score:4, Interesting)
Re:Send all bounce msgs to /dev/null/ (Score:2, Informative)
Legitimate bounces DO still happen. Not often for most people, but they are still a reality.
Re:Send all bounce msgs to /dev/null/ (Score:3)
And how do you know that you never get a legit bounce since you filter those too?
Re:Send all bounce msgs to /dev/null/ (Score:3)
I e-mailed a contact address that was no longer valid. If I had just trashed the bounce, I never would have known that my e-mail had failed, and I would have assumed that the people I was trying to contact were a bunch of jerks, instead of tracking down a working address for them. This kind of stuff happens fairly often for those of us who don't live in a cave.
Re:Send all bounce msgs to /dev/null/ (Score:2)
Full and misspelled hotmail accounts. Fairly frequently.
I had over 6,000 in less than 3 days (Score:1)
550 user not know (Score:2)
That way I drop about 66% of inbound email before it enters my email gateway.
5 minute kill sequence for all spam (Score:1)
Re:5 minute kill sequence for all spam (Score:2)
> valid address...
Yes they do. It just isn't their valid address.
>
> with your real address?
Me, when I receive your replies to the spams sent with my address forged.
NEVER REPLY TO SPAM
Re:5 minute kill sequence for all spam (Score:1)
Re:5 minute kill sequence for all spam (Score:1)
The beauty of it is, instant feedback to someone who uses the wrong address. Nothing is lost if someone sends a message to your old address unless:
a) they're not using a valid address to talk to you - pretty unlikely if you really want to hear from them
b) they don't go to the effort of following your auto reply message and forwarding it to your
Re:5 minute kill sequence for all spam (Score:3, Insightful)
Except now you're causing the problem that led to this question in the first place: now you're sending crap out to random people, because, as you yourself just said, they never used a real address. It often ends up going to someone real, though.
Re:5 minute kill sequence for all spam (Score:1)
Are the people receiving these messages random, or are they individuals whose address is known by spammers who continue to use the same address? Chances are any real person whose address is used by spammers gets so much crap anyway that their address is already near useless.
Who do you blame? Me adapting to the spam, you, the friend who gave your address to the spammer, or the person who wrote the spam?
I thank you for making this point however, it ma
Drop all spam bounces (Score:2)
The way I dealt with it was simple:
All (afaik) legitimate bounces include a copy of at least the headers of the original email that was bounced.
If the email came from my system, those headers will contain a reference to my system.
At receipt time (e.g. before the MTA accepts the message), my filter scans bounce messages for my mail system name.
If it doesn't have it, it's either:
a) A bounce for a message where the MTA doesn't include a copy of my original email. (oh well).
b) A bounce for a
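The check the post above describes, written out as an added example (not the poster's own filter): parse an incoming DSN, find the quoted copy of the original headers, and keep the bounce only if one of those headers was stamped by our own MTA. The hostname, the two sample DSNs and the choice to look at Received and Message-ID headers are constructed for this example.

```python
import email
import re

MY_HOST = "mail.example.org"   # constructed stand-in for the submitter's own MTA name

def is_dsn(msg):
    """A DSN arrives with the null envelope sender, usually from a mailer daemon."""
    return (msg.get("Return-Path", "").strip() == "<>"
            or msg.get("From", "").lower().startswith("mailer-daemon"))

def quoted_headers_name_host(msg, host=MY_HOST):
    """True if the copy of the original headers inside the DSN was stamped by our MTA."""
    h = re.escape(host)
    pat = re.compile(r"^(Received:.*\bby\s+%s\b|Message-ID:.*@%s>)" % (h, h), re.I | re.M)
    for part in msg.walk():
        if part.get_content_type() in ("message/rfc822", "text/rfc822-headers"):
            # unfold continuation lines so "by host" on a folded Received line is still seen
            unfolded = re.sub(r"\r?\n[ \t]+", " ", part.as_string())
            if pat.search(unfolded):
                return True
    return False

def classify(raw):
    """'deliver' for mail we should keep, 'reject' for backscatter to refuse at the MTA."""
    msg = email.message_from_bytes(raw)
    if not is_dsn(msg):
        return "deliver"
    return "deliver" if quoted_headers_name_host(msg) else "reject"

def _dsn(orig_headers):
    """Build a minimal multipart/report DSN around a quoted set of original headers."""
    return (b"Return-Path: <>\r\nFrom: MAILER-DAEMON@remote.example.net\r\n"
            b"To: user@example.org\r\nSubject: Undelivered Mail\r\n"
            b"Content-Type: multipart/report; report-type=delivery-status; boundary=\"B\"\r\n\r\n"
            b"--B\r\nContent-Type: text/plain\r\n\r\nDelivery failed.\r\n"
            b"--B\r\nContent-Type: text/rfc822-headers\r\n\r\n" + orig_headers + b"\r\n--B--\r\n")

# Constructed samples: one bounce of mail our MTA really relayed, one joe-job bounce.
GENUINE = _dsn(b"Received: from [192.0.2.10] by mail.example.org with esmtp\r\n"
               b"\tid 1Abc-0001; Mon, 1 Jan 2024 10:00:00 +0000\r\n"
               b"From: user@example.org\r\nTo: nobody@remote.example.net\r\n")
FORGED = _dsn(b"Received: from [198.51.100.7] by mx.spamsource.example with smtp\r\n"
              b"From: user@example.org\r\nTo: victim@remote.example.net\r\n")
```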