Proper Ways to Dispose of Spam? 119

An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed." In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?
  • The toilet (Score:3, Funny)

    by antifoidulus ( 807088 ) on Thursday January 11, 2007 @11:36AM (#17556824) Homepage Journal
    regardless of whether it comes out the back port or the front(both are equally likely).
  • Either call the EPA and get them to declare a superfund site in your compost pile, or use it as fuel in home-brew nuclear fusion experiments. The end results will likely be similar. I'm told it's also a good substitute for bathroom grout.
  • SPF! (Score:5, Informative)

    by Alphager ( 957739 ) on Thursday January 11, 2007 @11:38AM (#17556872) Homepage Journal
    Two of my domain-names are in several spammer-tools and I was inundated by spam-bounces (and auto-replies). With SPF, I am down to one bounce every now and then.
    • Re: (Score:3, Informative)

      by crow ( 16139 )
      I found SPF to be nearly useless. I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.
      • Re:SPF! (Score:4, Insightful)

        by stg ( 43177 ) on Thursday January 11, 2007 @12:05PM (#17557248) Homepage
        That was the same in my case. I still get about the same number of bounces from spammers after adding SPF.
        The only thing that did solve it was killing all addresses I don't use and adding filters for the most common bounces.
      • Re: (Score:3, Insightful)

        by Alphager ( 957739 )
        We are talking about spam-bounces, not the spam itself. Of course using SPF as sole spamfilter is useless (spammers quite frequently kite domains and set up an SPF-record allowing everybody to send mail for that domain). But most spam-filters know that a false-positive with SPF is not possible (if you ignore email-forwarding, of course) and won't bounce the mail to the innocent domain.
        • Re:SPF! (Score:4, Informative)

          by qbwiz ( 87077 ) * <john@baumanfamily.c3.1415926om minus pi> on Thursday January 11, 2007 @12:45PM (#17557918) Homepage
          Right, but that post was saying that he thought that spammers would avoid forging a domain with SPF on it, because it would be more likely that their mail would be rejected. Therefore, if you add SPF to your domain, you shouldn't get as many bounces, as spammers won't want to forge that as the sender.
          • You mean to tell me my bounce flood is what happens *with* spf?
            I'd hate to see it without.
            • by davburns ( 49244 )
              I suspect that there is a high correlation between sites that check SPF and sites that reject (5xx) spam. If not, sites that check SPF are (almost) a proper subset of sites that reject spam. (If I had time and resources to do only one or the other, I'd do the former; I suspect almost anyone else would do the same.) The main place where SPF will help is if software checks it before sending vacation (and similar) messages.
      • Re: (Score:3, Insightful)

        I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

        Spammers don't care about hit rates and neither do the folks that employ them. Who cares if it's 10 people out of 100 that fall for the bait or 10 people out of 100,000 -- it's still 10 sales that they can credit to spamming.
        • Of course hit rates are important. That's why spammers blast out huge numbers of e-mails.

          It's kinda easy to see the difference between a 10% hit rate and a .01% hit rate.

          If they could get a 10/100 hit rate, everybody would be doing it.
        • Well it is all academic at this point because SPF does nothing to a spammer when sending spam from a domain that uses SPF. So what if your server verifies the email it receives? It is unlikely your domain is going to be on the send list rather than the from list.

          They can use whatever spam protection on their domain that they want. It is the person receiving the mail that counts. When I assume someone's domain and send spam on it, the spam never hits that person's server to see what they have in place. It goes direc
      • by ahodgson ( 74077 )
        The people (and software) that send out NDR's to spam, instead of just rejecting it outright, are already busy polluting the Internet. Why would they take the time to add SPF checking to their already misconfigured systems? Hell, they'd probably send NDR's for that, too.

    • This has been a problem for me for quite a while and I assumed there was nothing I could do.

      I've just googled spf and gone to the site, but could someone give me a quick summary of how I might set it up. Can I do it or do I need to have my hosting company take care of it?

      Right now I don't use my own email servers - I use the servers provided by the people who host my web site. (As is probably already obvious - this is not an area where I am terribly proficient.) I'm going to keep reading at the spf site
      • Re: (Score:3, Insightful)

        If you just care about outbound SPF, assuming your hosting provider also runs your DNS servers, they can add it in easily.
        • I've read some more - and I guess I have a better picture of it all. My domain is registered with Go Daddy and they are the ones who point my domain at the IP address where my site is -- so GoDaddy is who I need to add the SPF record?
          • by funfail ( 970288 )
            Domain registrars (GoDaddy in your case) rarely point to the web server's IP address. Instead, they point to the nameservers that point to the web server. If this is the case, most probably your hosting provider is also providing you with DNS service. You should ask them.

            To put it another way, just do a whois query for your domain and look at the nameservers. If they look like ns1.yourhostingprovider.com, then your hosting provider is responsible for DNS (thus SPF).
          • Re: (Score:3, Informative)

            My domain (and email) is hosted with godaddy, and it was trivial to set up SPF.

            Go into your hosting account, then open the control panel for the domain you want to set up SPF for.

            On the page that opens up, select DNS Manager.

            Scroll down to the bottom of that page, and there should be a button saying something like "Add SPF Record."

            Assuming you use smtpout.secureserver.net to send your email, the defaults should work splendidly, and it should be good to go.
      • Speaking from 2 years experiences with rejecting 11000+ spams a day, publishing SPF records helps, but not enough folks reject mail with SPF fail for it to help a lot with spam bounces. The real solution to spam bounces is to "sign" your MAIL FROM, using SRS for example. (SRS is not just good for forwarding.) Then you just reject bounces without a proper signature. After signing, your MAIL FROM would look like this:

        <SRS0=WHEtL=GU==user@example.com>

        The current main benefit to SPF is that when

        • by Sancho ( 17056 ) *
          Can you elaborate on the FROM signing? What mail clients might support this (I use mutt, so I assume I can wedge this functionality in). Are individual mails signed differently?

          Do you have a package that does this, specifically?

          It sounds like an interesting solution to one of the most frustrating spam problems I have.
          • Re: (Score:3, Informative)

            I use pysrs from the pymilter [sourceforge.net] project for MAIL FROM signing. It adds a macro to sendmail, and installs a pysrs daemon as a sendmail socket map. The SRS library could be used by a python script to integrate with mutt I suppose (I always do all my filtering in the MTA - so I can't offer advice). Example code (with random spaces inserted by slashdot):

            >>> srs = SRS.new(secret='boo')
            >>> srs.sign('user@example.com')
            'SRS0=dqj5=GU==user@example.com'
            >>> srs.reverse('SRS0=dqj5=GU==use

    • by mophab ( 137737 )
      I have had problems with spammers using one of the domains I owned.
      I added an SPF record and within two months they quit using my domain.
      I suspect spammers avoid domains with SPF records, for now.
      • I want to add SPF to my domains, but I send email from GMail as if it were being sent from my domain.

        But if I add GMail's servers as valid sources for my domain, then any gmail user can send email as if it were from me.

        If I don't, it makes the email I send look less valid and more likely to be rejected or flagged as spam.

        How do I avoid this catch-22?

        • by gb3 ( 998440 )
          Doesn't Gmail require users to verify they can receive E-mail on an account before they are able to send with that account? Or is there a way around that I'm not aware of?
          • Good point, I'm not sure. I do have my accounts setup that way, and yes, they send a confirmation email with a link you have to click.

            When I setup my domains and listed GMail servers as valid senders, I saw a big increase in spam bounces that were being sent from that domain.

            Maybe I had it setup or it was just a coincidence and had nothing to do with GMail.

            Thanks.

        • Gmail sends the mail as coming from your domain, but the sender header is listed as coming from your gmail address. Because of this, the SPF testers seem to care about Gmail's SPF check, not your domain's. For example, send an email to the address given by this site:

          http://senderid.espcoalition.org/ [espcoalition.org]

          For example, in my case, I see:

          MAIL FROM: me@gmail.com
          PRA: me@gmail.com
          SPF-Record-Classic: v=spf1 redirect=_spf.google.com

          In the headers send in the email, I see:

          From: me@example.invalid
          Reply-To:

        • hey there

          gmail will be correctly set as the sender so SPF records will be correct

          the problem is other domains that do not...

          basically we need DKIM that signs the message so that when we get somthing back we examin the sig and if it does not have our DKIM we reject it

          simple we need both SPF and DKIM in the real world
    • by darkonc ( 47285 )
      I'd say turn on SPF for your domain no matter what the varied effect for other users...

      Even if there's only a 25% chance that it blocks the spam where the spammers are trying to send it, that's a 25% chance that you won't have to do much more.

      For those of you trying to use it, SPF isn't going to do that much more to prevent YOU from receiving spam, but it will make that much harder for spammers sending spam to use your domain as a source. -- (and, thus, for you getting bounces and blame for that spam).

  • by Subgenius ( 95662 ) on Thursday January 11, 2007 @11:39AM (#17556874) Homepage
    Welcome to my hell. I've had this happen to 8 of my domains over the last couple of years, typical spam runs of 30k at a time, based on all of the 'bounce back' messages that tell me 'my' mail is spam, or worse "go F** yourself, spammer" crud. SPF might fix this, but only if it was mandatory and ALL ISPs blocked non-commercial email servers (DO NOT WANT the latter to occur).

    Good Luck.
    • by Southpaw018 ( 793465 ) * on Thursday January 11, 2007 @12:26PM (#17557610) Journal
      Ahhh, I had one of those -yesterday-. We have SPF implemented, and it still doesn't work very well, alas.

      I got a call from a sysadmin somewhere in nowheresville USA. The minute I picked up the phone, the guy started berating me, since I was destroying his domain, and it was all my fault, because I'm running Exchange and obviously I was infecting him with Winblows.

      After I finally got things sorted out, I walked him through exactly how and why it wasn't our domain a'tall, which would have been obvious had he looked at the headers of any one of the thousands of emails he claimed he received. If he knows how to read any of them. When he realized he was wrong, he slammed the phone down midsentence.

      Point of the story: SPF is great, proper mail server administration is great, but there will always be jerks who think they know what they're doing when they don't, and they're the bane of the whole system, more like a wolf in sheep's clothing than a known enemy.
  • by asc4 ( 413110 ) on Thursday January 11, 2007 @11:41AM (#17556904) Homepage
    SPF is only somewhat effective as unfortunately only some have adopted it. Still, it takes all of a few seconds to add an SPF record for your domain. It can't hurt. Also, try reporting the servers hitting you with backscatter to Spamcop. Again, it might not help much, but it can't hurt.
    • by zyl0x ( 987342 )
      Join now and start losing those extra pounds of SPAM today! We guarantee results in 12 weeks!
      • by zyl0x ( 987342 )
        ..and my browser totally posted this under the wrong parent, thus nullifying the funniness of this comment with a +2 bonus.
        • How was it your browser's fault and not your own? What browser were you using?
          • by zyl0x ( 987342 )
            Well, not so much my browser, as it was me hitting the back button *on* the browser. So, it was the browser's fault, but mostly my fault by proxy.
    • by Shaman ( 1148 )
      Actually outside of a small server, it can do great harm. The DNS system is heavily loaded worldwide now... SPF just adds yet another DNS request to each e-mail.
      • by Albanach ( 527650 ) on Thursday January 11, 2007 @01:35PM (#17558792) Homepage
        The DNS system is heavily loaded worldwide now
        I'm not sure what you mean by this - surely with a properly caching nameserver, you add almost no additional load to the root nameservers by performing SPF lookups as the query never goes near them? Your own DNS servers might be heavily loaded - in which case you should add additional ones or pay for someone else to provide DNS service. DNS scales easily so that shouldn't be an issue.

        A DNS request is tiny compared to bouncing about bits of mail - if you can reject the message before even processing the body thanks to SPF you significantly reduce bandwidth consumption, much more than that spent on a DNS lookup, especially now there are so many image based spams floating about.
  • I get about 50-75 bouncebacks a day on my domain, although I believe some of them at least are "false bouncebacks" from spammers, the idea being im more likely to read a bounceback than a spam.
  • SPF is only effective if everyone uses it. It's pretty much that simple. Problems with forwards and mailing lists aside, SPF seems to work pretty well. I've been using it for a while now and I like it.

    As for what to do... It's a tough call. You're being affected by a "Joe Job" [http://en.wikipedia.org/wiki/Joe_job] .. Defending against this is not the easiest thing in the world. Filtering is probably the only route you can go right now. you should be able to filter based on the subject and To: addre
    • by Thansal ( 999464 )
      for reference, the point of Joe Jobbing someone is to ruin their reputation.

      General spoofing is just there to hide their tracks, and make it more likely that the mail will be delivered.
  • I am having this same issue. I have SPF set up with '-all' on the end of it. This still lands me with a lot of bounces every day. I am using Gmail for my mail and I have about 10 to 20 bounces that didn't get caught by their spam filter sitting in my inbox every morning.

    Here is the SPF line I am using with Gmail (with an irrelevant ip4 entry omitted):

    @ IN TXT "v=spf1 mx include:aspmx.googlemail.com -all"

    I figure that at worst, I am keeping myself off blacklists because the ones likely to blacklist my dom
    • Re: (Score:3, Informative)

      Spammers *love* domains with catch-all aliases and specifically target them for impersonation. I would suggest finding an easy way to add new aliases as needed (so you can create one just before you sign up on a site) and kill the catch-all.
      • by prothid ( 302906 )
        Yeah, I may end up having to do this. It was nice while it lasted! I could probably get away with doing a catch-all on a subdomain.. hmm...
        • It is probably worth noting that I have a catch-all alias for inbound emails. I like to give a different email address for each site I go to so that I can track who is sending me spam.
          I could probably get away with doing a catch-all on a subdomain
          What I do is I use e-mail addresses that look sort of like this: slashdotcrowell07@mydomain.com. On the front is the name of the business, so if I get mail at that address, I know it was because I gave it to them. Next is my name. Next is the last two digits of
          • by prothid ( 302906 )
            Right now I just use the domain name without the tld. I like your idea though, I will have to start doing that. Thanks!
          • I do something similar. I use businessname@subdomain.mydomain.com. When I start receiving spam at that address I setup an alias to automatically forward it to spam@uce.gov. I do like your idea of adding a date to the name, I'll probably start doing that.

            I can't see handing out a new email address every year... just too much of a PITA, especially with the older relatives and ones I only hear from a couple times a year.

            • I can't see handing out a new email address every year... just too much of a PITA, especially with the older relatives and ones I only hear from a couple times a year.
              I just whitelist them.
          • by Etcetera ( 14711 )

            Or you could just use qmail :)

            Nowadays, when I give out an email for anything it's to
            "smith-businessname@domain.com" or something similar. Anything at smith-* will end up at my smith account automatically. Allows for great automatic tracking, and no pre-setup needed (I make them up on the fly). If one of them ever gets compromised, I can simply add a config in there that handles that extension specifically. Furthermore, no automatic spamming bot is going to create wildcards and a blah-* like that.
      • by milgr ( 726027 )
        I don't think that the spammers realize that a domain is read by only one person. Frequently, if they know that billg@microsoft.com is a possible email address, then they will send spam to billg@microsoft.com, and replace billg with plenty of other common names, such as dave@microsoft.com, bill@microsoft.com, etc.

        My email addresses also have a catch all. At one point I needed to implement a filter to ignore lots of common names (ie., tom, dick, and harry).

        I have received lots of bounces to email that purp
        • There is something you can do about it, just what I was suggesting: Kill the catch-all. Spammers will stop abusing your domain (as much), you won't get bounces to addresses you don't use, and any server that performs sender address verification callouts will know that the MAIL FROM: is bogus and reject the message right away.
    • If gmail is hosting your domain, you already have a "catch all to one mailbox" option available to you - GMail uses the little understood "+" specifier in email addresses. Just use an email of the format whatever+mailboxname@domainname.com - this will still go to your inbox without you needing to run a catch-all. And if they do share it, just create a filter for all emails to nastyspamsharer+mailboxname@domainname.com to go straight to /dev/null.
  • by Otter ( 3800 )
    If you reject instead of bouncing then legitimate mail senders will still know there is a problem.

    I've been hit by the same problem (and eventually gave up on my own domain and decided to let GMail deal with it) so I sympathize, but this simply isn't true. Bounces are much more effective.

    • Re:No (Score:5, Informative)

      by Neon Spiral Injector ( 21234 ) on Thursday January 11, 2007 @12:19PM (#17557474)
      You should not generate the bounce, a 5xx response to an SMTP command is all your server should do. If it is a real mail server talking to yours it will generate the bounce for the user that is relaying through it (hopefully including the text of your 5xx reply).
      • by Otter ( 3800 )
        Ahhh, if that's what he mean by "reject", then I agree.
      • by arivanov ( 12034 )
        Exactly

        And as far as the stream of bounces flowing at the moment I think this has mostly to do with this: http://www.theregister.co.uk/2007/01/09/scam_decline/ [theregister.co.uk]

        One of the SPAM botnets was lost over Christmas (I guess, not only NASA and ESA can lose systems by bogus commands/software uploads). As a result the spamgangs have ordered a couple of clones of old beaten up viruses to go and capture new zombies. At least some of these use the codebase of one of the old crap pieces of code that generated fake addres
    • Re: (Score:2, Insightful)

      by Akatosh ( 80189 )
      Spam is spam. I don't care if it was relayed by using the victim address in 'rcpt to:' (traditional spamming) or 'mail from:' (blowback spamming). So you stuck three lines of text above it then relayed it on to the victim. Good job, by bouncing instead of rejecting you're an open relay. You even add some additional bayesian slaying text to the top. That's how I see it.

      It's really not that difficult to configure your mail systems to reject instead of accept then bounce. I see this as becoming mandatory, simi
  • I own a handful of domains, and I have little if any problem setting up autoreject for invalid email addresses. The only problem I can't easily handle is when a valid email account is used by a spammer. I think you should strongly consider changing your domain host if you've got these issues in 2007.

    -BA

  • If I haven't eaten it...

    [Please insert wow ur fat [creimer.ws] joke here.]

    I put the spam into the trash, tie the top of the trash bag, and throw trash bag into the dumpster outside. I don't know what the fuss is about disposing spam. Spam is spam. :P

  • But doesn't follow the spec and reject on fail :-(
    So I'm not sure what value that is, and I'm not sure if google forms a bias against spam from my domain, even though it's verifiable that the spam is a forgery and that my domain had nothing to do about it.

    Other lameness are domains like hotmail.com and aol.com which publish records which indicate you shouldn't reject mail claiming to be from them from servers that they don't control. (soft-fail or neutral results).
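Added example, not code from any post in this thread: a miniature SPF evaluator over a constructed DNS table, to make concrete the record posted a few comments up (`v=spf1 mx include:aspmx.googlemail.com -all`), the `redirect=_spf.google.com` record shown for Gmail, and the soft-fail/neutral point just made. Every DNS entry below is made up for the example (RFC 5737 addresses; the contents of the Google records are placeholders, not their real data). The evaluator goes slightly beyond the thread's single record: it handles the `ip4`, `a`, `mx`, `include` and `redirect=` terms with all four qualifiers and enforces the ten-DNS-lookup limit, which is also where the "SPF adds DNS load" remark above is bounded.

```python
"""Miniature SPF evaluator over constructed DNS data.  Added example; the
DNS table is made up and the Google records are placeholders."""
import ipaddress

# Constructed DNS data: what a resolver would return for these names.
DNS = {
    "example.com": {
        "TXT": ["v=spf1 mx include:aspmx.googlemail.com -all"],   # record from the thread
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "aspmx.googlemail.com": {"TXT": ["v=spf1 redirect=_spf.google.com"]},   # placeholder
    "gmail.com": {"TXT": ["v=spf1 redirect=_spf.google.com"]},              # placeholder
    "_spf.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},        # placeholder
    "lax.example": {"TXT": ["v=spf1 mx ~all"], "MX": ["mail.lax.example"]},
    "mail.lax.example": {"A": ["192.0.2.80"]},
    "nospf.example": {"A": ["192.0.2.99"]},
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # spec limit on mechanisms that need a DNS query


def _lookup(dns, name, rtype):
    return dns.get(name, {}).get(rtype, [])


def check_spf(client_ip, domain, dns=DNS, _budget=None):
    """Result for mail claiming `domain` delivered from `client_ip`:
    pass / fail / softfail / neutral / none / permerror."""
    budget = [MAX_DNS_LOOKUPS] if _budget is None else _budget
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in _lookup(dns, domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # two SPF records is a publishing error
    redirect = None
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qual = "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            target = arg or domain
            if name == "a":
                matched = str(ip) in _lookup(dns, target, "A")
            elif name == "mx":
                hosts = _lookup(dns, target, "MX")
                matched = any(str(ip) in _lookup(dns, h, "A") for h in hosts)
            else:                   # include matches only if the other domain passes
                sub = check_spf(client_ip, target, dns, budget)
                if sub == "permerror":
                    return "permerror"
                matched = sub == "pass"
        else:
            return "permerror"      # unknown mechanism
        if matched:
            return QUALIFIER[qual]
    if redirect:
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        return check_spf(client_ip, redirect, dns, budget)
    return "neutral"                # nothing matched and no 'all' term


def reject_at_smtp(result):
    """The spec-conformant receiver behaviour the post above says is rare:
    only a hard fail (from a '-all' record) justifies a 5xx at MAIL FROM;
    softfail and neutral are at most a score input."""
    return result == "fail"
```

Two things the table makes visible: a forged message "from" example.com sent by a zombie at 203.0.113.9 evaluates to `fail` only because the record ends in `-all`; the same message against a `~all` domain is merely `softfail`, which is why the hotmail/aol-style records give a receiving MX nothing it can reject on. And `include` matches only on a `pass` of the included domain, so the softfail from the placeholder Google record does not leak through as a pass for example.com.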
  • You'll need a dog. I simply feed him my excess cans of spam. If you're dealing with spam e-mail, then simply print out the spam, and use it to paper train the dog after it's gorged on Spiced HAM.
  • by artifex2004 ( 766107 ) on Thursday January 11, 2007 @12:17PM (#17557428) Journal
    It's great to set up your mail server to reject the mail up front. But many spammers know people are doing this, so they connect to backup MX, often the one with least priority. From what I've read, that's how spammers' mail blasting programs are written these days.

    Are you running your own backup MX? Probably not. It's often a generic spooler your ISP lets you use for convenience. Even if you do, does your backup MX have all your rules in place, so it knows what to reject? No, I bet not. So this backup server accepts the mail without question, then passes it to the primary, and then it gets bounced.

    We need to either have a way to give our backup MX our rulesets (which the people who run the backup servers understandably won't like), allow backup and primaries to just silently discard (which legitimate senders and receivers won't like), or, quite possibly, stop using backup MX entirely, and then if the primary goes down, the originating mail servers should do their normal pattern of retrying for 5 days, or whatever.

    Large companies who need 100% instant availability of mail shouldn't be using backup MX anyway, (I've seen backup MX servers configured to hand off to primary hourly or even daily, not to mention those that hold until the primary asks for the mail) they should be using a ring of servers sharing primary preference. I'd expect the ruleset to be identical across the ring, thus allowing for instant rejection all the time.
    • Re: (Score:3, Informative)

      by GreggBz ( 777373 )

      You're right. I work for a smallish ISP and notice that spam-bots usually prefer the backup MX record.

      For smaller domains and people with fewer resources having one MX record is impractical. For larger systems, like say an ISP, there is typically only one MX record, which really points to a virtual server that exists in a Foundry switch or some such. This is then load balanced round-robin style to a group of identically configured servers, preferably that are geographically distributed. This is a little mor

      • You could use a central syslog server: HOWTO [campin.net]
      • by dodobh ( 65811 )
        Unix MTAs log to syslog. Syslog is perfectly capable of sending stuff over the network.

        Grab a PC, setup a syslog server on it listening to the network, tell your MTAs to log there in addition to local logging.
    • by Plug ( 14127 )
      A useful thing to do (although in no way a solution) if you need a backup MX and can't use exactly the same rules on one as the other, is to set up priorities as such:

      10 primary
      20 backup
      30 primary

      This way, if spammers prefer the highest MX, which they are known to do, you get all the benefit of the filtering on the primary, as well as backup if the primary goes down.
  • I publish SPF records for all of my domains, and I still get a ton of blowback. Here are the options that I evaluated:
    1. Don't use catch-all addresses. Normally blowback is not addressed to a valid user. This was not an option for me, but it may be for you.
    2. Reject invalid bounce messages. Any message coming with an empty envelope sender to an address that has never sent mail on my system is considered invalid and rejected during SMTP with a message stating why. This is what I chose.

    The reason for my choic

  • I believe that smalltime is accepting cans of spam to fuel their "Find-the-Spam" game. They're capitalizing on the idea that this is obviously something that only a hobo would eat, and turning it into a fun game [smalltime.com].

    PS. - For added entertainment, try the text version!

  • I have an old FreeBSD mailserver that uses Exim. You should set up an intermediate domain/DNS system that can destroy the wrong usage of your name outgoing through the system. Then, I recommend looking through Perl scripts, because though one is not definitive, try, try again and you might partially succeed. Also, be sure to do security and firewall updates as mine was hacked... I don't know everything that you've tried, but if you haven't done all of those thoroughly, then you're screwed:) It'll never
  • "Okay, I'd like to send you some more information and need to verify your e-mail address."

    "Alright"

    "Is it jay ewe inn kay at blah blah blah dot com?"

    "uhh...Yep, that's me. John Unk."

    Only trusted vendors get real e-mail addresses here. I don't even get spam on my home e-mail. Absolutely none, after three years of having the same e-mail.
    • Unfortunately, many people don't have this option. If you're running a web-based business, you may need prospective customers to be able to e-mail you for the first time without making them jump through hoops, because you don't want to lose their business.
      • In that case, forms are your friend. You might even include a little note that you use the form because publishing your e-mail address directly would result in it being flooded with junk mail. Users will understand that, even if (like me) they aren't fond of using web forms to make contacts.

        I know next to nothing about JavaScript, but I'm wondering whether there's a good way to obfuscate an e-mail address using JS or some other client-side script so that the spam crawlers don't see it because it would only
  • by mabu ( 178417 ) on Thursday January 11, 2007 @12:41PM (#17557826)
    I believe the main reason why spammers are forging in the first place is to taint relay blacklists. RBLs hurt spammers more than anything else. When they forge from addresses they cause legitimate relays to be spammed by other legitimate relays and this in turn may prompt some relays to blacklist legitimate smtp servers and tarnish the effectiveness of RBLs. However, most admins are now wise to this and differentiate between the different types of traffic.

    If you run any mail server for a reasonable amount of time, until the feds decide to get off their lazy asses and prosecute these criminals, you're going to run into this problem. It usually passes after a few days. If I run into it, I will sometimes change the MX record of the offending domain to 127.0.0.1 temporarily. And rule number one is avoid *@domain.com mail mappings...
    • by Robotech_Master ( 14247 ) * on Thursday January 11, 2007 @01:03PM (#17558234) Homepage Journal
      In my experience, some spammers will also forge the 'from' address to be the address of the intended recipient of the spam, and then send it to an address they know will bounce (i.e. with an autoresponder) to try to get past spam filters or something.
    • Re: (Score:3, Insightful)

      by Kelson ( 129150 ) *

      There's also a mundane reason for it:

      1. Using your own address makes you more traceable and means you have to deal with bounces, complaints, etc.
      2. Using a forged address saves you that inconvenience.
      3. Completely bogus addresses will have a low throughput, because it's trivial for a receiving server to check whether a domain name exists or not.
      4. Verifying a specific address at a real domain, however, is more involved.
      5. Solution: Use a bogus address at a real domain name.

      This solution expresses itself in both

  • I run a domain which receives a few thousand spam messages a day (one every 15-30 seconds or so). Postfix, amavis, clamav, spamassassin, and procmail are my friends. Use amavis rather than spamc/d to keep spamassassin running and to get clamav too. Your mailer will have to send all messages to amavis like it's forwarding all mail to another email server, and listen on another port so that it doesn't loop back to amavis. Have the mailer send catch all addresses to an alias, then have the spamassassin confi
  • by Anonymous Coward on Thursday January 11, 2007 @01:09PM (#17558350)
    You start by rejecting outright email for non-existent email addresses. That gets rid of all bounces that come from addresses the spammers have made up. Then you look at the Received headers of the email that you supposedly sent and validate that it did indeed come from your IP and the header is of the form that your MTA generates. If not, somebody was impersonating you and you reject the bounce. See Stopping Backscatter Email [postfix.org].
  • by Kelson ( 129150 ) * on Thursday January 11, 2007 @01:11PM (#17558378) Homepage Journal
    The problem of invalid bounces drops dramatically if you set up your incoming server so that invalid addressees are rejected with a "User unknown" note at SMTP time. If you're using Sendmail with a virtual user table, this is as easy as adding the following at the end of the file

    @example.com error:nouser 550 5.1.1 User unknown

    It's important to do this on the server that accepts mail from the outside. If you have a setup with an antispam/virus gateway that then relays to an internal server, you need to make the gateway aware of the valid/invalid addresses.

    By rejecting invalid senders in the SMTP transaction, you only get bounces from the few messages that forged an actual sender. In my experience, the addresses tend to look like ashawuiefgfyig@example.com, so most of the bounces will just disappear into the ether(net).
  • ...are MAILER_DAEMONs and their friends who are so stupid they bounce instead of reject likely to be intelligent enough to check an SPF record before sending a bounce message to someone who obviously didn't send it?

    I too get loads of spam bounces sent to non-existent addresses "from" (random string)@(my domain), not to mention "please validate your message" challenges and autoreplies; my approach is one enormous blacklist that just autodeletes any messages from postmaster, mailer_daemon etc that aren't to m
  • It should be "Proper Ways to Dispose of Spammers?"

    I propose the firing squad or hanging. By their balls (if they have any).

    Maybe evisceration?
  • by alanxyzzy ( 666696 ) on Thursday January 11, 2007 @01:21PM (#17558544)
    Knowing that a common term for this is "backscatter" may help you search for other hints and tips.

    There is a Postfix backscatter HOWTO at http://www.postfix.org/BACKSCATTER_README.html [postfix.org]

  • Can someone tell me the differences in terms of when each happens, and what happens on the other end between a bounce and a reject? I _think_ I understand the difference, but I'm not certain.

    My understanding is that a reject is sent by the receiving SMTP server before it's accepted the mail. I.e. server a->server b, server a says mail is to: bill@serverB_Domain.com from: john@spoofedaddress.com. Server B can then accept the mail, or reject it (with various different codes for each). If B accepts it,
    • Your understanding of bounce versus reject seems correct to me.
    • PersonA gets virus. Virus on PersonA's machine connects to PersonA's ISP SMTP server, and sends out ten thousand messages as personb@example.com.

      PersonA's ISP server dutifully accepts these messages, and tries to send them. Each and every one, in this example, is to an invalid recipient. So each and every message goes like this:
      ISP Mail server: telnet recipient.mail.server 25
      HELO it.is.me!
      MAIL FROM: personb@example.com
      RCPT TO: invalidaddress@mail.server
      550 unknown address

      'Oh, noes!' thinks the I

      • Well, person A's ISP should have a virus scanner in place to prevent this kind of garbage. If you detect the mail is a virus, silently drop it (and perhaps log the IP address it came from). In any case, I can see how that'd present a problem.

        I've also seen some backscatter mail from poorly configured virus scanners that don't know that viruses spoof the from: or reply-to: address.
        • I've also seen some backscatter mail from poorly configured virus scanners that don't know that viruses spoof the from: or reply-to: address.

          Ah yes, stupid virus scanners, at both the mailserver and the user level, that send back a bounce. Especially the extra stupid ones that include the original message in a bounce, which sends the virus laden message to an innocent third party...whose antivirus then bounces the virus laden message right back....

    • by Akatosh ( 80189 )
      reject:
      mail from:
      250 Sender ok
      rcpt to:
      550 does not exist here

      If it was a virus sending this, it just stops there. No one gets any message. If there's a mail server in between, then the sender side mail server would generate a bounce to me@here.com. Most viruses are sending direct with no mail server in between.

      bounce:
      mail from:
      250 Sender ok
      rcpt to:
      250 Recipient ok
      data
      354 Enter mail, end with "." on a line by itself
      lolspamspam wonderful spam lovely spam
      .
      250 Message accepted for delivery.

      It then sends the spam
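    The two transcripts above, and Kelson's point a few comments up about rejecting unknown users inside the SMTP transaction, as an added Python example; this is not code from either comment and not a real MTA, just a receiving-side state machine that can be switched between the two behaviours. The mx.example.com hostname, the local user list and the scripted session are constructed for the example. In reject mode the 550 is issued at RCPT TO and no DSN ever exists; in accept mode the same session ends with a DSN addressed to the forged personb@example.com.

```python
import re

ADDR_RE = re.compile(r"<([^>]*)>")


class Mta:
    """Receiving-side SMTP state machine, simplified for illustration.
    reject_unknown=True answers 550 at RCPT TO (the reject model);
    reject_unknown=False accepts any recipient and generates a DSN later
    (the bounce model), which is how backscatter reaches a forged sender."""

    def __init__(self, local_users, reject_unknown=True):
        self.local_users = {u.lower() for u in local_users}
        self.reject_unknown = reject_unknown
        self.queue = []     # (sender, recipients, body) accepted for delivery
        self.bounces = []   # (envelope sender, reason) DSNs this MTA would emit
        self._reset()

    def _reset(self):
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.body = []

    @staticmethod
    def _addr(arg):
        m = ADDR_RE.search(arg)
        return (m.group(1) if m else arg.partition(":")[2]).strip().lower()

    def handle(self, line):
        """Process one client line; returns the server reply, or None while
        swallowing message body lines inside DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return self._end_of_data()
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.com"
        if verb == "MAIL":
            self.sender = self._addr(arg)
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            rcpt = self._addr(arg)
            if self.reject_unknown and rcpt not in self.local_users:
                return "550 5.1.1 User unknown"   # decided before any DATA is taken
            self.rcpts.append(rcpt)
            return "250 2.1.5 Recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"

    def _end_of_data(self):
        deliverable = [r for r in self.rcpts if r in self.local_users]
        undeliverable = [r for r in self.rcpts if r not in self.local_users]
        if deliverable:
            self.queue.append((self.sender, deliverable, "\n".join(self.body)))
        # Having accepted responsibility, the only way to report the failure is
        # a DSN to the envelope sender, who may be a forgery victim. A null
        # reverse-path (<>) is never bounced, so one DSN can't trigger another.
        for r in undeliverable:
            if self.sender:
                self.bounces.append((self.sender, f"{r}: User unknown"))
        self._reset()
        return "250 2.0.0 Message accepted for delivery"


def run_session(mta, lines):
    """Drive the MTA as a well-behaved client would; returns (command, reply) pairs."""
    transcript, it = [], iter(lines)
    for line in it:
        reply = mta.handle(line)
        if reply is None:
            continue
        transcript.append((line, reply))
        if line.upper() == "DATA" and not reply.startswith("354"):
            for skipped in it:          # a refused DATA means no body is sent
                if skipped == ".":
                    break
    return transcript


# Constructed session: a worm on PersonA's machine forging personb@example.com.
SESSION = [
    "HELO it.is.me",
    "MAIL FROM:<personb@example.com>",
    "RCPT TO:<invalidaddress@mx.example.com>",
    "DATA",
    "Subject: lovely spam",
    "",
    "lolspamspam",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for mode in (True, False):
        mta = Mta(["bill@mx.example.com"], reject_unknown=mode)
        for cmd, reply in run_session(mta, SESSION):
            print(f"C: {cmd}\nS: {reply}")
        print("DSNs generated:", mta.bounces, "\n")
```

    The point Kelson makes about gateways applies directly here: if the host answering RCPT TO is a scanning relay that does not know the user list, it is running in the accept mode above, and the internal server behind it is the one that ends up generating the DSN.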
  • I've been dealing with this a lot recently -- I just wrote up a short howto doc over on my blog [taint.org] yesterday, in fact, using Postfix on the MX to catch most of the bounces, with SpamAssassin to filter out the remainder.
  • BATV (Score:2, Informative)

    by Patrin ( 30495 )
    Take a look at Bounce Address Tag Validation (BATV). http://mipassoc.org/batv/index.html [mipassoc.org] There even is an implementation for EXIM. This drops spam bounces like you wouldn't believe.
  • by mossmann ( 25539 ) <mike@ossmann.com> on Thursday January 11, 2007 @02:57PM (#17560278) Homepage
    Check out the Envelope Sender Signature technique described here:

    http://howtos.linux.com/howtos/Spam-Filtering-for-MX/collateral.shtml [linux.com]

    The idea is to tag outgoing messages in such a way that legitimate DSNs are distinguishable from illegitimate backscatter (which can then be discarded).
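    The tagging scheme that both this comment and the BATV comment above describe, as an added Python example; it is not the mipassoc BATV implementation, the Exim implementation mentioned there, or the linux.com howto's script. It follows the prvs address layout (prvs=KDDDSSSSSS=local@domain, with a one-digit key version, a three-digit expiry day and a six-hex-digit signature) as I read the BATV draft; the HMAC input, the key table and the seven-day validity window are this example's own assumptions. Outgoing MAIL FROM is rewritten with tag_sender; an incoming null-sender message whose RCPT TO fails check_bounce_rcpt can be refused at SMTP time as backscatter.

```python
import hashlib
import hmac
from datetime import date, timedelta

# ASSUMED site secrets keyed by the single-digit key version carried in the
# tag; rotate by adding a new version so tags still in flight keep verifying.
KEYS = {0: b"example-batv-secret"}
CURRENT_KEY = 0
VALID_DAYS = 7   # how long a tagged address keeps accepting DSNs


def _day_number(d: date) -> int:
    return d.toordinal() % 1000   # prvs carries the expiry day modulo 1000


def _sig(key_version: int, day: int, local: str, domain: str) -> str:
    msg = f"{key_version}{day:03d}{local}@{domain}".lower().encode()
    return hmac.new(KEYS[key_version], msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address: str, today: date) -> str:
    """Envelope sender to put in MAIL FROM for outgoing mail:
    prvs=KDDDSSSSSS=local@domain (K key version, DDD expiry day, SSSSSS HMAC)."""
    local, _, domain = address.partition("@")
    day = _day_number(today + timedelta(days=VALID_DAYS))
    return f"prvs={CURRENT_KEY}{day:03d}{_sig(CURRENT_KEY, day, local, domain)}={local}@{domain}"


def check_bounce_rcpt(rcpt: str, today: date):
    """Classify the RCPT TO of an incoming null-sender (DSN) message.
    Returns (verdict, original address). Anything but 'valid' is backscatter."""
    local, _, domain = rcpt.partition("@")
    if not local.startswith("prvs="):
        return "untagged", rcpt          # we never send from a bare address
    parts = local.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10 or not parts[1][:4].isdigit():
        return "malformed", rcpt
    tagval, orig_local = parts[1], parts[2]
    key_version, day, sig = int(tagval[0]), int(tagval[1:4]), tagval[4:]
    original = f"{orig_local}@{domain}"
    if key_version not in KEYS:
        return "unknown-key", original
    # Tag is live while the signed expiry day lies within VALID_DAYS ahead of
    # today; the modulo handles the 1000-day wraparound of the day counter.
    if (day - _day_number(today)) % 1000 > VALID_DAYS:
        return "expired", original
    if not hmac.compare_digest(_sig(key_version, day, orig_local, domain), sig):
        return "bad-signature", original
    return "valid", original


if __name__ == "__main__":
    today = date(2007, 1, 11)   # date of this thread, used as the clock
    tagged = tag_sender("alice@example.com", today)
    print("MAIL FROM:<%s>" % tagged)
    print(check_bounce_rcpt(tagged, today))
    print(check_bounce_rcpt("xkq7a@example.com", today))
```

    Two things to keep in mind when deploying something like this: the tagged address also turns up in auto-replies and challenge messages, which is a feature (they are DSN-like and get the same check), and any service that expects to see your untagged envelope sender (mailing lists with subscriber checks, SPF records on the same domain) must either be whitelisted from tagging or be taught to strip the prvs part.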
  • I assume you're using a catch-all email account, like I do. I get about 100 SPAMs/bounces a day. Here are techniques that I use:

    • My reply-to address doesn't go to my catch-all. This way, all undeliverable bounces in my catch-all are only from SPAM.
    • Almost everyone who I email on a regular basis figures out my REAL email address, thus the special account for my reply-to address has very little SPAM.
    • I use Apple's mail program instead of Microsoft's mail programs. It's much easier to see what's SPAM beca

  • Eaaasssyyy. Just set your MX record to 127.0.0.1!

    You will never get a bounce.
