I actually missed a whole bunch of stuff that also would have FP'd on this.  Cox in many cases and Earthlink among others are blocking outbound port 25, so customers using these services for access who are mailing to other customers on my server would FP on both the SPAMDOMAINS and MAILFROM filters.  Cable and DSL providers at times have had large segments of their networks blacklisted for continuing problems with spam, so they can produce a score.  If I were having problems with self-addressed spam getting through, I would probably think about using this to add a few points like Andrew suggested, but some of the FPs produced would be problematic with a few regular senders that fail multiple technical tests.

Matt



Matthew Bramble wrote:
Bill,

It depends on your customer makeup.  My FP rate with a MAILFROM filter would be close to 90% if not more because of several sites that are configured to send form submissions as being an account from the same domain.  SPAMDOMAINS would be a better test because the Web sites and domain-based E-mail often share the same reverse DNS lookup, but not in cases where they are just using aliases for forwarding.  I have several customers that have software that sends out automated messages claiming to be from their own domains, such as firewalls and the like, and then I have some customers with sites hosted in different facilities that forge the From address for ecommerce.  All of this is before you get the refer-a-friend and gift card stuff.  I see all of this with fewer than 250 actual accounts and just 50 domains hosted on my server at present.

If you don't do a lot of Web hosting, you might not see much of a problem, or if you do hosting for sites without forms configured in that way, you also wouldn't notice it.  I personally don't want to be whitelisting E-mail as the result of being alerted to the problem by a customer that rightfully assumed that the From address should be their own when setting up a script on a Web site.  Spam that forges the From address is likely to fail many technical tests because forging isn't generally limited to the From address; typically they forge the HELO and screw many other things up in the headers.  I almost never get spam that passes the filters that uses my own address anymore.

My own sample of FPs seen in the last 5,000 or so messages would be the following:

- Used Vehicle Inquiry - [name removed] (about 20 of these)
- New Vehicle Inquiry - [name removed] (about 20 of these)
- Parts Inquiry - [name removed] (about 5 of these)
- Website Contact Form (2 of these)
- New firmware available. (1 of these, sent from a SonicWall)
- From your friend: [name removed] (2 of these sent through SendAFriend)
- Internet Order # [numbers] (3 of these)

In addition to these there are GM and Mazda corporate Internet lead notifications that fake the From address as the address they are sending them to (these have problems with these poorly configured servers).  Again though, depending on your customer makeup, your mileage may vary.  SPAMDOMAINS would not have FP'd on a few of the first 4 examples because they are locally hosted on the same domain as the receiver, but would have FP'd on MAILFROM.  Everything else would have FP'd on both tests.

Matt



Bill Landry wrote:
We whitelist the IP address of any system we permit to relay through our IMail server, and all of our customers either use SMTP Auth or we whitelist their IP address space.  So the only time we have seen a problem is with some mailing lists and e-card services, which we accommodate via filtering.
 
As a quick test, I separated out my hosted domains from the SPAMDOMAINS file and created a new spamdomains test called FORGED-DOMAINS.  Here are the subjects of the messages I have flagged with this test within the past 5 minutes:
 
      2 Subject: Complimentary 30 Day Supply of Phentermine!
      1 Subject: [NAME WITHHELD] Where to deposit your Payroll?
      1 Subject: Someone wants to date you
      1 Subject: Self-paced degree programs for busy adults
      1 Subject: Please claim your gift
      1 Subject: Lowest Mortgage Rates in 45 Years!
      1 Subject: Get a Proven Anti - Aging Creme at No Charge
      1 Subject: Credit Relief
      1 Subject: Complimentary 30 Day Supply of Phentermine!
      1 Subject: Absolutely Free, CostsNothing, FreeAir Tickets
      1 Subject: 4 F r e e Airline Tickets + $100 Cash Back
      1 Subject: 3 months of FREE Satellite TV
      1 Subject: 0% Auto Loans!
      1 Subject:  you are *approved already. No credit check
 
Looks like a very effective test to me.
 
Bill
----- Original Message -----
Sent: Friday, September 19, 2003 2:16 PM
Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local address

Bill,

It's because it is very rare that you see spam faking your address, 0.1% from a recent test, and much more common that false positives will be created, as was noted.  I was able to monitor this behavior because unfortunately the DYNAMIC filter catches but doesn't score intra-server domain E-mail, and I searched for this knowing they would all be in there.  In other words, filtering for From addresses faked to say they are from your own domain would have a false positive rate of around 75%, or at least that would be so on my server.  One prime example is that many of my customers' Web sites with forms will send the submission as if it came from the customer's own domain, and thus fail the test.  Lots of ecommerce is done this way.  It's a very bad idea in my opinion.  Maybe I'm missing something though???

Using SPAMDOMAINS to filter for local domains would also be just as problematic, I would think.  You might not have issues based on the makeup of your customers, and maybe not caring too much about gray-area commercial stuff like greeting cards which might fail the filters.  No way would I start whitelisting stuff either based on something which would properly add points so rarely.  Are you not seeing the same very low incidence of this type of thing?  Or is that unique to my own customer base?

Matt



Bill Landry wrote:
----- Original Message -----
From: Matthew Bramble

  
I highly recommend not filtering the fake MAILFROM for your local domains.
    

Why not?  I don't actually do this; rather, I use SPAMDOMAIN instead.  But I don't see a problem doing it with MAILFROM in a filter file either.

Bill
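The thread above weighs a "forged local domain" test (MAILFROM or SPAMDOMAINS matching your own hosted domains) against the false positives Matt lists (web forms, firewall notices, send-a-friend mail) and the whitelisting of authorised relays and SMTP AUTH clients that Bill relies on.  The following is an added illustration, not part of the list thread and not Declude filter syntax: a small Python simulation that exempts authorised senders first and only then scores a message that claims a local domain.  The domain list, relay whitelist, IP addresses, weight and sample messages are all constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for the hosted-domain list and the relay whitelist;
# on a real server these would come from its own configuration.
LOCAL_DOMAINS = {"example.com", "example.net"}
RELAY_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]  # e.g. a hosting facility's web servers

FORGED_LOCAL_WEIGHT = 5  # points added when the test fires (assumed value, kept small on purpose)


@dataclass
class Message:
    """The fields the test needs, as the receiving server sees them."""
    subject: str
    mail_from: str      # envelope MAIL FROM
    header_from: str    # RFC 2822 From: header
    source_ip: str      # connecting client address
    smtp_auth: bool     # client authenticated with SMTP AUTH


def sender_domain(addr: str) -> str:
    """Return the lowercased domain of 'Name <user@dom>' or 'user@dom' ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""


def is_whitelisted(ip: str) -> bool:
    """True when the source IP lies inside one of the whitelisted relay networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_WHITELIST)


def forged_local_test(msg: Message) -> tuple[int, str]:
    """Score a message that claims a local domain without being an authorised sender.

    Returns (points, reason).  Authorised senders are exempted before the domain
    check; that exemption is what keeps web forms and appliances on known hosts
    from becoming false positives.
    """
    if msg.smtp_auth:
        return 0, "sender authenticated with SMTP AUTH"
    if is_whitelisted(msg.source_ip):
        return 0, "source IP is a whitelisted relay"

    hits = []
    if sender_domain(msg.mail_from) in LOCAL_DOMAINS:
        hits.append("MAILFROM")
    if sender_domain(msg.header_from) in LOCAL_DOMAINS:
        hits.append("FROM")
    if not hits:
        return 0, "no local domain claimed"
    return FORGED_LOCAL_WEIGHT, "claims local domain via " + "+".join(hits) + " from unauthorised host"


# Constructed sample traffic mirroring the cases discussed in the thread.
SAMPLES = [
    Message("Complimentary 30 Day Supply of Phentermine!",   # spam forging a hosted domain
            "sales@example.com", "Sales <sales@example.com>", "203.0.113.77", False),
    Message("Used Vehicle Inquiry - [name removed]",          # web form on a whitelisted hosting box
            "www@example.com", "Web Form <www@example.com>", "192.0.2.10", False),
    Message("New firmware available.",                        # appliance on a customer DSL line, not whitelisted
            "firewall@example.net", "firewall@example.net", "198.51.100.23", False),
    Message("Re: your order",                                 # customer's own mail client, authenticated
            "bob@example.net", "Bob <bob@example.net>", "198.51.100.40", True),
    Message("Lowest Mortgage Rates in 45 Years!",             # spam not claiming a local domain at all
            "x@other.example", "x@other.example", "203.0.113.9", False),
]


def score_samples() -> dict[str, int]:
    """Run the test over SAMPLES and return {subject: points}."""
    return {m.subject: forged_local_test(m)[0] for m in SAMPLES}


if __name__ == "__main__":
    for m in SAMPLES:
        points, why = forged_local_test(m)
        print(f"{points:>2}  {m.subject:<45} ({why})")
```

The third sample (the firmware notice from an appliance on an unlisted address) is exactly the false positive Matt describes: the test fires on it just as it does on the spam.  That is why the weight is a few points that combine with other failed tests rather than a delete-on-hit rule, and why the whitelist and SMTP AUTH exemptions have to be maintained as customers add form handlers and appliances.
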