Ok, I set up a test using SPAMDOMAINS functionality as was described in
this thread. It just caught two E-mails; however, both were not
actually forged, but instead the HELO From address included a long
string for list washing of bounced addresses. One of these is in
Bill's list in fact:
Received: from mail03-art-edu.mx07.com [209.66.76.42] by
my-hosted-domain.com with ESMTP
(SMTPD32-7.13) id A10141101A8; Sat, 20 Sep 2003 01:09:21 -0400
Received: (from [EMAIL PROTECTED])
by mail03-art-edu.mx07.com (8.8.8/8.8.8) id AAA89631;
Sat, 20 Sep 2003 00:18:39 -0400 (EDT)
Date: Sat, 20 Sep 2003 01:07:37 -0400 (EDT)
Message-Id: <[EMAIL PROTECTED]>
From: The Arts & Education Source
<[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [16] What is Phentermine?
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="MIME_BOUNDARY-23113-0-1064028662"
X-Declude-Sender: [EMAIL PROTECTED] [209.66.76.42]
X-Declude-Spoolname: De101041101a8865d.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service
(www.igaia.com) for spam.
X-Note: This E-mail was sent from mail03-art-edu.mx07.com
([209.66.76.42]).
X-Spam-Tests-Failed: SPAMCOP, MAILPOLICE-BULK, NOLEGITCONTENT,
FORGEDASLOCAL, W-HIGH, W-MED, W-LOW, W-SUB [16]
When I assembled my stats I worked from the E-mail's From address found
in the headers and not in the HELO (X-Declude-Sender). It appears that
setting this up using SPAMDOMAINS will result in scoring any bounce
handlers that include the receiver's address in the HELO data, but not
necessarily in the message's headers. Our tests were not checking the
same things, and it appears that much of what you are catching are
bounce addresses. I was using MAILFROM with ENDSWITH which doesn't
catch these bounce addresses. I double checked, and forged senders
continue to be very rare on my server. I don't know that I want to
punish bulk-mailers that are looking for bounces either since many in
fact are legitimate, such as several from a recent post referenced by
Andrew:
im31877-errors+863709.954008572+[[EMAIL PROTECTED]
OWNER-NOLIST-20030821115189*[[EMAIL PROTECTED]
spencer1-errors+860989.389749042+[[EMAIL PROTECTED]
realestateweekly-text-return-44-[[EMAIL PROTECTED]
IMCEAEX-_O=CARLSON_OU=NATRVCN018-TORONTO_CN=EXRECIPIENTS_CN=[[EMAIL PROTECTED]
sentto-4331469-1096-1061380934-[[EMAIL PROTECTED]
Maybe I set up my test wrong (just one domain.tld per line)? If not,
it's probably important to know that you are adding scores to these
things. SPAMDOMAINS works as a CONTAINS filter and not an ENDSWITH
filter, so it's going to get tagged all the time with bounce messages
instead of forged local senders.
BTW, I found the forged E-mails by searching for "@my-local-domain.tld
[" since that is unique formatting for the X-Declude-Sender line.
Matt
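To make the CONTAINS-versus-ENDSWITH distinction above concrete, here is an added Python model of the two tests run over X-Declude-Sender lines; it is not Declude's own code, and the local domain, addresses and IPs are constructed placeholders (the relay-IP whitelist mirrors what Bill describes further down in the thread).

```python
import re

# Constructed values for illustration; not the thread's real domains, addresses or IPs.
LOCAL_DOMAINS = ("my-local-domain.tld",)
RELAY_IPS = {"192.0.2.25"}   # hosts allowed to relay, whitelisted by IP

# X-Declude-Sender carries "address [ip]", the format searched on with "@domain [".
_SENDER_RE = re.compile(r"^X-Declude-Sender:\s*(?P<addr>\S+)\s+\[(?P<ip>[^\]]+)\]\s*$")

def parse_declude_sender(line):
    """Return (envelope sender, connecting IP) from an X-Declude-Sender line, or None."""
    m = _SENDER_RE.match(line.strip())
    return (m.group("addr").lower(), m.group("ip")) if m else None

def spamdomains_hit(addr):
    """Model of SPAMDOMAINS as a CONTAINS test: a local domain anywhere in the address."""
    return any(d in addr for d in LOCAL_DOMAINS)

def mailfrom_endswith_hit(addr):
    """Model of MAILFROM with ENDSWITH: only the real domain part of the address counts."""
    return any(addr.endswith("@" + d) for d in LOCAL_DOMAINS)

def classify(line):
    """Label a header line: 'relay' (IP whitelisted), 'forged' (ENDSWITH hit from a
    non-relay IP), 'bounce' (CONTAINS-only hit, e.g. a VERP bounce handler) or 'clean'."""
    parsed = parse_declude_sender(line)
    if parsed is None:
        raise ValueError("not an X-Declude-Sender line")
    addr, ip = parsed
    if ip in RELAY_IPS:
        return "relay"
    if mailfrom_endswith_hit(addr):
        return "forged"
    if spamdomains_hit(addr):
        return "bounce"
    return "clean"

# Constructed samples: a forgery of the local domain, a VERP-style bounce handler that
# embeds the recipient's address, a customer web form relaying from a whitelisted IP,
# and ordinary outside mail.
SAMPLES = [
    "X-Declude-Sender: promo@my-local-domain.tld [203.0.113.9]",
    "X-Declude-Sender: news-errors+12345+user=my-local-domain.tld@lists.example.net [198.51.100.7]",
    "X-Declude-Sender: webform@my-local-domain.tld [192.0.2.25]",
    "X-Declude-Sender: friend@example.org [203.0.113.44]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```

The second sample is the case the thread is about: the CONTAINS model scores it, the ENDSWITH model does not.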
Bill Landry wrote:
We whitelist the IP address of any
system we permit to relay through our IMail server, and all of our
customers either use SMTP Auth or we whitelist their IP address space.
So the only time we have seen a problem is with some mailing lists and
e-card services, which we accommodate via filtering.
As a quick test, I separated out my
hosted domains from the SPAMDOMAINS file and created a new spamdomains
test called FORGED-DOMAINS. Here are the subjects of the messages I
have flagged with this test within the past 5 minutes:
2 Subject: Complimentary 30 Day Supply of Phentermine!
1 Subject: [NAME WITHHELD] Where to deposit your Payroll?
1 Subject: Someone wants to date you
1 Subject: Self-paced degree programs for busy adults
1 Subject: Please claim your gift
1 Subject: Lowest Mortgage Rates in 45 Years!
1 Subject: Get a Proven Anti - Aging Creme at No Charge
1 Subject: Credit Relief
1 Subject: Complimentary 30 Day Supply of Phentermine!
1 Subject: Absolutely Free, CostsNothing, FreeAir Tickets
1 Subject: 4 F r e e Airline Tickets + $100 Cash Back
1 Subject: 3 months of FREE Satellite TV
1 Subject: 0% Auto Loans!
1 Subject: you are *approved already. No credit check
Looks like a very effective test to me.
Bill
----- Original Message -----
Sent: Friday, September 19, 2003 2:16 PM
Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local address
Bill,
It's because it is very rare that you see spam faking your address,
0.1% from a recent test, and much more common that false positives will
be created as was noted. I was able to monitor this behavior because
unfortunately the DYNAMIC filter catches but doesn't score intra-server
domain E-mail, and I searched for this knowing they would all be in
there. In other words, filtering for from addresses faked to say they
are from your own domain would have a false positive rate of around
75%, or at least that would be so on my server. One prime example is
that many of my customers' Web sites with forms will send the
submission as if it came from the customer's own domain, and thus fail
the test. Lots of ecommerce is done this way. It's a very bad idea in
my opinion. Maybe I'm missing something though???
Using SPAMDOMAINS to filter for local domains would also be just as
problematic I would think. You might not have issues based on the
makeup of your customers and maybe not caring too much about gray area
commercial stuff like greeting cards which might fail the filters. No
way would I start whitelisting stuff either based on something which
would properly add points so rarely. Are you not seeing the same very
low incidence of this type of thing? Or is that unique to my own
customer base?
Matt
Bill Landry wrote:
----- Original Message -----
From: Matthew Bramble
I highly recommend not filtering the fake MAILFROM for your local domains.
Why not? I don't actually do this, rather I use SPAMDOMAIN instead. But I
don't see a problem doing it with MAILFROM in a filter file either.
Bill