Scott, is this list moderated?  I sent a response to the list regarding this thread on Friday and it has not shown up on the list.  This has happened to me at least three times over the past month or so.
 
Matt, the addresses you are referring to below are not bounce messages, they are Variable Envelope Return Path (VERP) addresses that some list servers use to manage bounce messages and automate address removal.  And just because lots of spammers are starting to implement and support VERP on their spam lists does not mean that I want to deliver these spam messages to my customers.
 
Do the subjects shown in the attached text file (zipped to pass spam filters) that have been flagged so far today (by the FORGED-DOMAINS spamdomains test I set up) look like legit, non-spam messages?  Over 90% of these messages are sent by VERP-style from addresses, but so what, they are still clearly spam that my customers do not want.
 
Anyway, what works for me in my battle to fight spam may not work for you, and vice versa.  BTW, the search string I used to output this file is shown at the top of the attached file.
 
Bill

----- Original Message -----
Sent: Friday, September 19, 2003 11:05 PM
Subject: Re: [Declude.JunkMail] blocking spam faked as coming from local address

Ok, I set up a test using SPAMDOMAINS functionality as was described in this thread.  It just caught two E-mails, however both were not actually forged, but instead the HELO From address included a long string for list washing of bounced addresses.  One of these is in Bill's list in fact:

Received: from mail03-art-edu.mx07.com [209.66.76.42] by my-hosted-domain.com with ESMTP
  (SMTPD32-7.13) id A10141101A8; Sat, 20 Sep 2003 01:09:21 -0400
Received: (from [EMAIL PROTECTED])
by mail03-art-edu.mx07.com (8.8.8/8.8.8) id AAA89631;
Sat, 20 Sep 2003 00:18:39 -0400 (EDT)
Date: Sat, 20 Sep 2003 01:07:37 -0400 (EDT)
Message-Id: <[EMAIL PROTECTED]>
From: The Arts & Education Source <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [16] What is Phentermine?
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="MIME_BOUNDARY-23113-0-1064028662"
X-Declude-Sender: [EMAIL PROTECTED] [209.66.76.42]
X-Declude-Spoolname: De101041101a8865d.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from mail03-art-edu.mx07.com ([209.66.76.42]).
X-Spam-Tests-Failed: SPAMCOP, MAILPOLICE-BULK, NOLEGITCONTENT, FORGEDASLOCAL, W-HIGH, W-MED, W-LOW, W-SUB [16]

When I assembled my stats I worked from the E-mail's From address found in the headers and not in the HELO (X-Declude-Sender).  It appears that setting this up using SPAMDOMAINS will result in scoring any bounce handlers that include the receiver's address in the HELO data, but not necessarily in the message's headers.  Our tests were not checking the same things, and it appears that much of what you are catching are bounce addresses.  I was using MAILFROM with ENDSWITH which doesn't catch these bounce addresses.  I double-checked, and forged senders continue to be very rare on my server.  I don't know that I want to punish bulk-mailers that are looking for bounces either since many in fact are legitimate, such as several from a recent post referenced by Andrew:
im31877-errors+863709.954008572+[[EMAIL PROTECTED]
OWNER-NOLIST-20030821115189*[[EMAIL PROTECTED]
spencer1-errors+860989.389749042+[[EMAIL PROTECTED]
realestateweekly-text-return-44-[[EMAIL PROTECTED]
IMCEAEX-_O=CARLSON_OU=NATRVCN018-TORONTO_CN=EXRECIPIENTS_CN=[[EMAIL PROTECTED]
sentto-4331469-1096-1061380934-[[EMAIL PROTECTED]

Maybe I set up my test wrong (just one domain.tld per line)?  If not, it's probably important to know that you are adding scores to these things.  SPAMDOMAINS works as a CONTAINS filter and not an ENDSWITH filter, so it's going to get tagged all the time with bounce messages instead of forged local senders.

BTW, I found the forged E-mails by searching for "@my-local-domain.tld [" since that is unique formatting for the X-Declude-Sender line.

Matt

Attachment: ForgedDomainsSubjects.zip
Description: Zip compressed data
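
The difference between a CONTAINS-style and an ENDSWITH-style match discussed in this thread, as an added example that is not part of either message and is not Declude code. The addresses, the `local.example` domain and the function names are constructed for illustration; the VERP samples assume the common encoding where the recipient's `@` is written as `=`.

```python
# Added example (not Declude code): substring vs. suffix matching of a local
# domain against envelope senders. All addresses below are constructed.

LOCAL_DOMAIN = "local.example"  # assumed placeholder for the hosted domain

SAMPLES = [
    "bob@local.example",                                              # sender claims a local address
    "news-errors+863709.954008572+alice=local.example@bulk.example",  # VERP-style return path
    "sentto-4331469-1096-1061380934-alice=local.example@returns.example",  # VERP-style return path
    "dave@mail-local.example",                                        # look-alike domain
    "carol@elsewhere.example",                                        # unrelated sender
    "<>",                                                             # null sender
]


def normalise(sender):
    """Lower-case the envelope sender and drop surrounding angle brackets."""
    return sender.strip().strip("<>").lower()


def contains_match(sender, domain):
    """CONTAINS-style test: the domain appears anywhere in the sender."""
    return domain.lower() in normalise(sender)


def endswith_match(sender, domain):
    """ENDSWITH-style test: the sender's own domain is exactly the local one."""
    return normalise(sender).endswith("@" + domain.lower())


def classify(sender, domain=LOCAL_DOMAIN):
    """Separate senders that claim a local address from ones that only embed it."""
    if endswith_match(sender, domain):
        return "claims-local"      # candidate for the forged-as-local test
    if contains_match(sender, domain):
        return "embeds-local"      # hit only under CONTAINS, e.g. a VERP return path
    return "no-match"


def contains_only(senders, domain=LOCAL_DOMAIN):
    """Senders a CONTAINS filter would score but an ENDSWITH filter would not."""
    return [s for s in senders if classify(s, domain) == "embeds-local"]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):13} {s}")
```

Anchoring the suffix test on `"@" + domain` is what keeps the look-alike `mail-local.example` out of the "claims-local" bucket.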
