The one guy getting Joe Jobbed today is now up to 34 bounces from just four Asian domains, and that's only what I'm catching based on them returning the original content, and they would be passing if these were being bounced by senders that don't fail my FOREIGN filter because they score very low for my hold. He could be getting hundreds of these just today. I wouldn't be surprised if I get a call about this one on Monday, thankfully he's a friend of mine and won't blame me :)
The Joe Job from last week which is still winding down was passing through my server without getting caught at all. It was being sent to the person's contact record for their domain name registration, and it's configured as an off-server alias in IMail. I'm wondering if spam blocking works for this without me setting up a separate directory under Declude??? I'll have to test that out, seems strange that when he forwarded them back to me they were caught, but not caught when they were coming through my system.
I'm surprised that I haven't been hearing more people talking about this issue.
Matt
Markus Gufler wrote:
An idea: Unfortunately, NDRs are somewhat undefined, so it's not a general solution, but why not block NDRs (only during rush hours) and whitelist NDRs containing the original header with some Declude-specific X-Header lines?
Markus
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matthew Bramble
Sent: Saturday, January 03, 2004 6:49 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail] Any thoughts on blocking bounce messages from spam?
I think that Markus is mostly on the same page as I am on this issue.
So far today, I have managed to catch 22 bounces from a Joe Job on one customer's account that started late last night, and this is only what my server caught due to the bounces containing the original content that tripped my filters. The previous one seems to have died down. The one that's going on right now can be stopped by killing messages handled by the nobody alias since this one uses a fake address on my customer's domain.
The issue with writing a filter for this is that it might be very hard to target just undeliverable messages due to spam; it would probably be impossible to target just one subset as opposed to all of it. I'm thinking that I should write a filter for basically all bounces and virus notifications, and upon request, use a ROUTETO action (or whatever is appropriate) in the domain specific file, so that these messages are delivered to a sub-directory to where we are placing their held spam.
I'm also definitely going to start redirecting unaddressable stuff to a sub-directory by default as several of these Joe Jobs have used fake addresses, and that will take care of the problem.
So the course of action will be:
1) Give a choice to redirect the nobody alias to a sub-directory (for local accounts only).
2) Give a choice to have a filter redirect system generated messages to a sub-directory.
I would prefer not to have to turn this stuff off and on on a regular basis, so we'll see how receptive my clients are to this.
Matt
Markus Gufler wrote:
my customers are looking to me for a solution, imperfect as it may be in the end. I'm not by far sure about what to do.
Matt,
In this case maybe it's a solution to define a separate filter file (BLOCKBOUNCES) and put in this filter file as many bounce error strings as you can find. Then if a customer asks you if it's possible to block all these bounces you can explain to him that this is possible, but this can also block "real" error messages.
If your customer agrees you can create a per-user or per-domain junkmail file that does something with it. (add weight, block, routeto, ...)
Maybe it would be an idea to create something between John's Autowhite and Scott's Hijack: Hold any messages identified as NDR in a separate user directory. Then requeue them only if there are not more than X such messages in a certain time range. This would allow "regular" error reports going through and dynamically filter all of them during Joe-Job periods.
Maybe a problem can occur if a customer sends out a large number of e-mails and there are several bounces. But if this happens I assume that the addresses were not acquired "regularly" ;-)
Markus
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
--
Matthew S. Bramble
President and Technical Coordinator
iGaia Incorporated, Operator of NYcars.com
Office Phone: (518) 862-9042
Cellular: (518) 229-3375
Fax: (518) 862-9044
E-mail: [EMAIL PROTECTED] or [EMAIL PROTECTED]
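The two ideas raised in this thread (let through NDRs that return original headers carrying a server-specific X-header, and otherwise hold NDRs once more than X arrive in a time range) can be sketched as follows. This is an added example, not part of the original messages and not Declude or IMail configuration; the header name `X-Example-Outbound-Tag`, the thresholds and the sample bounces are constructed assumptions, and the decision is made on arrival rather than by holding and requeueing.

```python
import email
from collections import defaultdict, deque

OUTBOUND_TAG = "X-Example-Outbound-Tag"  # hypothetical header our server stamps on outbound mail

def is_ndr(envelope_from, raw):
    """Heuristic bounce detection: null sender, DSN content type, or daemon From."""
    msg = email.message_from_string(raw)
    if envelope_from in ("", "<>"):
        return True
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return True
    sender = (msg.get("From") or "").lower()
    return "mailer-daemon" in sender or "postmaster" in sender

def quotes_our_mail(raw):
    """True if the bounce body returns original headers carrying our tag.
    A fixed tag can be copied by a forger; a keyed per-message value is stronger."""
    body = raw.partition("\n\n")[2]
    return (OUTBOUND_TAG + ":").lower() in body.lower()

class NdrThrottle:
    def __init__(self, max_ndrs, window_seconds):
        self.max_ndrs, self.window = max_ndrs, window_seconds
        self.seen = defaultdict(deque)  # recipient domain -> recent NDR arrival times

    def decide(self, rcpt, envelope_from, raw, now):
        if not is_ndr(envelope_from, raw) or quotes_our_mail(raw):
            return "deliver"
        # Count per domain: Joe Jobs often use fake local parts on a real domain.
        times = self.seen[rcpt.rpartition("@")[2].lower()]
        times.append(now)
        while now - times[0] > self.window:
            times.popleft()
        return "deliver" if len(times) <= self.max_ndrs else "hold"

def make_bounce(quoted_headers):
    """Constructed sample NDR that returns the given original headers."""
    return ("From: MAILER-DAEMON@mx.example.net\nSubject: Undeliverable mail\n\n"
            "Delivery failed. Original headers follow:\n" + quoted_headers + "\n")

def demo():
    t = NdrThrottle(max_ndrs=3, window_seconds=600)
    forged = make_bounce("From: fake123@customer.example\nSubject: cheap pills")
    ours = make_bounce("From: bob@customer.example\n" + OUTBOUND_TAG + ": 1")
    out = [t.decide("fake%d@customer.example" % i, "<>", forged, i * 10) for i in range(5)]
    out.append(t.decide("bob@customer.example", "<>", ours, 50))
    out.append(t.decide("fake9@customer.example", "<>", forged, 1000))
    return out
```

Bounces that do not return the original headers cannot be matched against the tag, so during a burst they are held along with the forged ones.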
