Yep. Normally we can block about 95% of bounces (less than spam catch rates due to most bounces being from legit servers), but if there are several thousand bounces we still end up with a few hundred getting through.
It'll take some time to get the forging filter working properly, so it's liable to be a month or two with holidays and other pressing projects, but I'll report back here when I have something worthwhile. Darin. ----- Original Message ----- From: Todd Richards To: [email protected] Sent: Saturday, December 02, 2006 1:08 PM Subject: RE: [IMail Forum] New user problem Thanks Darin. Most of the stuff is getting caught and not getting to the end user. So that's good news for him (and they love me for it in the meantime). I do review all of the "hold" spam with fpReview (I love that utility) and have a few searches set up to quickly filter through it. So it's not even that big of a deal to me. My biggest concern was ending up being penalized (blacklisted) without trying to do anything about it. Also, I would appreciate any feedback on your other option if it ends up working. Thanks! Todd -------------------------------------------------------------------------------- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox Sent: Saturday, December 02, 2006 11:43 AM To: [email protected] Subject: Re: [IMail Forum] New user problem Hi Todd, Backscatter from forging spam is a serious problem, and what you are experiencing. What's happening is that a spammer has harvested your customer's email address, and is sending out spam through their zombie network forging your customer's email address. There are two ways to combat it: 1. Use SPF on your customers domain in the hopes that mail servers receiving the spam will check SPF, see that the message was forging spam, and not bounce back to you. This has limited success. If the receiving server had good filtering in place, and used proper no-bounce-on-spam procedures, you wouldn't be receiving the bounces anyway. 2. Filter on any information you can find within the email, like the original spammy subject, in order to push the bounces into review or delete range. This is also limited to responding to particular spammy subjects or constant forging with wrong names, and is very reactive and temporary. I have another idea that I'm discussing on another list right now to combat this in a more proactive manner. I'll report back if any progress is made towards implementing a filter. Darin. ----- Original Message ----- From: Todd Richards To: [email protected] Sent: Saturday, December 02, 2006 12:20 PM Subject: [IMail Forum] New user problem Hi Everyone - I'm not sure where this post belongs, so I will post here first. We took on hosting for one of our members mid-week last week, and there is a problem going on. Before the changeover, they complained that one of the users, in particular, was getting a TON of spam with their old host. I proudly said "no problem" as we have things clicking very nicely now with our setup. Well, the switch has been made and said user does not get the spam he was getting before. However, I'm seeing it in that Declude/Sniffer/etc is catching it. The stuff he was referring to as "spam" is bounced messages from other people. Either his email address has been hi-jacked, or his computer has as the bounced messages are coming in that say the message from "Wrong Name <[EMAIL PROTECTED]>" could not be delivered. The trail after that shows that they are definitely spam. I have been looking through the logs and can't see for sure that the originating message is coming through our server (I haven't spent hours looking at the logs). So I can't say for sure that he is sending it through us. But I'm worried about ending up blacklisted for sending this crap. I have asked the end-users to thoroughly scan his computer for problems, and fix if found. There is no on-site tech, so they asked about changing the email address. While I'm not opposed, if it is in fact his computer then that won't make much difference. Am I missing anything? Is there any better way to troubleshoot that you can think of? None of the other users on his domain are seeing this, and I have not seen this type of traffic from any of the other users we host mail for. For what it's worth we are using Imail 8.22 (with ALL patches), the latest version of Declude, Sniffer, and invURIBL 2.7 - all running on Windows 2003 Server. I appreciate any thoughts or direction on this. Thanks! Todd [EMAIL PROTECTED]
