Hi Matt,

How are you disabling bounces received at a particular account?

Darin.


----- Original Message ----- 
From: Matt 
To: [email protected] 
Sent: Saturday, December 02, 2006 9:26 PM
Subject: Re: [IMail Forum] New user problem


Todd,

Make sure just in case that he doesn't have another domain somewhere else that 
has a catch-all that is then redirecting all E-mail to this particular address. 
Most joe-jobs involve using bad addresses on real domains, and therefore the 
bounces tend to be undeliverable; however, when there is a catch-all, the volume 
can be significant.  A few weeks ago we were seeing over 100,000 bounces per 
day; however, only around 1,000 of those went to valid addresses.  I have 
however found several times the condition where a catch-all on another provider 
forwards all of these to a single user.  We do not allow that condition and 
force the customers to make changes.  You need to check the bodies of the 
messages to see if they are in fact going to random addresses on another domain.

Most backscatter that goes to good addresses will either happen very 
sporadically and randomly across one's user base, or come in bulk to a single 
address but clear up within 3 days to a week.  When the latter happens, we just 
block bounces to that account for a period of time and then lift the block once 
it has cleared up.  We do have one example though where an info@ account is 
forged by one small-time spammer 6 days a week for almost a year now, and we 
had to disable bounces for that account permanently.

Matt



Todd Richards wrote: 
  Thanks Darin.  Most of the stuff is getting caught and not getting to the end 
user.  So that's good news for him (and they love me for it in the meantime).  
I do review all of the "hold" spam with fpReview (I love that utility) and have 
a few searches set up to quickly filter through it.  So it's not even that big 
of a deal to me.  My biggest concern was ending up being penalized 
(blacklisted) without trying to do anything about it.

  Also, I would appreciate any feedback on your other option if it ends up 
working.  

  Thanks!

  Todd


------------------------------------------------------------------------------

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darin Cox
  Sent: Saturday, December 02, 2006 11:43 AM
  To: [email protected]
  Subject: Re: [IMail Forum] New user problem


  Hi Todd,

  Backscatter from forging spam is a serious problem, and what you are 
experiencing.  What's happening is that a spammer has harvested your customer's 
email address, and is sending out spam through their zombie network forging 
your customer's email address.

  There are two ways to combat it:

  1. Use SPF on your customer's domain in the hopes that mail servers receiving 
the spam will check SPF, see that the message was forging spam, and not bounce 
back to you.  This has limited success.  If the receiving server had good 
filtering in place, and used proper no-bounce-on-spam procedures, you wouldn't 
be receiving the bounces anyway.

  2. Filter on any information you can find within the email, like the original 
spammy subject, in order to push the bounces into review or delete range.  This 
is also limited to responding to particular spammy subjects or constant forging 
with wrong names, and is very reactive and temporary.

  I have another idea that I'm discussing on another list right now to combat 
this in a more proactive manner.  I'll report back if any progress is made 
towards implementing a filter.

  Darin.


  ----- Original Message ----- 
  From: Todd Richards 
  To: [email protected] 
  Sent: Saturday, December 02, 2006 12:20 PM
  Subject: [IMail Forum] New user problem


  Hi Everyone -

  I'm not sure where this post belongs, so I will post here first.

  We took on hosting for one of our members mid-week last week, and there is a 
problem going on.  Before the changeover, they complained that one of the 
users, in particular, was getting a TON of spam with their old host.  I proudly 
said "no problem" as we have things clicking very nicely now with our setup.  

  Well, the switch has been made and said user does not get the spam he was 
getting before.  However, I'm seeing it in that Declude/Sniffer/etc is catching 
it.  The stuff he was referring to as "spam" is bounced messages from other 
people.  Either his email address has been hijacked, or his computer has, as 
the bounced messages are coming in that say the message from "Wrong Name 
<[EMAIL PROTECTED]>" could not be delivered.  The trail after that shows that 
they are definitely spam.  I have been looking through the logs and can't see 
for sure that the originating message is coming through our server (I haven't 
spent hours looking at the logs).  So I can't say for sure that he is sending 
it through us.  But I'm worried about ending up blacklisted for sending this 
crap.

  I have asked the end-users to thoroughly scan his computer for problems, and 
fix if found.  There is no on-site tech, so they asked about changing the email 
address.  While I'm not opposed, if it is in fact his computer then that won't 
make much difference.

  Am I missing anything?  Is there any better way to troubleshoot that you can 
think of?  None of the other users on his domain are seeing this, and I have 
not seen this type of traffic from any of the other users we host mail for.

  For what it's worth we are using IMail 8.22 (with ALL patches), the latest 
version of Declude, Sniffer, and invURIBL 2.7 - all running on Windows 2003 
Server.

  I appreciate any thoughts or direction on this.

  Thanks!

  Todd

  [EMAIL PROTECTED]
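
Added example, not part of the original thread or any poster's code: a Python sketch of the check Matt describes, reading the returned original inside each bounce to see whether one mailbox is collecting bounces for many random addresses on another domain (the sign of a catch-all forwarding to it). The function names, the constructed sample bounce, the `.example` addresses and the `min_locals` threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed sample DSN (RFC 3464 layout); {addr} is the forged sender.
SAMPLE_BOUNCE = """Return-Path: <>
To: {addr}
Subject: Undeliverable mail
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b"

--b
Content-Type: text/plain

Delivery to the recipient failed.
--b
Content-Type: text/rfc822-headers

From: "Wrong Name" <{addr}>
Subject: constructed spam subject

--b--
"""

def forged_sender(msg):
    """From address of the returned original, else the bounce's own To."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":
            inner = message_from_string(part.get_payload())
        else:
            continue
        return parseaddr(inner.get("From", ""))[1].lower()
    return parseaddr(msg.get("To", ""))[1].lower()

def catch_all_suspects(raw_bounces, mailbox, min_locals=3):
    """Map domain -> forged local parts when many distinct ones hit `mailbox`."""
    seen = defaultdict(set)
    for raw in raw_bounces:
        msg = message_from_string(raw)
        # Only DSNs count: multipart/report or a null envelope sender.
        if msg.get_content_type() != "multipart/report" \
                and msg.get("Return-Path", "").strip() != "<>":
            continue
        addr = forged_sender(msg)
        if "@" in addr and addr != mailbox.lower():
            local, domain = addr.rsplit("@", 1)
            seen[domain].add(local)
    return {d: sorted(l) for d, l in seen.items() if len(l) >= min_locals}
```

Feed it the raw messages delivered to the affected account; any domain it returns is one whose catch-all is worth checking.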
