On 4/18/07, Mark Farver <[EMAIL PROTECTED]> wrote:
Werner Fleck wrote:
> I receive a lot of bounces for mail messages which I have not
> originally sent. Most of these bounces have the original mail somewhere
> in the body. The original mail often contains a "Received:" line with
> one of my domains but wrong IP addresses.
These are not necessarily forged bounce messages. Lately I've noticed
that spammers using zombies are forging the sender, and adding a forged
received line that contains the MX for the forged sender domain. It's
just like any other "joe job", but the addition of the fake received line
makes it look a little more legitimate.
Check the line just above the forged "received" line, odds are it will
be an obvious zombie host.
If a spammer is joe jobbing you, there is not much you can do. Reject
all mail for non-existent users during the SMTP transaction.
You could write some system that tags messages that were sent from your
host, and only allow bounces that have that identifier back through.
But all you end up doing is double bouncing the message, and some other
innocent postmaster will have to deal with it.
This system already exists: BATV, recently sent as an IETF draft.
http://mipassoc.org/batv/
allan
--
"The truth is an offense, but not a sin"
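Tagging the sender address on outgoing mail and then accepting only bounces that carry a valid tag, as the thread describes, in an added Python example of the BATV "prvs" layout (constructed here, not code from the BATV draft or any MTA; the HMAC-SHA256 signature, the demo key and the seven-day window are assumptions):

```python
import hashlib
import hmac
import re
import time

# Constructed demo secret; a real deployment keeps this in protected MTA config.
SECRET_KEY = b"constructed-demo-key"
KEY_NUMBER = 0   # single decimal digit identifying the signing key (allows rotation)
VALID_DAYS = 7   # bounces to a tag older than this are rejected


def _day_number(now=None):
    """Days since the Unix epoch; the prvs expiry field carries this mod 1000."""
    return int((time.time() if now is None else now) // 86400)


def _signature(key_num, expiry_ddd, loc_core, domain):
    # Six hex digits of an HMAC over the tag fields (hash choice is our assumption).
    msg = f"{key_num}{expiry_ddd:03d}{loc_core}@{domain}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:6]


def tag_address(address, now=None):
    """Rewrite user@domain into prvs=KDDDSSSSSS=user@domain for the envelope sender."""
    loc_core, domain = address.rsplit("@", 1)
    expiry = (_day_number(now) + VALID_DAYS) % 1000
    sig = _signature(KEY_NUMBER, expiry, loc_core, domain)
    return f"prvs={KEY_NUMBER}{expiry:03d}{sig}={loc_core}@{domain}"


_PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=([^@]+)@(.+)$", re.I)


def validate_bounce_recipient(address, now=None):
    """True only if the bounce is addressed to a tag we issued and it has not expired."""
    m = _PRVS_RE.match(address)
    if not m:
        return False  # untagged recipient: we never sent it, so treat the bounce as forged
    key_num, expiry, sig, loc_core, domain = m.groups()
    key_num, expiry = int(key_num), int(expiry)
    if key_num != KEY_NUMBER:
        return False
    # Expiry is a day number mod 1000; it must lie no more than VALID_DAYS ahead of today.
    today = _day_number(now) % 1000
    if (expiry - today) % 1000 > VALID_DAYS:
        return False
    expected = _signature(key_num, expiry, loc_core, domain)
    return hmac.compare_digest(expected, sig.lower())
```

The MTA would apply tag_address to the envelope sender on outbound mail and run validate_bounce_recipient on the RCPT TO of any null-sender (bounce) message, rejecting it during the SMTP transaction when the check fails.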