Re: [Declude.JunkMail] Dealing with Joe Jobs?

2011-12-07 Thread Darin Cox
Hi Dave,

We see this occasionally, and SPF does help a little, but SPF is often not
enforced, so it's more valuable for self-addressed spam than anything
else... and many senders violate their own SPF policy.

Deleting your MX doesn't help since the bounces are coming from all over,
not from the spammer.

We have occasionally put in additional filtering rules for the domain in
question to look for keywords such as Undeliverable and hold hits for
review, but most of the time our regular filtering does a good enough job
that the customer doesn't get most of the bounces.  Usually the joe-job
lasts for 1-2 weeks and then it's over.

Hope this helps,

Darin.


- Original Message -
From: Dave Beckstrom db...@atving.com
To: Declude.JunkMail@declude.com
Sent: Tuesday, December 06, 2011 7:12 PM
Subject: [Declude.JunkMail] Dealing with Joe Jobs?


Hi All,

This isn't a Declude topic but is relevant to dealing with a sort of spam
issue.  I hope nobody minds discussing this.  I would appreciate hearing any
advice you might have to offer.

I have a customer whose domain is being used for Joe Jobs.  Someone is
randomizing email addresses for this domain and presumably sending out
millions of emails.  My mail server is dealing with the backscatter.  I'm
getting probably close to 50 - 100 server connections a minute.

My smtp log shows the following type of entries (sanitized for posting
here):

17:23:50 [216.127.80.40][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [216.127.80.40][30884] cmd: EHLO shack.traxel.com
17:23:51 [216.127.80.40][30884] rsp: 250-PERSEUS Hello [216.127.80.40] 250-SIZE 62914560 250-AUTH LOGIN CRAM-MD5 250 OK
17:23:51 [216.127.80.40][30884] cmd: MAIL FROM:
17:23:51 [216.127.80.40][30884] rsp: 250 OK  Sender ok
17:23:51 [216.127.80.40][30884] cmd: RCPT TO:whiplash...@mycustomersdomain.com
17:23:51 [216.127.80.40][30884] rsp: 550 whiplash...@mycustomersdomain.com No such user here
17:23:51 [216.127.80.40][30884] cmd: RSET
17:23:51 [216.127.80.40][30884] rsp: 250 OK


I had my SPF records set incorrectly and it was instructing other mail
servers to accept email even if not from my mail server.  I changed the SPF
record a few days ago to instruct them to REJECT.  I don't know if that
change will eventually cause the spammer to move on to another domain or
not.

I actually deleted the customer's MX and A record for 2 days (over the
weekend) to see if that might cause the spammer to find another domain.
They aren't sending through my mail server, but I thought perhaps if their
spam target recipient's server checked for a valid mx and found none that
they would reject the spam.  The theory being if the bulk of the spammer's
email was rejected they might move on to another domain.  Unfortunately, as
soon as I added the MX and A record back then the backscatter started again.

How do you guys deal with these?  Just let it run its course?

Thanks,

Dave





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.
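
Added example, not part of the original thread: a Python pass over log lines in the layout quoted above that counts sessions where a null-sender message (a bounce) is refused at RCPT with 550, grouped per minute and per connecting IP. The sample lines, addresses and function name are constructed; treating the empty MAIL FROM: in the posted log as the null sender <> is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the posted log layout (documentation IPs and domains).
SAMPLE_LOG = """\
17:23:50 [192.0.2.10][30884] connected at 12/6/2011 5:23:50 PM
17:23:51 [192.0.2.10][30884] cmd: MAIL FROM:<>
17:23:51 [192.0.2.10][30884] cmd: RCPT TO:<qzxv1@customer.example>
17:23:51 [192.0.2.10][30884] rsp: 550 qzxv1@customer.example No such user here
17:23:52 [198.51.100.7][30885] cmd: MAIL FROM:
17:23:52 [198.51.100.7][30885] cmd: RCPT TO:kkp93@customer.example
17:23:52 [198.51.100.7][30885] rsp: 550 kkp93@customer.example No such user here
17:24:05 [203.0.113.5][30886] cmd: MAIL FROM:<alice@partner.example>
17:24:05 [203.0.113.5][30886] cmd: RCPT TO:<bob@customer.example>
17:24:05 [203.0.113.5][30886] rsp: 250 OK
17:24:09 [203.0.113.9][30887] cmd: MAIL FROM:<sender@other.example>
17:24:09 [203.0.113.9][30887] cmd: RCPT TO:<nobody@customer.example>
17:24:09 [203.0.113.9][30887] rsp: 550 nobody@customer.example No such user here
"""

LINE = re.compile(r"^(\d\d:\d\d):\d\d \[([^\]]+)\]\[(\d+)\] (cmd|rsp): (.*)$")

def summarize_backscatter(log_text):
    """Count 550 rejections at RCPT in sessions that used the null sender."""
    state = {}  # (ip, session id) -> [null_sender_seen, last_command]
    per_minute, sources = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # "connected at" lines and wrapped continuations
        minute, ip, sid, kind, text = m.groups()
        s = state.setdefault((ip, sid), [False, ""])
        if kind == "cmd":
            verb = text.upper()
            if verb.startswith("MAIL FROM:"):
                path = text[10:].split()
                # Assumption: an empty path in the log is the null sender "<>".
                s[0] = not path or path[0] == "<>"
                s[1] = "MAIL"
            elif verb.startswith("RCPT TO:"):
                s[1] = "RCPT"
            else:
                s[0] = s[0] and not verb.startswith("RSET")  # RSET clears the envelope
                s[1] = "OTHER"
        elif s[0] and s[1] == "RCPT" and text.startswith("550"):
            per_minute[minute] += 1
            sources[ip] += 1
    return {"total": sum(sources.values()),
            "per_minute": dict(per_minute), "sources": dict(sources)}
```

A high per-minute count spread thinly across many source IPs is the backscatter pattern discussed in this thread; a 550 on a non-null sender (session 30887 in the sample) is ordinary misaddressed or harvesting traffic and is not counted.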







RE: [Declude.JunkMail] Dealing with Joe Jobs?

2011-12-07 Thread Dave Beckstrom
Hi Darin,

Thanks for the reply.  The mail server seems to handle the bounces okay as
we don't have a catchall address set up.  The smtp server connects, gets a
no such user here response and disconnects.  No mail is actually
delivered.  At least that is my interpretation (from the log files) as to
what's happening.

I suspect this has been going on for months with the one domain.






Re: [Declude.JunkMail] Dealing with Joe Jobs?

2011-12-07 Thread Darin Cox
Ahh... so even the forged FROM addresses are invalid.  I see.  That's good
that it's not forging a valid address, which is what we usually see.  On our
systems we don't even see the ones bounced back to us to invalid addresses.

Darin.

