Re: [Declude.JunkMail] Joe Jobs
Hi Dave,

A firm SPF policy generally does help, but it depends on the receiving servers implementing SPF in order to block messages that violate your SPF policy. Aside from that and filtering that blocks any original included message content, there's nothing I know of that can stop bounces and responses that come from clean systems, unless you want to start writing filters specific to this customer that detect typical bounce messages.

Darin.

-----Original Message-----
From: Dave Beckstrom
Sent: Wednesday, November 28, 2012 3:16 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Joe Jobs

Hi All,

This isn't specifically a Declude question but I thought I'd ask anyway as it's still of interest to the group, I think.

I have one domain that is being referenced in a Joe Job. Essentially, a spammer sends out thousands of emails using various compromised computers. In the "FROM" field, they put randomaddr...@mydomain.com. My server gets all the backscatter email from the victims' servers. This has been going on for better than 6 months. My server can handle the volume. The real problem is my customer gets nasty emails from people who think they spammed them and they don't realize it had nothing to do with our server or my customer.

I've not been able to figure out a way to stop the spammers from using my domain in their FROM addresses. Essentially, I was trying to figure out if through SPF records or other means I could do something that would make referencing my domain ineffective for them. That didn't seem to help. Also, since they don't send through my server, there is little I can do.

Have any of you had to deal with this situation? Any clever ideas?

Thanks,
Dave

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to imail...@declude.com, and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
[Declude.JunkMail] Joe Jobs
Hi All,

This isn't specifically a Declude question but I thought I'd ask anyway as it's still of interest to the group, I think.

I have one domain that is being referenced in a Joe Job. Essentially, a spammer sends out thousands of emails using various compromised computers. In the "FROM" field, they put randomaddr...@mydomain.com. My server gets all the backscatter email from the victims' servers. This has been going on for better than 6 months. My server can handle the volume. The real problem is my customer gets nasty emails from people who think they spammed them and they don't realize it had nothing to do with our server or my customer.

I've not been able to figure out a way to stop the spammers from using my domain in their FROM addresses. Essentially, I was trying to figure out if through SPF records or other means I could do something that would make referencing my domain ineffective for them. That didn't seem to help. Also, since they don't send through my server, there is little I can do.

Have any of you had to deal with this situation? Any clever ideas?

Thanks,
Dave
[Declude.JunkMail] Joe-jobs and nobody aliases (again)
I made a determination last week that joe-jobs present a much bigger problem currently than dictionary attacks on my system, and soon I will be gatewaying off of a different machine which should solve the dictionary attack problem anyway (by accepting all messages). Because of this, I have been removing all of the nobody aliases for the domains that I host, though some of course are taking a little extra time because we're not totally sure what advertised addresses might have been used in some cases, or what dead accounts were being captured in this way as opposed to setting them up as aliases and redirected somewhere.

Last week one client that still had nobody active received about 150 bounce messages from AOL to addresses that didn't exist on this local domain (randomized). AOL wasn't bouncing any content which could be scored, and every last one of these messages landed in the manager's account. Obviously this was a big problem and as soon as we became aware of it, we got rid of the nobody alias. This fixed their immediate problem, though it doesn't fix problems where the address is forged to be a real account (there's a mix of this going on).

I've also just started building some spamtraps on some unused domains that I own. One account that I created last night is being used exclusively to unsubscribe to garbage that I get in a Web mail account of mine as well as subscribing to contest sites. To my astonishment, within 12 hours of creating this account, someone joe-jobbed it in a piece of spam sent to some account that didn't exist, and it was clearly spam that was sent with this from address. There is no way that this account was randomly guessed.

The preventive actions that I'm taking to help protect from such things besides removing the nobody alias is to create a filter that checks for the null sender. I'm capturing all hits to this filter and I am also scoring it at 50% of my fail weight, though that may rise. I figure that the bounces that contain spam content will have an easier time getting held, and for the most part, bounce messages are only failing CMDSPACE, so this isn't stopping messages that don't contain spam content (so far).

There was a suggestion by someone that a system be made that tracked repeated bounces, such as the AOL one described above. I feel that this may be the best way long term to maintain bounce functionality in the face of a problem that will likely get much worse over time. For now at least, the issue is mostly mitigated since most such things utilize fake users on joe-jobbed domains.

Matt

--
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
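Both Darin's suggestion (a filter that recognises typical bounce messages and looks at the original content they include) and Matt's null-sender filter plus the "track repeated bounces" idea can be put together in one small classifier. The Python below is an added illustration, not code from this list, from Declude, or from MailPure. It assumes our only outbound relay is called mail.example.com (a placeholder), that bounces arrive in the usual multipart/report shape with the original message or its headers attached, and that the SMTP envelope sender is available to the filter; the DSNs it tests against are constructed samples using reserved .invalid names. The verdict rests on whether the bounced copy ever passed through our relay; since those Received lines were written by the spammer's machine, a forger who knows the relay name can defeat that check, so the repeated-bounce counter is kept as the second signal.

```python
import re
from collections import Counter
from email import message_from_string
from email.policy import default

# Assumption: our one outbound relay. A bounced message that never passed
# through it was never sent by us, so the DSN is backscatter from a joe job.
OUR_RELAY = "mail.example.com"


def is_null_sender(envelope_from):
    """Delivery status notifications must use the SMTP null reverse-path."""
    return envelope_from.strip() in ("", "<>")


def embedded_original(msg):
    """The original message a DSN carries (message/rfc822 or
    text/rfc822-headers), or None when the bouncing MTA included nothing."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload()[0]
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=default)
    return None


def relay_hosts(message):
    """Hosts named in 'Received: from <host> ...' headers, topmost first."""
    hosts = []
    for received in message.get_all("Received", []):
        m = re.match(r"\s*from\s+([^\s(;]+)", str(received))
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def classify(envelope_from, raw_message):
    """Verdicts: not-a-bounce, bounce-no-original, bounce-legitimate, backscatter.
    Received headers inside the bounced copy are forgeable by the sender, so a
    forger who knows OUR_RELAY can pass this check; it catches the common case."""
    if not is_null_sender(envelope_from):
        return "not-a-bounce"
    original = embedded_original(message_from_string(raw_message, policy=default))
    if original is None:
        return "bounce-no-original"   # nothing to verify: score like a null-sender hit
    if OUR_RELAY in relay_hosts(original):
        return "bounce-legitimate"
    return "backscatter"


def bouncing_mta(raw_message):
    """The host that handed the DSN to us: the topmost Received header."""
    hosts = relay_hosts(message_from_string(raw_message, policy=default))
    return hosts[0] if hosts else "unknown"


class BounceTracker:
    """Counts unverifiable bounces per bouncing MTA (the repeated-bounces idea);
    record() returns True once a host has crossed the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.counts = Counter()

    def record(self, mta, verdict):
        if verdict in ("backscatter", "bounce-no-original"):
            self.counts[mta] += 1
        return self.counts[mta] >= self.threshold


def make_dsn(bouncing_host, original_received, original_from):
    """Constructed DSN in the multipart/report shape MTAs send (sample data)."""
    return f"""Received: from {bouncing_host} ([192.0.2.10]) by {OUR_RELAY}
From: Mail Delivery Subsystem <MAILER-DAEMON@{bouncing_host}>
To: {original_from}
Subject: Undeliverable mail
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

The following address failed: victim@{bouncing_host}
--B
Content-Type: message/delivery-status

Reporting-MTA: dns; {bouncing_host}

Final-Recipient: rfc822; victim@{bouncing_host}
Action: failed
Status: 5.1.1

--B
Content-Type: message/rfc822

Received: {original_received}
From: {original_from}
To: victim@{bouncing_host}
Subject: (original subject)

(original body)
--B--
"""


AOL_MX = "mailin-01.mx.aol.invalid"   # constructed name for the bouncing MTA
# Joe job: the spam left a compromised PC and never touched our relay.
BACKSCATTER_DSN = make_dsn(AOL_MX, f"from compromised-pc.isp.invalid ([203.0.113.5]) by {AOL_MX}",
                           "xk7q2@mydomain.example")
# Real bounce: our customer's mail went out through our relay to a dead address.
LEGIT_DSN = make_dsn(AOL_MX, f"from {OUR_RELAY} ({OUR_RELAY} [198.51.100.2]) by {AOL_MX}",
                     "sales@mydomain.example")
# Ordinary inbound mail, not a bounce at all.
NORMAL_MAIL = "From: friend@aol.invalid\nTo: sales@mydomain.example\nSubject: hi\n\nhello\n"


def demo():
    verdicts = [classify("<>", BACKSCATTER_DSN), classify("<>", LEGIT_DSN),
                classify("friend@aol.invalid", NORMAL_MAIL), classify("<>", NORMAL_MAIL)]
    tracker = BounceTracker(threshold=3)
    flags = [tracker.record(bouncing_mta(BACKSCATTER_DSN), "backscatter") for _ in range(3)]
    return verdicts, flags


if __name__ == "__main__":
    print(demo())
```

In a real filter the "backscatter" verdict would carry a hold or reject weight and "bounce-no-original" a partial score, which is what Matt's 50%-of-fail-weight null-sender rule does today; the tracker output is the extra signal for the AOL-style flood of content-free bounces that no content score can catch.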