Re: Backscatter solutions
Marc Grober <[EMAIL PROTECTED]> writes:
> I am getting pounded by backscatter as a result of one of my addresses
> being used by some major spammers. Are there any solutions available
> to address all the Delivery failure and bounce notices. I would at
> least like to be able to sort between such responses from mail I am
> actually sending and the backscatter. I have looked through headers
> and nothing seems an obvious candidate.

I am using address rewriting for all addresses @rath.org:

- Every outgoing mail has its envelope from rewritten to
  @bounce.rath.org, a domain name that isn't used for anything else
- Bounces (i.e., mails coming with envelope from <>) sent to @rath.org
  are rejected as backscatter.
- Mail to @bounce.rath.org is rewritten back to @rath.org

So far this has worked perfectly. But of course, there might be software that sends bounces to the From: or Reply-To: address. So if you want to use this not exclusively for your own address, you probably want to be careful.

HTH,

-Nikolaus

--
[EMAIL PROTECTED] | College Ring 6, 28759 Bremen, Germany
Class of 2008 - Physics | Jacobs University Bremen

»My opinions may have changed, but not the fact that I am right.«

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html

Re: Backscatter solutions
On May 9, 2008, at 6:15 AM, Joseph Brennan wrote:
> Forget SPF. Why should any system accept mail for an unknown recipient
> and then mail a bounce? That's the primary cause of backscatter. These
> systems are just as likely to accept the message, then check SPF, and
> mail a bounce :-)

There are a number of different systems that try to be smart about when to send back a bounce message. Pretty much every MLM besides Mailman includes logic attempting to return valid syntax errors to senders, but avoid backscattering people.

SPF is obviously part of that equation. And it does help fairly significantly in practice. We have some wide open/non-filtered mailboxes that we are required to run. Implementing SPF on those mailboxes reduced our backscatter by about 24% instantly, which was just under 500 messages a day.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

Re: Backscatter solutions
On May 9, 2008, at 12:05 AM, Andy Fiddaman wrote:
> Pretty much the only way to stop this is to use something like BATV to
> tweak your envelope sender address outbound. That still doesn't stop

I really wish people would avoid making statements like this. They are read by people who don't realize that you're either ignoring significant options, or not explaining why you don't think they work and they carry this misinformation onward with them.

Please try to avoid these over-generalizations. If you want to make the claim that "only this one thing works" then back it up with details about why none of the dozen or so other choices don't work for you.

And please add "for me/my environment" to your statements, because there's a lot of different options that work very well but have limitations that affect only a few environments.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

Re: Backscatter solutions
We're looking at this as a solution:

http://www.snertsoft.com/sendmail/milter-null/

Karl

--
Karl Boyken, system administrator [EMAIL PROTECTED]
303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/
The U. of Iowa, Iowa City, IA 52242
319-335-2730 (voice) 319-335-3668 (fax)

Re: Backscatter solutions
Ian Eiloart <[EMAIL PROTECTED]> wrote:
> If you aren't using SPF, then you can't really complain about backscatter.

Forget SPF. Why should any system accept mail for an unknown recipient and then mail a bounce? That's the primary cause of backscatter. These systems are just as likely to accept the message, then check SPF, and mail a bounce :-)

This is getting off topic for the Cyrus list though. The question relevant to Cyrus, I thought, was whether a sieve filter can catch backscatter. With header-only tests, not so much.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology

Re: Backscatter solutions
On Fri, 9 May 2008, Mike Cathey wrote:
; On May 9, 2008, at 3:05 AM, Andy Fiddaman wrote:
; > Pretty much the only way to stop this is to use something like BATV to
; > tweak your envelope sender address outbound. That still doesn't stop
; > everything as out-of-office replies are usually sent from a real address.
;
; BATV changes the from address of outbound messages. How well do mailing lists
; deal with users that send messages from a different address each time? Is
; there a nice workaround for this?

It only changes the envelope address, leaving the From: message header intact. In my experience mailing lists validate the From: header not the return path so no problems. I haven't found any problems in the past year I've been using it.

HTH.

A.

Re: Backscatter solutions
On May 9, 2008, at 3:05 AM, Andy Fiddaman wrote:
> Pretty much the only way to stop this is to use something like BATV to
> tweak your envelope sender address outbound. That still doesn't stop
> everything as out-of-office replies are usually sent from a real
> address.

BATV changes the from address of outbound messages. How well do mailing lists deal with users that send messages from a different address each time? Is there a nice workaround for this?

Cheers,

Mike

Re: Backscatter solutions
On Fri, 9 May 2008, Andy Fiddaman wrote:
> From: Andy Fiddaman <[EMAIL PROTECTED]>
> Cc: info-cyrus@lists.andrew.cmu.edu
> Date: Fri, 9 May 2008 07:05:06 + (GMT)
> Subject: Re: Backscatter solutions

...

> Pretty much the only way to stop this is to use something like
> BATV to tweak your envelope sender address outbound. That still
> doesn't stop everything as out-of-office replies are usually sent
> from a real address.
>
> http://tools.ietf.org/html/draft-levine-mass-batv-02
> http://sourceforge.net/projects/batv-milter/

See:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECTverifyPRVS

for details of how to implement BATV using exim.

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED] Phone: +44 1225 386101

Re: Backscatter solutions
--On 8 May 2008 17:38:18 -0700 Scott Likens <[EMAIL PROTECTED]> wrote:
> I wish that was really true,
>
> However having a spammer recently using my domain and email address to
> spam viagra. SPF etc don't really work unless the receiver is using
> SPF checking.

If you aren't using SPF, then you can't really complain about backscatter. If you deploy SPF, then you can expect a bit less backscatter, and you can encourage others to check your SPF records.

--
Ian Eiloart
IT Services, University of Sussex
x3148

Re: Backscatter solutions
; Marc Grober wrote:
; > I am getting pounded by backscatter as a result of one of my addresses
; > being used by some major spammers. Are there any solutions available to
; > address all the Delivery failure and bounce notices. I would at least
; > like to be able to sort between such responses from mail I am actually
; > sending and the backscatter. I have looked through headers and nothing
; > seems an obvious candidate.

Pretty much the only way to stop this is to use something like BATV to tweak your envelope sender address outbound. That still doesn't stop everything as out-of-office replies are usually sent from a real address.

http://tools.ietf.org/html/draft-levine-mass-batv-02
http://sourceforge.net/projects/batv-milter/

A.

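An added example, not part of any post in this thread and not code from batv-milter or exim: a minimal Python sketch of the BATV idea discussed above, in which the outbound envelope sender gets a keyed, expiring tag and a bounce (MAIL FROM:<>) is accepted only if its recipient carries a valid tag. The tag layout (`prvs=KDDDSSSSSS=local@domain`, HMAC-SHA1 truncated to three bytes) is modeled on the draft linked above; the key, the lifetime and the function names are assumptions made for this example.

```python
import hashlib
import hmac

DAY = 86400
KEY = b"constructed-demo-secret"  # constructed sample key; keep a real one private
KEY_NUM = 0                       # K: single digit naming the key in use
LIFETIME_DAYS = 7                 # assumed validity window for a tag


def _sig(key_num, ddd, addr):
    """Six hex digits: first 3 bytes of HMAC-SHA1 over K, DDD and the address."""
    msg = f"{key_num}{ddd:03d}{addr}".encode()
    return hmac.new(KEY, msg, hashlib.sha1).digest()[:3].hex()


def sign(addr, now):
    """Tag the envelope sender of an outbound message."""
    local, domain = addr.rsplit("@", 1)
    ddd = (int(now) // DAY + LIFETIME_DAYS) % 1000  # expiry day, low 3 digits
    return f"prvs={KEY_NUM}{ddd:03d}{_sig(KEY_NUM, ddd, addr)}={local}@{domain}"


def verify(rcpt, now):
    """Return the original address if rcpt has a valid, unexpired tag, else None."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("=", 2)
    if len(parts) != 3 or parts[0] != "prvs" or len(parts[1]) != 10:
        return None
    tag, orig_local = parts[1], parts[2]
    if not (tag[:4].isascii() and tag[:4].isdigit()):
        return None
    key_num, ddd, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    addr = f"{orig_local}@{domain}"
    expected = _sig(key_num, ddd, addr)
    if key_num != KEY_NUM or not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    today = (int(now) // DAY) % 1000
    if (ddd - today) % 1000 > LIFETIME_DAYS:  # expired, or dated too far ahead
        return None
    return addr


def accept_rcpt(mail_from, rcpt, now):
    """RCPT-time decision: a null-sender message must target a tagged address."""
    if mail_from == "":  # bounce / DSN
        return verify(rcpt, now) is not None
    return True  # ordinary mail is left to the other filters
```

Only the envelope is tagged; the From: header stays as it was, which is why the caveat about out-of-office replies still applies.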
Re: Backscatter solutions
Scott, I appreciate your enthusiasm, but your logic is flawed and your percentages are off by greater than 88 percent.

SPF is useful for what it does. It does limit backscatter (more places check SPF than don't). It's a piece of the puzzle, and fairly effective for what it does.

On May 8, 2008, at 5:38 PM, Scott Likens wrote:
> I wish that was really true,
>
> However having a spammer recently using my domain and email address to
> spam viagra. SPF etc don't really work unless the receiver is using
> SPF checking.
>
> The simple truth is, bots check mailing lists, spam as users like you
> or I. They find a new target, and start over and over again.
>
> They don't care about SPF, or anything related to that. Because if
> 5-10% of their spam gets filtered, that still means they were only
> shorted by 10,000 emails maybe.
>
> ... Truthfully the real solution is for ISPs to cancel those accounts
> when reported, and report them when you catch them. It's a cat and
> mouse game that until there is an OS that 90% of the World uses that
> isn't exploitable in under 30 Seconds... will never end.
>
> As there is always some vulnerability, there is always someone willing
> to use that vulnerability for purposes of making money.
>
> On May 8, 2008, at 4:55 PM, Jules Agee wrote:
>
>> Marc Grober wrote:
>>> I am getting pounded by backscatter as a result of one of my addresses
>>> being used by some major spammers. Are there any solutions available to
>>> address all the Delivery failure and bounce notices. I would at least
>>> like to be able to sort between such responses from mail I am actually
>>> sending and the backscatter. I have looked through headers and nothing
>>> seems an obvious candidate.
>>
>> Setting up SPF for your domains will help.
>> http://www.openspf.org/
>>
>> --
>> Jules Agee
>> System Administrator
>> Pacific Coast Feather Co.
>> [EMAIL PROTECTED] x284

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

Re: Backscatter solutions
Marc:

Read this:

http://spamlinks.net/prevent-secure-backscatter.htm

then use what I use:

http://elqui.dcsc.utfsm.cl/util/email/backscatter.html

regards,

Marc Grober wrote:
> I am getting pounded by backscatter as a result of one of my addresses
> being used by some major spammers. Are there any solutions available to
> address all the Delivery failure and bounce notices. I would at least
> like to be able to sort between such responses from mail I am actually
> sending and the backscatter. I have looked through headers and nothing
> seems an obvious candidate.

--
MSc. Marcelo Maraboli Rosselott
Jefe Area de Redes y Comunicaciones (Network & UNIX Systems Engineer)
Ingeniero Civil Electronico, CISSP (MSc., Electronic Engineer, CISSP)
Direccion Central de Servicios Computacionales (DCSC)
Universidad Tecnica Federico Santa Maria
phone: +56 32 2654071
Chile.
http://www.usm.cl
http://elqui.dcsc.utfsm.cl

Re: Backscatter solutions
I wish that was really true,

However having a spammer recently using my domain and email address to spam viagra. SPF etc don't really work unless the receiver is using SPF checking.

The simple truth is, bots check mailing lists, spam as users like you or I. They find a new target, and start over and over again.

They don't care about SPF, or anything related to that. Because if 5-10% of their spam gets filtered, that still means they were only shorted by 10,000 emails maybe.

... Truthfully the real solution is for ISPs to cancel those accounts when reported, and report them when you catch them. It's a cat and mouse game that until there is an OS that 90% of the World uses that isn't exploitable in under 30 Seconds... will never end.

As there is always some vulnerability, there is always someone willing to use that vulnerability for purposes of making money.

On May 8, 2008, at 4:55 PM, Jules Agee wrote:
> Marc Grober wrote:
>> I am getting pounded by backscatter as a result of one of my addresses
>> being used by some major spammers. Are there any solutions available to
>> address all the Delivery failure and bounce notices. I would at least
>> like to be able to sort between such responses from mail I am actually
>> sending and the backscatter. I have looked through headers and nothing
>> seems an obvious candidate.
>
> Setting up SPF for your domains will help.
> http://www.openspf.org/
>
> --
> Jules Agee
> System Administrator
> Pacific Coast Feather Co.
> [EMAIL PROTECTED] x284

Re: Backscatter solutions
Marc Grober wrote:
> I am getting pounded by backscatter as a result of one of my addresses
> being used by some major spammers. Are there any solutions available to
> address all the Delivery failure and bounce notices. I would at least
> like to be able to sort between such responses from mail I am actually
> sending and the backscatter. I have looked through headers and nothing
> seems an obvious candidate.

Setting up SPF for your domains will help.
http://www.openspf.org/

--
Jules Agee
System Administrator
Pacific Coast Feather Co.
[EMAIL PROTECTED] x284

Re: Backscatter solutions
Hi,

as every MTA software uses other templates for these kinds of bounces, there is not "one" header you can use for this kind of filtering.

We use the vbounce rule from spamassassin, which adds *BOUNCE_MESSAGE entries to the header X-Spam-Status to filter this kind of backscatter.

http://wiki.apache.org/spamassassin/VBounceRuleset

Quoting Marc Grober <[EMAIL PROTECTED]>:
> I am getting pounded by backscatter as a result of one of my addresses
> being used by some major spammers. Are there any solutions available to
> address all the Delivery failure and bounce notices. I would at least
> like to be able to sort between such responses from mail I am actually
> sending and the backscatter. I have looked through headers and nothing
> seems an obvious candidate.

M.Menge                            Tel.: (49) 7071/29-70316
Universitaet Tuebingen             Fax.: (49) 7071/29-5912
Zentrum fuer Datenverarbeitung     mail: [EMAIL PROTECTED]
Waechterstrasse 76
72074 Tuebingen

Backscatter solutions
I am getting pounded by backscatter as a result of one of my addresses being used by some major spammers. Are there any solutions available to address all the Delivery failure and bounce notices. I would at least like to be able to sort between such responses from mail I am actually sending and the backscatter. I have looked through headers and nothing seems an obvious candidate.