[Declude.JunkMail] Joe Jobs

2012-11-28 Thread Dave Beckstrom
Hi All,

This isn't specifically a Declude question but I thought I'd ask anyway as
it's still of interest to the group, I think.

I have one domain that is being referenced in a Joe Job.  Essentially, a
spammer sends out thousands of emails using various compromised computers.
In the FROM field, they put randomaddr...@mydomain.com.

My server gets all the backscatter email from the victims' servers.

This has been going on for better than 6 months.  My server can handle the
volume.  The real problem is my customer gets nasty emails from people who
think they spammed them and they don't realize it had nothing to do with our
server or my customer.

I've not been able to figure out a way to stop the spammers from using my
domain in their FROM addresses.  Essentially, I was trying to figure out if
through SPF records or other means I could do something that would make
referencing my domain ineffective for them.   That didn't seem to help.

Also, since they don't send through my server, there is little I can do.

Have any of you had to deal with this situation?  Any clever ideas?

Thanks,

Dave

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to imail...@declude.com, and
type unsubscribe Declude.JunkMail.  The archives can be found
at http://www.mail-archive.com.

Re: [Declude.JunkMail] Joe Jobs

2012-11-28 Thread Darin Cox
Hi Dave,

A firm SPF policy generally does help, but it depends on the receiving
servers implementing SPF in order to block messages that violate your SPF
policy.

Aside from that and filtering that blocks any original included message
content, there's nothing I know of that can stop bounces and responses that
come from clean systems, unless you want to start writing filters specific
to this customer that detect typical bounce messages.

Darin.

-Original Message-
From: Dave Beckstrom
Sent: Wednesday, November 28, 2012 3:16 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Joe Jobs

Hi All,

This isn't specifically a Declude question but I thought I'd ask anyway as
it's still of interest to the group, I think.

I have one domain that is being referenced in a Joe Job.  Essentially, a
spammer sends out thousands of emails using various compromised computers.
In the FROM field, they put randomaddr...@mydomain.com.

My server gets all the backscatter email from the victims' servers.

This has been going on for better than 6 months.  My server can handle the
volume.  The real problem is my customer gets nasty emails from people who
think they spammed them and they don't realize it had nothing to do with our
server or my customer.

I've not been able to figure out a way to stop the spammers from using my
domain in their FROM addresses.  Essentially, I was trying to figure out if
through SPF records or other means I could do something that would make
referencing my domain ineffective for them.   That didn't seem to help.

Also, since they don't send through my server, there is little I can do.

Have any of you had to deal with this situation?  Any clever ideas?

Thanks,

Dave


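To make Darin's point concrete, here is an added example (not code from the list or from Declude) of the receiver-side check that a "firm" SPF record relies on. It evaluates a minimal subset of SPF (ip4, ip6, include, all) against a constructed record set instead of live DNS; `mydomain.com` is the thread's placeholder domain and the other names and addresses are constructed.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups (not real domains).
# "-all" is the firm policy Darin describes; "~all" only asks for a softfail.
RECORDS = {
    "mydomain.com": "v=spf1 ip4:192.0.2.10 ip6:2001:db8::25 -all",
    "softdomain.example": "v=spf1 ip4:192.0.2.10 ~all",
    "include.example": "v=spf1 include:mydomain.com -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=RECORDS, depth=0):
    """Return the SPF result (pass, fail, softfail, neutral, none, permerror)
    for a message claiming MAIL FROM @domain and arriving from client_ip."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # no policy published: receiver learns nothing
    if depth > 10:
        return "permerror"                 # RFC 7208 limits include recursion
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        matched = False
        if mechanism in ("ip4", "ip6"):
            try:                           # version mismatch simply does not match
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"
        elif mechanism == "include":
            matched = check_spf(argument, client_ip, records, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # fell off the end of the record


def would_reject_forgery(domain, client_ip, records=RECORDS):
    """A receiver enforcing SPF rejects at SMTP time on 'fail', so no bounce
    is ever generated toward the forged domain; softfail usually only scores."""
    return check_spf(domain, client_ip, records) == "fail"
```

The backscatter problem in the thread persists exactly where receivers accept first and bounce later instead of rejecting on "fail" during the SMTP session.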

[Declude.JunkMail] Joe-jobs and nobody aliases (again)

2004-01-18 Thread Matt
I made a determination last week that joe-jobs present a much bigger 
problem currently than dictionary attacks on my system, and soon I will 
be gatewaying off of a different machine which should solve the 
dictionary attack problem anyway (by accepting all messages).  Because 
of this, I have been removing all of the nobody aliases for the domains 
that I host, though some of course are taking a little extra time 
because we're not totally sure what advertised addresses might have been 
used in some cases, or what dead accounts were being captured in this 
way as opposed to setting them up as aliases and redirected somewhere.

Last week one client that still had nobody active received about 150 
bounce messages from AOL to addresses that didn't exist on this local 
domain (randomized).  AOL wasn't bouncing any content which could be 
scored, and every last one of these messages landed in the manager's 
account.  Obviously this was a big problem and as soon as we became 
aware of it, we got rid of the nobody alias.  This fixed their immediate 
problem, though it doesn't fix problems where the address is forged to 
be a real account (there's a mix of this going on).

I've also just started building some spamtraps on some unused domains 
that I own.  One account that I created last night is being used 
exclusively to unsubscribe from garbage that I get in a Web mail account 
of mine as well as subscribing to contest sites.  To my astonishment, 
within 12 hours of creating this account, someone joe-jobbed it in a 
piece of spam sent to some account that didn't exist, and it was clearly 
spam that was sent with this from address.  There is no way that this 
account was randomly guessed.

The preventive action that I'm taking to help protect from such things 
besides removing the nobody alias is to create a filter that checks for 
the null sender.  I'm capturing all hits to this filter and I am also 
scoring it at 50% of my fail weight, though that may rise.  I figure 
that the bounces that contain spam content will have an easier time 
getting held, and for the most part, bounce messages are only failing 
CMDSPACE, so this isn't stopping messages that don't contain spam 
content (so far).

There was a suggestion by someone that a system be made that tracked 
repeated bounces, such as the AOL one described above.  I feel that this 
may be the best way long term to maintain bounce functionality in the 
face of a problem that will likely get much worse over time.  For now at 
least, the issue is mostly mitigated since most such things utilize fake 
users on joe-jobbed domains.

Matt

--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
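As an added example (not Matt's filter or any Declude code), this sketches the two ideas in his post: a null-sender check scored at half the fail weight, plus the suggested tracker that escalates when one source keeps bouncing mail to local addresses that do not exist. The fail weight, the known-mailbox set and the sample header blocks are constructed; reading the envelope sender from a Return-Path header is an assumption, since a real filter would see it at SMTP time.

```python
from collections import Counter

FAIL_WEIGHT = 10                              # hypothetical fail weight for scoring
KNOWN_MAILBOXES = {"manager@mydomain.com"}    # constructed: the real accounts on the domain
# Constructed sample inbound messages; Return-Path '<>' is the null envelope sender.
SAMPLES = [
    "Return-Path: <>\nFrom: MAILER-DAEMON@aol.example\nTo: xk7q@mydomain.com\n"
    "Subject: Mail delivery failed\n",
    "Return-Path: <>\nFrom: MAILER-DAEMON@aol.example\nTo: b3zz9@mydomain.com\n"
    "Subject: Mail delivery failed\n",
    "Return-Path: <>\nFrom: postmaster@isp.example\nTo: manager@mydomain.com\n"
    "Subject: Undeliverable\n",
    "Return-Path: <alice@partner.example>\nFrom: alice@partner.example\n"
    "To: manager@mydomain.com\nSubject: Invoice\n",
]

def parse_headers(raw):
    """Parse a simple header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_null_sender(headers):
    """The null-sender check from the post: envelope sender '<>' marks a DSN."""
    return headers.get("return-path", "") == "<>"

class BounceTracker:
    """Scores null-sender mail and counts bounces to nonexistent local users."""
    def __init__(self):
        self.unknown_recipients = Counter()   # bouncing domain -> count

    def score(self, raw):
        h = parse_headers(raw)
        if not is_null_sender(h):
            return 0
        source = h.get("from", "").rsplit("@", 1)[-1].lower()
        points = FAIL_WEIGHT // 2             # 50% of fail weight, as in the post
        if h.get("to", "").lower() not in KNOWN_MAILBOXES:
            self.unknown_recipients[source] += 1
            if self.unknown_recipients[source] >= 2:   # repeated: escalate to full fail
                points = FAIL_WEIGHT
        return points

def run_samples(samples=SAMPLES):
    tracker = BounceTracker()
    scores = [tracker.score(s) for s in samples]
    return scores, dict(tracker.unknown_recipients)
```

Bounces to real accounts (the forged-real-address case Matt mentions) still only get the base score here, which is why he notes that case is not fixed by removing the nobody alias.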