I've just found a new and interesting spam source - legitimate bounce messages
In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.

The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.

I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.

Thanks for any suggestions,
ed

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: I've just found a new and interesting spam source - legitimate bounce messages
Hello,

Start with putting an SPF record on the domain, http://www.netdummy.net/stop-bounce-mail.html, and finish with filtering bogus Message-IDs which were not originated on your server with whatever software you are using.

Regards,
Yury

On Thu, Oct 16, 2008 at 4:01 PM, [EMAIL PROTECTED] wrote:
> In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
>
> The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.
>
> I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.
>
> Thanks for any suggestions,
> ed
Re: I've just found a new and interesting spam source - legitimate bounce messages
--On Thursday, October 16, 2008 09:01:02 -0500 [EMAIL PROTECTED] wrote:
> In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
>
> The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.
>
> I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.

We call those bounceback spam. The only solution that I know of is to tag all outgoing messages with a special header and then check for that header on all returns and reject those that don't contain the header. All legitimate bounces would contain the header because they originated with your MTA.

E.g. X-Bounceback-Check: 0987923874

The value of the header can be anything you want it to be, and you can change it periodically if you want to keep statistical data.

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
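Paul's outbound-header check and Yury's Message-ID filter, combined into one added example (my code, not anything posted in the thread): it parses a received DSN, pulls the original message's headers out of the message/rfc822 or text/rfc822-headers part, and accepts the bounce only if that original carries our X-Bounceback-Check value. The domain, the token value and both sample bounces are constructed for illustration.

```python
import email
from email import policy
from email.message import Message

OUR_DOMAIN = "example.org"     # assumed: the domain our own MTA sends as
BOUNCE_TOKEN = "0987923874"    # value our MTA stamps into X-Bounceback-Check

def original_headers(dsn: Message):
    """Headers of the message a DSN reports on, or None if absent.

    RFC 3464 bounces carry the original as a message/rfc822 part or,
    abbreviated, as text/rfc822-headers; both forms are handled.
    """
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_content()          # the nested EmailMessage
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(),
                                             policy=policy.default)
    return None

def message_id_domain(msgid: str) -> str:
    """'<abc@Host.example.org>' -> 'host.example.org'."""
    return msgid.strip().strip("<>").rpartition("@")[2].lower()

def classify_bounce(raw: str) -> dict:
    """Accept a bounce only if the original carries our outbound header."""
    dsn = email.message_from_string(raw, policy=policy.default)
    if (dsn.get_content_type() != "multipart/report"
            or dsn.get_param("report-type") != "delivery-status"):
        return {"verdict": "accept", "reason": "not a DSN; normal filtering"}
    orig = original_headers(dsn)
    if orig is None:
        return {"verdict": "reject", "reason": "DSN without original headers"}
    token_ok = str(orig.get("X-Bounceback-Check", "")) == BOUNCE_TOKEN
    dom = message_id_domain(str(orig.get("Message-ID", "")))
    msgid_ours = dom == OUR_DOMAIN or dom.endswith("." + OUR_DOMAIN)
    if token_ok:
        reason = "our header present: bounce of mail our MTA really sent"
        verdict = "accept"
    elif msgid_ours:
        reason = "Message-ID claims our domain but our header is missing: forged"
        verdict = "reject"
    else:
        reason = "no trace of our MTA in the original: backscatter"
        verdict = "reject"
    return {"verdict": verdict, "reason": reason, "message_id_ours": msgid_ours}

# Constructed sample bounces (not real mail): the first reports on a message
# our MTA sent, the second on spam that merely forged our address.
LEGIT_DSN = """\
From: MAILER-DAEMON@mx.remote.example
To: ed@example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The user you tried to reach is over quota.
--B1
Content-Type: message/rfc822

From: ed@example.org
To: someone@remote.example
Subject: hello
Message-ID: <20081016.1234@mail.example.org>
X-Bounceback-Check: 0987923874

Original body.
--B1--
"""

BACKSCATTER_DSN = """\
From: MAILER-DAEMON@mx.victim.example
To: ed@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

Mailbox full.
--B2
Content-Type: text/rfc822-headers

From: ed@example.org
To: user@victim.example
Subject: cheap pills
Message-ID: <9f3a1c7d@spambot.invalid>
--B2--
"""
```

A spammer can forge a Message-ID in our domain as easily as the From address, which is why the verdict hinges on the header only our MTA adds; the Message-ID check is kept as a secondary signal in the reason string.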
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Thu, Oct 16, 2008 at 09:01:02AM -0500, [EMAIL PROTECTED] wrote:
> In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
>
> The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.
>
> I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.

The term coined for this type of mail is backscatter.

There is no easy solution for this. The backscatter article on postfix.org, for example, caused our mail servers to start rejecting mail that was generated from PHP scripts and CGIs on our own systems, which makes no sense. The article:

http://www.postfix.org/BACKSCATTER_README.html

If the backscatter is all directed to a single Email address (rather than a series of addresses, e.g. [EMAIL PROTECTED], and you have [EMAIL PROTECTED] accepted), then a solution is to reject mail with an RCPT TO of an account or virtual address that does not exist on your machine.

This, of course, has a wonderful side effect: spammers now have a way to detect what Email addresses on your box legitimately accept mail, thus once they find one which never gets a bounceback, will start pounding that address to kingdom come.

Let me know if you do find a reliable, decent solution that does not involve SPF or postfix header_checks or body_checks.

--
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: I've just found a new and interesting spam source - legitimate bounce messages
Jeremy Chadwick wrote:
| On Thu, Oct 16, 2008 at 09:01:02AM -0500, [EMAIL PROTECTED] wrote:
| > In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
| >
| > The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.
| >
| > I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.
|
| The term coined for this type of mail is backscatter.
|
| There is no easy solution for this. The backscatter article on postfix.org, for example, caused our mail servers to start rejecting mail that was generated from PHP scripts and CGIs on our own systems, which makes no sense. The article:
|
| http://www.postfix.org/BACKSCATTER_README.html
|
| If the backscatter is all directed to a single Email address (rather than a series of addresses, e.g. [EMAIL PROTECTED], and you have [EMAIL PROTECTED] accepted), then a solution is to reject mail with an RCPT TO of an account or virtual address that does not exist on your machine.
|
| This, of course, has a wonderful side effect: spammers now have a way to detect what Email addresses on your box legitimately accept mail, thus once they find one which never gets a bounceback, will start pounding that address to kingdom come.
|
| Let me know if you do find a reliable, decent solution that does not involve SPF or postfix header_checks or body_checks.

Although not a solution to the immediate problems experienced by the OP, in the long term the most effective way to counter back-scatter spam is for every operator of a mail server to adopt the following behaviour:

  * Reject e-mails *only* during the initial SMTP dialogue -- ie. respond with a 5xx error code. No exceptions. This includes internal mail submission of messages between users on the same system.

  * Once your mail server has accepted a message for delivery, never bounce it back to the sender as a result of spam or virus filtering or for unknown destination address. Just drop it in the bit-bucket in these cases.

This means that your edge SMTP servers and all your MXes have to have an accurate list of all of the valid e-mail accounts on your system so that they can respond with 'user unknown' where required. The point of rejecting messages only during the initial SMTP dialogue is that at that point they are still the responsibility of the sending system. Chances are if it's a compromised machine attempting to inject spam, it's not even going to attempt resending failed messages, or send bounce-o-grammes on its own behalf.

Unfortunately, building anything beyond a single-server mail system with these characteristics is quite a lot harder than the simple-minded approach of accepting anything addressed to your domain at the edge, and only bouncing at the point of delivery to the mailbox. Especially if your backup MXes are a long way away from your main servers.

Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.

Cheers,

Matthew

[*] Unlikely to ever happen as technically they contradict the current RFCs.

--
Dr Matthew J Seaman MA, D.Phil.                   Flat 3
                                                  7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW, UK
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Thu, 16 Oct 2008, Matthew Seaman wrote:
> Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.

I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records. If the names and numbers in the bounceback messages are to be believed, however, the spammers have defeated SPF by hijacking DNS. The poor recipients never see my SPF records because they're looking at the wrong IP address.
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Thu, Oct 16, 2008, [EMAIL PROTECTED] wrote:
> In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.

Did these come from Barracuda boxes?

Blowback like this is hardly new or legitimate as the From and Sender header addresses are often (usually) forged in spam, and it does not do anything useful to reply to them. The forged addresses may just be something scraped from the address book of a machine running the Microsoft virus, Windows, or a deliberate ``Joe Job'' where a spammer is targeting somebody who may have caused them problems.

Bill
--
INTERNET: [EMAIL PROTECTED]      Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
Voice: (206) 236-1676            Mercer Island, WA 98040-0820
Fax:   (206) 232-9186

Common sense is genius dressed in its working clothes. -- Ralph Waldo Emerson
Re: I've just found a new and interesting spam source - legitimate bounce messages
Yury Michurin [EMAIL PROTECTED] wrote:
> Hello,
>
> Start with putting an SPF record on the domain, http://www.netdummy.net/stop-bounce-mail.html, and finish with filtering bogus Message-IDs which were not originated on your server with whatever software you are using.

I've had the SPF record for a couple of years and I've started filtering. I guess I was just looking for something different. Thanks for helping me adapt to the real world.

ed

> Regards,
> Yury
>
> On Thu, Oct 16, 2008 at 4:01 PM, [EMAIL PROTECTED] wrote:
> > In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
> >
> > The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.
> >
> > I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.
> >
> > Thanks for any suggestions,
> > ed
Re: I've just found a new and interesting spam source - legitimate bounce messages
RW [EMAIL PROTECTED] wrote:
> On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
> Luke Dean [EMAIL PROTECTED] wrote:
> > On Thu, 16 Oct 2008, Matthew Seaman wrote:
> > > Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.
> >
> > I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records.
>
> SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter not improve it.
>
> Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.

I feel the same way and thanks for adding some humor to the situation.

ed
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
Luke Dean [EMAIL PROTECTED] wrote:
> On Thu, 16 Oct 2008, Matthew Seaman wrote:
> > Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.
>
> I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records.

SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter not improve it.

Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.
Re: I've just found a new and interesting spam source - legitimate bounce messages
Bill Campbell [EMAIL PROTECTED] wrote:
> On Thu, Oct 16, 2008, [EMAIL PROTECTED] wrote:
> > In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
>
> Did these come from Barracuda boxes?
>
> Blowback like this is hardly new or legitimate as the From and Sender header addresses are often (usually) forged in spam, and it does not do anything useful to reply to them. The forged addresses may just be something scraped from the address book of a machine running the Microsoft virus, Windows, or a deliberate ``Joe Job'' where a spammer is targeting somebody who may have caused them problems.

I had just got up this morning and found my mailbox full of these and lost my cool. I probably sent the email too quickly. Thanks for helping me get it together.

ed

> Bill
> --
> INTERNET: [EMAIL PROTECTED]      Bill Campbell; Celestial Software LLC
> URL: http://www.celestial.com/   PO Box 820; 6641 E. Mercer Way
> Voice: (206) 236-1676            Mercer Island, WA 98040-0820
> Fax:   (206) 232-9186
>
> Common sense is genius dressed in its working clothes. -- Ralph Waldo Emerson
Re: I've just found a new and interesting spam source - legitimate bounce messages
Luke Dean [EMAIL PROTECTED] wrote:
> On Thu, 16 Oct 2008, Matthew Seaman wrote:
> > Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.
>
> I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records. If the names and numbers in the bounceback messages are to be believed, however, the spammers have defeated SPF by hijacking DNS. The poor recipients never see my SPF records because they're looking at the wrong IP address.

Thanks, Matthew. I guess that is the root problem of SPF, the spammers, that it is supposed to stop. It looks a bit like our economy, a losing battle. It really makes me feel impotent this morning.

Have a great day,
ed
Re: I've just found a new and interesting spam source - legitimate bounce messages
[EMAIL PROTECTED] wrote:
> RW [EMAIL PROTECTED] wrote:
> > On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
> > Luke Dean [EMAIL PROTECTED] wrote:
> > > On Thu, 16 Oct 2008, Matthew Seaman wrote:
> > > > Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.
> > >
> > > I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records.
> >
> > SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter not improve it.
> >
> > Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.
>
> I feel the same way and thanks for adding some humor to the situation.

Most spammers aren't aiming to generate back-scatter as their primary means of disseminating their spam, so they'll do what they can to get the best chance of a successful delivery. That means sending SPF compliant e-mails where possible. It's actually quite simple for them to filter out SPF protected addresses from their target lists, so they do tend to do that, and it's typically the same list of target addresses they use for forged senders too.

It's telling that both having a correct SPF record and having no SPF record at all have a zero score in SpamAssassin (ie. neutral) whereas non-compliance scores lots of spam points.

Also see my point earlier about rejecting messages during the SMTP dialogue. SPF is easy to check early and lets you reject messages before acknowledging receiving them, which means a lot fewer bounce messages to (probably forged) sender addresses.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Re: I've just found a new and interesting spam source - legitimate bounce messages
Jeremy Chadwick [EMAIL PROTECTED] wrote:
> On Thu, Oct 16, 2008 at 09:01:02AM -0500, [EMAIL PROTECTED] wrote:
> > In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
> >
> > The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.
> >
> > I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.
>
> The term coined for this type of mail is backscatter.
>
> There is no easy solution for this. The backscatter article on postfix.org, for example, caused our mail servers to start rejecting mail that was generated from PHP scripts and CGIs on our own systems, which makes no sense. The article:
>
> http://www.postfix.org/BACKSCATTER_README.html

Thanks for the article, Jeremy. I hadn't seen it.

> If the backscatter is all directed to a single Email address (rather than a series of addresses, e.g. [EMAIL PROTECTED], and you have [EMAIL PROTECTED] accepted), then a solution is to reject mail with an RCPT TO of an account or virtual address that does not exist on your machine.
>
> This, of course, has a wonderful side effect: spammers now have a way to detect what Email addresses on your box legitimately accept mail, thus once they find one which never gets a bounceback, will start pounding that address to kingdom come.
>
> Let me know if you do find a reliable, decent solution that does not involve SPF or postfix header_checks or body_checks.

I wish ;)

Thanks again,
ed

> --
> | Jeremy Chadwick                                 jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Thu, 16 Oct 2008 11:58:44 -0500
[EMAIL PROTECTED] wrote:
> RW [EMAIL PROTECTED] wrote:
> > Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.
>
> I feel the same way and thanks for adding some humor to the situation.

Actually that wasn't a joke, some people do cite that as the reason why SPF helps with backscatter, that spammers will leave your domain out of the mail from line if you publish SPF records for it.
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Oct 16, 2008, at 9:38 AM, RW wrote:
> SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter not improve it.

The main problem resulting in backscatter happens when forged spam from yourdomain.com gets sent to a legit MX server which accepts the mail initially, and then generates a bounce due to later spam checking or failed delivery to an invalid user. The bounces which then get generated by the legit MX are likely to pass spam checking at yourdomain.com.

> Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.

SPF doesn't provide a magic solution to backscatter, but it helps simplify the problem. If spam can be rejected during the SMTP phase rather than accepted, then most spam-spewing malware simply drops the attempted message rather than actually send a bounce to yourdomain.com. After all, the spammer is looking to deliver spam to lots of different mailboxes, not deliver tons of DSNs to a single mailbox or domain.

Failing that, however, any bounces which are being generated are coming from or at least closer to the source of the spam, rather than coming from gmail, hotmail, etc. And if the spamming machine is forging your domain, then yourdomain.com MX boxes have a decent shot of rejecting the forgeries via hello_checks, RBLs, or other methods.

Regards,
--
-Chuck
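Chuck's point, and Matthew's earlier rule of rejecting only inside the SMTP dialogue, as an added example (my code, not anything posted in the thread): a small Python SPF evaluator that handles only the ip4/ip6/all mechanisms (no DNS, so no a/mx/include) and turns the result into the reply an MX gives at MAIL FROM, so a forged sender is refused before the message is ever accepted and no bounce is created. The records, domains and client addresses are constructed for illustration.

```python
import ipaddress

# Constructed SPF records keyed by sender domain (illustration only; a real
# MX fetches them with a DNS TXT lookup).  Only ip4/ip6/all are handled.
SPF_RECORDS = {
    "yourdomain.com": "v=spf1 ip4:203.0.113.10 ip4:203.0.113.32/27 -all",
    "soft.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate a simplified SPF record for the connecting client IP."""
    if record is None:
        return "none"                       # domain publishes no record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]    # catch-all, usually -all or ~all
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"                  # a/mx/include need DNS; not handled here
    return "neutral"                        # nothing matched and no "all" term

def mail_from_reply(mail_from, client_ip, records=SPF_RECORDS):
    """SMTP reply to MAIL FROM: refuse a forged sender inside the dialogue.

    Rejecting here means the message is never accepted, so this MX never
    has to generate a bounce to the (forged) sender address.
    """
    domain = mail_from.rpartition("@")[2].lower()
    result = check_spf(records.get(domain), client_ip)
    if result == "fail":
        return f"550 5.7.1 <{mail_from}>: SPF fail for {client_ip}", result
    # pass, softfail, neutral and none all go on to content filtering later
    return "250 2.1.0 Ok", result
```

Softfail and neutral are deliberately not rejected here; as Jeremy notes later in the thread, a hard SMTP-time reject is only as trustworthy as the DNS answer behind it, so many sites feed the result to SpamAssassin instead.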
Re: I've just found a new and interesting spam source - legitimate bounce messages
Chuck Swiger [EMAIL PROTECTED] wrote:
> On Oct 16, 2008, at 9:38 AM, RW wrote:
> > SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter not improve it.
>
> The main problem resulting in backscatter happens when forged spam from yourdomain.com gets sent to a legit MX server which accepts the mail initially, and then generates a bounce due to later spam checking or failed delivery to an invalid user. The bounces which then get generated by the legit MX are likely to pass spam checking at yourdomain.com.

Exactly what seems to be happening.

> > Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.
>
> SPF doesn't provide a magic solution to backscatter, but it helps simplify the problem.

It should.

> If spam can be rejected during the SMTP phase rather than accepted, then most spam-spewing malware simply drops the attempted message rather than actually send a bounce to yourdomain.com. After all, the spammer is looking to deliver spam to lots of different mailboxes, not deliver tons of DSNs to a single mailbox or domain.
>
> Failing that, however, any bounces which are being generated are coming from or at least closer to the source of the spam, rather than coming from gmail, hotmail, etc. And if the spamming machine is forging your domain, then yourdomain.com MX boxes have a decent shot of rejecting the forgeries via hello_checks, RBLs, or other methods.

Thanks Chuck,
ed
Re: I've just found a new and interesting spam source - legitimate bounce messages
RW [EMAIL PROTECTED] wrote:
> On Thu, 16 Oct 2008 11:58:44 -0500
> [EMAIL PROTECTED] wrote:
> > RW [EMAIL PROTECTED] wrote:
> > > Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.
> >
> > I feel the same way and thanks for adding some humor to the situation.
>
> Actually that wasn't a joke, some people do cite that as the reason why SPF helps with backscatter, that spammers will leave your domain out of the mail from line if you publish SPF records for it.

I see that, but it still touched my funny bone. But the problem is how many mail servers and admins completely ignore SPF, and what happens to those who do try to comply? I'm sure that the hundreds of bounces that I have received are minimal in comparison to the delivered email. In fact many are reporting that a user is over quota.

Thanks,
ed
Re: I've just found a new and interesting spam source - legitimate bounce messages
Paul Schmehl [EMAIL PROTECTED] wrote:
> --On Thursday, October 16, 2008 09:01:02 -0500 [EMAIL PROTECTED] wrote:
> > In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse, is using my email address in spam from multiple Windows machines and IP addresses. The end result is that I am getting the bounce messages. I'm sure that others on this list have experienced the problem and maybe have a solution that I don't have.
> >
> > The messages are allowed through my obspamd/pf and pf SMTP bruteforce blocking rules because they are completely legit.
> >
> > I guess the workaround is to filter them on incoming together with our local bounce messages until the spammers get tired of my address.
>
> We call those bounceback spam. The only solution that I know of is to tag all outgoing messages with a special header and then check for that header on all returns and reject those that don't contain the header. All legitimate bounces would contain the header because they originated with your MTA.
>
> E.g. X-Bounceback-Check: 0987923874

I have added headers for years but unfortunately these didn't originate on my servers. My email address was used as the return address for spam sent from multiple Windows machines to .ru addresses.

Thanks for the suggestion, Paul.

ed

> The value of the header can be anything you want it to be, and you can change it periodically if you want to keep statistical data.
>
> --
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
Re: I've just found a new and interesting spam source - legitimate bounce messages
Matthew Seaman [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > RW [EMAIL PROTECTED] wrote:
> > > On Thu, 16 Oct 2008 08:54:55 -0700 (PDT)
> > > Luke Dean [EMAIL PROTECTED] wrote:
> > > > On Thu, 16 Oct 2008, Matthew Seaman wrote:
> > > > > Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.
> > > >
> > > > I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records.
> > >
> > > SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter not improve it.
> > >
> > > Many people recommend SPF for backscatter, but I've yet to hear a cogent argument for why it helps beyond the very optimistic hope that spammers will check that their spam is SPF compliant.
> >
> > I feel the same way and thanks for adding some humor to the situation.
>
> Most spammers aren't aiming to generate back-scatter as their primary means of disseminating their spam, so they'll do what they can to get the best chance of a successful delivery. That means sending SPF compliant e-mails where possible. It's actually quite simple for them to filter out SPF protected addresses from their target lists, so they do tend to do that, and it's typically the same list of target addresses they use for forged senders too.
>
> It's telling that both having a correct SPF record and having no SPF record at all have a zero score in SpamAssassin (ie. neutral) whereas non-compliance scores lots of spam points.
>
> Also see my point earlier about rejecting messages during the SMTP dialogue. SPF is easy to check early and lets you reject messages before acknowledging receiving them, which means a lot fewer bounce messages to (probably forged) sender addresses.

Thanks, Matthew. That I've not done due to the possibility of rejecting legit email. I'm going to revisit that decision.

ed

> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Thu, Oct 16, 2008 at 05:38:07PM +0100, RW wrote:
> On Thu, 16 Oct 2008 08:54:55 -0700 (PDT) Luke Dean [EMAIL PROTECTED] wrote:
>> On Thu, 16 Oct 2008, Matthew Seaman wrote:
>>> Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.
>> I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records.
> SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter, not improve it.

Just a side comment for added clarity: this ultimately depends on how the mail server administrator implemented SPF. For example, our mail servers *do not* do SPF lookups at the SMTP level (e.g. in postfix) because 1) the added complexity is not worth it, and 2) spammers are now hijacking DNS. Instead, our servers use SPF in SpamAssassin, subtracting from the spam probability score if an SPF record is found and matches appropriately.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
I've just found a new and interesting spam source - legitimate bounce messages
> In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse is using, my email address in spam from multiple Windows machines and IP addresses.

When this happens I enable the "move all messages from mailer-daemon to /dev/null" rules in procmail for a day or two. And curse at the people who originated the original spam...

Edwin

-- 
Edwin Groothuis      Website: http://www.mavetju.org/
[EMAIL PROTECTED]    Weblog:  http://www.mavetju.org/weblog/
Re: I've just found a new and interesting spam source - legitimate bounce messages
Edwin Groothuis [EMAIL PROTECTED] wrote:
>> In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse is using, my email address in spam from multiple Windows machines and IP addresses.
>
> When this happens I enable the "move all messages from mailer-daemon to /dev/null" rules in procmail for a day or two. And curse at the people who originated the original spam...
>
> Edwin

Edwin, great idea, especially the last part. I have done a good job of that today.

ed

> -- 
> Edwin Groothuis      Website: http://www.mavetju.org/
> [EMAIL PROTECTED]    Weblog:  http://www.mavetju.org/weblog/
Re: I've just found a new and interesting spam source - legitimate bounce messages
Jeremy Chadwick [EMAIL PROTECTED] wrote:
> On Thu, Oct 16, 2008 at 05:38:07PM +0100, RW wrote:
>> On Thu, 16 Oct 2008 08:54:55 -0700 (PDT) Luke Dean [EMAIL PROTECTED] wrote:
>>> On Thu, 16 Oct 2008, Matthew Seaman wrote:
>>>> Until the wonderful day that the entire internet abides by these rules[*], use of technologies like SPF and DKIM can discourage but not entirely prevent the spammers from joe-jobbing you.
>>> I just started getting these bouncebacks en masse this week. My mail provider publishes SPF records.
>> SPF increases the probability of spam being rejected at the SMTP level at MX servers, so my expectation would be that it would exacerbate backscatter, not improve it.
>
> Just a side comment for added clarity: this ultimately depends on how the mail server administrator implemented SPF. For example, our mail servers *do not* do SPF lookups at the SMTP level (e.g. in postfix) because 1) the added complexity is not worth it, and 2) spammers are now hijacking DNS. Instead, our servers use SPF in SpamAssassin, subtracting from the spam probability score if an SPF record is found and matches appropriately.

That sounds like it is definitely worth trying. Thanks,

ed

> -- 
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
Re: I've just found a new and interesting spam source - legitimate bounce messages
On Fri, Oct 17, 2008 at 09:59:17AM +1100, Edwin Groothuis wrote:
>> In the last hour, I've received over 200 legitimate bounce messages from email services as a result of someone having used, or worse is using, my email address in spam from multiple Windows machines and IP addresses.
>
> When this happens I enable the "move all messages from mailer-daemon to /dev/null" rules in procmail for a day or two. And curse at the people who originated the original spam...

I use a similar approach to Edward's. My old domain used to get hammered with backscatter, which basically I had no choice but to accept. I was on a POP3 catch-all. If I had a regular amount of backscatter (100), I'd accept it then pass it to procmail.

I found (I don't know if the OP did too) that the backscatter was generally addressed to a non-existent user, so it was easy to write rules to filter it out and send it to the bit-bucket. I also found that the backscatter was commonly addressed to people like frankn@ - close but no cigar. The following filtered out that crap:

    :0:
    * ^To:\ [[EMAIL PROTECTED]
    spam/new

    :0:
    * ^To:\ [EMAIL PROTECTED]
    spam/new

In the worst case scenario, I'd find that I'd get thousands of backscattered mails (the swine must have been sending millions of messages purportedly coming from me). In this case I'd just delete all my mail off the POP server with a script. Yes, I might lose a few genuine emails, but when I had thousands of backscattered mails, they'd come in the space of a couple of hours.

My ultimate sanction was eventually getting a new domain (I know it's admitting defeat). I now find that I get very little backscatter on my old domain and I haven't had a mass mailing effort from it for some time.

Best of luck!

Regards,

-- 
Frank

Contact info: http://www.shute.org.uk/misc/contact.html
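Added example, not code from any poster in this thread: a small Python triage that combines Edwin's "everything from mailer-daemon" rule with Frank's observation that backscatter is addressed to users who never existed, plus one extra check of my own so that genuine bounces survive: a real DSN wraps a copy of the original message, whose Message-ID should carry the domain our own MTA stamps. LOCAL_USERS, OUR_MSGID_DOMAIN and the sample messages are all constructed.

```python
import email
from email import policy

LOCAL_USERS = {"frank", "ed"}        # constructed: mailboxes that really exist here
OUR_MSGID_DOMAIN = "example.org"     # constructed: domain our own MTA stamps into Message-ID


def classify(raw):
    """Return 'not-bounce', 'backscatter' or 'genuine-bounce' for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    if "mailer-daemon" not in sender and str(msg.get("Return-Path", "")).strip() != "<>":
        return "not-bounce"                 # ordinary mail, leave it alone
    to = msg["To"]
    if to is None or not to.addresses:
        return "backscatter"                # a DSN with no usable recipient is junk
    if to.addresses[0].username.lower() not in LOCAL_USERS:
        return "backscatter"                # Frank's case: frankn@ instead of frank@
    for part in msg.walk():                 # extra check: the wrapped original must be ours
        if part.get_content_type() == "message/rfc822":
            orig = part.get_payload(0)
            mid = str(orig.get("Message-ID", "")).strip().strip("<>")
            if mid.lower().endswith("@" + OUR_MSGID_DOMAIN):
                return "genuine-bounce"
            return "backscatter"            # we never generated that Message-ID
    return "backscatter"                    # no copy of the original: nothing to verify


def make_bounce(rcpt, orig_msgid):
    """Constructed sample DSN (multipart/report) wrapping a copy of the bounced original."""
    return (
        "Return-Path: <>\n"
        "From: MAILER-DAEMON@mx.example.net\n"
        f"To: <{rcpt}>\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
        "\n--b\nContent-Type: text/plain\n\nThis is the mail system at mx.example.net.\n"
        "--b\nContent-Type: message/rfc822\n\n"
        f"From: <{rcpt}>\nTo: <someone@example.net>\nMessage-ID: <{orig_msgid}>\n"
        "Subject: hello\n\nbody\n--b--\n"
    )


if __name__ == "__main__":
    print(classify(make_bounce("frankn@example.org", "a1@spambot.invalid")))   # backscatter
    print(classify(make_bounce("frank@example.org", "a2@spambot.invalid")))    # backscatter
    print(classify(make_bounce("frank@example.org", "a3@example.org")))        # genuine-bounce
```

Feeding the verdict to procmail (or a milter) lets you file only "backscatter" to the bit-bucket and keep the bounces that really concern mail you sent.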