Hi,

On Tue, 15 Jun 2004, Chuck Campbell wrote:

> I get my mail via pop3 from the server using fetchmail.  One person's
> email only, delivered to one location only.  Pretty simple setup.
>
> I am getting a lot of these (attached message) types of messages, and I'm
> wondering why spamassassin doesn't flag them?

Because they are bounce (non-delivery notification) messages from a remote
system, not traditional direct spam. This is what's known as backscatter
or 'bounce spam' - the condition when error messages are sent to an
unrelated third party (you) due to misconfiguration or an obsolete mail
architecture, e.g. one which blindly accepts messages and propagates error
messages to an unverified envelope sender (or worse, to the sender in the
From: header) rather than performing the checks during the SMTP
transaction and returning an error code to the actual delivering system.

> I've tried looking at the headers, which I've included here, to understand
> what this is all about, but I'm clearly missing something.
>
> I've put my comments in below with my interpretation of what it all means.
> Any corrections and/or tips are greatly appreciated.
>
>  >From [EMAIL PROTECTED]  Tue Jun 15 09:40:13 2004
> the domain I log in to and send email from.  The local machine I am working
> from.  This message is from my sendmail instance right?

Right.

>  >Return-Path: <[EMAIL PROTECTED]>
>  >Received: from localhost (helium.inexs.com [127.0.0.1])
>  >    by helium.inexs.com (8.12.8/8.12.8) with ESMTP id i5FEeCvB015911
>  >    for <[EMAIL PROTECTED]>; Tue, 15 Jun 2004 09:40:13 -0500
> My local machine again.

Right.

>  >Envelope-to: [EMAIL PROTECTED]
> Where this email that caused the problem was directed, a valid email account.
>
>  >Delivery-date: Tue, 15 Jun 2004 09:36:35 -0500
>  >Received: from pop3.airmail.net
>  >    by localhost with POP3 (fetchmail-6.2.5)
>  >    for [EMAIL PROTECTED] (single-drop); Tue, 15 Jun 2004 09:40:13 -0500 (CDT)
> came in from pop3 OK.
>
>  >Received: from mx3.airmail.net ([209.196.77.100])
>  >    by mail4.iadfw.net with esmtp (Exim 4.24)
>  >    id 1BaF3D-00069h-1f
>  >    for [EMAIL PROTECTED]; Tue, 15 Jun 2004 09:36:35 -0500
> my email provider received this message for me.
>
>  >Received: from mta05-svc.ntlworld.com ([62.253.162.45])
>  >    by mx3.airmail.net with esmtp (Exim 4.24)
>  >    id 1BaF3U-0007ZG-F2
>  >    for [EMAIL PROTECTED]; Tue, 15 Jun 2004 09:36:52 -0500
> Indicates the spam target admin bounced this back to me, the apparent sender.
> FYI I did not and do not send spam.

Right.

> >From here down I'm lost.  I didn't send this message to the recipient whose
> mailbox is full.  How can I get spamassassin to know I didn't send it, and
> subsequently dump these kinds of messages into my spam folder?
>
>
>  >To: [EMAIL PROTECTED]
>  >From: Mail Administrator <[EMAIL PROTECTED]>
>  >Reply-To: Mail Administrator <[EMAIL PROTECTED]>
>  >Subject: Mail System Error - Returned Mail
>  >Date: Tue, 15 Jun 2004 15:34:39 +0100
>  >Message-ID: <[EMAIL PROTECTED]>
>  >MIME-Version: 1.0
>  >Content-Type: multipart/report;
>  >            report-type=delivery-status;
>  >            Boundary="===========================_ _= 9114074(2927)1087310079"
>  >X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on helium.inexs.com
>  >X-Spam-Level: **
>  >X-Spam-Status: No, hits=2.6 required=5.0 tests=BAYES_50,BIZ_TLD,
>  >    FVGT_u_BIZ_SITE,HTML_MESSAGE,J_CHICKENPOX_65 autolearn=no version=2.63
>  >Status: RO
>  >Content-Length: 1920
>  >Lines: 56

So the bounce is from ntlworld.com...

>  >--===========================_ _= 9114074(2927)1087310079
>  >Content-Type: text/plain
>  >
>  >This Message was undeliverable due to the following reason:
>  >
>  >The user(s) account is temporarily over quota.
>  >
>  ><[EMAIL PROTECTED]>

... the original message was sent to this nice person ...

>  >Please reply to [EMAIL PROTECTED]
>  >if you feel this message to be in error.
>  >
>  >--===========================_ _= 9114074(2927)1087310079
>  >Content-Type: message/delivery-status
>  >
>  >Reporting-MTA: dns; mta5-win.server.ntlworld.com
>  >Arrival-Date: Tue, 15 Jun 2004 15:34:39 +0100
>  >Received-From-MTA: dns; d57-77-98.home.cgocable.net (24.57.77.98)

... from d57-77-98.home.cgocable.net (24.57.77.98) which is most probably
an exploited Wintel box on an unfirewalled cable modem. Yup - a check of
24.57.77.98 against openrbl.org shows that address blacklisted to hell and
back as an open proxy.

So there you have it - ntlworld.com's mail servers will accept obviously
junk connections from any old dynamically-allocated IP address, sit on a
piece of spam until they figure out it's undeliverable, then bounce it to
some random victim totally unrelated to the actual sender.

hth,

-- Bob
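The check Bob walks through by hand above (look in the message/delivery-status part, find Received-From-MTA, notice it is not one of your own outbound hosts) can be done mechanically. The following is an added example, not code from the thread or from SpamAssassin: it parses a multipart/report bounce with Python's email package and calls it backscatter when the host that injected the failed message is not one of our own MTAs. OUR_MTAS, the addresses and the boundary string in SAMPLE_BOUNCE are assumptions; the sample is constructed from the headers quoted in the thread.

```python
"""Tell backscatter from a genuine bounce by reading the DSN's own report.

Added example, not code from the original thread or from SpamAssassin.
A multipart/report bounce carries a message/delivery-status part whose
Received-From-MTA field names the host that handed the failed message to
the bouncing system.  If that host is not one of our own outbound MTAs,
the bounce reports mail we never sent.  OUR_MTAS and the addresses in
SAMPLE_BOUNCE are assumptions.
"""
import email
import re
from email import policy

# Assumption: every host that legitimately hands off mail for our domain.
OUR_MTAS = {"helium.inexs.com", "mail4.iadfw.net"}

# Constructed sample, modelled on the ntlworld.com bounce quoted in the thread.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mta05-svc.ntlworld.com ([62.253.162.45])
    by mx3.airmail.net with esmtp (Exim 4.24)
    for victim@example.com; Tue, 15 Jun 2004 09:36:52 -0500
To: victim@example.com
From: Mail Administrator <postmaster@ntlworld.com>
Subject: Mail System Error - Returned Mail
Date: Tue, 15 Jun 2004 15:34:39 +0100
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="bounce-boundary"

--bounce-boundary
Content-Type: text/plain

This Message was undeliverable due to the following reason:

The user(s) account is temporarily over quota.

<someone@ntlworld.com>

--bounce-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mta5-win.server.ntlworld.com
Arrival-Date: Tue, 15 Jun 2004 15:34:39 +0100
Received-From-MTA: dns; d57-77-98.home.cgocable.net (24.57.77.98)

Final-Recipient: rfc822; someone@ntlworld.com
Action: failed
Status: 4.2.2

--bounce-boundary--
"""


def parse_mta_field(value):
    """Split 'dns; host (1.2.3.4)' into ('host', '1.2.3.4'); the IP may be None."""
    _, _, rest = value.partition(";")
    rest = rest.strip()
    host = rest.split()[0].lower() if rest else ""
    ip_match = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", rest)
    return host, (ip_match.group(1) if ip_match else None)


def extract_dsn(raw):
    """Return the DSN's per-message and per-recipient fields, or None if raw is not a DSN."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return None
    if (msg.get_param("report-type") or "").lower() != "delivery-status":
        return None
    for part in msg.iter_parts():
        if part.get_content_type() != "message/delivery-status":
            continue
        # The email package splits this part into one header block per
        # paragraph: the per-message block first, then one per recipient.
        blocks = part.get_payload()
        if not blocks:
            return None
        per_message = blocks[0]
        return {
            "reporting_mta": str(per_message.get("Reporting-MTA", "")),
            "received_from_mta": str(per_message.get("Received-From-MTA", "")),
            "recipients": [str(b.get("Final-Recipient", "")) for b in blocks[1:]],
        }
    return None


def classify_bounce(raw, our_mtas=OUR_MTAS):
    """Label a message as backscatter, legitimate bounce, unknown, or not a DSN."""
    dsn = extract_dsn(raw)
    if dsn is None:
        return {"verdict": "not-a-dsn"}
    host, ip = parse_mta_field(dsn["received_from_mta"])
    if not host:
        verdict = "unknown"        # no Received-From-MTA recorded; cannot tell
    elif host in our_mtas:
        verdict = "legitimate"     # our own MTA handed it over: a real bounce
    else:
        verdict = "backscatter"    # someone else injected it; we never sent it
    return {
        "verdict": verdict,
        "reporting_mta": parse_mta_field(dsn["reporting_mta"])[0],
        "injecting_host": host,
        "injecting_ip": ip,
        "recipients": dsn["recipients"],
    }


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

Two caveats before wiring this into a delivery filter. Received-From-MTA is whatever the bouncing system recorded about its own SMTP client, so it tells you who injected the message into that system, not who wrote it; and a spammer can fabricate an entire DSN, so treat the verdict as one scoring input alongside the usual checks rather than as proof of anything.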
