On Sat, 30 Jan 2021, Kenneth Porter wrote:

> What do others do about backscatter to their role addresses? It seems spammers have recently discovered the role addresses noc, hostmaster, and webmaster for one of my business domains and are forging them as senders. As a result, I'm seeing lots of backscatter from various spam-detectors. (This just started a week or two ago but the addresses have been around for years.)

Me too, just started a couple of days ago. SPF doesn't help; they are either using relays that ignore SPF failures for authenticated connections (and also don't validate that the sender domain belongs to a client), or don't check SPF at all - essentially, open relays.

> Should I bother letting SA scan the messages and consign them to my SA folder where they get auto-learned?

I'm not doing that, because it might cause legitimate "undeliverable" messages from (admittedly poorly-configured) MTAs to be classified as spam. You don't want to learn the MTA message part as "spammy".

What I'm doing right now is: if the "undeliverable" spam message is attached (it isn't always), I add it to my spam corpus and train *that* as spam, then I add the MTA that sent the backscatter to my MTA's "access denied" list with a message about the backscatter.

I'd also like to know how to submit these MTAs for inclusion in one of the Spamhaus DNSBLs.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  If you ask amateurs to act as front-line security personnel,
  you shouldn't be surprised when you get amateur security.
                                                    -- Bruce Schneier
-----------------------------------------------------------------------
 2 days until the 18th anniversary of the loss of STS-107 Columbia
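A small triage script along the lines of the procedure described in this post, added here as an example and not code from either poster: it separates the MTA-generated notice text (which must not be trained) from the attached copy of the forged original (which is what goes to `sa-learn --spam`), and reports the IP of the peer that delivered the bounce for the access-denied list. The sample bounce, the domains and the function names are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample bounce: a remote MTA accepted a message forging our
# hostmaster@ role address as sender, then "returned" it to us.
SAMPLE_BOUNCE = b"""Received: from mx.example.net (mx.example.net [192.0.2.25]) by mail.example.org with ESMTP id 1; Sat, 30 Jan 2021 10:00:00 -0800
From: MAILER-DAEMON@example.net
To: hostmaster@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Delivery to victim@example.net failed.
--B
Content-Type: message/rfc822

From: hostmaster@example.org
Subject: Special offer

Buy now!
--B--
"""

def bouncing_mta_ip(raw):
    # The first (outermost) Received header was written by our own MTA and names
    # the peer that delivered the bounce: that is the host for the deny list.
    top = message_from_bytes(raw, policy=policy.default).get("Received", "")
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(top))
    return m.group(1) if m else None

def extract_original(raw):
    # Only the attached copy of the forged message (message/rfc822 part) is
    # worth training as spam; the MTA's own notice text is skipped on purpose.
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0).as_bytes()
    return None

def triage(raw, our_domain):
    # "train": bytes for `sa-learn --spam`, or None if no copy of the forged
    # message is attached or its sender is not in our domain; "block": MTA IP.
    original = extract_original(raw)
    forged = False
    if original is not None:
        orig = message_from_bytes(original, policy=policy.default)
        forged = parseaddr(str(orig["From"]))[1].lower().endswith("@" + our_domain)
    return {"block": bouncing_mta_ip(raw), "train": original if forged else None}
```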
