On 08/09/2011 22:50, John Hardin wrote:
> On Thu, 8 Sep 2011, Steve wrote:
>> @mydom.org st...@mydom.org
>> I want all messages to all users delivered to steve.
>
> That's really discouraged these days, because spammers send a _lot_ of
> mail to essentially randomly-generated addresses in the hope that
> something will actually get delivered to a person with a wallet, and
> if you have a catch-all rather than rejecting invalid recipients, you
> actually _get_ all that spam (as you've seen).
>
> Disabling your catch-all would cure 90%-ish of this problem. How
> critical is that catch-all to you?

Unfortunately, fairly critical. I made the decision to use a catch-all back in ~1998 (when, I'm sure, you'll tell me it was still a bad idea) but it has been used extensively for over a decade.

Email addresses that are actually used conform, typically, to a fairly constrained set of regexps (but not a constrained list of valid addresses...) At the moment these regexps form the basis for spamassassin rules that add extra points to unexpected "To:" addresses - and my original thinking was that spam to invalid addresses would help auto-train Bayesian matching.

At the moment, my only niggle is that when I receive a spam to multiple addresses at my domain, this (identified spam) is still delivered multiple times - even when the multiple addresses all resolve to the same local account. The only problem is that I end up storing ~10,000 spams rather than ~1000 spams per month... and that seems somewhat inefficient... given that many of these spams are identical messages.

> Also: the log watcher idea wouldn't work, because it's only one
> inbound message. Greylisting _would_ still delay the message and would
> filter them completely if the spammer isn't retrying.

I discounted the log-watcher idea as soon as I realised that the identical messages were actually the same inbound message.

The greylisting shows promise (though I'm still dabbling with that - I want to make sure I get it configured correctly before going live.) My reason for optimism is that I anticipate that a spammer who sends a single mail with multiple envelope addresses, but one To: address, is likely to be using naive spamming tools... and greylisting would likely defeat them... It's an indirect approach, but one that might have the desired end result. I can cope with the delay if it only affects messages from hosts in DNS block lists.

It still seems odd, to me, that the envelope address can't necessarily influence the spamassassin score... The envelope address, I suspect, is more relevant than any other address found in the headers.