On 08/09/2011 22:50, John Hardin wrote:
> On Thu, 8 Sep 2011, Steve wrote:
>> @mydom.org st...@mydom.org
>> I want all messages to all users delivered to steve.
>
> That's really discouraged these days, because spammers send a _lot_ of
> mail to essentially randomly-generated addresses in the hope that
> something will actually get delivered to a person with a wallet, and
> if you have a catch-all rather than rejecting invalid recipients, you
> actually _get_ all that spam (as you've seen).
>
> Disabling your catch-all would cure 90%-ish of this problem. How
> critical is that catch-all to you?

Unfortunately, fairly critical.  I made the decision to use a catch-all
back in ~1998 (when, I'm sure, you'll tell me it was still a bad idea)
but it has been used extensively for over a decade.  Email addresses
that are actually used conform, typically, to a fairly constrained set
of regexps (but not a constrained list of valid addresses...). At the
moment these regexps form the basis for spamassassin rules that add
extra points to unexpected "To:" addresses - and my original thinking
was that spam to invalid addresses would help auto-train Bayesian matching.

At the moment, my only niggle is that when I receive a spam to multiple
addresses at my domain, this (identified spam) is still delivered
multiple times - even when the multiple addresses all resolve to the
same local account.  The only problem is that I end up storing ~10,000
spams rather than ~1000 spams per month... and that seems somewhat
inefficient... given that many of these spams are identical messages.

> Also: the log watcher idea wouldn't work, because it's only one
> inbound message. Greylisting _would_ still delay the message and would
> filter them completely if the spammer isn't retrying.

I discounted the log-watcher idea as soon as I realised that the
identical messages were actually the same inbound message.
The greylisting shows promise (though I'm still dabbling with that - I
want to make sure I get it configured correctly before going live.)  My
reason for optimism is that I anticipate that a spammer who sends a
single mail with multiple envelope addresses, but one To: address, is
likely to be using naive spamming tools... and greylisting would likely
defeat them... It's an indirect approach, but one that might have the
desired end result.  I can cope with the delay if it only affects
messages from hosts in DNS block lists.

It still seems odd, to me, that the envelope address can't necessarily
influence the spamassassin score... The envelope address, I suspect, is
more relevant than any other address found in the headers.
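As an added example (not code from Steve's or John's messages, and not SpamAssassin's own rule syntax), here is a Python sketch of the two ideas in this reply: scoring a message by its envelope recipient, read from the Delivered-To or X-Original-To header the MTA records, against a set of "expected address" regexps, and collapsing the copies of one inbound message that a catch-all delivers once per envelope recipient, so identical spam is stored once and the recipient count itself can add points. The regexps, the choice of headers, the weights and the sample messages are all assumptions constructed for the example.

```python
import email
import re
from email import policy

DOMAIN = "mydom.org"
# Constructed stand-ins for the "constrained set of regexps" in the post (not on the page).
EXPECTED_LOCAL_PARTS = [re.compile(r"^steve$"),
                        re.compile(r"^steve[+.][a-z0-9-]{1,20}$")]   # tagged forms: steve+news
UNEXPECTED_RCPT_SCORE = 2.5   # constructed weights, not SpamAssassin defaults
PER_EXTRA_RCPT_SCORE = 0.5

def is_expected_recipient(addr):
    """True if addr is at our domain and its lower-cased local part matches a pattern."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return domain == DOMAIN and any(rx.match(local) for rx in EXPECTED_LOCAL_PARTS)

def envelope_recipient(msg):
    """MTA-recorded envelope recipient (Delivered-To / X-Original-To); To: is ignored on purpose."""
    for hdr in ("Delivered-To", "X-Original-To"):
        if msg[hdr] is not None:
            return str(msg[hdr]).strip()
    return None

def collapse_deliveries(raw_messages):
    """Group copies of one inbound message by Message-ID (copies without one stay separate)."""
    groups = {}   # key -> (first copy seen, [envelope recipients]); insertion-ordered
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        mid = msg["Message-ID"]
        key = str(mid) if mid is not None else object()   # unique key when header absent
        copies = groups.setdefault(key, (msg, []))[1]
        rcpt = envelope_recipient(msg)
        if rcpt:
            copies.append(rcpt)
    return list(groups.values())

def recipient_score(rcpts):
    """Fixed penalty if any envelope recipient is unexpected, plus a little per extra copy."""
    score = UNEXPECTED_RCPT_SCORE if any(not is_expected_recipient(r) for r in rcpts) else 0.0
    return round(score + PER_EXTRA_RCPT_SCORE * max(0, len(rcpts) - 1), 2)

def process(raw_messages):
    """One (envelope recipients, extra score) entry per distinct inbound message."""
    return [(rcpts, recipient_score(rcpts)) for _, rcpts in collapse_deliveries(raw_messages)]
# Constructed sample: one spam delivered three times via the catch-all, plus one wanted mail.
_SPAM = ("Message-ID: <c0ffee@spam.example>\nFrom: x@spam.example\nTo: steve@mydom.org\n"
         "Subject: constructed sample\nDelivered-To: {rcpt}\n\nbody\n")
SAMPLE_DELIVERIES = [_SPAM.format(rcpt=r) for r in ("steve@mydom.org", "qwzx7@mydom.org",
                     "sales@mydom.org")] + ["Message-ID: <n1@news.example>\nTo: steve@mydom.org\n"
                     "Delivered-To: steve+news@mydom.org\nSubject: ok\n\nhi\n"]
```

Running `process(SAMPLE_DELIVERIES)` yields one entry for the spam with its three envelope recipients and an extra score of 3.5, and one entry for the tagged wanted mail scoring 0.0.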
