The majority of the messages my servers turn away are pure spam and most
are addressed to accounts that have never existed, so it's not like the
addresses have been harvested from someone's infected computer. It's
become common now to just try long lists of common names @domain.com to
try and get spam through.

Here's a log extract from one of my scanning servers from today. None of
the unknown accounts ever existed, but they did manage to guess one
correct address and the message was queued, but later deleted when it
was scanned and found to be spam.

Dec 30 14:10:17 gateway sendmail[25325]: jBUMAAkD025325: <[EMAIL PROTECTED]>... User unknown
Dec 30 14:10:17 gateway sendmail[25325]: jBUMAAkD025325: <[EMAIL PROTECTED]>... User unknown
Dec 30 14:10:17 gateway sendmail[25325]: jBUMAAkD025325: <[EMAIL PROTECTED]>... User unknown
Dec 30 14:10:17 gateway sendmail[25325]: jBUMAAkD025325: <[EMAIL PROTECTED]>... User unknown
Dec 30 14:10:17 gateway sendmail[25325]: jBUMAAkD025325: <[EMAIL PROTECTED]>... User unknown
Dec 30 14:10:17 gateway sendmail[25325]: jBUMAAkD025325: <[EMAIL PROTECTED]>... User unknown
Dec 30 14:10:18 gateway sendmail[25325]: jBUMAAkD025325: <[EMAIL PROTECTED]>... User unknown
Dec 30 14:10:18 gateway sendmail[25325]: jBUMAAkD025325: from=<[EMAIL PROTECTED]>, size=2119, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>, proto=SMTP, daemon=MTA, relay=pcp01924966pcs.canton01.mi.comcast.net [68.43.100.143]
Dec 30 14:10:18 gateway sendmail[25325]: jBUMAAkD025325: to=<[EMAIL PROTECTED]>, delay=00:00:01, mailer=relay, pri=30432, stat=queued
Dec 30 14:10:33 gateway MailScanner[9343]: Message jBUMAAkD025325 from 68.43.100.143 ([EMAIL PROTECTED]) to xxxxxxxx.com is spam, SpamAssassin (score=16.764, required 6, DISGUISE_PORN 1.83, HELO_DYNAMIC_COMCAST 3.53, HTML_50_60 0.10, HTML_FONT_BIG 0.23, HTML_MESSAGE 0.00, RCVD_IN_BL_SPAMCOP_NET 4.00, RCVD_IN_DSBL 2.77, RCVD_IN_NJABL_DUL 1.66, RCVD_IN_SORBS_DUL 0.14, RCVD_IN_XBL 2.51)
Dec 30 14:10:33 gateway MailScanner[9343]: Spam Checks: Found 1 spam messages
Dec 30 14:10:33 gateway MailScanner[9343]: Spam Actions: message jBUMAAkD025325 actions are delete


No virus, just pure spam. These are the ones that will more than likely
be mis-addressed and cause bounced messages, not viruses that are using
harvested addresses that are good or at least were good at some point.

Bill


John Kielkopf wrote:
>
>I agree, it is best to have the secondary/scanning server know what 
>accounts are real or not, but this isn't always practical to enforce.
>
>Still, in the case that the secondary does attempt delivery to a 
>non-existent account, as long as it's already decided that it's not a 
>virus, the mailbox that it'll be sending the bounce message to is much 
>less likely to be a forged, and valid, address... and this is what 
>Spamcop is really trying to stop:  Bounce backs, predominately from 
>viruses that forge the sender using a randomly chosen, but real, 
>address.  Eliminate the virus, and you eliminate the majority of the 
>problem.
>
>Bill Healy wrote:
>
>>But if there is a secondary or virus scanning only server that is a
>>relay for another server it has no way of knowing which accounts are
>>valid and it will accept all mail for handled domains. Then when the
>>secondary MX or virus scanner tries to deliver the message to the
>>primary mail server it will at that point find out if the mail is to a
>>valid account. If it's not valid then the server trying to make the
>>delivery will generate a bounce message back to the sender, that's the
>>problem spamcop is trying to stop. 
>>
>>The load on my spam and virus scanning servers that front end for other
>>mail servers has significantly decreased now that I verify who the mail
>>is going to before any spam or virus scanning. I'm not using xmail as my
>>front end server for scanning, I'm using a dedicated server with
>>MailScanner http://www.mailscanner.info/ to scan for viruses, spam,
>>phishing, banned attachments, among other things before being passed on
>>to the Exchange and xMail servers.
>>
>>Bill
>>
>>>Bill Healy wrote:
>>>
>>>>If so then maybe you should look into a filter that can validate
>>>>delivery addresses before accepting a message.
>>>>
>>>I would think that just doing virus scanning in a post-data filter on 
>>>the secondary MX should be enough to limit a good majority of 
>>>misdirected bounces that would actually hit a live mailbox.  Perhaps SPF 
>>>would catch much of the remainder?
>>>
-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
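
Added example (not part of the original message or thread): a small Python check that groups sendmail entries by queue ID and flags sessions with many "User unknown" rejections, the name-guessing pattern shown in the log extract above. The sample log is constructed, and the function names and the threshold of 5 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the extract above; queue IDs, addresses and
# the 192.0.2.x / 198.51.100.x relay IPs are made-up documentation values.
SAMPLE_LOG = """\
Dec 30 14:10:17 gateway sendmail[101]: qAAAA0000001: <adam@example.com>... User unknown
Dec 30 14:10:17 gateway sendmail[101]: qAAAA0000001: <alan@example.com>... User unknown
Dec 30 14:10:17 gateway sendmail[101]: qAAAA0000001: <anna@example.com>... User unknown
Dec 30 14:10:18 gateway sendmail[101]: qAAAA0000001: <bill@example.com>... User unknown
Dec 30 14:10:18 gateway sendmail[101]: qAAAA0000001: <carl@example.com>... User unknown
Dec 30 14:10:18 gateway sendmail[101]: qAAAA0000001: from=<x@example.net>, size=2119, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=dyn.example.net [192.0.2.10]
Dec 30 14:10:18 gateway sendmail[101]: qAAAA0000001: to=<dave@example.com>, delay=00:00:01, mailer=relay, pri=30432, stat=queued
Dec 30 14:12:40 gateway sendmail[102]: qAAAA0000002: <jon@example.com>... User unknown
Dec 30 14:12:41 gateway sendmail[102]: qAAAA0000002: from=<y@example.org>, size=900, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Dec 30 14:12:41 gateway sendmail[102]: qAAAA0000002: to=<john@example.com>, delay=00:00:01, mailer=relay, pri=30100, stat=queued
"""

ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (.*)")
UNKNOWN = re.compile(r"^<([^>]*)>\.\.\. User unknown")
# Only the from= line names the connecting host; to= lines may name the next hop.
RELAY = re.compile(r"^from=.*\brelay=\S* ?\[([0-9A-Fa-f.:]+)\]")
QUEUED = re.compile(r"^to=<([^>]*)>.*\bstat=queued")

def sessions(log_text):
    """Group sendmail entries by queue ID: relay IP, rejected and accepted recipients."""
    out = defaultdict(lambda: {"relay": None, "rejected": [], "accepted": []})
    for line in log_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # other daemons (e.g. MailScanner) or wrapped fragments
        qid, rest = entry.groups()
        if m := UNKNOWN.match(rest):
            out[qid]["rejected"].append(m.group(1))
        elif m := QUEUED.match(rest):
            out[qid]["accepted"].append(m.group(1))
        elif m := RELAY.match(rest):
            out[qid]["relay"] = m.group(1)
    return dict(out)

def guessing_sessions(log_text, min_rejects=5):
    """Sessions whose unknown-recipient count suggests address guessing."""
    return {qid: s for qid, s in sessions(log_text).items()
            if len(s["rejected"]) >= min_rejects}

if __name__ == "__main__":
    for qid, s in guessing_sessions(SAMPLE_LOG).items():
        print(qid, s["relay"], len(s["rejected"]), "unknown; guessed:", s["accepted"])
```

Each log entry has to be on a single line, so entries wrapped by a mail client need rejoining before they are fed in.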
