Bounced Email - Dealing w/ the Latest Type of Spam?
heretic108 asks: "For 3 years, I've been running a home office EXIM mailserver to handle mails on my 3 personal domains. All had been fine - I'd fastidiously configured EXIM to guard against relaying, and even now receive a clean bill of health from the various relay-checker sites. Spam levels were moderate, and mostly arrested by SpamAssassin and Thunderbird's inbuilt filters, until today. I got up this morning to find 3500+ e-mails in my inbox. All were bounces - spoofed and genuine, and came from a vast variety of IP addresses (eg lots of AOL users' IPs), which indicates they're being sent largely via compromised windows boxen, as well as from inadequately-configured corporate/ISP mailservers which don't bother to check the purported 'from' addresses against the originating domains. This hurricane continues, with 10-30 new incoming spams every minute! I've re-enabled Active Spam Killer, but this is next to useless, since ASK passes all 'bounce' messages, real or otherwise, to the mbox without challenge. I'm hoping to hear from anyone who can share success stories in dealing with such a menace, without undue complication or loss of legitimate mail. Thanks in advance for all your constructive and positive suggestions." It seems that dealing with regular Spam is almost easy in comparison to dealing with its consequences: bounced emails. Does anyone have suggestions, or filters on how to handle bounced e-mail that has resulted from someone using your e-mail address to spam someone else?
I get a lot of bounces from mail I didn't send. Things that come from postmaster or mailer-daemon aren't a big deal: send 'em all to /dev/null with procmail. The larger problem is vacation messages. I haven't figured out any good way to filter them. Ideas?
My SpamAssassin rules do a pretty good job of filtering messages about viruses I didn't send, but even then I can't get 'em all. I wish there was a standard for email generated in response to other emails.
I had this problem a few years ago. I received up to 20 messages (bounces, out-of-office, mailbox full, authentication request, etc.) a minute at the peak. In total I received about 100,000 messages over a few weeks before it stopped.
I called the company spamming and they "took a message". However, I was able to filter them because they were coming to a few specific random accounts, such as vxxylj@sample-domain.com and rtyylhi@sample-domain.com for example.
I could not find any other way to filter them because it seems that there are several dozen formats for bounces. That made me wish there was a standard format for bounces, or at least a standard subject line or sender address.
...
I see about 6 junk messages a month to my account.
And you see about 0 messages from Lotus Notes users. I think we'll roll out greylisting at our company later.
There are no trails. There are no trees out here.
Parent post isn't flamebait. It is the very essence of why spam filtering is a sucky solution at best. Even a single false positive is simply unacceptable! (because when you have 4 million pieces of spam and 1 false positive, you're never going to notice it when you go into your "spam" folder) and it could be important! Speaking from personal experience. My father emailed me from a new email address -- he scanned my law school acceptance letter and just sent it to me, no subject line. Stupid inbox filtering (work email) thought it was spam... I realize it is anecdotal, but ALL false positives are anecdotal, and these are the exact anecdotal reasons that they aren't acceptable.
When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
You should dump ALL bounce messages. When was the last time you got a legit bounce message from something YOU sent? Never? Years ago?
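Several posts above run into the same two problems: recognising that a message is a bounce or auto-reply at all (the poster wishing for a standard format; the one who can filter mailer-daemon but not vacation messages), and telling a bounce for mail you really sent from backscatter caused by a forged sender (the "dump ALL bounces" advice). The example below is added editorially and is not code from the thread, from Exim, or from SpamAssassin. It does two things: it classifies a message using signals that do have standards (RFC 3464 delivery status notifications are `multipart/report; report-type=delivery-status`, RFC 3834 auto-replies carry an `Auto-Submitted:` header, and a null return path marks a bounce), and it implements a BATV-style `prvs=` envelope-sender tag so that a bounce is only accepted if it comes back to an address this server signed within the last seven days. The site key, the key-version digit, the truncated-HMAC tag and all sample messages are constructed assumptions for the demo; in a real deployment the check belongs in the MTA at SMTP time (reject at `RCPT TO` or `DATA`) so backscatter is refused rather than accepted and re-bounced.

```python
"""Added example: classify bounces/auto-replies and verify a BATV-style tag.

Editorial example code, not from the thread, Exim or SpamAssassin.
The site key and every sample message below are constructed for the demo.
"""
import hashlib
import hmac
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: per-site secret; in production load it from protected config.
BATV_KEY = b"constructed-demo-secret-replace-me"
KEY_VERSION = "0"   # BATV 'K' digit, lets you rotate BATV_KEY later
VALID_DAYS = 7      # how long a signed envelope sender accepts bounces

# BATV draft layout: prvs=KDDDSSSSSS=local@domain
#   K = key version, DDD = expiry day (days since epoch mod 1000),
#   SSSSSS = six hex digits of hash (here: truncated HMAC-SHA256, an assumption)
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<d>\d{3})(?P<h>[0-9a-f]{6})=(?P<addr>.+)$", re.I)


def _tag_hash(key_ver: str, expiry: int, addr: str) -> str:
    data = f"{key_ver}{expiry:03d}{addr.lower()}".encode()
    return hmac.new(BATV_KEY, data, hashlib.sha256).hexdigest()[:6]


def sign_sender(addr: str, today: int) -> str:
    """Envelope sender (MAIL FROM) to use when *we* send mail as *addr*
    on day *today* (days since epoch).  The From: header stays untagged."""
    expiry = (today + VALID_DAYS) % 1000
    return f"prvs={KEY_VERSION}{expiry:03d}{_tag_hash(KEY_VERSION, expiry, addr)}={addr}"


def verify_recipient(rcpt: str, today: int):
    """Return the real mailbox if *rcpt* carries a valid, unexpired tag we
    issued; otherwise None (untagged, expired, or forged tag)."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return None
    expiry = int(m["d"])
    if (expiry - today % 1000) % 1000 > VALID_DAYS:
        return None                      # tag expired (or from the far future)
    expected = _tag_hash(m["k"], expiry, m["addr"])
    if not hmac.compare_digest(expected, m["h"].lower()):
        return None                      # tag not produced with our key
    return m["addr"]


def classify(msg: Message) -> str:
    """'dsn' (RFC 3464 report), 'auto-reply' (RFC 3834 Auto-Submitted),
    'bounce' (null return path or mailer-daemon/postmaster), or 'normal'."""
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return "dsn"
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return "auto-reply"
    return_path = (msg.get("Return-Path") or "").strip()
    sender_local = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if return_path == "<>" or sender_local in ("mailer-daemon", "postmaster"):
        return "bounce"
    return "normal"


def handle(raw: str, envelope_rcpt: str, today: int):
    """Decide what to do with one message delivered to *envelope_rcpt*."""
    kind = classify(message_from_string(raw))
    signed_for = verify_recipient(envelope_rcpt, today)
    if kind == "normal":
        return ("deliver", signed_for or envelope_rcpt)
    if signed_for is not None:
        return ("deliver", signed_for)   # a bounce for mail we really sent
    return ("reject", None)              # automatic response to mail we never sent


def kind_of(raw: str) -> str:
    return classify(message_from_string(raw))


# Constructed sample messages (not real traffic).
DSN_RAW = (
    "Return-Path: <>\n"
    "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
    "Subject: Undelivered Mail Returned to Sender\n"
    'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n--b1--\n")
VACATION_RAW = (
    "Return-Path: <carol@example.org>\nFrom: Carol <carol@example.org>\n"
    "Auto-Submitted: auto-replied\nSubject: Out of office\n\nBack Monday.\n")
NORMAL_RAW = (
    "Return-Path: <bob@example.org>\nFrom: Bob <bob@example.org>\n"
    "Subject: lunch?\n\nStill on?\n")


def demo(today: int = 123) -> dict:
    signed = sign_sender("alice@example.com", today)
    return {
        "legit_dsn": handle(DSN_RAW, signed, today),
        "backscatter_dsn": handle(DSN_RAW, "alice@example.com", today),
        "vacation": handle(VACATION_RAW, "alice@example.com", today),
        "normal": handle(NORMAL_RAW, "alice@example.com", today),
        "stale_dsn": handle(DSN_RAW, signed, today + VALID_DAYS + 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

Because only the envelope sender is tagged, replies from humans still go to the untagged `From:` address and are never affected; only automatic responses, which by the standards go to the envelope sender, have to pass the tag check. Dropping every bounce, as the last post suggests, loses the genuine "mailbox does not exist" notices for mail you did send; the tag keeps those while rejecting the rest.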