Slashdot Mirror


Bounced Email - Dealing w/ the Latest Type of Spam?

heretic108 asks: "For 3 years, I've been running a home office EXIM mailserver to handle mails on my 3 personal domains. All had been fine - I'd fastidiously configured EXIM to guard against relaying, and even now receive a clean bill of health from the various relay-checker sites. Spam levels were moderate, and mostly arrested by SpamAssassin and Thunderbird's inbuilt filters, until today. I got up this morning to find 3500+ e-mails in my inbox. All were bounces - spoofed and genuine, and came from a vast variety of IP addresses (eg lots of AOL users' IPs), which indicates they're being sent largely via compromised windows boxen, as well as from inadequately-configured corporate/ISP mailservers which don't bother to check the purported 'from' addresses against the originating domains. This hurricane continues, with 10-30 new incoming spams every minute! I've re-enabled Active Spam Killer, but this is next to useless, since ASK passes all 'bounce' messages, real or otherwise, to the mbox without challenge. I'm hoping to hear from anyone who can share success stories in dealing with such a menace, without undue complication or loss of legitimate mail. Thanks in advance for all your constructive and positive suggestions." It seems that dealing with regular Spam is almost easy in comparison to dealing with its consequences: bounced emails. Does anyone have suggestions, or filters on how to handle bounced e-mail that has resulted from someone using your e-mail address to spam someone else?

25 of 96 comments

  1. Bayesian Spam Filter by Marxist+Hacker+42 · · Score: 3, Informative

    This is how I do it anyway- there are several out there but I use SpamBayes because I've got my mailserver on a Windows box.

    A Bayesian spam filter can learn to filter ANYTHING!

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    1. Re:Bayesian Spam Filter by fm6 · · Score: 5, Insightful

      So big deal. Writing an effective content-based spam filter isn't hard. Writing an effective content-based spam filter without false positives is just about impossible. If you don't mind missing some of your email, fine. But most of us don't have that luxury.

    2. Re:Bayesian Spam Filter by Vengie · · Score: 4, Interesting

      Parent post isn't flamebait. It is the very essence of why spam filtering is a sucky solution at best. Even a single false positive is simply unacceptable! (because when you have 4 million pieces of spam and 1 false positive, you're never going to notice it when you go into your "spam" folder) and it could be important! Speaking from personal experience. My father emailed me from a new email address -- he scanned my law school acceptance letter and just sent it to me, no subject line. Stupid inbox filtering (work email) thought it was spam... I realize it is anecdotal, but ALL false positives are anecdotal, and these are the exact anecdotal reasons that they aren't acceptable.

      --
      When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
    3. Re:Bayesian Spam Filter by fm6 · · Score: 3, Funny

      Hey, everybody knows that "Flamebait" is shorthand for "You suck!"
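Both sides of this sub-thread (a Bayesian filter "can learn anything", and the false positives fm6 warns about) can be seen in a small Graham-style filter. This is an added example written for this page, not code from SpamBayes or from anyone in the thread; the training corpus, the three test messages, the crude tokenizer and the low minimum-occurrence threshold are all constructed for the demonstration. Because the filter is trained on joe-job bounces as spam, the tokens that mean "this is a bounce" become spam tokens, and a genuine bounce for mail you really did send is then scored as spam too, which is exactly the false positive the replies complain about.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]{3,}")


def tokenize(text):
    """Crude tokenizer: lower-case words of 3+ letters/digits, counted once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    """Graham-style Bayesian filter: one spam probability per token, combined
    over the tokens of a message that are farthest from 0.5."""

    MIN_OCCURRENCES = 2  # Graham used 5; the constructed corpus below is tiny

    def __init__(self):
        self.spam_tokens = Counter()
        self.ham_tokens = Counter()
        self.nspam = 0
        self.nham = 0

    def train(self, text, is_spam):
        if is_spam:
            self.spam_tokens.update(tokenize(text))
            self.nspam += 1
        else:
            self.ham_tokens.update(tokenize(text))
            self.nham += 1

    def token_prob(self, token):
        """P(spam | token), or None if the token was seen too rarely to trust."""
        b = self.spam_tokens[token]
        g = 2 * self.ham_tokens[token]  # ham doubled: Graham's bias against false positives
        if g + b < self.MIN_OCCURRENCES:
            return None
        bad = min(1.0, b / max(self.nspam, 1))
        good = min(1.0, g / max(self.nham, 1))
        return min(0.99, max(0.01, bad / (good + bad)))

    def score(self, text, top_n=15):
        """Combined spam probability from the top_n most decisive tokens."""
        probs = [p for p in map(self.token_prob, tokenize(text)) if p is not None]
        if not probs:
            return 0.5
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[:top_n]
        prod = math.prod(top)
        inv = math.prod(1 - p for p in top)
        return prod / (prod + inv)


# Constructed training data: joe-job bounces the user received (spam) and
# ordinary personal mail (ham).
JOE_JOB_BOUNCES = [
    "Delivery failure: your message about cheap mortgage rates could not be delivered. User unknown.",
    "Undeliverable: buy cheap meds online. Mailbox full, delivery failed.",
    "Mail delivery failed: returning message to sender. Cheap rolex watches for sale.",
    "Delivery status notification (failure): lowest mortgage rates guaranteed. User unknown.",
]
PERSONAL_MAIL = [
    "Hi Tom, are we still on for lunch on Thursday? Let me know.",
    "Attached is the draft of the quarterly report, please review by Friday.",
    "Dad here, scanned your acceptance letter, see attachment.",
    "Reminder: team meeting moved to 3pm in the main conference room.",
]

# Constructed test messages.
FORGED_BOUNCE = "Mail delivery failed: user unknown. Original message: cheap mortgage rates, apply now."
LEGIT_BOUNCE = "Delivery failed: recipient mailbox full. Your message about Thursday lunch was not delivered."
PERSONAL = "Lunch Thursday works, see you at noon."


def build_filter():
    f = BayesFilter()
    for msg in JOE_JOB_BOUNCES:
        f.train(msg, True)
    for msg in PERSONAL_MAIL:
        f.train(msg, False)
    return f


def demo():
    """Scores for the three test messages; the legitimate bounce is the false positive."""
    f = build_filter()
    return {
        "forged_bounce": f.score(FORGED_BOUNCE),
        "legit_bounce": f.score(LEGIT_BOUNCE),
        "personal": f.score(PERSONAL),
    }


if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name}: {s:.4f}")
```

The legitimate bounce scores as spam because "delivery", "failed" and "message" were only ever seen in joe-job bounces; a content filter cannot tell a bounce for mail you sent from a bounce for mail a spammer forged in your name, which is why the later comments look at the envelope instead.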

  2. Postmaster - /dev/null by David+Muir+Sharnoff · · Score: 2, Interesting

    I get a lot of bounces from mail I didn't send. Things that come from postmaster or mailer-daemon aren't a big deal: send 'em all to /dev/null with procmail. The larger problem is vacation messages. I haven't figured out any good way to filter them. Ideas?

    My SpamAssassin rules do a pretty good job of filtering messages about viruses I didn't send but even then I can't get 'em all. I wish there was a standard for email generated in response to other emails.

    1. Re:Postmaster - /dev/null by AndroidCat · · Score: 2, Insightful

      What about bounces from mail you did send? You'd probably want to know when that ASAP email you sent hit a full mailbox or their server was struck by lightning.

      --
      One line blog. I hear that they're called Twitters now.
  3. Did you piss anyone off lately? by HotNeedleOfInquiry · · Score: 4, Informative

    Getting hit with a "joe job" is sometimes used as an act of revenge for a protest or flamewar. Best to keep your home email address out of the limelight for that reason.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:Did you piss anyone off lately? by nocomment · · Score: 4, Informative

      mod parent up, that's exactly what happened to him. Just be patient the wave will subside in about a week. Most mail servers are set to bounce mail after 7 days for domains that don't exist. It will slow down some over the next days with the last bounce happening in a few days.

      I too was joe-jobbed once and it is not pleasant.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    2. Re:Did you piss anyone off lately? by noahm · · Score: 4, Informative

      mod parent up, that's exactly what happened to him. Just be patient the wave will subside in about a week. Most mail servers are set to bounce mail after 7 days for domains that don't exist. It will slow down some over the next days with the last bounce happening in a few days.

      Sadly, it may not subside so quickly. A couple of years ago I was really strict about reporting open relays and proxies and other spam-resenders to the ISPs responsible for the netblock on which they reside. Unfortunately, I think I sent a report to the abuse contact for some netblock that was actually controlled directly by spammers, or something like that. Ever since then, I've been under an almost constant joe-job. I don't have my mailer configured to copy postmaster on every bounce, but I see all sorts of bounce delivery attempts every day to accounts that have never existed.

      All I can think of is that it's an ongoing attempt to discredit my domain. I'm sure they're not targeting me specifically at this point, but have simply added my domain to a list of domains from which they send their forged mail.

      noah

  4. I had this problem once by waynegoode · · Score: 5, Interesting

    I had this problem a few years ago. I received up to 20 messages (bounces, out-of-office, mailbox full, authentication request, etc.) a minute at the peak. In total I received about 100,000 messages over a few weeks before it stopped.

    I called the company spamming and they "took a message". However, I was able to filter them because they were coming to a few specific random accounts, such as vxxylj@sample-domain.com and rtyylhi@sample-domain.com for example.

    I could not find any other way to filter them because it seems that there are several dozen formats for bounces. That made me wish there was a standard format for bounces, or at least a standard subject line or sender address.

  5. newly obligatory twisted Dave Barry quote by Naikrovek · · Score: 5, Funny

    quoted from http://www.miami.com/mld/miamiherald/living/columnists/dave_barry/6649728.htm?1c
    and twisted to change the subject to spam.

    ===

    People do not like spam.

    And how has the spam industry responded to this tidal wave of public hostility? It has issued this statement: "Gosh, if these people really don't want us to email them, then there's no point in our emailing them! We'd only be making them hate us more, and that's just plain stupid! We'll try to come up with a less offensive way to do business."

    No, wait, that's what the spammers would say in Bizarro World, where everything is backward, and Superman is bad, and spammers contain human DNA. Here on Earth, the spammers are claiming they have a constitutional right to email people who do not want to be emailed. They base this claim on Article VX, Section iii, row 5, seat 2, of the U.S. Constitution, which states: "If anybody ever invents the Internet, Congress shall pass no law prohibiting salespeople from using it to completely fill your inbox."

  6. Bounces are a problem by AndroidCat · · Score: 3, Informative

    Back in the old days, a bounce email to the "sender" of the email was the proper way to do things. Now, a straight 5xx rejection response should be given as much as possible.

    --
    One line blog. I hear that they're called Twitters now.
  7. Publish SPF Records by bill_mcgonigle · · Score: 4, Insightful

    This isn't magic, but if everybody publishes SPF Records for their domains and checks them (SpamAssassin 3) joe jobs become much, much harder.

    So do the right thing and publish them. 5 minutes a domain tops if you're familiar with DNS.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
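The "checks them" half of the SPF advice above means: when a message arrives claiming MAIL FROM some domain, fetch that domain's SPF record and test the connecting IP against it, and do it during the SMTP dialogue so a forged sender is refused with a 5xx instead of being accepted and bounced to the innocent domain. The evaluator below is an added example written for this page, not code from SpamAssassin or any SPF library. It assumes a constructed record (the 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 documentation ranges) and implements only the ip4, ip6 and all mechanisms with their qualifiers; include, a, mx, exists and redirect need DNS lookups and are reported as permerror here.

```python
import ipaddress

# Constructed record: the domain sends only from two IPv4 ranges and one
# IPv6 range, and asks receivers to fail everything else ("-all").
SPF_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record against the IP that connected to our MTA.

    Supports ip4, ip6 and all; a mechanism with no qualifier means "+".
    Anything needing DNS (include, a, mx, exists, redirect=) is outside this
    simplified evaluator and yields permerror.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()

        if "=" in name:                 # modifier, e.g. redirect= or exp=
            if name.startswith("exp="):
                continue                # explanation string does not affect the result
            return "permerror"
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"              # include/a/mx/exists not supported here

    return "neutral"                    # nothing matched and no "all" term


def smtp_reply_for(result):
    """Simplified receiver policy: refuse SPF fail at MAIL FROM/RCPT TO time
    so no bounce is ever generated for the forged sender; let the rest through
    for later scoring (SpamAssassin-style)."""
    if result == "fail":
        return "550 5.7.1 Sender address rejected: SPF fail"
    return "250 2.1.0 Ok"


def check_sender(record, client_ip):
    """Convenience wrapper returning (spf_result, smtp_reply)."""
    result = evaluate_spf(record, client_ip)
    return result, smtp_reply_for(result)


if __name__ == "__main__":
    # Constructed connecting IPs: a real sending host and a forging host.
    for ip in ("192.0.2.10", "203.0.113.5", "2001:db8:1::1"):
        print(ip, check_sender(SPF_RECORD, ip))
```

Publishing a record only helps against joe jobs at receivers that evaluate it; a receiver that accepts first and bounces later still produces backscatter, which is why the SPF advice and the "reject with 5xx during SMTP" advice in this thread go together.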
  8. How to fix (Postfix) by fsck! · · Score: 5, Informative
    Can't say how to do this with exim because I've been using Postfix for as long as I can remember. Here's how I get around this:
    # Don't name the lookup table that rejected an unknown recipient
    show_user_unknown_table_name = no

    # Clients must send HELO/EHLO before MAIL FROM
    smtpd_helo_required = yes

    # Evaluated in order at RCPT TO. Unknown local users, non-FQDN or
    # non-resolving sender domains and listed relays are refused during the
    # SMTP dialogue itself, so no bounce is ever generated for them; the
    # policy service on port 60000 is the greylisting daemon.
    # Continuation lines must start with whitespace in main.cf.
    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unlisted_recipient,
        reject_unauth_destination,
        reject_unknown_sender_domain,
        reject_rbl_client relays.ordb.org,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        check_policy_service inet:127.0.0.1:60000,
        permit

    # Refuse clients that pipeline commands without asking first
    smtpd_data_restrictions = reject_unauth_pipelining permit

    # Hand accepted mail to amavis (antivirus) over LMTP
    content_filter = lmtp-amavis:[127.0.0.1]:10024
    This enables greylisting, antivirus via amavis, rejecting unknown users at the SMTP stage, and I also publish SPF records. These together mean I see about 6 junk messages a month to my account. There are about 100 mailboxes on this server, and they all report about the same level of noise.
    1. Re:How to fix (Postfix) by Elwood+P+Dowd · · Score: 3, Interesting
      This enables greylisting

      ...

      I see about 6 junk messages a month to my account.

      And you see about 0 messages from Lotus Notes users. I think we'll roll out greylisting at our company later.

      --

      There are no trails. There are no trees out here.
    2. Re:How to fix (Postfix) by Matt+Perry · · Score: 2, Informative

      Maybe you should roll out a new MTA first. Treating temporary failure codes as permanent failures means your current MTA is broken.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  9. Bounce Keys by Anonymous Coward · · Score: 5, Informative

    Basically, you add an encrypted header to all outgoing emails which says "Yes, this email came from this server." Then, when you receive a bounce message, you check for the key. If it has it, it gets through, and if it doesn't, it gets rejected.

    Here's the Exim howto http://psg.com/~brian/software/authbounce/configure-authbounce.txt

  10. Procmail recipe by Matt+Perry · · Score: 4, Informative
    This procmail recipe will at least get them out of your inbox. I got this from someone here on slashdot and I forgot to write down who it was from. Thanks anonymous slashdot procmail guru.
    # This recipe catches most DSNs.
    # Scoring recipe: the first condition starts the score at -1 and every
    # matching pattern adds 1, so a single hit files the mail in daemon-msgs.
    # The H and B flags search header and body together. Parentheses are
    # escaped where a literal "(s)" is meant, otherwise they would just group.
    :0HB
    * -1^0
    * 1^0 ^FROM_MAILER
    * 1^0 ^Status: 4.2.0
    * 1^0 ^Status: 4.4.1
    * 1^0 ^Status: 4.4.2
    * 1^0 ^Status: 4.4.6
    * 1^0 ^Status: 4.4.7
    * 1^0 ^Status: 5.0.0
    * 1^0 ^Status: 5.1.1
    * 1^0 ^Status: 5.1.2
    * 1^0 ^Status: 5.1.6
    * 1^0 ^Status: 5.2.1
    * 1^0 ^Status: 5.2.2
    * 1^0 ^Status: 5.2.3
    * 1^0 ^Status: 5.3.5
    * 1^0 ^Status: 5.4.7
    * 1^0 ^Status: 5.5.0
    * 1^0 ^Status: 5.7.1
    * 1^0 ^554 5.0.0 Service unavailable
    * 1^0 ^Remote host said: 550.*User unknown
    * 1^0 ^Remote host said: 554.*doesn't have a yahoo.com account
    * 1^0 ^User.*not listed in public Name & Address Book
    * 1^0 ^Sorry, no mailbox here by that name.
    * 1^0 ^<.*>: Unkown user:
    * 1^0 ^User mailbox exceeds allowed size:
    * 1^0 ^.*No matches to nameserver query
    * 1^0 ^A message that you sent could not be delivered
    * 1^0 ^.*550 unknown user
    * 1^0 ^This is a permanent error; I've given up.
    * 1^0 ^The user\(s\) account is temporarily over quota.
    * 1^0 ^Receiver not found:
    * 1^0 ^Requested action not taken: mailbox unavailable.
    * 1^0 ^--AOL Postmaster
    * 1^0 ^I'm sorry to have to inform you that the message returned
    * 1^0 ^550 5.1.1 <.*>... User unknown
    * 1^0 ^550 <.*>\.\.\. User unknown
    * 1^0 ^Subject:.*failure notice
    * 1^0 ^did not reach the following recipient\(s\):
    * 1^0 ^The following recipient\(s\) could not be reached:
    * 1^0 ^.*550 Mailbox quota exceeded
    * 1^0 ^.*550 Access Denied
    * 1^0 ^550 5.0.0.*Can't create output
    * 1^0 ^.*There is no such addressee as
    * 1^0 ^Mail Delivery Failed... User unknown
    daemon-msgs
    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
  11. Backscatter by bob@dB.org · · Score: 4, Informative

    Spam lingo for this phenomenon is "backscatter" or "outscatter" (I prefer the last one, as the bounces are not actually sent "back", but to an innocent third party). Spam Links has a link collection to get you up to date at:

    http://spamlinks.net/filter-bounce.htm

    A nice solution is Bounce Address Tag Validation (BATV), described at:

    http://www.ietf.org/internet-drafts/draft-levine-mass-batv-00.txt

    Abstract:

    The envelope of Internet mail contains an RFC2821.MailFrom command, which may supply an address to be used as the recipient of transmission and delivery notices about the original message. Existing Internet mail permits unauthorized use of addresses in the MailFrom command, causing notices to be sent to unwitting and unwilling recipients. Bounce Address Tag Validation (BATV) defines an extensible mechanism for validating the MailFrom address. It also defines an initial use of that mechanism which requires no administrative overhead and no global implementation.
    --
    Acts@core.mailboks.com Acrux@core.mailboks.com Adam@core.mailboks.com Adar@core.mailboks.com Ada@core.mailboks.com
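The "Bounce Keys" comment (9) and the BATV draft quoted above (11) describe the same idea from two angles: mark everything you send so that a bounce coming back can prove it refers to mail you actually sent, and refuse the rest at RCPT TO time. The code below is an added example written for this page; it is not the Exim howto from psg.com, not the draft's reference implementation and not Exim or Postfix code. It follows the general shape of the draft's prvs tag (a one-digit key id, a three-digit expiry day, six hex digits of hash, then the original address), but the secret, the validity window, the days-since-epoch day counter and the use of a truncated HMAC-SHA1 are this example's own choices, not taken from the draft, and the sample addresses and dates are constructed.

```python
import datetime
import hashlib
import hmac

# Constructed values for this example; a real site uses its own secret key.
SECRET_KEY = b"constructed-demo-key"
KEY_ID = "0"          # single-digit key version carried in the tag
VALIDITY_DAYS = 7     # a tag signed today is honoured for this many days

DEMO_TODAY = datetime.date(2004, 11, 15)   # constructed "today" for the demo


def day_number(date):
    """Days since 1970-01-01, modulo 1000 (three decimal digits in the tag)."""
    return (date - datetime.date(1970, 1, 1)).days % 1000


def shift_days(date, n):
    return date + datetime.timedelta(days=n)


def _signature(key_id, expiry_day, address):
    """Six hex digits of an HMAC over key id, expiry day and the original address."""
    msg = f"{key_id}{expiry_day:03d}{address}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha1).hexdigest()[:6]


def sign_mailfrom(address, today=None):
    """Rewrite the envelope sender of outgoing mail to prvs=KDDDSSSSSS=local@domain."""
    today = today or datetime.date.today()
    local, at, domain = address.partition("@")
    if not at or not local or not domain:
        raise ValueError("address must be local@domain")
    expiry_day = day_number(shift_days(today, VALIDITY_DAYS))
    tag = f"{KEY_ID}{expiry_day:03d}{_signature(KEY_ID, expiry_day, address)}"
    return f"prvs={tag}={local}@{domain}"


def verify_bounce_recipient(rcpt, today=None):
    """Check the RCPT TO address of an incoming bounce (a message with MAIL FROM:<>).

    Returns (accept, reason, original_address). Anything that is not a valid,
    unexpired tag we issued is refused with a 5xx at RCPT time, so a joe-job
    bounce never reaches the mailbox.
    """
    today = today or datetime.date.today()
    if not rcpt.lower().startswith("prvs="):
        return (False, "untagged", rcpt)          # we only ever send tagged addresses
    tag, sep, original = rcpt[5:].partition("=")
    if not sep or len(tag) != 10 or not tag[1:4].isdigit():
        return (False, "malformed", rcpt)
    key_id, expiry_day, sig = tag[0], int(tag[1:4]), tag[4:]
    if key_id != KEY_ID:
        return (False, "unknown-key", original)
    expected = _signature(key_id, expiry_day, original)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return (False, "bad-signature", original)
    # Days left until expiry, modulo the 3-digit wrap: a value above
    # VALIDITY_DAYS means the tag is already past its expiry day.
    remaining = (expiry_day - day_number(today)) % 1000
    if remaining > VALIDITY_DAYS:
        return (False, "expired", original)
    return (True, "ok", original)


if __name__ == "__main__":
    tagged = sign_mailfrom("alice@example.com", DEMO_TODAY)
    print("outgoing MAIL FROM:", tagged)
    print("bounce to tagged address:", verify_bounce_recipient(tagged, DEMO_TODAY))
    print("bounce to plain address: ", verify_bounce_recipient("alice@example.com", DEMO_TODAY))
    print("bounce nine days later:  ", verify_bounce_recipient(tagged, shift_days(DEMO_TODAY, 9)))
```

The check belongs at RCPT TO for null-sender messages only; ordinary mail to the untagged address must still be accepted. The practical cost is that the envelope sender now changes with every message and every week, which interacts badly with remote sites that greylist or whitelist per sender address, and with anything that matches the envelope sender literally, so both legs (signing on all outgoing paths and verifying only bounces) need to be in place before rejecting.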
  12. Send all bounce msgs to /dev/null/ by sakusha · · Score: 3, Interesting

    You should dump ALL bounce messages. When was the last time you got a legit bounce message from something YOU sent? Never? Years ago?

    1. Re:Send all bounce msgs to /dev/null/ by Dark+Nexus · · Score: 2, Informative

      Months ago, and barely months.

      Legitimate bounces DO still happen. Not often for most people, but they are still a reality.

      --
      Dark Nexus
      "Sanity is calming, but madness is more interesting."
    2. Re:Send all bounce msgs to /dev/null/ by DrEasy · · Score: 2

      That's what I thought too, but I've been burnt by that. Nowadays with smart email address auto-complete features, such as what you can find in Thunderbird or Mail.app, you sometimes end up using email addresses that were incorrectly entered by *other people*.

      And how do you know that you never get a legit bounce since you filter those too?

      --
      "In our tactical decisions, we are operating contrary to our strategic interest."
    3. Re:Send all bounce msgs to /dev/null/ by HeghmoH · · Score: 2

      Last week.

      I e-mailed a contact address that was no longer valid. If I had just trashed the bounce, I never would have known that my e-mail had failed, and I would have assumed that the people I was trying to contact were a bunch of jerks, instead of tracking down a working address for them. This kind of stuff happens fairly often for those of us who don't live in a cave.

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    4. Re:Send all bounce msgs to /dev/null/ by SkunkPussy · · Score: 2

      You should dump ALL bounce messages. When was the last time you got a legit bounce message from something YOU sent? Never? Years ago?

      Full and misspelled hotmail accounts. Fairly frequently.

      --
      SURELY NOT!!!!!
  13. Re:5 minute kill sequence for all spam by suwain_2 · · Score: 2, Insightful

    As it is, they never send the messages from a valid address - so who cares if you're replying to their spam with your real address?

    Except now you're causing the problem that led to this question in the first place: now you're sending crap out to random people, because, as you yourself just said, they never used a real address. It often ends up going to someone real, though.

    --
    ________________________________________________
    suwain_2 :: quality slashdot p