Slashdot Mirror

← Back to Stories (view on slashdot.org)

Proper Ways to Dispose of Spam?

Posted by Cliff on from the let's-stop-wasting-bandwidth-on-useless-bounces dept.

An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed." In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?

16 of 119 comments (clear)

  1. The toilet by antifoidulus · · Score: 3, Funny

    regardless of whether it comes out the back port or the front(both are equally likely).

    --
    Monstar L
    1. Re:The toilet by kfg · · Score: 5, Funny

      You have already failed the first rule of disposing of Spam:

      1. For goodness sake, whatever you do, don't eat the stuff!

      KFG

  2. SPF! by Alphager · · Score: 4, Informative

    Two of my domain-names are in several spammer-tools and i was inundated by spam-bounces (and auto-replies). With SPF, i am down to one bounce every now and then.

    1. Re:SPF! by stg · · Score: 3, Insightful

      That was the same in my case. I still get about the same number of bounces from spammers after adding SPF.
      The only thing that did solve it was killing all addresses I don't use and adding filters for the most common bounces.

    2. Re:SPF! by qbwiz · · Score: 3, Informative

      Right, but that post was saying that he thought that spammers would avoid forging a domain with SPF on it, because it would be more likely that their mail would be rejected. Therefore, if you add SPF to your domain, you shouldn't get as many bounces, as spammers won't want to forge that as the sender.

      --
      Ewige Blumenkraft.
  3. anyone have a domain where this DIDN'T happen? by Subgenius · · Score: 3, Insightful

    Welcome to my hell. I've had this happen to 8 of my domains over the last couple of years, typical spam runs of 30k at a time, based on all of the 'bounce back' messages that tell me 'my' mail is spam, or worse "go F** yourself, spammer" crud. SPF might fix this, but only if it was mandatory and ALL ISPs blocked non-commercial email servers (DO NOT WANT the latter to occur).

    Good Luck.

    --
    Toil is Stupid. Don't be Stupid.
    1. Re:anyone have a domain where this DIDN'T happen? by Southpaw018 · · Score: 5, Interesting

      Ahhh, I had one of those -yesterday-. We have SPF implemented, and it still doesn't work very well, alas.

      I got a call from a sysadmin somewhere in nowheresville USA. The minute I picked up the phone, the guy started berating me, since I was destroying his domain, and it was all my fault, because I'm running Exchange and obviously I was infecting him with Winblows.

      After I finally got things sorted out, I walked him through exactly how and why it wasn't our domain a'tall, which would have been obvious had he looked at the headers of any one of the thousands of emails he claimed he recieved. If he knows how to read any of them. When he realized he was wrong, he slammed the phone down midsentence.

      Point of the story: SPF is great, proper mail server administration is great, but there will always be jerks who think they know what they're doing when they don't, and they're the bane of the whole system, more like a wolf in sheep's clothing than a known enemy.

      --
      ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
  4. SPF somewhat effective by asc4 · · Score: 3, Informative

    SPF is only somewhat effective as unfortunately only some have adopted it. Still, it takes all of a few seconds to add an SPF record for your domain. It can't hurt. Also, try reporting the servers hitting you with backscatter to Spamcop. Again, it might not help much, but it can't hurt.

    1. Re:SPF somewhat effective by Albanach · · Score: 4, Informative
      The DNS system is heavily loaded worldwide now
      I'm not sure what you mean by this - surely with a properly caching nameserver, you add almost no additional load to the root nameservers by performing SPF lookups as the query never goes near them? Your own DNS servers might be heavily loaded - in which case you should can additional ones or pay for someone else to provide DNS service. DNS scales easily so that shouldn't be an issue.

      A DNS request is tiny compared to bouncing about bits of mail - if you can reject the message before even processing the body thanks to SPF you significantly reduce bandwidth consumption, much more than that spent on a DNS lookup, especially now there are so many image based spams floating about.
  5. Backup MX is to blame for some of this bouncing by artifex2004 · · Score: 4, Interesting

    It's great to set up your mail server to reject the mail up front. But many spammers know people are doing this, so they connect to backup MX, often the one with least priority. From what I've read, that's how spammers' mail blasting programs are written these days.

    Are you running your own backup MX? Probably not. It's often a generic spooler your ISP lets you use for convenience. Even if you do, does your backup MX have all your rules in place, so it knows what to reject? No, I bet not. So this backup server accepts the mail without question, then passes it to the primary, and then it gets bounced.

    We need to either have a way to give our backup MX our rulesets (which the people who run the backup servers understandably won't like), allow backup and primaries to just silently discard (which legitimate senders and receivers won't like), or, quite possibly, stop using backup MX entirely, and then if the primary goes down, the originating mail servers should do their normal pattern of retrying for 5 days, or whatever.

    Large companies who need 100% instant availability of mail shouldn't be using backup MX anyway, (I've seen backup MX servers configured to hand off to primary hourly or even daily, not to mention those that hold until the primary asks for the mail) they should be using a ring of servers sharing primary preference. I'd expect the ruleset to be identical across the ring, thus allowing for instant rejection all the time.

  6. Re:No by Neon+Spiral+Injector · · Score: 4, Informative

    You should not generate the bounce, a 5xx responce to an SMTP command is all your server should do. If it is a real mail server talking to yours it will generate the bounce for the user that is relaying through it (hopefully including the text of your 5xx reply).

  7. Re:Why the forging in the first place? by Robotech_Master · · Score: 3, Informative

    In my experience, some spammers will also forge the 'from' address to be the address of the intended recipient of the spam, and then send it to an address they know will bounce (i.e. with an autoresponder) to try to get past spam filters or something.

    --
    Editor Emeritus and Senior Writer, TeleRead.org
  8. Simple, check the Received: envelope headers by Anonymous Coward · · Score: 4, Informative

    You start by rejecting outright email for non-existant email addresses. That gets rid of all bounces that come from addresses the spammers have made up. Then you look at the Received headers of the email that you supposedly sent and validate that it did indeed come from your IP and the header is of the form that your MTA generates. If not, somebody was impersonating you and you reject the bounce. See Stopping Backscatter Email.

  9. Don't use a catch-all by Kelson · · Score: 4, Informative

    The problem of invalid bounces drops dramatically if you set up your incoming server so that invalid addressees are rejected with a "User unknown" note at SMTP time. If you're using Sendmail with a virtual user table, this is as easy as adding the following at the end of the file

    @example.com error:nouser 550 5.1.1 User unknown

    It's important to do this on the server that accepts mail from the outside. If you have a setup with an antispam/virus gateway that then relays to an internal server, you need to make the gateway aware of the valid/invalid addresses.

    By rejecting invalid senders in the SMTP transaction, you only get bounces from the few messages that forged an actual sender. In my experience, the addresses tend to look like ashawuiefgfyig@example.com, so most of the bounces will just disappear into the ether(net).

  10. Postfix Backscatter HOWTO by alanxyzzy · · Score: 4, Informative
    Knowing that a common term for this is "backscatter" may help you search for other hints and tips.

    There is a Postfix backscatter HOWTO at http://www.postfix.org/BACKSCATTER_README.html

  11. Envelope Sender Signature by mossmann · · Score: 3, Informative

    Check out the Envelope Sender Signature technique described here:

    http://howtos.linux.com/howtos/Spam-Filtering-for- MX/collateral.shtml

    The idea is to tag outgoing messages in such a way that legitimate DSNs are distinguishable from illegitimate backscatter (which can then be discarded).