I've just found a new and interesting spam source - legitimate bounce messages

eculp at casasponti.net eculp at casasponti.net
Thu Oct 16 10:19:14 PDT 2008


Jeremy Chadwick <koitsu at FreeBSD.org> wrote:

> On Thu, Oct 16, 2008 at 09:01:02AM -0500, eculp at casasponti.net wrote:
>> In the last hour, I've received over 200 legitimate bounce messages from
>> email services as a result of someone having used or worse is using my
>> email address in spam from multiple windows machines and ip addresses.
>> The end result is that I am getting the bounce messages.  I'm sure that
>> others on this list have experienced the problem and maybe have a
>> solution that I don't have.
>>
>> The messages are allowed through my obspamd/pf and pf smtp bruteforce
>> blocking rules because they are completely legit.
>>
>> I guess the workaround is to filter them on incoming together with our
>> local bounce messages until the spammers get tired of my address.
>
> The term coined for this type of mail is "backscatter".
>
> There is no easy solution for this.  The backscatter article on
> postfix.org, for example, caused our mail servers to start rejecting
> mail that was generated from PHP scripts and CGIs on our own systems,
> which makes no sense.  The article:
>
> http://www.postfix.org/BACKSCATTER_README.html

Thanks for the article, Jeremy.  I hadn't seen it.

> If the backscatter is all directed to a single Email address (rather
> than a series of addresses, e.g. sdfkjhsfjkksjdf at yourdomain.com, and
> you have *@yourdomain.com accepted), then a solution is to reject
> mail with an RCPT TO of an account or virtual address that does not
> exist on your machine.
>
> This, of course, has a wonderful side effect: spammers now have a way to
> detect what Email addresses on your box legitimately accept mail, thus
> once they find one which never gets a bounceback, will start pounding
> that address to kingdom come.
>
> Let me know if you do find a reliable, decent solution that does not
> involve SPF or postfix header_checks or body_checks.

I wish ;)

Thanks again,

ed

>
> --
> | Jeremy Chadwick                                jdc at parodius.com |
> | Parodius Networking                       http://www.parodius.com/ |
> | UNIX Systems Administrator                  Mountain View, CA, USA |
> | Making life hard for others since 1977.              PGP: 4BD6C0CB |
>
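
The RCPT TO rejection described in the quoted reply, as an added example that is not part of either post: it compares a catch-all (`*@yourdomain.com`) with rejecting unknown recipients, counting which bounces (null envelope sender) still get delivered. The `example.org` addresses, the mailbox set and the sample envelopes are constructed assumptions.

```python
"""Added example: RCPT-time handling of bounces (null envelope sender)."""
from collections import Counter

# Assumption: the mailboxes that really exist on the server (placeholder names).
VALID_RECIPIENTS = {"ed@example.org", "postmaster@example.org"}

# Constructed sample envelopes: (MAIL FROM, RCPT TO). Bounces use the null sender "".
SAMPLE_ENVELOPES = [
    ("", "ed@example.org"),               # bounce to a real, forged-as-sender address
    ("", "sdfkjhsf@example.org"),         # bounce to a made-up address
    ("", "qwpoeiru@example.org"),         # bounce to a made-up address
    ("alice@example.net", "ed@example.org"),
    ("", "ed@example.org"),
    ("bob@example.net", "nosuchuser@example.org"),
]

def rcpt_decision(rcpt, valid=VALID_RECIPIENTS, catch_all=False):
    """Return the SMTP reply the server would give to RCPT TO."""
    if catch_all or rcpt.lower() in valid:
        return "250 OK"
    # This differing reply is the side effect noted in the thread:
    # it tells the sending side which addresses exist.
    return "550 5.1.1 User unknown"

def backscatter_report(envelopes, valid=VALID_RECIPIENTS, catch_all=False):
    """Count bounces delivered vs. rejected, and which mailboxes still receive them."""
    delivered, rejected = Counter(), 0
    for sender, rcpt in envelopes:
        if sender != "":                  # not a bounce; out of scope here
            continue
        if rcpt_decision(rcpt, valid, catch_all).startswith("250"):
            delivered[rcpt.lower()] += 1
        else:
            rejected += 1
    return {"delivered": dict(delivered), "rejected": rejected}

if __name__ == "__main__":
    print("catch-all on :", backscatter_report(SAMPLE_ENVELOPES, catch_all=True))
    print("catch-all off:", backscatter_report(SAMPLE_ENVELOPES, catch_all=False))
```

With the catch-all off, only the bounces addressed to the real mailbox remain, which is the case the original poster describes and the one recipient validation does not help with.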


