Date: Thu, 16 Oct 2008 09:12:52 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: eculp@casasponti.net, freebsd-questions@freebsd.org
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <9D30C77B8D64AF7622CA19B6@utd65257.utdallas.edu>
In-Reply-To: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net>
References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net>

--On Thursday, October 16, 2008 09:01:02 -0500 eculp@casasponti.net wrote:

> In the last hour, I've received over 200 legitimate bounce messages
> from email services as a result of someone having used or worse is
> using my email address in spam from multiple windows machines and ip
> addresses.  The end result is that I am getting the bounce messages.
> I'm sure that others on this list have experienced the problem and
> maybe have a solution that I don't have.
>
> The messages are allowed through my obspamd/pf and pf smtp bruteforce
> blocking rules because they are completely legit.
>
> I guess the work around is to filter them on incoming together with
> our local bounce messages until the spammers get tired of my address.
>

We call those "bounceback spam".  The only solution that I know of is to tag
all outgoing messages with a special header and then check for that header on
all returns and reject those that don't contain the header.  All legitimate
bounces would contain the header because they originated with your MTA.

E.g. X-Bounceback-Check: 0987923874

The value of the header can be anything you want it to be, and you can change
it periodically if you want to keep statistical data.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
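
The check described in the reply above, as an added example that is not part of the original message or of any MTA's own code: it looks for the X-Bounceback-Check header in the original message a bounce returns and accepts the bounce only if the tag is one we issued. The function names, the second (previous) tag value and the sample bounces are constructed for illustration.

```python
import email
from email import policy

HEADER = "X-Bounceback-Check"              # header name used in the message above
VALID_TAGS = {"0987923874", "5550001111"}  # current and previous tag (second is constructed)

def returned_originals(bounce):
    """Yield the original message (or just its headers) embedded in a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original returned
            yield part.get_payload(0)
        elif ctype == "text/rfc822-headers":   # headers-only return
            yield email.message_from_string(part.get_content(),
                                            policy=policy.default)

def bounce_is_ours(raw):
    """True only if a returned original carries one of our tags."""
    bounce = email.message_from_string(raw, policy=policy.default)
    for original in returned_originals(bounce):
        tags = original.get_all(HEADER, [])
        if any(str(t).strip() in VALID_TAGS for t in tags):
            return True
    return False  # no tag, or no original returned: treat as bounceback spam

def make_bounce(ctype, original_headers):
    """Build a constructed sample bounce (not a captured message)."""
    return (
        "Return-Path: <>\n"
        "From: MAILER-DAEMON@mx.example.net\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery to nobody@example.net failed.\n"
        f"\n--b1\nContent-Type: {ctype}\n\n{original_headers}\n\nbody\n--b1--\n"
    )

OURS = "From: user@example.org\nSubject: hello\nX-Bounceback-Check: 0987923874"
FORGED = "From: user@example.org\nSubject: cheap pills"

if __name__ == "__main__":
    for name, hdrs in (("ours", OURS), ("forged", FORGED)):
        print(name, bounce_is_ours(make_bounce("message/rfc822", hdrs)))
```

A bounce that returns none of the original headers fails this check, so it is rejected along with the forged ones.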