From owner-freebsd-questions@FreeBSD.ORG Thu Oct 16 14:41:44 2008
Return-Path: <prvs=pauls=168afa141@utdallas.edu>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 504C01065687; Thu, 16 Oct 2008 14:41:44 +0000 (UTC)
Received: from ip-relay-001.utdallas.edu (ip-relay-001.utdallas.edu [129.110.20.111]) by mx1.freebsd.org (Postfix) with ESMTP id 042098FC16; Thu, 16 Oct 2008 14:41:43 +0000 (UTC)
Received: from smtp3.utdallas.edu ([129.110.20.110]) by ip-relay-001.utdallas.edu with ESMTP; 16 Oct 2008 09:12:52 -0500
Received: from utd65257.utdallas.edu (utd65257.utdallas.edu [129.110.3.28]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp3.utdallas.edu (Postfix) with ESMTPSA id 8713C857F; Thu, 16 Oct 2008 09:12:52 -0500 (CDT)
Date: Thu, 16 Oct 2008 09:12:52 -0500
From: Paul Schmehl
To: eculp@casasponti.net, freebsd-questions@freebsd.org
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <9D30C77B8D64AF7622CA19B6@utd65257.utdallas.edu>
In-Reply-To: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net>
References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net>
X-Mailer: Mulberry/4.0.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 16 Oct 2008 14:41:44 -0000
--On Thursday, October 16, 2008 09:01:02 -0500 eculp@casasponti.net wrote:

>
> In the last hour, I've received over 200 legitimate bounce messages
> from email services as a result of someone having used or worse is
> using my email address in spam from multiple windows machines and ip
> addresses. The end result is that I am getting the bounce messages.
> I'm sure that others on this list have experienced the problem and
> maybe have a solution that I don't have.
>
> The messages are allowed through my obspamd/pf and pf smtp bruteforce
> blocking rules because they are completely legit.
>
> I guess the work around is to filter them on incoming together with
> our local bounce messages until the spammers get tired of my address.
>

We call those "bounceback spam". The only solution that I know of is to tag
all outgoing messages with a special header and then check for that header on
all returns and reject those that don't contain the header. All legitimate
bounces would contain the header because they originated with your MTA.

E.g.

X-Bounceback-Check: 0987923874

The value of the header can be anything you want it to be, and you can change
it periodically if you want to keep statistical data.

--
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
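The header-tagging scheme Paul describes, worked through as an added example (this is not code from the thread and not a tool either poster uses). It goes a little beyond the reply: instead of an arbitrary constant, the tag value is an HMAC of the current month under a local secret, so it is unguessable yet rotates on its own, and a bounce is accepted if it carries this month's or last month's tag. Everything here is an assumption of the example: the secret, the fixed date, the `period_token`/`classify_bounce` names, and the two constructed bounce messages (one multipart/report DSN that returns our tagged message as `message/rfc822`, one old-style text bounce that pastes the original headers into the body).

```python
"""Bounce-back spam check: tag outgoing mail with a secret header, then accept
a bounce only if the returned copy of our message carries a valid tag.
Added example, not from the original post."""
import email
import hashlib
import hmac
from datetime import date, timedelta
from email import policy
from email.message import EmailMessage

HEADER = "X-Bounceback-Check"
SECRET = b"constructed-placeholder-secret-rotate-me"  # assumption: site-local secret
TODAY = date(2008, 10, 16)                           # fixed so the sample is reproducible


def period_token(secret: bytes, day: date) -> str:
    """Tag for the month containing `day`: truncated HMAC-SHA256 of 'YYYY-MM'."""
    label = day.strftime("%Y-%m").encode()
    return hmac.new(secret, label, hashlib.sha256).hexdigest()[:16]


def valid_tokens(secret: bytes, today: date) -> set:
    """This month's tag plus last month's, so mail sent just before a rotation
    still verifies when it bounces a few days later."""
    last_month = today.replace(day=1) - timedelta(days=1)
    return {period_token(secret, today), period_token(secret, last_month)}


def tag_outgoing(msg: EmailMessage, secret: bytes, today: date) -> EmailMessage:
    """Stamp an outgoing message (in production: a milter or header rewrite
    on the outbound MTA)."""
    del msg[HEADER]
    msg[HEADER] = period_token(secret, today)
    return msg


def found_tokens(bounce) -> set:
    """Every X-Bounceback-Check value visible in a bounce: as a real header of
    an attached message/rfc822 copy, or quoted as text in a body part."""
    tokens = set()
    for part in bounce.walk():                      # walk() descends into rfc822 copies
        for value in part.get_all(HEADER, []):
            tokens.add(str(value).strip())
        if part.is_multipart():
            continue                                # containers: children visited by walk()
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "us-ascii", errors="replace")
        for line in text.splitlines():
            if line.lower().startswith(HEADER.lower() + ":"):
                tokens.add(line.split(":", 1)[1].strip())
    return tokens


def classify_bounce(raw_bounce: str, secret: bytes, today: date) -> str:
    """'legitimate' if the bounce carries a current tag, else 'backscatter'.
    Apply only to bounces (null return path / MAILER-DAEMON), never to
    ordinary inbound mail, which naturally lacks the tag."""
    bounce = email.message_from_string(raw_bounce, policy=policy.default)
    return "legitimate" if found_tokens(bounce) & valid_tokens(secret, today) else "backscatter"


def sample_dsn(original: str) -> str:
    """Constructed multipart/report DSN that returns `original` as message/rfc822."""
    return (
        "From: MAILER-DAEMON@mx.example.net\nTo: alice@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain; charset=us-ascii\n\n"
        "The mail system could not deliver your message.\n"
        "\n--B1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; bob@example.net\nAction: failed\nStatus: 5.1.1\n"
        "\n--B1\nContent-Type: message/rfc822\n\n" + original + "\n--B1--\n"
    )


# Constructed samples: a bounce of mail we really sent (tagged), backscatter
# from a forged message that never passed our MTA (untagged), and a text-only
# bounce that quotes our original headers inline.
LEGIT_BOUNCE = sample_dsn(
    "From: alice@example.org\nTo: bob@example.net\nSubject: hello\n"
    f"{HEADER}: {period_token(SECRET, TODAY)}\n\nhi bob\n"
)
BACKSCATTER_BOUNCE = sample_dsn(
    "From: alice@example.org\nTo: victim@example.net\nSubject: cheap pills\n\nbuy now\n"
)
TEXT_ONLY_BOUNCE = (
    "From: MAILER-DAEMON@mail.example.com\nTo: alice@example.org\n"
    "Subject: Returned mail: User unknown\n\n"
    "   ----- The following addresses had permanent fatal errors -----\n"
    "<carol@example.com>\n\n   ----- Original message -----\n"
    "From: alice@example.org\nTo: carol@example.com\n"
    f"{HEADER}: {period_token(SECRET, TODAY)}\n\nsee you tomorrow\n"
)

if __name__ == "__main__":
    for name, raw in [("dsn", LEGIT_BOUNCE), ("forged", BACKSCATTER_BOUNCE), ("text", TEXT_ONLY_BOUNCE)]:
        print(f"{name:7s} -> {classify_bounce(raw, SECRET, TODAY)}")
```

Two practical points the reply leaves implicit: the filter must only run on messages that are bounces (empty envelope sender), otherwise every normal inbound message would be rejected for lacking the tag; and because some MTAs return the original only as quoted text rather than as a `message/rfc822` part, the check has to look in body text as well as in real headers, which is why `found_tokens` does both.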