Date:      Thu, 16 Oct 2008 09:12:52 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        eculp@casasponti.net, freebsd-questions@freebsd.org
Subject:   Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID:  <9D30C77B8D64AF7622CA19B6@utd65257.utdallas.edu>
In-Reply-To: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net>
References:  <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net>

--On Thursday, October 16, 2008 09:01:02 -0500 eculp@casasponti.net wrote:

>
> In the last hour, I've received over 200 legitimate bounce messages
> from email services as a result of someone having used or worse is
> using my email address in spam from multiple windows machines and ip
> addresses.  The end result is that I am getting the bounce messages.
> I'm sure that others on this list have experienced the problem and
> maybe have a solution that I don't have.
>
> The messages are allowed through my obspamd/pf and pf smtp bruteforce
> blocking rules because they are completely legit.
>
> I guess the work around is to filter them on incoming together with
> our local bounce messages until the spammers get tired of my address.
>

We call those "bounceback spam".  The only solution that I know of is to tag
all outgoing messages with a special header and then check for that header on
all returns and reject those that don't contain the header.  All legitimate
bounces would contain the header because they originated with your MTA.

E.g. X-Bounceback-Check: 0987923874

The value of the header can be anything you want it to be, and you can change
it periodically if you want to keep statistical data.

-- 
Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
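
The header check described in the reply above, as an added Python example that is not part of the original e-mail: it parses an incoming bounce, pulls out the headers of the returned original message, and accepts the bounce only if they carry the tag. The RFC 3464 multipart/report layout, the addresses and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy

TAG_HEADER = "X-Bounceback-Check"  # header name from the post
VALID_TAGS = {"0987923874"}        # value from the post; add old ones while rotating

def returned_headers(msg):
    """Yield the headers of the original message carried inside a bounce."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # whole original returned
            yield part.get_payload(0)
        elif ctype == "text/rfc822-headers":   # only its headers returned
            yield email.message_from_string(part.get_content(), policy=policy.default)

def classify(raw):
    """Return 'not-a-bounce', 'accept' or 'reject' for one incoming message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/report":
        return "not-a-bounce"                  # assumption: bounces are RFC 3464 reports
    for original in returned_headers(msg):
        if str(original.get(TAG_HEADER, "")).strip() in VALID_TAGS:
            return "accept"                    # the original really left our MTA
    return "reject"                            # bounce for mail we never sent

def sample_bounce(original_headers, part_type="message/rfc822"):
    """Constructed sample: a bounce wrapping the given original headers."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: user@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        "Final-Recipient: rfc822; nobody@example.net\nAction: failed\nStatus: 5.1.1\n\n"
        f"--b1\nContent-Type: {part_type}\n\n{original_headers}\n\nbody\n--b1--\n"
    )

if __name__ == "__main__":
    ours = "From: user@example.org\nSubject: hi\nX-Bounceback-Check: 0987923874"
    spam = "From: user@example.org\nSubject: buy now"
    print(classify(sample_bounce(ours)), classify(sample_bounce(spam)))
```

Bounces that do not use the multipart/report layout come back as 'not-a-bounce' here and would need their own handling before any reject decision is made.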
