From: Chuck Swiger
To: RW
Cc: FreeBSD Mailing List
Date: Thu, 16 Oct 2008 10:22:20 -0700
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages

On Oct 16, 2008, at 9:38 AM, RW wrote:
> SPF increases the probability of spam being rejected at the smtp
> level at MX servers, so my expectation would be that it would exacerbate
> backscatter not improve it.

The main problem resulting in backscatter happens when forged spam from yourdomain.com gets sent to a legit MX server which accepts the mail initially, and then generates a bounce due to later spam checking or failed delivery to an invalid user. The bounces which then get generated by the legit MX are likely to pass spam checking at yourdomain.com.

> Many people recommend SPF for backscatter, but I've yet to hear a cogent
> argument for why it helps beyond the very optimistic hope that spammers
> will check that their spam is spf compliant.

SPF doesn't provide a magic solution to backscatter, but it helps simplify the problem. If spam can be rejected during the SMTP phase rather than accepted, then most spam-spewing malware simply drops the attempted message rather than actually send a bounce to yourdomain.com. After all, the spammer is looking to deliver spam to lots of different mailboxes, not deliver tons of DSNs to a single mailbox or domain.

Failing that, however, any bounces which are being generated are coming from or at least closer to the source of the spam, rather than coming from gmail, hotmail, etc. And if the spamming machine is forging your domain, then yourdomain.com MX boxes have a decent shot of rejecting the forgeries via hello_checks, RBLs, or other methods.

Regards,
-- 
-Chuck
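
The difference between rejecting during the SMTP phase and accepting then bouncing, as an added example that is not part of the original message. It models a third-party MX with a deliberately small SPF evaluator (ip4/ip6/all only, no DNS); the SPF record, IP addresses, mailbox name and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample policy (assumption): yourdomain.com sends only from 192.0.2.0/24.
SPF_RECORDS = {"yourdomain.com": "v=spf1 ip4:192.0.2.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, sender_domain, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms only; no DNS, no include/redirect."""
    record = records.get(sender_domain, "")
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def third_party_mx(client_ip, mail_from, rcpt_exists, spf_at_smtp):
    """Model of a legitimate MX. Returns (smtp_reply, address_that_receives_a_DSN)."""
    domain = mail_from.rpartition("@")[2]
    if spf_at_smtp and spf_check(client_ip, domain) == "fail":
        # Refused inside the SMTP session: this MX queues nothing and sends no DSN.
        return "550 rejected: SPF fail", None
    if not rcpt_exists:
        # Accepted first, delivery failed later: the DSN goes to the envelope sender,
        # which for forged spam is the innocent domain (backscatter).
        return "250 queued", mail_from
    return "250 queued", None


if __name__ == "__main__":
    forged = ("203.0.113.50", "sales@yourdomain.com")  # constructed: outside the SPF range
    print(third_party_mx(*forged, rcpt_exists=False, spf_at_smtp=False))
    print(third_party_mx(*forged, rcpt_exists=False, spf_at_smtp=True))
    print(third_party_mx("192.0.2.10", "sales@yourdomain.com", rcpt_exists=False, spf_at_smtp=True))
```

The third call shows that a genuine message from an authorized address still gets its DSN when the recipient does not exist; only the forged session is refused before a bounce can be generated.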