Date: Thu, 16 Oct 2008 12:29:05 -0500
From: eculp@casasponti.net
To: freebsd-questions@freebsd.org
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <20081016122905.17qwm4xcs6kgwg88w@intranet.casasponti.net>
In-Reply-To: <622D90E8-81AB-4A0A-9436-4662E33D117D@mac.com>
References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016145255.GA12638@icarus.home.lan> <48F75A88.1000507@infracaninophile.co.uk> <alpine.BSF.2.00.0810160846040.473@border.lukas.is-a-geek.org> <20081016173807.64d0f24e@gumby.homeunix.com> <622D90E8-81AB-4A0A-9436-4662E33D117D@mac.com>

Chuck Swiger <cswiger@mac.com> wrote:

> On Oct 16, 2008, at 9:38 AM, RW wrote:
>> SPF increases the probability of spam being rejected at the smtp
>> level at MX servers, so my expectation would be that it would exacerbate
>> backscatter not improve it.
>
> The main problem resulting in backscatter happens when forged spam
> from yourdomain.com gets sent to a legit MX server which accepts
> the mail initially, and then generates a bounce due to later spam
> checking or failed delivery to an invalid user. The bounces which
> then get generated by the legit MX are likely to pass spam checking
> at yourdomain.com.

Exactly what seems to be happening.

>> Many people recommend SPF for backscatter, but I've yet to hear a cogent
>> argument for why it helps beyond the very optimistic hope that spammers
>> will check that their spam is spf compliant.
>
>
> SPF doesn't provide a magic solution to backscatter, but it helps
> simplify the problem.

It should.

> If spam can be rejected during the SMTP phase rather than accepted,
> then most spam-spewing malware simply drops the attempted message
> rather than actually send a bounce to yourdomain.com. After all,
> the spammer is looking to deliver spam to lots of different
> mailboxes, not deliver tons of DSNs to a single mailbox or domain.
> Failing that, however, any bounces which are being generated are
> coming from or at least closer to the source of the spam, rather
> than coming from gmail, hotmail, etc. And if the spamming machine
> is forging your domain, then yourdomain.com MX boxes have a decent
> shot of rejecting the forgeries via hello_checks, RBLs, or other
> methods.

Thanks Chuck,

edhelp
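The mechanism discussed in this message, sketched as an added example (not code from the thread or from any participant): a simplified model of a third-party MX that either checks SPF during the SMTP session or accepts first and bounces later. The SPF record, IP addresses, and function names are constructed for illustration, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF record for the forged domain (documentation address range).
SPF_RECORDS = {"yourdomain.com": "v=spf1 ip4:192.0.2.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(domain, client_ip):
    """Evaluate the ip4 and all mechanisms of a published SPF record."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"

def receiving_mx(client_ip, mail_from, rcpt_exists, spf_at_smtp_time):
    """Model a third-party MX. Returns (smtp_reply, dsn_or_None)."""
    domain = mail_from.rsplit("@", 1)[1]
    if spf_at_smtp_time and spf_result(domain, client_ip) == "fail":
        # Rejected inside the SMTP session: the connecting client owns the
        # failure, and this MX never generates a bounce.
        return "550 SPF fail", None
    if rcpt_exists:
        return "250 OK", None
    # Accepted first, failed later: the MX must send a DSN, and the only
    # return address it has is the (possibly forged) envelope sender.
    dsn = {"mail_from": "<>", "rcpt_to": mail_from, "sent_by": "legit MX"}
    return "250 OK", dsn

def backscatter_count(attempts, spf_at_smtp_time):
    """Count DSNs that land at the envelope sender's domain."""
    return sum(1 for a in attempts
               if receiving_mx(*a, spf_at_smtp_time)[1] is not None)

# Constructed traffic: (client_ip, envelope sender, recipient exists?)
ATTEMPTS = [
    ("203.0.113.7", "bob@yourdomain.com", False),  # forged, invalid recipient
    ("203.0.113.9", "bob@yourdomain.com", False),  # forged, invalid recipient
    ("192.0.2.10", "bob@yourdomain.com", False),   # genuine, mistyped recipient
]
```

With SPF enforced in-session, only the bounce for the genuine message still reaches yourdomain.com; without it, all three attempts produce a DSN from the legit MX.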
