Date: Fri, 17 Oct 2008 06:53:01 +0100
From: Frank Shute <frank@shute.org.uk>
To: Edwin Groothuis <edwin@mavetju.org>
Cc: eculp@casasponti.net, freebsd-questions@freebsd.org
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <20081017055301.GA58175@melon.esperance-linux.co.uk>
In-Reply-To: <20081016225917.GA92530@mavetju.org>
References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016225917.GA92530@mavetju.org>

On Fri, Oct 17, 2008 at 09:59:17AM +1100, Edwin Groothuis wrote:
>
> > In the last hour, I've received over 200 legitimate bounce messages
> > from email services as a result of someone having used or worse is
> > using my email address in spam from multiple windows machines and ip
> > addresses.
>
> When this happens I enable the "move all messages from mailer-daemon
> to /dev/null" rules in procmail for a day or two. And curse at the
> people who originated the original spam...
>

I use a similar approach to Edward's.

My old domain used to get hammered with backscatter which basically I
had no choice but to accept. I was on a pop3 catch-all.

If I had a regular amount of backscatter (<100), I'd accept it & then
pass it to procmail. I found (I don't know if the OP did too) that the
backscatter was generally addressed to a non-existent user, so it was
easy to write rules to filter it out and send it to the bit-bucket.

I also found that the backscatter was commonly addressed to people
like frankn@ - close but no cigar. The following filtered out that
crap:

:0:
* ^To:\ <[<>0-9A-Za-z]+frank@esperance.*
spam/new

:0:
* ^To:\ <frank[0-9A-Za-z]+@esperance.*
spam/new

In the worst case scenario, I'd find that I'd get thousands of
backscattered mails (the swine must have been sending millions of
messages purportedly coming from me). In this case I'd just delete all
my mail off the popserver with a script.

Yes, I might lose a few genuine emails but when I had thousands of
backscattered mails, they'd come in the space of a couple of hours.

My ultimate sanction was eventually getting a new domain (I know it's
admitting defeat). I now find that I get very little backscatter on my
old domain and I haven't had a mass mailing effort from it for some
time.

Best of luck!

Regards,

-- 
Frank

Contact info: http://www.shute.org.uk/misc/contact.html
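
The To:-header filtering described in the message above, as an added example that is not part of the original e-mail: it files mail on a catch-all domain by whether the recipient is a real mailbox or a near-miss such as frankn@. It goes beyond the two recipes by accepting a set of valid mailbox names and checking every address in To:; the domain example.org, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumptions for this example: one real mailbox on a catch-all domain.
VALID_LOCALPARTS = {"frank"}
DOMAIN = "example.org"  # constructed placeholder domain


def near_miss(local: str) -> bool:
    """True if `local` is a real mailbox name with extra letters or digits
    on the front or back (xfrank, frankn), the pattern the recipes target."""
    for name in VALID_LOCALPARTS:
        n = re.escape(name)
        if local != name and re.fullmatch(rf"[0-9a-z]+{n}|{n}[0-9a-z]+", local):
            return True
    return False


def classify(raw: str) -> str:
    """Return the folder a message is filed into, judged on its To: header."""
    msg = message_from_string(raw)
    addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    locals_ = [a.rsplit("@", 1)[0] for a in addrs if a.endswith("@" + DOMAIN)]
    if any(l in VALID_LOCALPARTS for l in locals_):
        return "inbox"      # a real recipient is present: never discard
    if any(near_miss(l) for l in locals_):
        return "spam/new"   # close to a real user but not one
    return "catch-all"      # other unknown users: left for manual review


def bounce(to_header: str) -> str:
    """Build a constructed bounce message with the given To: header."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        f"To: {to_header}\n"
        "Subject: Undelivered Mail Returned to Sender\n\n"
        "Constructed sample body.\n"
    )


if __name__ == "__main__":
    for to in ("<frank@example.org>", "<frankn@example.org>",
               "<xfrank@example.org>", "<sales@example.org>"):
        print(f"{to:24} -> {classify(bounce(to))}")
```

Matching on the recipient rather than on the mailer-daemon sender keeps genuine bounces to the real mailbox out of the discard folder.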