Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 17 Oct 2008 06:53:01 +0100
From:      Frank Shute <frank@shute.org.uk>
To:        Edwin Groothuis <edwin@mavetju.org>
Cc:        eculp@casasponti.net, freebsd-questions@freebsd.org
Subject:   Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID:  <20081017055301.GA58175@melon.esperance-linux.co.uk>
In-Reply-To: <20081016225917.GA92530@mavetju.org>
References:  <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016225917.GA92530@mavetju.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Oct 17, 2008 at 09:59:17AM +1100, Edwin Groothuis wrote:
>
> > In the last hour, I've received over 200 legitimate bounce messages
> > from email services as a result of someone having used or worse is
> > using my email address in spam from multiple windows machines and ip
> > addresses.
> 
> When this happens I enable the "move all messages from mailer-daemon
> to /dev/null" rules in procmail for a day or two. And curse at the
> people who originated the original spam...
> 

I use a similar approach to Edward's.

My old domain used to get hammered with backscatter which basically I
had no choice but to accept. I was on a pop3 catch-all.

If I had a regular amount of backscatter (<100), I'd accept it & then
pass it to procmail.

I found (I don't know if the OP did too) that the backscatter was
generally addressed to a non-existent user, so it was easy to write
rules to filter it out and send it to the bit-bucket.

I also found that the backscatter was commonly addressed to people
like frankn@ - close but no cigar. The following filtered out that
crap:

:0:
* ^To:\ <[<>0-9A-Za-z]+frank@esperance.*
spam/new

:0:
* ^To:\ <frank[0-9A-Za-z]+@esperance.*
spam/new

In the worst case scenario, I'd find that I'd get thousands of
backscattered mails (the swine must have been sending millions of
messages purportedly coming from me).

In this case I'd just delete all my mail off the popserver with a
script. Yes, I might lose a few genuine emails but when I had
thousands of backscattered mails, they'd come in the space of a couple
of hours.

My ultimate sanction was eventually getting a new domain (I know it's
admitting defeat).

I now find that I get very little backscatter on my old domain and I
haven't had a mass mailing effort from it for some time.

Best of luck!

Regards,

-- 

 Frank 


 Contact info: http://www.shute.org.uk/misc/contact.html 




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081017055301.GA58175>