Date: Fri, 17 Oct 2008 06:53:01 +0100
From: Frank Shute
To: Edwin Groothuis
Cc: eculp@casasponti.net, freebsd-questions@freebsd.org
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <20081017055301.GA58175@melon.esperance-linux.co.uk>
In-Reply-To: <20081016225917.GA92530@mavetju.org>

On Fri, Oct 17, 2008 at 09:59:17AM +1100, Edwin Groothuis wrote:
> >
> > In the last hour, I've received over 200 legitimate bounce messages
> > from email services as a result of someone having used or worse is
> > using my email address in spam from multiple windows machines and ip
> > addresses.
>
> When this happens I enable the "move all messages from mailer-daemon
> to /dev/null" rules in procmail for a day or two. And curse at the
> people who originated the original spam...
>

I use a similar approach to Edward's.

My old domain used to get hammered with backscatter, which basically I
had no choice but to accept. I was on a POP3 catch-all.

If I had a regular amount of backscatter (<100), I'd accept it & then
pass it to procmail.

I found (I don't know if the OP did too) that the backscatter was
generally addressed to a non-existent user, so it was easy to write
rules to filter it out and send it to the bit-bucket.

I also found that the backscatter was commonly addressed to people
like frankn@ - close but no cigar.

The following filtered out that crap:

:0:
* ^To:\ <[<>0-9A-Za-z]+frank@esperance.*
spam/new

:0:
* ^To:\