|
List Info
Thread: Spam as failure delivery notice
|
|
| Spam as failure delivery notice |
 
Finland |
2007-08-20 00:43:50 |
|
Hi
Not directly for Maia but we are getting
lots of failure delivery notices as spam, seems like spammer is using our
mail server-address and our sales e-mail and somehow servers are sending
failure delivery notices to our system even we have nothing todo with them
how is that possible? Any way to forbit these kind of messages?
Here is example what we get:
------ This is a copy of the message,
including all the headers. ------
Return-path: <sales sofor.com>
Received: from [69.138.26.91] (helo=c-69-138-26-91.hsd1.md.comcast.net)
by dcd.serve.co.uk with esmtp (Exim 4.62)
(envelope-from <salessofor.com>)
id 1IMzvp-0001Q6-L6
for afloatdcd.serve.co.uk; Mon, 20 Aug 2007 06:36:06 +0100
Received: from [69.138.26.91] by mail2.netservant.fi; Sun, 19 Aug 2007
14:36:26 +0800
Message-ID: <01c7e26e$527110d0$5b1a8a45sales>
From: "Ursula Messer" <salessofor.com>
To: <afloatdcd.serve.co.uk>
Subject: buy now 100mg x 30 pills $3.33 per pill
Date: Sun, 19 Aug 2007 14:36:26 +0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0006_01C7E233.A61238D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1506
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
This is a multi-part message in MIME format.
------=_NextPart_000_0006_01C7E233.A61238D0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0007_01C7E233.A61238D0"
------=_NextPart_001_0007_01C7E233.A61238D0
Content-Type: text/plain;
charset=";iso-8859-2"
Content-Transfer-Encoding: quoted-printable
----------------------------8<-----------------------------------
Terveisin/Regards,
Pekka Panula, Net Servant Oy - A Sofor company
pekka.panulasofor.fi
|
| Re: Spam as failure delivery notice |
 
Canada |
2007-08-20 03:36:51 |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Pekka.Panulasofor.fi wrote:
> Not directly for Maia but we are getting lots of
failure delivery
> notices as spam, seems like spammer is using our mail
server-address and
> our sales e-mail and somehow servers are sending
failure delivery
> notices to our system even we have nothing todo with
them how is that
> possible? Any way to forbit these kind of messages?
This is quite common, actually--it's called a "joe
job". The spammer
uses your email address during the "MAIL FROM"
portion of the SMTP
exchange, so your email address ends up in the
"Return-Path:" header of
the spam that the victims receive. If the recipient address
doesn't
exist (which is quite often the case), the recipient's mail
server will
try to be helpful by sending a delivery failure notice to
the address in
the "Return-Path:" header--in other words, to
/you/.
Technically, then, these delivery notices are not
"spam" in the
conventional sense--they're sent by legitimate mail servers
that are
only doing their job. Your own mail server would probably
do exactly
the same thing, under the circumstances (and probably does
this many
times a day). This creates a bit of a dilemma, because you
don't really
want your Bayes database learning that delivery failure
notices look
like spam, and you don't want to report a legitimate mail
server's
legitimate output as spam--you wouldn't want other sites
reporting
/your/ delivery failure notices as spam, would you? This is
one of the
few good reasons to choose the "Delete" option,
rather than classifying
the mail as "Spam" or "Non-Spam". By
deleting it, it does not get
reported or used for Bayes training.
As for how to automatically identify such messages, the
problem isn't so
much technological as philosophical. You could, for
instance, add a few
new SpamAssassin rules in your local.cf file to match
certain text
patterns that are common in these emails, but that would
just end up
getting them quarantined as spam, which is not ideal for the
reasons
I've explained above (to say nothing of the false positive
problem this
would cause, since such a rule cannot distinguish between a
legitimate
delivery failure notice and one generated by a joe-job).
In short, there's no easy solution to the joe-job problem
that doesn't
end up shooting you in the foot at some point. Treating
these delivery
failure notices as spam will get them out of your inbox, but
it will
also teach your Bayes database that /all/ delivery failure
notices are
spam, and if you do spam reporting you'll be reporting
innocent mail
servers as spam sources.
- --
Robert LeBlanc <rjlrenaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamail
guard.com/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFGyVKjGmqOER2NHewRAk/uAJ9pKN4VjbCNx5g3oyzX9klAguTU0gCg
htpB
GZB0331ype91w6e6WRVEvag=
=jZWP
-----END PGP SIGNATURE-----
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
|
|
| Re: Spam as failure delivery notice |
 
United States |
2007-08-20 06:44:46 |
|
Hi Robert,
This is also known as "back-scatter" ... hopefully an MTA will
/reject/ an attempted delivery to a bad email address instead of fully
processing the email and then bouncing it which is wasteful and not
entirely RFC behavior.
We've seen this happen with some domains and the back-scatter amounts
to 4million+ connections per hour. ; Help prevent back-scatter ! ALL
delivery attempts to bad addresses should be rejected at the SMTP RCPT
TO: stage period.
While trying to be helpful may have been a wonderful thing in the good
old days, spammers now use this as a "reflection" style technique to
deliver spam also.
--Ed
Robert LeBlanc wrote:
renaissoft.com" type="cite">
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
sofor.fi">Pekka.Panulasofor.fi wrote:
Not directly for Maia but we are getting lots of failure delivery
notices as spam, seems like spammer is using our mail server-address and
our sales e-mail and somehow servers are sending failure delivery
notices to our system even we have nothing todo with them how is that
possible? Any way to forbit these kind of messages?
This is quite common, actually--it's called a "joe job". The spammer
uses your email address during the "MAIL FROM" portion of the SMTP
exchange, so your email address ends up in the "Return-Path:" header of
the spam that the victims receive. If the recipient address doesn't
exist (which is quite often the case), the recipient's mail server will
try to be helpful by sending a delivery failure notice to the address in
the "Return-Path:" header--in other words, to /you/.
Technically, then, these delivery notices are not "spam" in the
conventional sense--they're sent by legitimate mail servers that are
only doing their job. Your own mail server would probably do exactly
the same thing, under the circumstances (and probably does this many
times a day). This creates a bit of a dilemma, because you don't really
want your Bayes database learning that delivery failure notices look
like spam, and you don't want to report a legitimate mail server's
legitimate output as spam--you wouldn't want other sites reporting
/your/ delivery failure notices as spam, would you? This is one of the
few good reasons to choose the "Delete" option, rather than classifying
the mail as "Spam" or "Non-Spam". By deleting it, it does not get
reported or used for Bayes training.
As for how to automatically identify such messages, the problem isn't so
much technological as philosophical. You could, for instance, add a few
new SpamAssassin rules in your local.cf file to match certain text
patterns that are common in these emails, but that would just end up
getting them quarantined as spam, which is not ideal for the reasons
I've explained above (to say nothing of the false positive problem this
would cause, since such a rule cannot distinguish between a legitimate
delivery failure notice and one generated by a joe-job).
In short, there's no easy solution to the joe-job problem that doesn't
end up shooting you in the foot at some point. Treating these delivery
failure notices as spam will get them out of your inbox, but it will
also teach your Bayes database that /all/ delivery failure notices are
spam, and if you do spam reporting you'll be reporting innocent mail
servers as spam sources.
- --
Robert LeBlanc renaissoft.com"><rjlrenaissoft.com>
Renaissoft, Inc.
Maia Mailguard <http://www.maiamailguard.com/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
iD8DBQFGyVKjGmqOER2NHewRAk/uAJ9pKN4VjbCNx5g3oyzX9klAguTU0gCghtpB
GZB0331ype91w6e6WRVEvag=
=jZWP
-----END PGP SIGNATURE-----
_______________________________________________
Maia-users mailing list
renaissoft.com">Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
--
-----------------------------------------------------------
EAS Enterprises LLC
World Class Web and Email Hosting Solutions
www.easent.net
|
| Re: Spam as failure delivery notice |
|
2007-08-27 09:29:43 |
Pekka.Panulasofor.fi wrote:
>
> Hi
>
> Not directly for Maia but we are getting lots of
failure delivery
> notices as spam, seems like spammer is using our mail
server-address
> and our sales e-mail and somehow servers are sending
failure delivery
> notices to our system even we have nothing todo with
them how is that
> possible? Any way to forbit these kind of messages?
>
>
There are a good bit of things you can do to reduce this...
see:
http:/
/www.postfix.org/BACKSCATTER_README.html
Some of these are good, some are extreme.
_______________________________________________
Maia-users mailing list
Maia-usersrenaissoft.com
http://www.renaissoft.com/mailman/listinfo/maia-users
|
|
[1-4]
|
|