Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/05/27 21:13:47 UTC

Re: Do we need a "Joe job" bounce message blacklist?


Steve Prior writes:
> My domain geekster.com has been Joe jobbed for the last couple
> of weeks.  In spite of the fact that I responsibly created SPF
> records for my domain, I am getting flooded with bounce messages
> from other mail systems that don't understand most spam from
> addresses are forged.  Fortunately AOL seems to have wised up
> since the last time this happened to me.
> 
> It seems to me that email domains that email such bounce messages
> or spam fighting techniques that send back a confirmation message
> are now part of the problem rather than the solution, but since
> the confirmation messages do shield THEIR users from spam they
> don't care what it's doing to the rest of us.  I'm wondering if
> a blacklist of known domains which send out stupid bounce messages
> or confirm emails would provide some incentive for cleaning them up.

A BL would probably be helpful -- but sadly some *really big* networks
(Earthlink's challenge-response) and companies (Fortune 500s) produce
these bounces, too, so it'd have serious FP potential, since those mail
relay IP addresses produce both the bounces and the legit mail.

There's a ruleset to catch bounces, challenges and bogus virus warnings;
Tim Jackson's bogus-virus-warnings.cf.  That's what I use (now heavily
modified locally).

We're also considering that it may be worthwhile to get some kind of
ruleset for these as an "official" builtin part of SpamAssassin; this'd be
optional, since it needs a little work on the user side to change from
simple 2-class ham/spam classification to multi-class
ham/spam/bogus-bounce/bogus-virus-warning/bogus-cr classification, but I
think it'd be very useful in many places.

--j.


Re: Do we need a "Joe job" bounce message blacklist?

Posted by Steve Prior <sp...@geekster.com>.
Justin Mason wrote:

> A BL would probably be helpful -- but sadly some *really big* networks
> (Earthlink's challenge-response) and companies (Fortune 500s) produce
> these bounces, too, so it'd have serious FP potential, since those mail
> relay IP addresses produce both the bounces and the legit mail.
> --j.

My suggestion had a bit of activism included.  I don't want to reject just
the bounce messages from these mail systems, I want to reject ALL mail from
those systems, but do so at the MTA level so I'm not causing the annoying
bounce problem I'm trying to solve.  Companies who have these bounce
messages and confirmation emails are actually doing damage to innocent bystanders
(at the moment myself, but it is ALWAYS happening somewhere), and the
company producing the messages doesn't know or have incentive to care what
they are doing to others.

It really bugs me to get a message from a system claiming to be fighting
spam and requiring confirmation when in fact I apparently do more to fight
spam than they did (by implementing SPF for my domains and NOT sending back
stupid incorrect bounces).

I think that these companies need to see that all email from them is refused
from their domains as long as they keep offending, and that will give them
the required motivation to fix their systems.

If I sound a bit ticked at the moment, I really am: not only do I get Mr Wiggly
type spams intended for my domain, but I'm also getting it forwarded/bounced to me
from lots of others, and that much Mr Wiggly isn't good for anyone...

Steve

Re: Do we need a "Joe job" bounce message blacklist?

Posted by ma...@gmail.com.
On 5/27/05, Justin Mason <jm...@jmason.org> wrote:
> A BL would probably be helpful -- but sadly some *really big* networks
> (Earthlink's challenge-response) and companies (Fortune 500s) produce
> these bounces, too, so it'd have serious FP potential, since those mail
> relay IP addresses produce both the bounces and the legit mail.

Note that there's an alternative, if you run your own MTA, which is to
use separate header From and bounce addresses.  What I do for my
regular email (not this gmail account), is to use bounce addresses of
the form <dm...@mailavenger.org>, where COOKIE is a
cryptographic cookie, basically the encryption of an expiration date
21 days in the future.  I only accept bounce messages to addresses of
that form, and if the COOKIE has expired.  If you try to email my
regular email address from <>, the mail is rejected.

Note that many mail systems support such extension addresses.  For
example, if your username is dm, sendmail by default delivers
dm+ANYTHING to you.  Qmail has a similar feature with dm-ANYTHING (but
you have to create a .qmail-default file in your home directory).

Doing this for larger sites (where you don't have one Unix account per
user) might be a bit harder, but if SES ever takes off, you could use
that.

David
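The cookie-based bounce addresses David describes, as an added example that is not code from the original thread or from mailavenger: it tags a 21-day expiry timestamp with an HMAC instead of encrypting the date, and the secret, user name and domain are constructed placeholders. A bounce (null sender) is accepted only to user+COOKIE@domain with a valid, unexpired cookie; a bounce to the plain address is rejected, while ordinary mail is delivered as usual.

```python
import hashlib
import hmac
import re
import struct
import time

# Constructed secret for the example; a real MTA would load it from config.
SECRET = b"example-only-secret-not-for-production"
COOKIE_LIFETIME = 21 * 24 * 3600   # 21 days, as in the post
TAG_LEN = 8                        # bytes of HMAC-SHA256 kept in the cookie

def make_bounce_address(user, domain, now=None):
    """Return user+COOKIE@domain, COOKIE = hex(expiry || HMAC(expiry))."""
    now = int(time.time()) if now is None else int(now)
    expiry = struct.pack(">I", now + COOKIE_LIFETIME)
    tag = hmac.new(SECRET, expiry, hashlib.sha256).digest()[:TAG_LEN]
    return f"{user}+{(expiry + tag).hex()}@{domain}"

def accept_message(envelope_sender, rcpt, user, domain, now=None):
    """Decide at SMTP time whether to accept a message for `user`.

    Returns (accepted, reason).  Mail from <> is a bounce and is only
    accepted to a cookie address whose tag verifies and has not expired.
    """
    now = int(time.time()) if now is None else int(now)
    is_bounce = envelope_sender in ("", "<>")
    m = re.fullmatch(r"([^+@]+)(?:\+([0-9a-f]{24}))?@([^@]+)", rcpt.lower())
    if not m or m.group(1) != user.lower() or m.group(3) != domain.lower():
        return False, "unknown recipient"
    cookie = m.group(2)
    if not is_bounce:
        return True, "normal mail"            # plain or extension address
    if cookie is None:
        return False, "bounce to plain address rejected"
    raw = bytes.fromhex(cookie)
    expiry_bytes, tag = raw[:4], raw[4:]
    expected = hmac.new(SECRET, expiry_bytes, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False, "cookie forged"
    if struct.unpack(">I", expiry_bytes)[0] < now:
        return False, "cookie expired"
    return True, "bounce to valid cookie address"

if __name__ == "__main__":
    addr = make_bounce_address("dm", "example.org")
    print(addr, accept_message("<>", addr, "dm", "example.org"))
```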