Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/07/22 19:01:54 UTC

Re: blowback procmail rule



Daniel Quinlan writes:
> If any of you have a problem with blowback (bounces from forged spam and
> viruses), this procmail rule should pretty much solve it.

Ah.  I'm already using a simpler version, which just looks for my IPs in
bounce messages and ignores them if they aren't present.

BTW, there's still an aspect of blowback that isn't covered by those;
namely the "we found a virus in your mail!!!!!11" messages sent from
<Mr...@example.com> instead of from <>.   Since those seem
to be a wide variety of sending addresses (often invalid), wordings, and
subject lines, they're quite tricky to catch.  (that's what the VBOUNCE_
rules are good at catching.)

--j.


Re: blowback procmail rule

Posted by Daniel Quinlan <qu...@pathname.com>.
jm@jmason.org (Justin Mason) writes:

> Ah.  I'm already using a simpler version, which just looks for my IPs in
> bounce messages and ignores them if they aren't present.

Yeah, that might work.  If I recall correctly, I found a few blowbacks
that had my IP in the bounce message (where my MTA did an SMTP reject
and a blowback later came all the way back to me).  I wanted to use
features that meant me, as a person, sent the mail.
 
> BTW, there's still an aspect of blowback that isn't covered by those;
> namely the "we found a virus in your mail!!!!!11" messages sent from
> <Mr...@example.com> instead of from <>.  Since those
> seem to be a wide variety of sending addresses (often invalid),
> wordings, and subject lines, they're quite tricky to catch.  (that's
> what the VBOUNCE_ rules are good at catching.)

True.  I actually used VBOUNCE for this test: I counted Return-path:
headers and doing MAILER-DAEMON@ and the null sender covers 97% or
something like that.  postmaster@ was #3.

The "virus" names like you mention were *all* over the map, but I only
had one or two hits of each (looking at 18 months of ham), so I didn't
bother.  (Note: I also catch a fair number of those just by filtering
viruses, since maybe 1/3 of them forward back the virus.)

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
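The two heuristics discussed above (treat a message as a bounce when its Return-Path is the null sender, MAILER-DAEMON@ or postmaster@; treat a bounce as blowback when no part of it cites one of our own sending IPs) combined into a small classifier. This is an added example, not code from either post; the IP set and the three sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# Assumed: the addresses this site relays outbound mail from (constructed).
MY_SENDING_IPS = {"192.0.2.10", "192.0.2.11"}
# Bounce senders named in the thread: null sender, MAILER-DAEMON@, postmaster@.
BOUNCE_SENDER_RE = re.compile(r"^<?(|mailer-daemon@\S*|postmaster@\S*)>?$", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def is_bounce(msg: Message) -> bool:
    """Bounce if Return-Path is one of the usual bounce senders.  Virus
    notices sent from an ordinary address are deliberately not matched."""
    return bool(BOUNCE_SENDER_RE.match((msg.get("Return-Path") or "").strip()))

def mentions_my_ip(msg: Message) -> bool:
    """True if any part (including the quoted original) cites one of our IPs."""
    for part in msg.walk():
        payload = part.get_payload(decode=True) or b""
        found = set(IPV4_RE.findall(payload.decode("utf-8", "replace")))
        if found & MY_SENDING_IPS:
            return True
    return False

def classify(raw: str) -> str:
    """'blowback' = a bounce for mail that never left our servers."""
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    return "legit-bounce" if mentions_my_ip(msg) else "blowback"

# Constructed samples (RFC 5737 documentation addresses).
LEGIT_BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.org>
Subject: Undelivered Mail Returned to Sender

Received: from smtp.example.net ([192.0.2.10]) by mx.example.org
"""
BLOWBACK = """\
Return-Path: <MAILER-DAEMON@relay.example.com>
Subject: Delivery failure

Received: from dsl-pool.example.org ([203.0.113.77]) by relay.example.com
"""
VIRUS_NOTICE = """\
Return-Path: <antivirus@example.com>
Subject: We found a virus in your mail!!!
"""
```

As Daniel notes, a bounce produced after our own MTA's SMTP reject can still quote our IP, so this check lets those through; the virus notices from ordinary addresses are left to VBOUNCE-style rules.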