Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/07/22 19:01:54 UTC
Re: blowback procmail rule
Daniel Quinlan writes:
> If any of you have a problem with blowback (bounces from forged spam and
> viruses), this procmail rule should pretty much solve it.
Ah. I'm already using a simpler version, which just looks for my IPs in
bounce messages and ignores them if they aren't present.
BTW, there's still an aspect of blowback that isn't covered by those;
namely the "we found a virus in your mail!!!!!11" messages sent from
<Mr...@example.com> instead of from <>. Since those seem
to be a wide variety of sending addresses (often invalid), wordings, and
subject lines, they're quite tricky to catch. (That's what the VBOUNCE_
rules are good at catching.)
--j.
Re: blowback procmail rule
Posted by Daniel Quinlan <qu...@pathname.com>.
jm@jmason.org (Justin Mason) writes:
> Ah. I'm already using a simpler version, which just looks for my IPs in
> bounce messages and ignores them if they aren't present.
Yeah, that might work. If I recall correctly, I found a few blowbacks
that had my IP in the bounce message (where my MTA did an SMTP reject
and a blowback later came all the way back to me). I wanted to use
features that meant me, as a person, sent the mail.
> BTW, there's still an aspect of blowback that isn't covered by those;
> namely the "we found a virus in your mail!!!!!11" messages sent from
> <Mr...@example.com> instead of from <>. Since those
> seem to be a wide variety of sending addresses (often invalid),
> wordings, and subject lines, they're quite tricky to catch. (That's
> what the VBOUNCE_ rules are good at catching.)
True. I actually used VBOUNCE for this test: I counted Return-path:
headers, and doing MAILER-DAEMON@ and the null sender covers 97% or
something like that. postmaster@ was #3.
The "virus" names like you mention were *all* over the map, but I only
had one or two hits of each (looking at 18 months of ham), so I didn't
bother. (Note: I also catch a fair number of those just by filtering
viruses, since maybe 1/3 of them forward back the virus.)
Daniel
--
Daniel Quinlan
http://www.pathname.com/~quinlan/
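The two checks discussed above, worked through in code as an added example (this is not the procmail rule from the thread, nor SpamAssassin's VBounce code): Justin's test, whether the bounced original's Received: trace contains one of our MTA's IPs, and Daniel's preference for a mark showing that we personally sent the mail, represented here by the Message-ID domain. It also honours Daniel's caveat: a blowback can quote our IP in its diagnostic text after our MTA rejected the forged message at SMTP time, so only the original's own headers count as evidence, never the bounce's free text. The IPs, domains and sample bounces are constructed (RFC 5737 and RFC 2606 values); OUR_MTA_IPS and OUR_MSGID_DOMAINS are assumed site settings.

```python
"""Sort bounces into blowback vs. genuine.  Added example, not the thread's
procmail rules.  All IPs, domains and messages below are constructed."""
import email
import re
from email import policy

# Assumed site settings for this example:
OUR_MTA_IPS = {"192.0.2.10"}          # addresses our outbound MTA relays from
OUR_MSGID_DOMAINS = {"example.org"}   # right-hand side of Message-IDs we generate

# Envelope senders that mark a bounce: null sender, MAILER-DAEMON@, postmaster@
BOUNCE_SENDER_RE = re.compile(r"^<?(?:|mailer-daemon@[^>]*|postmaster@[^>]*)>?$", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_bounce(msg):
    """Return-Path decides: the three senders Daniel's census found cover ~97%."""
    rp = msg.get("Return-Path")
    return rp is not None and BOUNCE_SENDER_RE.match(str(rp).strip()) is not None


def extract_original(msg):
    """Recover the bounced original: a message/rfc822 part if present,
    otherwise the header block quoted inline in a text part."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            return payload[0] if isinstance(payload, list) else payload
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text = part.get_content()
            m = re.search(r"^(?:Received|Return-Path|Message-ID):", text, re.M)
            if m:
                return email.message_from_string(text[m.start():], policy=policy.default)
    return None


def evidence_we_sent_it(original):
    """Only the original's Received: trace and Message-ID count.  The bounce's
    diagnostic text is ignored on purpose: after our MTA rejects a forgery at
    SMTP time, the resulting blowback may quote our IP there."""
    for hdr in original.get_all("Received", []):
        if OUR_MTA_IPS & set(IP_RE.findall(str(hdr))):
            return True
    m = re.search(r"@([^>\s]+)>?\s*$", str(original.get("Message-ID") or ""))
    return bool(m and m.group(1).lower() in OUR_MSGID_DOMAINS)


def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    original = extract_original(msg)
    if original is not None and evidence_we_sent_it(original):
        return "genuine-bounce"
    return "blowback"


# Constructed blowback: a forgery in our name was rejected by our own MTA, so
# our IP shows up in the diagnostic text but never in the original's trace.
BLOWBACK_SAMPLE = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: jm@example.org
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx.example.net.
<jm@example.org>: host mail.example.org [192.0.2.10] said: 550 no such user

Received: from dsl-pool-77.example.com ([198.51.100.77])
    by mx.example.net with SMTP id 1Bn2tT-0002fK-00
From: jm@example.org
To: someone@mx.example.net
Message-ID: <000a01c47009$4f2a2cd0$4d9f3bc8@forged.example.com>
Subject: Re: Your document

"""

# Constructed genuine bounce: the attached original carries our relay's IP
# in its Received: trace and a Message-ID from our domain.
GENUINE_BOUNCE_SAMPLE = """\
Return-Path: <MAILER-DAEMON@relay.example.net>
From: Mail Delivery Subsystem <MAILER-DAEMON@relay.example.net>
To: jm@example.org
Subject: Returned mail: User unknown
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd"

--bnd
Content-Type: text/plain

The original message was received at Thu, 22 Jul 2004 18:59:02 +0100.
550 5.1.1 <nobody@relay.example.net>... User unknown

--bnd
Content-Type: message/rfc822

Received: from mail.example.org ([192.0.2.10])
    by relay.example.net with ESMTP id i6MHx2Zt012345
From: Justin <jm@example.org>
To: nobody@relay.example.net
Message-ID: <20040722175901.1A2B3C@example.org>
Subject: test

hello
--bnd--
"""

ORDINARY_SAMPLE = "Return-Path: <alice@example.com>\nFrom: alice@example.com\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    for name, raw in [("blowback", BLOWBACK_SAMPLE), ("genuine", GENUINE_BOUNCE_SAMPLE),
                      ("ordinary", ORDINARY_SAMPLE)]:
        print(name, "->", classify(raw))
```

The order of checks matters: grepping the whole bounce for our IP, as the simpler rule does, would pass the blowback sample because the rejecting host's address sits in the diagnostic line. Restricting the search to the original's Received: headers and adding a "we generated this" mark such as the Message-ID domain is the same idea SpamAssassin's later VBounce plugin implements with its whitelist_bounce_relays setting.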