Posted to commits@spamassassin.apache.org by Apache Wiki <wi...@apache.org> on 2008/04/16 21:11:09 UTC

[Spamassassin Wiki] Update of "VBounceRuleset" by JustinMason

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Spamassassin Wiki" for change notification.

The following page has been changed by JustinMason:
http://wiki.apache.org/spamassassin/VBounceRuleset

The comment on the change is:
add more detail, make it more FAQ-y

------------------------------------------------------------------------------
  = Virus Bounce Ruleset =
+ 
+ Backscatter is mail you didn't ask to receive, generated by legitimate, non-spam-sending systems in response to spam. Here are some examples, [http://www.spamresource.com/2007/02/backscatter-what-is-it-how-do-i-stop-it.html courtesy of Al Iverson]:
+ 
+   * Misdirected "undeliverable email" bounce messages from spam runs, from mail servers who "accept then bounce" instead of rejecting mail during the SMTP transaction.
+   * Misdirected virus/worm "OMG your mail was infected!" email notifications from virus scanners.
+   * Misdirected "please confirm your subscription" requests from mailing lists that allow email-based signup requests.
+   * Out of office or vacation autoreplies and autoresponders.
+   * Challenge requests from "Challenge/Response" anti-spam software. Maybe C/R software works great for you, but it generates significant backscatter to people you don't know.
+ 
+ It used to be OK to send some of these types of mail -- but no longer. Nowadays, due to the rise in backscatter caused by spammer/malware abuse, it is no longer considered good practice to "accept then bounce" mail from an SMTP session, or in any other way respond by mail to an unauthorized address of the mail's senders.
+ 
+ == How do I block it? ==
  
  There's a ruleset to block joe-job, virus-blowback, and spam-blowback bounce
  messages (a.k.a. "backscatter"), which is included in SpamAssassin 3.2.0.  It
  provides the following rules:
  
- {{{__}}}MY_SERVERS_FOUND: a whitelisted relay a la "whitelist_bounce_relays" was
+  * {{{__}}}MY_SERVERS_FOUND: a whitelisted relay a la "whitelist_bounce_relays" was found
- found
  
- BOUNCE_MESSAGE: an MTA-generated bounce from a non-whitelisted relay, "message was undeliverable" etc.
+  * BOUNCE_MESSAGE: an MTA-generated bounce from a non-whitelisted relay, "message was undeliverable" etc.
  
- CRBOUNCE_MESSAGE: Challenge-response bounce message from a non-whitelisted relay, eg. "please confirm your message was not spam"
+  * CRBOUNCE_MESSAGE: Challenge-response bounce message from a non-whitelisted relay, eg. "please confirm your message was not spam"
  
- VBOUNCE_MESSAGE: a virus-scanner-generated bounce from a non-whitelisted relay, e.g. "You sent a virus"
+  * VBOUNCE_MESSAGE: a virus-scanner-generated bounce from a non-whitelisted relay, e.g. "You sent a virus"
  
- ANY_BOUNCE_MESSAGE: any of the *BOUNCE_MESSAGE types above
+ * ANY_BOUNCE_MESSAGE: any of the *BOUNCE_MESSAGE types above will also trigger this
  
- If you are using SA 3.2.0, just enable the {{{loadplugin Mail::SpamAssassin::Plugin::VBounce}}} line in {{{/etc/mail/spamassassin/v320.pre}}}, and set a 'whitelist_bounce_relays' line as per step 3 below.
+ {{{__}}}MY_SERVERS_FOUND inhibits the other 4 rules from firing.
  
- If you are using SA 3.1.x, you can install the ruleset as follows:
+ == Setup ==
  
+ ''If you are using SA 3.2.x,'' just enable the {{{loadplugin Mail::SpamAssassin::Plugin::VBounce}}} line in {{{/etc/mail/spamassassin/v320.pre}}}, and skip to the 'whitelist_bounce_relays' line in step 3 below.
+ 
+ ''If you are using SA 3.1.x,'' you can install the ruleset as follows:
+ 
- 1. Download [http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf?revision=482200&pathrev=482207 20_vbounce.cf] and [http://taint.org/x/2007/VBounce.pm VBounce.pm] from jm's rules sandbox.
+ 1. Download [http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf?revision=482200&pathrev=482207 20_vbounce.cf] and [http://taint.org/x/2007/VBounce.pm VBounce.pm].
  
  2. Save both files to your '''/etc/mail/spamassassin''' directory.
  
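Review bot: The new ANY_BOUNCE_MESSAGE bullet is added as "+ * ANY_BOUNCE_MESSAGE", with one space less indentation than the four "+  * " bullets above it, so it may not render as part of the same list; indent it to match. In the same hunk, the unchanged intro still says the ruleset "is included in SpamAssassin 3.2.0" while the new Setup text says "SA 3.2.x", and the two should agree. The new sentence "{{{__}}}MY_SERVERS_FOUND inhibits the other 4 rules from firing" would also be clearer if it said why: per the bullet above it, that rule means a whitelisted relay was found, i.e. the bounce is for mail you really sent.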
@@ -37, +52 @@

  This is used to 'rescue' legitimate bounce messages that were generated in
  response to mail you really *did* send. If a bounce message is found, and it
  contains one of these hostnames in a 'Received' header in the bounced message, it will not be marked as a blowback virus-bounce.
+ 
+ Note that if you do not add this line, the *BOUNCE_MESSAGE rules will
+ never fire!  You have to specify at least one whitelisted relay for it
+ to operate.
  
  4. Run '''spamassassin --lint''' and ensure it works.
  
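Review bot: The added warning says "if you do not add this line", but it sits after a separate explanatory paragraph, so "this line" has no nearby referent; name the setting explicitly, e.g. "if you do not set 'whitelist_bounce_relays'". Since a missing setting leaves the ruleset loaded but silently inert, this precondition deserves more weight than a trailing note: consider bolding it or moving it to the top of step 3. It would also help step 4 to say whether "spamassassin --lint" reports the missing setting, because "ensure it works" does not tell the reader how to confirm the rules can fire.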
@@ -67, +86 @@

  '''VBounce.pm''' and '''20_vbounce.cf''' from '''/etc/mail/spamassassin''', so
  that it doesn't clash with the released version.
  
+ == Further Steps ==
+ 
+ If you're using Postfix, and volumes of backscatter at your mailserver are
+ very high, you can also block incoming backscatter during the SMTP transaction.
+ [http://taint.org/2007/05/30/164456a.html This blog post] describes how
+ to do it.
+ 
+ == What About My Own Bounces? ==
+ 
+ You might be worried that the VBounce ruleset will block bounces sent in response to your own mail. As long as the error conditions are flagged during the SMTP transaction (as they should be nowadays), and you've specified your own mailserver(s) in ‘whitelist_bounce_relays', you're fine.
+
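Review bot: In the new "What About My Own Bounces?" paragraph the setting is quoted with mismatched marks (a curly opening quote and a straight closing one around whitelist_bounce_relays), unlike the plain 'whitelist_bounce_relays' used in the Setup section; use the same quoting throughout so the name can be copied cleanly. The answer also joins its two conditions with "and" without saying which bounces each one covers; a pointer back to step 3, which explains that a bounce is rescued when a whitelisted hostname appears in a 'Received' header of the bounced message, would make "you're fine" verifiable. In "Further Steps", the link text "This blog post" gives no hint of what the Postfix technique is; a descriptive link title would be better.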