Posted to users@spamassassin.apache.org by Steve Prior <sp...@geekster.com> on 2005/05/27 19:09:21 UTC

Do we need a "Joe job" bounce message blacklist?

My domain geekster.com has been Joe jobbed for the last couple
of weeks.  In spite of the fact that I responsibly created SPF
records for my domain, I am getting flooded with bounce messages
from other mail systems that don't understand most spam from
addresses are forged.  Fortunately AOL seems to have wised up
since the last time this happened to me.

It seems to me that email domains that email such bounce messages
or spam fighting techniques that send back a confirmation message
are now part of the problem rather than the solution, but since
the confirmation messages do shield THEIR users from spam they
don't care what it's doing to the rest of us.  I'm wondering if
a blacklist of known domains which send out stupid bounce messages
or confirm emails would provide some incentive for cleaning them up.

Any thoughts?
Steve

Re: Do we need a "Joe job" bounce message blacklist?

Posted by Steven Dickenson <st...@mrchuckles.net>.
Matthew S. Cramer wrote:
> If an email is from <> or <MAILER-DAEMON> then I check the mail for a
> line that looks like /^Received.*one.of.our.ip.addresses/.  If it
> doesn't have the line, then I reject the mail with a 554 and "Bounced
> message did not originate here."
> 
> This has eliminated all the bogus bounces of spam and bogus virus
> alerts.  I think virtually all MTAs include original message headers
> when bouncing (even the ones that are sending the bogus spam and virus
> bounces) so we haven't had any issues with this for the 6 months we've
> been doing it.  Theoretically a legitimate bounce that didn't include
> the original message headers would be rejected, but then it should end
> up with the postmaster of the original bouncer and they will see the
> cause of the error and fix their MTA.  But if that has happened to us,
> no one has complained.

This sounds too good to be true.  Anyone care to collect some DSNs and 
NDRs from various MTAs and test this out?

Matt, I assume you're rejecting after DATA, so this in theory shouldn't 
throw off sender verification callouts?

- S

Re: Do we need a "Joe job" bounce message blacklist?

Posted by "Matthew S. Cramer" <ms...@armstrong.com>.
On Mon, May 30, 2005 at 11:48:53AM -0400, Kevin Peuhkurinen wrote:
> Matthew S. Cramer wrote:
> 
> >If an email is from <> or <MAILER-DAEMON> then I check the mail for a
> >line that looks like /^Received.*one.of.our.ip.addresses/.  If it
> >doesn't have the line, then I reject the mail with a 554 and "Bounced
> >message did not originate here."
>
> I was intrigued by this idea and started looking at some of the mail 
> coming in from the <> address.   One thing I've noticed is that lots of 
> "Read receipt"s are sent using this address.   Have you done something 
> to allow these through or do you reject them as well?

Here is my perl code for MIMEDefang.  I took this from something
another member of that list had posted.

    # Confirm bounces originated from Armstrong
    if ($Sender =~ /^<>$|^mailer-daemon\@/i) {
        my $found = 0;
        my $receivedline = 0;
        # Skip header
        if (open(IN,"./INPUTMSG")) {
            while(<IN>) {
                s/[\r\n]+//g;
                last if /^$/;
            }
            # Search body
            while(<IN>) {
                next unless /Received:/i;
                $receivedline++;
                # Look for our ip-range.
                if (/x\.y\.z\./) {
                    $found++;
                    last;
                }
            }
            close IN;
            if ($receivedline && !$found) {
                return action_bounce("Bounced message has no Received line from Armstrong");
            }
        }
    }

So to answer the couple of questions - this doesn't break DSN since I am
looking for the Received line itself.  Hope that clarifies some
things.


Matt

-- 
Matthew S. Cramer <ms...@armstrong.com>          Office: 717-396-5032
Infrastructure Security Analyst                     Fax:    717-396-5590
Armstrong World Industries, Inc.                    Cell:   717-917-7099
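The same decision as Matt's MIMEDefang filter, written out in Python as an added illustration (not Matt's code and not MIMEDefang's API): the netblock, the square-bracket IP pattern and the sample bounces are constructed here, and the netblock stands in for the "x.y.z." prefix, whose real value the post does not give. It keeps the filter's two edge cases, a non-bounce sender and a bounce that returns no Received: lines, both of which are accepted.

```python
import ipaddress
import re

# Constructed stand-in for the "x.y.z." prefix in the filter above: the
# netblock our own outbound relays send from (not Armstrong's real range).
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# IPv4 literal in square brackets, the form MTAs use in Received: trace fields.
_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_bounce_sender(envelope_from):
    """True for the null sender <> or a MAILER-DAEMON address (the filter's test)."""
    s = envelope_from.strip().strip("<>").lower()
    return s == "" or s.startswith("mailer-daemon@")

def received_lines_below_header(raw_message):
    """Received: lines *below* the bounce's own header block, i.e. inside the
    copy of the original message that the bouncing MTA returned to us."""
    body = raw_message.replace("\r\n", "\n").partition("\n\n")[2]
    return [ln for ln in body.split("\n") if ln.lower().startswith("received:")]

def is_our_ip(ip_text):
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in OUR_NETS)
    except ValueError:
        return False  # malformed literal: not ours

def check_bounce(envelope_from, raw_message):
    """Same decision as the MIMEDefang filter: a bounce whose returned headers
    carry Received: lines, none naming one of our relays, is rejected; a
    non-bounce, or a bounce with no Received: lines at all, is accepted."""
    if not is_bounce_sender(envelope_from):
        return "accept"
    received = received_lines_below_header(raw_message)
    if not received:
        return "accept"
    for line in received:
        if any(is_our_ip(ip) for ip in _IP_IN_BRACKETS.findall(line)):
            return "accept"
    return "reject"  # 554 Bounced message did not originate here

# Constructed samples: a bogus bounce of a forged message that never touched
# our relays, and a genuine one whose original did pass through 192.0.2.10.
FORGED_BOUNCE = (
    "From: MAILER-DAEMON@example.net\nTo: victim@example.org\n"
    "Subject: Undeliverable\n\nYour message could not be delivered.\n\n"
    "Received: from pc123.example.com ([203.0.113.5]) by mx.example.net\n"
    "From: victim@example.org\nSubject: cheap meds\n"
)
REAL_BOUNCE = FORGED_BOUNCE.replace("[203.0.113.5]", "[192.0.2.10]")
```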

Re: Do we need a "Joe job" bounce message blacklist?

Posted by Kevin Peuhkurinen <ke...@meridiancu.ca>.
Matthew S. Cramer wrote:

>If an email is from <> or <MAILER-DAEMON> then I check the mail for a
>line that looks like /^Received.*one.of.our.ip.addresses/.  If it
>doesn't have the line, then I reject the mail with a 554 and "Bounced
>message did not originate here."
I was intrigued by this idea and started looking at some of the mail 
coming in from the <> address.   One thing I've noticed is that lots of 
"Read receipt"s are sent using this address.   Have you done something 
to allow these through or do you reject them as well?


Re: Do we need a "Joe job" bounce message blacklist?

Posted by Dan Hollis <go...@anime.net>.
On Fri, 27 May 2005, Matthew S. Cramer wrote:
> You could probably do this with a SA rule.  I do it with MIMEDefang
> milter.
> 
> If an email is from <> or <MAILER-DAEMON> then I check the mail for a
> line that looks like /^Received.*one.of.our.ip.addresses/.  If it
> doesn't have the line, then I reject the mail with a 554 and "Bounced
> message did not originate here."

care to share? :-)

sounds like it should be simple to filter @ebay.com / 
@paypal.com "announcements" that don't originate from ebay.com too.

-Dan


Re: Do we need a "Joe job" bounce message blacklist?

Posted by "Matthew S. Cramer" <ms...@armstrong.com>.
On Fri, May 27, 2005 at 12:16:52PM -0500, evan@coolrunningconcepts.com wrote:
> I think this is an awesome idea!
> 
> I hate getting stupid emails about how my spam or virus was rejected from
> someone I've never heard of.  I can't very well be sending out Outlook 
> viruses
> from a Linux box!
> 
> It's just adding to the problem of wasting bandwidth with worthless mail.

You could probably do this with a SA rule.  I do it with MIMEDefang
milter.

If an email is from <> or <MAILER-DAEMON> then I check the mail for a
line that looks like /^Received.*one.of.our.ip.addresses/.  If it
doesn't have the line, then I reject the mail with a 554 and "Bounced
message did not originate here."

This has eliminated all the bogus bounces of spam and bogus virus
alerts.  I think virtually all MTAs include original message headers
when bouncing (even the ones that are sending the bogus spam and virus
bounces) so we haven't had any issues with this for the 6 months we've
been doing it.  Theoretically a legitimate bounce that didn't include
the original message headers would be rejected, but then it should end
up with the postmaster of the original bouncer and they will see the
cause of the error and fix their MTA.  But if that has happened to us,
no one has complained.


Matt


Re: Do we need a "Joe job" bounce message blacklist?

Posted by Antonio DeLaCruz <td...@homenet.tzo.com>.
Actually, you can forward viruses from a Linux box if the virus is an
attachment or embedded in the message.  It makes no difference what OS
you are using when you send the message.  Linux only protects us from
the viruses that want to harm Windows.

Thanks,

Antonio DeLaCruz


Quoting evan@coolrunningconcepts.com:

> I think this is an awesome idea!
>
> I hate getting stupid emails about how my spam or virus was rejected from
> someone I've never heard of.  I can't very well be sending out 
> Outlook viruses
> from a Linux box!
>
> It's just adding to the problem of wasting bandwidth with worthless mail.
>
> -- Evan
>
> Quoting Steve Prior <sp...@geekster.com>:
>
>> My domain geekster.com has been Joe jobbed for the last couple
>> of weeks.  In spite of the fact that I responsibly created SPF
>> records for my domain, I am getting flooded with bounce messages
>> from other mail systems that don't understand most spam from
>> addresses are forged.  Fortunately AOL seems to have wised up
>> since the last time this happened to me.
>>
>> It seems to me that email domains that email such bounce messages
>> or spam fighting techniques that send back a confirmation message
>> are now part of the problem rather than the solution, but since
>> the confirmation messages do shield THEIR users from spam they
>> don't care what it's doing to the rest of us.  I'm wondering if
>> a blacklist of known domains which send out stupid bounce messages
>> or confirm emails would provide some incentive for cleaning them up.
>>
>> Any thoughts?
>> Steve

Re: Do we need a "Joe job" bounce message blacklist?

Posted by ev...@coolrunningconcepts.com.
I think this is an awesome idea!

I hate getting stupid emails about how my spam or virus was rejected from
someone I've never heard of.  I can't very well be sending out Outlook viruses
from a Linux box!

It's just adding to the problem of wasting bandwidth with worthless mail.

-- Evan

Quoting Steve Prior <sp...@geekster.com>:

> My domain geekster.com has been Joe jobbed for the last couple
> of weeks.  In spite of the fact that I responsibly created SPF
> records for my domain, I am getting flooded with bounce messages
> from other mail systems that don't understand most spam from
> addresses are forged.  Fortunately AOL seems to have wised up
> since the last time this happened to me.
>
> It seems to me that email domains that email such bounce messages
> or spam fighting techniques that send back a confirmation message
> are now part of the problem rather than the solution, but since
> the confirmation messages do shield THEIR users from spam they
> don't care what it's doing to the rest of us.  I'm wondering if
> a blacklist of known domains which send out stupid bounce messages
> or confirm emails would provide some incentive for cleaning them up.
>
> Any thoughts?
> Steve

Re: Do we need a "Joe job" bounce message blacklist?

Posted by ma...@gmail.com.
On 5/27/05, Justin Mason <jm...@jmason.org> wrote:
> Steve Prior writes:
> > My domain geekster.com has been Joe jobbed for the last couple
> > of weeks.  In spite of the fact that I responsibly created SPF
> > records for my domain, I am getting flooded with bounce messages
> > from other mail systems that don't understand most spam from
> > addresses are forged.  Fortunately AOL seems to have wised up
> > since the last time this happened to me.
> >
> > It seems to me that email domains that email such bounce messages
> > or spam fighting techniques that send back a confirmation message
> > are now part of the problem rather than the solution, but since
> > the confirmation messages do shield THEIR users from spam they
> > don't care what it's doing to the rest of us.  I'm wondering if
> > a blacklist of known domains which send out stupid bounce messages
> > or confirm emails would provide some incentive for cleaning them up.
> 
> A BL would probably be helpful -- but sadly some *really big* networks
> (Earthlink's challenge-response) and companies (Fortune 500s) produce
> these bounces, too, so it'd have serious FP potential, since those mail
> relay IP addresses produce both the bounces and the legit mail.

Note that there's an alternative, if you run your own MTA, which is to
use separate header From and bounce addresses.  What I do for my
regular email (not this gmail account), is to use bounce addresses of
the form <dm...@mailavenger.org>, where COOKIE is a
cryptographic cookie, basically the encryption of an expiration date
21 days in the future.  I only accept bounce messages to addresses of
that form, and if the COOKIE has expired.  If you try to email my
regular email address from <>, the mail is rejected.

Note that many mail systems support such extension addresses.  For
example, if your username is dm, sendmail by default delivers
dm+ANYTHING to you.  Qmail has a similar feature with dm-ANYTHING (but
you have to create a .qmail-default file in your home directory).

Doing this for larger sites (where you don't have one Unix account per
user) might be a bit harder, but if SES ever takes off, you could use
that.

David
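An HMAC-based version of the expiring-cookie bounce address David describes, added here as an illustration only (this is not mailavenger's code, and the exact cookie construction it uses is not given in the post). The secret key, the expiry-plus-MAC layout of the cookie, the base32 encoding and the 64-bit tag length are assumptions; the 21-day lifetime and the user+COOKIE@domain shape follow the post. One side builds the envelope sender for outgoing mail, the other decides at RCPT TO whether a message from <> may reach the address.

```python
import base64
import hashlib
import hmac
import time

# Constructed key; a real deployment uses a random per-site secret held by the MTA.
SECRET = b"constructed-demo-key-not-for-real-use"
LIFETIME = 21 * 24 * 3600  # cookies expire 21 days out, as in the post
TAG_BYTES = 8              # truncated HMAC tag: 64 bits is plenty to stop guessing

def _tag(user, domain, exp_hex):
    msg = f"{user}@{domain}|{exp_hex}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_BYTES]

def make_bounce_address(user, domain, now=None):
    """Return user+COOKIE@domain for use as the envelope (bounce) sender.
    COOKIE = <expiry-hex>-<base32 HMAC over user, domain and expiry>."""
    expires = int(time.time() if now is None else now) + LIFETIME
    exp_hex = f"{expires:x}"
    tag_txt = base64.b32encode(_tag(user, domain, exp_hex)).decode().rstrip("=").lower()
    return f"{user}+{exp_hex}-{tag_txt}@{domain}"

def accept_bounce_rcpt(address, now=None):
    """Decide at RCPT TO whether a message from <> may reach this address.
    Returns the real local part on success, None if the address carries no
    cookie, the cookie fails to verify, or it has expired."""
    now = int(time.time() if now is None else now)
    local, _, domain = address.rpartition("@")
    user, plus, cookie = local.partition("+")
    exp_hex, dash, tag_txt = cookie.partition("-")
    if not plus or not dash:
        return None  # plain address: bounces are never accepted for it
    try:
        expires = int(exp_hex, 16)
        tag = base64.b32decode(tag_txt.upper() + "=" * (-len(tag_txt) % 8))
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _tag(user, domain, exp_hex)):
        return None  # forged or altered cookie
    if now > expires:
        return None  # expired: old addresses harvested from spam stop working
    return user
```

Because the cookie is bound to the user and domain as well as the expiry, an attacker who harvests one such address cannot transplant its cookie onto another mailbox, and after 21 days it stops admitting bounces altogether.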