Posted to users@spamassassin.apache.org by Arvid Picciani <ae...@exys.org> on 2009/06/19 13:32:10 UTC

anything useful to do with a joe-jobed domain?

Hi,
I'm currently convincing my boss to throw away a domain that receives so 
much backscatter, it's useless to try filtering the legitimate mail.  
Could I do anything useful with it?
Spamtrap won't work since 99.99% of mails are backscatter from 
"legitimate" hosts. Can't block those.
Maybe a backscatter list wants them?


Re: anything useful to do with a joe-jobed domain?

Posted by RW <rw...@googlemail.com>.
On Fri, 19 Jun 2009 13:52:58 +0100
"richard@buzzhost.co.uk" <ri...@buzzhost.co.uk> wrote:

> http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation
> 
> Should be possible to make that domain usable again with some work :-)

It doesn't solve the whole problem though, it just tells you which of
the backscatter mails are legitimate DSNs. The problem of identifying
backscatter in the first place seems to be getting harder.

I was recently joe-jobed by a botnet in India and got a lot of
backscatter that was hard to identify. There were a lot of DSNs without
proper mime headers, and many of them had odd return-path addresses and
a huge variety of subject patterns - including some in foreign
languages, and Asian character sets.

I also got a lot of CR mail. A few of these have special headers
but most are pretty hard to filter, because they use the same kind of
language as website verification messages.

Re: anything useful to do with a joe-jobed domain?

Posted by "richard@buzzhost.co.uk" <ri...@buzzhost.co.uk>.
On Fri, 2009-06-19 at 13:32 +0200, Arvid Picciani wrote:
> Hi,
> I'm currently convincing my boss to throw away a domain that receives so 
> much backscatter, it's useless to try filtering the legitimate mail.  
> Could I do anything useful with it?
> Spamtrap won't work since 99.99% of mails are backscatter from 
> "legitimate" hosts. Can't block those.
> Maybe a backscatter list wants them?
> 
Not tried sender verification? I know the Barracuda Spam (LOL 'And
Virus') "FIREWALL" offers this (but they broke it..). They have called it
BATV.

works in combination with custom SA rules that block all NDR type
messages unless they have a signature in the 'from' field;

from=<btv1==421f28ad911==> (here it's broken, as the rest of the from is
missing)

Signature is built on some weak hash churned from:
batv_expire_time
batv_shared_secret

When I first noticed it I thought 'Wow, Barracuda have done something
good'. I was then sent a link by a T2 at Barracuda showing me where they
stole it from. Sigh.....

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

Should be possible to make that domain usable again with some work :-)
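As an added illustration of the scheme Richard is describing (not code from this thread, from Barracuda, or from SpamAssassin), here is a minimal BATV-style signed return path in Python. It follows the general PRVS tag layout from the BATV draft rather than Barracuda's `btv1==` format: a key number, a three-digit expiry day and six hex digits of an HMAC over those plus the bare address, all keyed with a shared secret. The secret, the addresses and the seven-day lifetime are constructed values for the example. The `classify_bounce` policy at the end is the piece an MTA or SA rule would apply: a message with an empty MAIL FROM whose envelope recipient carries no valid tag is backscatter for a bounce you never sent.

```python
import hmac
import hashlib
from datetime import date

# Constructed shared secret for this example only; a deployment keeps it
# outside the code and retires old secrets through the key number digit.
SECRET = b"constructed-example-secret"
DAYS_VALID = 7


def _sig(key_num, expiry, address, secret):
    """Six hex digits of HMAC-SHA1 over key number, expiry day and bare address."""
    msg = f"{key_num}{expiry:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]


def sign_return_path(address, today, secret=SECRET, key_num=0, days_valid=DAYS_VALID):
    """Wrap a MAIL FROM address as prvs=KDDDSSSSSS=local@domain.

    DDD is the expiry day as (ordinal day) mod 1000, so a captured tag is
    dead after days_valid days whatever happens to the secret.
    """
    if "@" not in address:
        raise ValueError("address must contain @")
    expiry = (today.toordinal() + days_valid) % 1000
    sig = _sig(key_num, expiry, address, secret)
    return f"prvs={key_num}{expiry:03d}{sig}={address}"


def verify_return_path(tagged, today, secret=SECRET, days_valid=DAYS_VALID):
    """Return (valid, original_address); untagged or bad tags give (False, None)."""
    if not tagged.startswith("prvs="):
        return False, None
    tag, sep, address = tagged[5:].partition("=")
    if not sep or len(tag) != 10 or "@" not in address:
        return False, None
    key_s, exp_s, sig = tag[0], tag[1:4], tag[4:]
    if not (key_s.isdigit() and exp_s.isdigit()):
        return False, None
    expected = _sig(int(key_s), int(exp_s), address, secret)
    # Constant-time comparison so the check does not leak which digit failed.
    if not hmac.compare_digest(expected, sig):
        return False, None
    # Remaining lifetime wraps mod 1000: 0 means it expired today, and a
    # value above days_valid is a stale tag from an earlier 1000-day cycle.
    remaining = (int(exp_s) - today.toordinal() % 1000) % 1000
    if remaining == 0 or remaining > days_valid:
        return False, None
    return True, address


def classify_bounce(mail_from, rcpt_to, today, secret=SECRET):
    """Policy for an inbound message: empty MAIL FROM marks a DSN or similar bounce."""
    if mail_from != "":
        return "not-a-bounce"
    ok, _ = verify_return_path(rcpt_to, today, secret)
    return "accept-dsn" if ok else "reject-backscatter"


if __name__ == "__main__":
    today = date(2009, 6, 19)
    tagged = sign_return_path("arvid@example.org", today)
    print(tagged)
    print(classify_bounce("", tagged, today))
    print(classify_bounce("", "arvid@example.org", today))
```

Outbound mail gets `sign_return_path` applied to its envelope sender; inbound null-sender mail is checked with `classify_bounce`. As RW notes in his reply, this only separates the DSNs for mail you actually sent from the rest; it does nothing about challenge-response mail or bounces that arrive with a non-empty sender, which still need ordinary filtering.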




Re: anything useful to do with a joe-jobed domain?

Posted by Benny Pedersen <me...@junc.org>.
On Fri, June 19, 2009 13:32, Arvid Picciani wrote:
> Maybe a backscatter list wants them?

set MX to 127.0.0.1 problem resolved :)

at least for you; wonder how many hosts are doing things they are not aware of
in terms of spam problems created (we don't scan mails outgoing from our
host is the worst case of management)

-- 
xpoint