Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/05/08 10:35:31 UTC

Re: possible idea for backscatter problem

Matt Kettler writes:
> .rp wrote:
> > One of the users (actually the boss) had the email address harvested and we got clobbered 
> > by backscatter. Looking at the emails of the various 'unable to deliver' type messages, I saw 
> > what these could be filtered on, but don't know how to write up and implement the rule 
> > outside of procmail. I don't want to use procmail for this since I think it would be an 
> > expensive routine for procmail to run.
> >
> > In the body of the 'unable to deliver' message, the original message is quoted. One of the 
> > lines quoted is the Message-ID: header from the original. The format of this line is always 
> > wrong as it does not contain the FQDN that our server appends to the end of the hash 
> > number, following the '@' symbol.
> >
> > So, need a rule that would parse the "Message-ID:" in the body (or attachment) and not 
> > header, and look for the @FQDN 
> > Is this rule already out in the wild?
> >   
> (note: your To: was the bogofilter list, but this appeared on 
> spamassassin-users as well.. It looks like you bcc'ed the SA list.  
> Anyway, I'm answering on the SA list because that's where I picked up 
> the message from)
> 
> Not that I know of, but it would be fairly quick as a spamassassin rule.
> 
> You'd likely need a meta of some sort.
> 
> Theoretically, something like this should work. I'm leveraging some of 
> the stock ruleset here, by reusing BOUNCE_MESSAGE to detect if the 
> message really is a bounce, make sure it is in your ruleset.

Actually, that's overkill -- BOUNCE_MESSAGE _already_ does this.

The VBounce plugin is intended to catch backscatter -- bounces in response
to mail you didn't send -- so it'll ignore bounces in response to mail you
_did_ send, by parsing the bounced message's Received: headers and looking
for the mailserver's name in there.

See the FAQ for more info...

--j.

Re: possible idea for backscatter problem

Posted by Matt Kettler <mk...@verizon.net>.
Justin Mason wrote:
> Matt Kettler writes:
>   
>> .rp wrote:
>>     
>>> One of the users (actually the boss) had the email address harvested and we got clobbered 
>>> by backscatter. Looking at the emails of the various 'unable to deliver' type messages, I saw 
>>> what these could be filtered on, but don't know how to write up and implement the rule 
>>> outside of procmail. I don't want to use procmail for this since I think it would be an 
>>> expensive routine for procmail to run.
>>>
>>> In the body of the 'unable to deliver' message, the original message is quoted. One of the 
>>> lines quoted is the Message-ID: header from the original. The format of this line is always 
>>> wrong as it does not contain the FQDN that our server appends to the end of the hash 
>>> number, following the '@' symbol.
>>>
>>> So, need a rule that would parse the "Message-ID:" in the body (or attachment) and not 
>>> header, and look for the @FQDN 
>>> Is this rule already out in the wild?
>>>   
>>>       
>> (note: your To: was the bogofilter list, but this appeared on 
>> spamassassin-users as well.. It looks like you bcc'ed the SA list.  
>> Anyway, I'm answering on the SA list because that's where I picked up 
>> the message from)
>>
>> Not that I know of, but it would be fairly quick as a spamassassin rule.
>>
>> You'd likely need a meta of some sort.
>>
>> Theoretically, something like this should work. I'm leveraging some of 
>> the stock ruleset here, by reusing BOUNCE_MESSAGE to detect if the 
>> message really is a bounce, make sure it is in your ruleset.
>>     
>
> Actually, that's overkill -- BOUNCE_MESSAGE _already_ does this.
>   

Whoops.. good point. I didn't read the code, I just saw the name and 
assumed it did just what it says, and nothing more.


So, really all .rp needs to do is enable the vbounce plugin (which is 
loaded by default).

Re: possible idea for backscatter problem

Posted by Shane Williams <sh...@shanew.net>.
On Thu, 8 May 2008, Justin Mason wrote:

> Matt Kettler writes:
>> .rp wrote:
>>
>>> So, need a rule that would parse the "Message-ID:" in the body (or attachment) and not
>>> header, and look for the @FQDN
>>> Is this rule already out in the wild?
>>>
>> You'd likely need a meta of some sort.
>>
>> Theoretically, something like this should work. I'm leveraging some of
>> the stock ruleset here, by reusing BOUNCE_MESSAGE to detect if the
>> message really is a bounce, make sure it is in your ruleset.
>
> Actually, that's overkill -- BOUNCE_MESSAGE _already_ does this.
>
> the VBounce plugin is intended to catch backscatter -- bounces in response
> to mail you didn't send -- so it'll ignore bounces in response to mail you
> _did_ send, by parsing the bounced message's Received: headers and looking
> for the mailserver's name in there.

Pardon my ignorance if I'm just not understanding this right, but my
impression is that there's a possibility that messages marked the
BOUNCE_MESSAGE could be legitimate bounces (just not bounces generated
by a whitelisted server).  Certainly I've read plenty of people on
this list advise against raising the vbounce rule scores as a way to
combat this new wave of seemingly intentional bounce spam, but rather
to filter all the bounces off to a separate folder.

But, doesn't the existence of a Message ID in the text of the bounce
that has a bogus or malformed email address provide a stronger
indication that this is not a valid bounce?  In which case, such email
could be scored higher, rather than just sent to a bounce folder,
which is really what many of us would rather be doing with these
messages?

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
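The two checks discussed in this thread, worked through as an added example (this is not code from the thread, from SpamAssassin or from the VBounce plugin): .rp's idea of finding the quoted Message-ID: line in the body of a bounce and checking whether its right-hand side is the FQDN the local MTA stamps, Justin's description of VBounce ignoring bounces whose quoted Received: headers name one of your own relays, and Shane's suggestion that both signals together justify a higher score than either alone. The relay name `mail.example.com`, the two bounce messages, the addresses and the point values are all constructed for the example.

```python
import email
import re

# Assumptions for the example: the FQDN our MTA puts after '@' in Message-IDs it
# generates, and the relays our outbound mail passes through (the same idea as
# VBounce's whitelist_bounce_relays setting).
OUR_FQDN = "mail.example.com"
BOUNCE_RELAYS = {"mail.example.com"}

# Constructed backscatter: the quoted original was forged on some random host,
# its Message-ID has no trace of our FQDN and no Received: line names our relay.
BACKSCATTER = """\
From: MAILER-DAEMON@example.net
To: boss@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

This is the mail system at host mx.example.net. Your message could not be delivered.

------ This is a copy of the message, including all the headers. ------
Received: from unknown (HELO win-xp-box) (198.51.100.7)
  by mx.example.net with SMTP; Thu, 8 May 2008 09:10:11 +0000
From: boss@example.com
To: victim@example.net
Message-ID: <000901c8b0f3$6c9d2e40$0200a8c0@winxpbox>
Subject: Cheap meds
"""

# Constructed legitimate bounce: the quoted original really left our relay and
# carries the Message-ID our MTA stamped.
LEGIT_BOUNCE = """\
From: MAILER-DAEMON@example.org
To: boss@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: text/plain

The following address failed: nobody@example.org

------ This is a copy of the message, including all the headers. ------
Received: from mail.example.com (mail.example.com [192.0.2.25])
  by mx.example.org with ESMTP; Thu, 8 May 2008 09:10:11 +0000
Received: from localhost (localhost [127.0.0.1])
  by mail.example.com with ESMTP id 4A1B2C3D4E; Thu, 8 May 2008 09:10:00 +0000
From: boss@example.com
To: nobody@example.org
Message-ID: <20080508091000.4A1B2C3D4E@mail.example.com>
Subject: Meeting
"""

# Quoted header lines in the bounce body (not the bounce's own headers).
MSGID_RE = re.compile(r"^Message-ID:\s*<([^>]*)>", re.IGNORECASE | re.MULTILINE)
# A Received: header with its folded continuation lines, up to the next header.
RECEIVED_RE = re.compile(r"^Received:\s*(.*?)(?=^\S|\Z)",
                         re.IGNORECASE | re.MULTILINE | re.DOTALL)


def body_of(raw: str) -> str:
    """Return the text body of a single-part bounce (the part .rp wants to scan)."""
    return email.message_from_string(raw).get_payload()


def quoted_message_ids(body: str):
    return MSGID_RE.findall(body)


def msgid_claims_our_domain(msgid: str, our_fqdn: str = OUR_FQDN) -> bool:
    """True if the part after the last '@' is the FQDN our MTA appends."""
    _, sep, rhs = msgid.rpartition("@")
    return bool(sep) and rhs.strip().lower() == our_fqdn.lower()


def quoted_received_names_relay(body: str, relays=BOUNCE_RELAYS) -> bool:
    """VBounce-style check: does any quoted Received: header mention our relay?"""
    for hdr in RECEIVED_RE.findall(body):
        flat = " ".join(hdr.split()).lower()
        if any(relay.lower() in flat for relay in relays):
            return True
    return False


def classify_bounce(raw: str, our_fqdn: str = OUR_FQDN, relays=BOUNCE_RELAYS) -> dict:
    """Combine both signals; point values are illustrative, not SpamAssassin scores."""
    body = body_of(raw)
    ids = quoted_message_ids(body)
    lacks_fqdn = bool(ids) and not any(msgid_claims_our_domain(i, our_fqdn) for i in ids)
    relayed_by_us = quoted_received_names_relay(body, relays)
    score = 0.0
    if not relayed_by_us:
        score += 1.0   # bounce for mail our relay never handled
    if lacks_fqdn:
        score += 2.0   # quoted Message-ID was not generated by our MTA
    return {"quoted_message_ids": ids, "msgid_lacks_our_fqdn": lacks_fqdn,
            "relayed_by_us": relayed_by_us, "score": score}


if __name__ == "__main__":
    for label, raw in (("backscatter", BACKSCATTER), ("legit", LEGIT_BOUNCE)):
        print(label, classify_bounce(raw))
```

The Message-ID check on its own is only as strong as the forger's laziness: a sender who copies the site's Message-ID format defeats it, while the Received: chain is something the forger cannot plausibly plant for your relay. That is why the relay check stays the primary signal and the malformed Message-ID is used as the extra evidence Shane describes rather than as a replacement. In SpamAssassin terms the same split would be a `rawbody` rule for the quoted Message-ID combined in a `meta` with BOUNCE_MESSAGE, instead of raising the VBounce rule scores themselves.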