From owner-freebsd-questions@FreeBSD.ORG Thu Oct 16 17:29:42 2008
From: eculp@casasponti.net
To: freebsd-questions@freebsd.org
Date: Thu, 16 Oct 2008 12:29:05 -0500
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <20081016122905.17qwm4xcs6kgwg88w@intranet.casasponti.net>
In-Reply-To: <622D90E8-81AB-4A0A-9436-4662E33D117D@mac.com>
References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <20081016145255.GA12638@icarus.home.lan> <48F75A88.1000507@infracaninophile.co.uk> <20081016173807.64d0f24e@gumby.homeunix.com> <622D90E8-81AB-4A0A-9436-4662E33D117D@mac.com>

Chuck Swiger wrote:

> On Oct 16, 2008, at 9:38 AM, RW wrote:
>> SPF increases the probability of spam being rejected at the SMTP
>> level at MX servers, so my expectation would be that it would exacerbate
>> backscatter, not improve it.
>
> The main problem resulting in backscatter happens when forged spam
> from yourdomain.com gets sent to a legit MX server which accepts
> the mail initially, and then generates a bounce due to later spam
> checking or failed delivery to an invalid user. The bounces which
> then get generated by the legit MX are likely to pass spam checking
> at yourdomain.com.

Exactly what seems to be happening.

>> Many people recommend SPF for backscatter, but I've yet to hear a cogent
>> argument for why it helps beyond the very optimistic hope that spammers
>> will check that their spam is SPF compliant.
>
> SPF doesn't provide a magic solution to backscatter, but it helps
> simplify the problem.

It should.

> If spam can be rejected during the SMTP phase rather than accepted,
> then most spam-spewing malware simply drops the attempted message
> rather than actually sending a bounce to yourdomain.com. After all,
> the spammer is looking to deliver spam to lots of different
> mailboxes, not deliver tons of DSNs to a single mailbox or domain.
> Failing that, however, any bounces which are being generated are
> coming from, or at least closer to, the source of the spam, rather
> than coming from gmail, hotmail, etc. And if the spamming machine
> is forging your domain, then yourdomain.com MX boxes have a decent
> shot at rejecting the forgeries via hello_checks, RBLs, or other
> methods.

Thanks Chuck,

ed
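The distinction Chuck draws above, between a receiving MX that rejects a forged message during the SMTP transaction and one that accepts it and later bounces it to the forged sender, can be made concrete. The following is an added example for this thread, not code posted by anyone on the list: a minimal SPF evaluator (ip4, ip6, include and all only) driven by a constructed in-memory record table in place of DNS, plus the two receiving-MX policies side by side. The domain names, addresses and the SPF_RECORDS and VALID_USERS tables are all constructed for the example; a production MX would query TXT records per RFC 7208 through a maintained library rather than this subset.

```python
"""Why rejecting at SMTP time avoids backscatter: a minimal SPF evaluator
and two receiving-MX policies compared.

Added example for this thread, not code from the list posters. The SPF
"DNS" is a constructed in-memory table (SPF_RECORDS) so the script runs
offline; a real MX would query TXT records per RFC 7208 and would use a
maintained SPF library rather than this subset, which models only the
ip4, ip6, include and all mechanisms.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
# yourdomain.com is the domain being forged in the thread's scenario.
SPF_RECORDS = {
    "yourdomain.com": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/48 "
                      "include:_spf.example-relay.net -all",
    "_spf.example-relay.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.20 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Evaluate the SPF record for `domain` against the connecting `client_ip`.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:
        return "permerror"          # RFC 7208 caps recursive DNS-mechanism lookups
    record = SPF_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            # include matches only when the referenced record yields pass
            if check_spf(client_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"      # a/mx/ptr/exists deliberately not modelled here
    return "neutral"                # record exhausted without a match


# Constructed mailbox table of the *receiving* MX (the "legit MX server"
# in the thread), which must decide what to do with a forged message.
VALID_USERS = {"carol@legit-mx.example", "dave@legit-mx.example"}


def reject_at_smtp(client_ip, mail_from, rcpt_to):
    """Policy A: decide before accepting the message.

    Returns (smtp_code, text, dsn_to_mail_from). A 5xx here leaves the
    sending client holding the message; this MX never generates a bounce.
    """
    if rcpt_to.lower() not in VALID_USERS:
        return (550, "5.1.1 User unknown in local recipient table", False)
    domain = mail_from.rpartition("@")[2]
    if check_spf(client_ip, domain) == "fail":
        return (550, "5.7.23 SPF fail: %s is not an authorized sender for %s"
                % (client_ip, domain), False)
    return (250, "Ok", False)


def accept_then_bounce(client_ip, mail_from, rcpt_to):
    """Policy B: the behaviour that manufactures backscatter.

    The message is accepted unconditionally; when delivery later fails the
    MX emits a DSN to MAIL FROM, i.e. to whichever domain was forged.
    """
    if rcpt_to.lower() not in VALID_USERS:
        return (250, "Ok", True)    # DSN goes to the forged yourdomain.com address
    return (250, "Ok", False)


if __name__ == "__main__":
    # Forged spam "from" yourdomain.com, sent by an unauthorized host to a
    # non-existent mailbox at the receiving MX (constructed scenario).
    forged = ("192.0.2.55", "someone@yourdomain.com", "nobody@legit-mx.example")
    print("reject at SMTP    :", reject_at_smtp(*forged))
    print("accept then bounce:", accept_then_bounce(*forged))
```

Run stand-alone, the script shows the same forged message producing a 550 with no DSN under policy A and a 250 followed by a bounce to yourdomain.com under policy B. The recipient check is deliberately placed before the SPF check: an unknown-user rejection costs no DNS lookups and already removes the largest class of backscatter, while the SPF fail result covers forged senders aimed at mailboxes that do exist.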