Date: Thu, 16 Oct 2008 12:22:18 -0500
From: eculp@casasponti.net
To: freebsd-questions@freebsd.org
Subject: Re: I've just found a new and interesting spam source - legitimate bounce messages
Message-ID: <20081016122218.17qwm4xcs6kgwg88w@intranet.casasponti.net>
In-Reply-To: <9D30C77B8D64AF7622CA19B6@utd65257.utdallas.edu>
References: <20081016090102.17qwm4xcs6f4so8ok@intranet.casasponti.net> <9D30C77B8D64AF7622CA19B6@utd65257.utdallas.edu>

Paul Schmehl <pauls@utdallas.edu> wrote:

> --On Thursday, October 16, 2008 09:01:02 -0500 eculp@casasponti.net wrote:
>
>>
>> In the last hour, I've received over 200 legitimate bounce messages
>> from email services as a result of someone having used or worse is
>> using my email address in spam from multiple Windows machines and IP
>> addresses.  The end result is that I am getting the bounce messages.
>> I'm sure that others on this list have experienced the problem and
>> maybe have a solution that I don't have.
>>
>> The messages are allowed through my obspamd/pf and pf smtp bruteforce
>> blocking rules because they are completely legit.
>>
>> I guess the workaround is to filter them on incoming together with
>> our local bounce messages until the spammers get tired of my address.
>>
>
> We call those "bounceback spam".  The only solution that I know of
> is to tag all outgoing messages with a special header and then check
> for that header on all returns and reject those that don't contain
> the header.  All legitimate bounces would contain the header because
> they originated with your MTA.
>
> E.g. X-Bounceback-Check: 0987923874

I have added headers for years but unfortunately these didn't
originate on my servers.  My email address was used as the return
address for spam sent from multiple Windows machines to .ru addresses.

Thanks for the suggestion, Paul.

ed

>
> The value of the header can be anything you want it to be, and you
> can change it periodically if you want to keep statistical data.
>
> --
> Paul Schmehl (pauls@utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
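
The header check described in the quoted reply, as an added example that is not part of the original thread or anyone's production filter. The function names, the second token value, the `Return-Path: <>` test for "this is a bounce" and the sample message are assumptions constructed for illustration; a bounce that does not return the original headers at all is rejected too.

```python
import email
from email import policy

HEADER = "X-Bounceback-Check"                 # header name from the thread
VALID_TOKENS = {"0987923874", "4410027316"}   # thread's value + a constructed older value

def returned_originals(bounce):
    """Yield the header set of each original message embedded in a bounce."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            inner = part.get_payload()
            if isinstance(inner, list) and inner:
                yield inner[0]
        elif ctype == "text/rfc822-headers":     # headers-only return
            text = part.get_content() + "\n"
            yield email.message_from_string(text, policy=policy.default)

def classify(raw):
    """Return 'not-a-bounce', 'accept' or 'reject' for one incoming message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if str(msg.get("Return-Path", "")).strip() != "<>":
        return "not-a-bounce"                    # check applies to null-sender mail only
    for original in returned_originals(msg):
        if str(original.get(HEADER, "")).strip() in VALID_TOKENS:
            return "accept"                      # the original carried our tag
    return "reject"                              # forged sender, or original not returned

# Constructed sample bounce; {extra} is one more header line of the returned original.
SAMPLE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to rcpt@example.com failed: user unknown.
--b1
Content-Type: text/rfc822-headers

From: user@example.org
{extra}
--b1--
"""

if __name__ == "__main__":
    for extra in ("X-Bounceback-Check: 0987923874", "X-Mailer: constructed"):
        print(extra, "->", classify(SAMPLE.format(extra=extra)))
```

Keeping more than one value in `VALID_TOKENS` lets bounces for mail sent before a periodic change of the header value still pass.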