There are 3 different type of NDR's caused by joe jobs.
 
All 3 are comming back not from spammy servers but from legit servers bouncing spam messages with wrong recipient addresses. (so far nothing new)
 
I've identified the following 3 types
 
a.) NDR with the part of the original spam message in the body (usualy the header and some lines of the original body)
In the best case some content filter is able to detect enough in this original header to catch it as spam.
As I can understand it would be usefull to have an external test that is able ot search in the body of this NDRs for IP-addresses that are part of the original header and run them against the configured IP4R tests. So this will be a task (and test) for Declude itself and not an external test.
 
b.) NDR with the original spam message as attachment
It would be usefull if Declude would be able to detect such attached messages and re-run the entire test on this attached message instead of the NDR, and the apply the resulting action to the entire NDR.
 
c.) NDR's without any source of the original message.
Difficult. Theoretically something like Declude "JoeJack" could work. Means counting the number of NDR's in a certain time range. If more then x messages between y minutes are comming in to a single users mailbox then mark this NDR's as spam.
 
Up to now this all is theory and as I've seen joe jobs are comming and going. If someone is victim of a joe job it becomes urgent until there are no more NDR's...
 
Markus
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Fisher
Sent: Friday, November 05, 2004 11:40 PM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Joe Job Filters

Does anyone have a filter that works well on stopping Joe Job bounces (preferably while not stopping legit bounces...)?

Reply via email to