RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-07 Thread Jim Comerford
What is the recommended entry in global.cfg for this filter... Does it also
need an entry in $default$.junkmail file(s)?

Thanks,
Jim Comerford

Successful Business Solutions, Inc.
PO Box 310
Gillette, NJ 07933


phone 908-322-5123
fax 908-517-9318
[EMAIL PROTECTED]
www.sbsnet.com

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



Re: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-07 Thread Darin Cox
Hi Kevin,

This doesn't have anything to do with incoming mail servers, only outgoing.
Also, there should be just one SPF record per domain.

So assuming you send mail for myriadnetwork.com as well, and either domain
can send outbound mail through any of the servers listed in the MX records
for both domains, then you would want exactly two SPF DNS TXT records:

SPF record for rogersbenefit.com
rogersbenefit.com. IN TXT "v=spf1 mx:rogersbenefit.com mx:myriadnetwork.com ~all"

SPF record for myriadnetwork.com
myriadnetwork.com. IN TXT "v=spf1 mx:rogersbenefit.com mx:myriadnetwork.com ~all"

Note that if your outbound mail servers are different from your MX records,
then the above records are incorrect.

You can restrict this further if you have only one server that sends
outbound mail, as you mentioned, but this gives you the flexibility to use
any of the servers listed as the MX for outbound mail for the two domains.

Note that the SPF records are specified as soft fail.  If you are certain
that no other server will send mail for those domains, then you can change
soft fail (~all) to hard fail (-all).

Hope this helps,

Darin.
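
Added example, not part of Darin's message or of any Declude code: a small offline SPF evaluator in Python that runs the two records above against a legitimate and a forged sending IP, and shows what changes between ~all and -all, when a domain has no record, and when it has two. The IP addresses, the MX layout and the function names are assumptions made for the example; only the host names and record text come from the thread, and only the a, mx, ip4 and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS. Host names echo the thread; the MX layout and
# the documentation-range IP addresses are assumptions made for this example.
MX = {
    "rogersbenefit.com": ["mail.rogersbenefit.com", "mx2.myriadnetwork.com"],
    "myriadnetwork.com": ["mx2.myriadnetwork.com"],
}
A = {
    "mail.rogersbenefit.com": ["192.0.2.10"],
    "mx2.myriadnetwork.com": ["198.51.100.20"],
}
SPF = "v=spf1 mx:rogersbenefit.com mx:myriadnetwork.com ~all"
TXT = {"rogersbenefit.com": [SPF], "myriadnetwork.com": [SPF]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(domain, txt):
    """TXT strings published at domain that are SPF version 1 records."""
    return [r for r in txt.get(domain, [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def parse_terms(record):
    """Split a record into (qualifier, mechanism, argument) tuples."""
    terms = []
    for raw in record.split()[1:]:
        if "=" in raw.partition(":")[0]:
            continue  # modifiers such as redirect= are not evaluated here
        has_qualifier = raw[0] in QUALIFIERS
        qualifier = raw[0] if has_qualifier else "+"
        name, _, arg = (raw[1:] if has_qualifier else raw).partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def hosts_to_ips(hosts):
    return {ip for host in hosts for ip in A.get(host, [])}


def matches(name, arg, domain, ip):
    """True when the connecting IP satisfies one mechanism."""
    target = arg or domain  # a bare "a" or "mx" refers to the sender domain
    if name == "all":
        return True
    if name == "a":
        return ip in hosts_to_ips([target])
    if name == "mx":
        return ip in hosts_to_ips(MX.get(target, []))
    if name == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    return False  # include, exists, ptr and ip6 are outside this example


def check_host(ip, domain, txt=TXT):
    """Result a receiver would get for a MAIL FROM domain and connecting IP."""
    records = spf_records(domain, txt)
    if not records:
        return "none"       # nothing published: the receiver learns nothing
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error, not a union
    for qualifier, name, arg in parse_terms(records[0]):
        if matches(name, arg, domain, ip):
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"


def with_policy(domain, records):
    """Copy of TXT with the given list of records published at domain."""
    table = dict(TXT)
    table[domain] = list(records)
    return table


def demo():
    domain = "rogersbenefit.com"
    legit = "198.51.100.20"   # constructed address of mx2.myriadnetwork.com
    forged = "203.0.113.99"   # constructed address of an unrelated sender
    hard = SPF.replace("~all", "-all")
    return {
        "legit_softfail_policy": check_host(legit, domain),
        "forged_softfail_policy": check_host(forged, domain),
        "forged_hardfail_policy": check_host(forged, domain, with_policy(domain, [hard])),
        "forged_no_record": check_host(forged, domain, with_policy(domain, [])),
        "two_records": check_host(legit, domain, with_policy(domain, [SPF, hard])),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

What a receiving server does with a softfail or fail result (tag, reject during the SMTP session, or accept and bounce later) is its own local policy; the record only publishes which hosts are authorized.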





RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-04 Thread David Barker
I have posted the backscatter filters we use under the download section of
Declude, any feedback is welcome.


David B

 


Re: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Kevin Rogers
I'm looking for a little help creating SPF records.  I'm trying to use 
the tools at openspf.org.
We only have one server that sends out mail for our domain.  We have a 
secondary server that accepts email sent to our domain if our primary 
server is down (myriadnetwork.com).  After going through the creation 
tool, it generated:


To be put in our zone file:
rogersbenefit.com. IN TXT "v=spf1 a mx mx:rogersbenefit.com ~all"

To be put in our DNS records:
mail.rogersbenefit.com. IN TXT "v=spf1 a -all"
mx2.myriadnetwork.com. IN TXT "v=spf1 a -all"

We host our DNS records at Network Solutions.  If anyone else uses 
NetSol for the DNS records, how do we go about adding these lines to our 
DNS records?  And also, is it recommended to use the "all" modifier or not?


Kevin





RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Colbeck, Andrew
Symantec says that backscatter-as-deliberate-spam-technique is back in
vogue. See their April State of Spam Report
 
http://www.symantec.com/enterprise/security_response/weblog/2008/04/post_8.html
 
 
Andrew.
 
 






RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Jim Comerford
... but I noticed the domains that we were seeing this with did not have any
SPF records in place.  So when I saw this sudden increase come through, I
added a strict SPF policy for that domain.  The backscatter for that domain
all but stopped.  ... 

 

Good thing to check... the latest domain to get hit did NOT have an SPF
record (and this seems to have been the worst so far)... BUT MOST of the
ones that did get hit - did have an SPF record and we still get backscatter.

 

We typically add SPF on all domains.. but in reviewing we had missed a
couple of them.

 

Hopefully the Filter that David is referring to will help.




RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread David Barker
The filter deals with Backscatter. Jon, is the issue you are talking about
your mail server bouncing messages?

 


RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Jon Lucas
Will the filter keep spoofed email senders from getting into the queue
manager in IMail?  the format I am seeing is like
bipweks@mailto:[EMAIL PROTECTED] Behalf Of David
Barker
  Sent: Thursday, April 03, 2008 12:25 PM
  To: declude.junkmail@declude.com
  Subject: RE: [Declude.JunkMail] Forged-Spam Backscatter


  We use 2 filters to address the issue which work well for us. I will make
them available on our website this week.

  David  B




RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Todd Richards
Jim -

 

I'm running the exact same set up as you are.  We had the same problem about
two weeks ago.  I don't know if this made much difference or not, but I
noticed the domains that we were seeing this with did not have any SPF
records in place.  So when I saw this sudden increase come through, I added
a strict SPF policy for that domain.  The backscatter for that domain all
but stopped.  A few days later, a different domain was targeted - without an
SPF record - and adding one seemed to cure that.  This happened a few more
times, with the results all the same.

 

I'm not at an expert level to say whether this did or did not do the trick.
Perhaps it was just coincidental.  All the new domains that are set up and
running services through us get strict SPF records put in place from the
start.  However, the older domains that have been around for a while - that
didn't have SPF in place - were the ones that seemed to have had the
problem.  And since then, we haven't had any more problems with that.

 

I can't say for sure that them having their email addresses on their
websites was the problem for sure or not.  For what it's worth, my "new"
policy is to not put email addresses on public websites.

 

Anyway, just thought I would throw that out there.  

 

Todd

 

 


Re: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Herb Guenther
Same here, we normally run 100 or so messages a min @ 70% spam, now
seeing peaks of 400-500 @ 97%.  Seems much worse in the last 2 weeks or
so.  I think that we all have lots of company.


Herb





--
Herb Guenther
Lanex, LLC
www.lanex.com
(262)789-0966x102 Office
(262)780-0424 Cell (off hours or if out of office)





RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread David Barker
We use 2 filters to address the issue which work well for us. I will make
them available on our website this week.

David  B

 


RE: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Craig Edmonds
I have been having exactly the same problem on both mail servers.

 

Both are.

 

Imail 8.15

Declude 4.3.64

 invURIBL 3.1.1

 Sniffer

 

Kindest Regards
Craig Edmonds
123 Marbella Internet
W: www.123marbella.net
 


Re: [Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Darrell ([EMAIL PROTECTED])

Jim,

While others may cringe regarding this, but some of the backscatter I 
have had to deal with (excess of 500-1000 messages a minute at times) I 
have had to put filters in place to delete null senders for periods of time.


Darrell



--
--
Check out http://www.invariantsystems.com for utilities for Declude, 
Imail, mxGuard, and ORF.  IMail/Declude Overflow Queue Monitoring, 
SURBL/URI integration, MRTG Integration, and Log Parsers.






[Declude.JunkMail] Forged-Spam Backscatter

2008-04-03 Thread Jim Comerford
Over the last several weeks we have seen a dramatic increase in spam hitting
our server.  From about 70,000 mails a day to around 110,000 /day.
 
Most destined for our users is getting properly filtered by declude.
 
What is getting thru is backscatter from spam that is forging addresses from
domains we host.  It seems just about any address that is posted on a
website seems to be being used to forge outgoing spam (not from our server)
-- and is generating all sorts of bounce messages.
 
I suspect there is not much I can do to block this backscatter without
blocking legit bounce messages... but I thought I'd ask.
 
Here is our config:
Imail 8.22
Declude 4.3.64
invURIBL 3.1.1
Sniffer

