Re: Undeliverable mails

2008-06-05 Thread ram

On Wed, 2008-06-04 at 18:24 +0200, Benny Pedersen wrote:
 On Wed, June 4, 2008 17:11, mouss wrote:
 
  If they can't configure their system to reject invalid recipients at
  smtp time, there is no hope that they will setup SPF checking correctly!
 
 it was also my conclusion after i have written it :-)
 

You might be surprised, but that is not exactly true. I have seen a lot
of backscatter from Cisco Ironports.
Most Ironport boxes don't do any address verification at the time of
accepting mail, and then send NDRs. But if these are getting SPF fail,
then these messages may get discarded as spam (I assume)

And this may happen with a lot of other outsourced antispam vendors too





Re: Undeliverable mails

2008-06-05 Thread Obantec Support
- Original Message - 
From: John Hardin [EMAIL PROTECTED]

To: Obantec Support [EMAIL PROTECTED]
Cc: users@spamassassin.apache.org
Sent: Wednesday, June 04, 2008 6:06 PM
Subject: Re: Undeliverable mails



On Wed, 4 Jun 2008, Obantec Support wrote:

i looked over the above and my server seems to conform but it still 
scores low on an example email.


X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on 
my.mailserver.net

X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=4.5 tests=ANY_BOUNCE_MESSAGE,AWL,
BAYES_99,BOUNCE_MESSAGE autolearn=no version=3.2.4


VBOUNCE is not intended to mark bounces as spammy by itself, it's intended 
to _identify_ them. In your delivery chain post-SA you'd look for 
ANY_BOUNCE_MESSAGE in X-Spam-Status and then either deliver to a bounces 
for review folder, or drop the message.


You could, however, add a meta-rule that adds points for messages hitting 
both ANY_BOUNCE_MESSAGE and BAYES_99, if you trust your bayes. I'd say 
that's a pretty good indicator of a bounced spam.


Perhaps:

  meta   BOUNCED_SPAM  (ANY_BOUNCE_MESSAGE && BAYES_99)
  score  BOUNCED_SPAM  4.0


how do i implement the above?

Mark


--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A sword is never a killer, it is but a tool in the killer's hands.
  -- Lucius Annaeus Seneca (Martial) 4BC-65AD
---
 14 days until SWMBO's Birthday






Re: Undeliverable mails

2008-06-05 Thread mouss

ram wrote:

You might be surprised, but that is not exactly true. I have seen a lot
of backscatter from Cisco Ironports.
Most Ironport boxes don't do any address verification at the time of
accepting mail, and then send NDRs. But if these are getting SPF fail,
then these messages may get discarded as spam (I assume)
  


discarding would not be reasonable. They can however discard the bounce 
in case of SPF/DKIM fail (or any other heuristics). but do they really 
do that? There is still a risk to discard a legitimate bounce (a lot of 
SPF records do not match reality: they may not be updated, they may 
not include all relays, ... etc). I'm not sure a vendor can take this 
road currently (they can offer this as an option, but will the admin 
ever notice or understand it?).


Also this would assume that the final server does address validation at 
smtp time. but this is not always true. so the appliance will not know 
whether the address was valid or not, and the final server sends a 
bounce after accepting the message from the appliance.



And this may happen with a lot of other outsourced antispam vendors too

  


While MSPs may have mitigation methods (Postini relays in real time 
unless the final site is down, dyndns discards mail to invalid 
recipients, ...), a lot of backscatter is generated by their customers 
(the final server accepts then bounces).





Re: Undeliverable mails

2008-06-05 Thread Benny Pedersen

On Thu, June 5, 2008 10:10, Obantec Support wrote:

   meta   BOUNCED_SPAM  (ANY_BOUNCE_MESSAGE && BAYES_99)
   score  BOUNCED_SPAM  4.0
 how do i implement the above?

put them in user_prefs or local.cf


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Undeliverable mails

2008-06-05 Thread Michelle Konzack
On 2008-06-04 10:45:20, Dan Barker wrote:
 I can read 10 messages, I can't read 200. The bounces I see are usually due
 to messages sent by my webserver (password request) by folks who type their

What about updating your Webserver script first,
to let users type the password twice?

Greetings
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack   Apt. 917  ICQ #328449886
+49/177/935194750, rue de Soultz MSN LinuxMichi
+33/6/61925193 67100 Strasbourg/France   IRC #Debian (irc.icq.com)




Re: Undeliverable mails

2008-06-04 Thread Benny Pedersen

On Wed, June 4, 2008 16:04, Jack Gostl wrote:

 Does anyone have any suggestions?

http://old.openspf.org/wizard.html?mydomain=argoscomp.com&submit=Go%21

could be a start

and use pypolicyd-spf for testing

and if you get mails from remote [EMAIL PROTECTED] then contact them if
received path match domain

undelivered mails is remote problems


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



RE: Undeliverable mails

2008-06-04 Thread Dan Barker
That's exactly what VBounce is for. If a bounce message does not contain
your MTA, it's either backscatter (safe to delete) or useless (from AOHell,
for example). If you can't track the source, you don't need to see it. I get
about 10 legitimate bounces a day, and VBounce takes care of about 200
backscatter.
 
I can read 10 messages, I can't read 200. The bounces I see are usually due
to messages sent by my webserver (password request) by folks who type their
email address incorrectly. The Backscatter was a big problem until I started
using the VBounce rules.
 
Trying to educate the sysadmins producing the backscatter is a hopeless
cause (imo).
 
Dan

  _  

From: Jack Gostl [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 04, 2008 10:05 AM
To: spam
Subject: Undeliverable mails


I'm not sure if this can even be handled, but I thought I'd put it out
there.
 
Someone is using our email address to originate spam. We are getting bombed
with Mail undeliverable etc. messages from failed spam delivery attempts.
This morning I checked my inbox and found almost 100 of these since last
night.
 
I'm not sure what can be done about this. I'm a bit squeamish about just
knocking this stuff out in procmail.
 
Does anyone have any suggestions?
 


RE: Undeliverable mails

2008-06-04 Thread Benny Pedersen

On Wed, June 4, 2008 16:45, Dan Barker wrote:

 Trying to educate the sysadmins producing the backscatter is a hopeless
 cause (imo).

first problem to solve is bounce and not reject

if sysadmins wonder why their server bounces a lot of mail we could reduce the
problem there

maybe i am ignorant on that spf is helpful it is when used, but if not used
its not much help :/


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Undeliverable mails

2008-06-04 Thread mouss

Benny Pedersen wrote:

On Wed, June 4, 2008 16:45, Dan Barker wrote:

  

Trying to educate the sysadmins producing the backscatter is a hopeless
cause (imo).



first problem to solve is bounce and not reject
  


you mean the opposite.

if sysadmins wonder why their server bounces a lot of mail we could reduce the
problem there
  


Many don't even know about it until they get a lot of complaints or 
their server crashes because of the bounce handling, or is blocklisted...
and while you can try to educate those who were detected to generate 
backscatter, it's impossible to educate those who will setup new servers 
in the future! The need for a license to administer a mail server should 
be required :)



maybe i am ignorant on that spf is helpful it is when used, but if not used
its not much help :/
  


If they can't configure their system to reject invalid recipients at 
smtp time, there is no hope that they will setup SPF checking correctly!




Re: Undeliverable mails

2008-06-04 Thread Obantec Support


- Original Message - 
From: Benny Pedersen [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Wednesday, June 04, 2008 3:17 PM
Subject: Re: Undeliverable mails




On Wed, June 4, 2008 16:04, Jack Gostl wrote:


Does anyone have any suggestions?


http://old.openspf.org/wizard.html?mydomain=argoscomp.com&submit=Go%21

could be a start


i looked over the above and my server seems to conform but it still scores 
low on an example email.


X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on my.mailserver.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=4.5 tests=ANY_BOUNCE_MESSAGE,AWL,
BAYES_99,BOUNCE_MESSAGE autolearn=no version=3.2.4

Mark


and use pypolicyd-spf for testing

and if you get mails from remote [EMAIL PROTECTED] then contact them if
received path match domain

undelivered mails is remote problems


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098






Re: Undeliverable mails

2008-06-04 Thread Benny Pedersen

On Wed, June 4, 2008 17:11, mouss wrote:

 If they can't configure their system to reject invalid recipients at
 smtp time, there is no hope that they will setup SPF checking correctly!

it was also my conclusion after i have written it :-)


Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: Undeliverable mails

2008-06-04 Thread John Hardin

On Wed, 4 Jun 2008, Obantec Support wrote:

i looked over the above and my server seems to conform but it still scores 
low on an example email.


X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on my.mailserver.net
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=4.5 tests=ANY_BOUNCE_MESSAGE,AWL,
BAYES_99,BOUNCE_MESSAGE autolearn=no version=3.2.4


VBOUNCE is not intended to mark bounces as spammy by itself, it's intended 
to _identify_ them. In your delivery chain post-SA you'd look for 
ANY_BOUNCE_MESSAGE in X-Spam-Status and then either deliver to a bounces 
for review folder, or drop the message.


You could, however, add a meta-rule that adds points for messages hitting 
both ANY_BOUNCE_MESSAGE and BAYES_99, if you trust your bayes. I'd say 
that's a pretty good indicator of a bounced spam.


Perhaps:

  meta   BOUNCED_SPAM  (ANY_BOUNCE_MESSAGE && BAYES_99)
  score  BOUNCED_SPAM  4.0

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  A sword is never a killer, it is but a tool in the killer's hands.
  -- Lucius Annaeus Seneca (Martial) 4BC-65AD
---
 14 days until SWMBO's Birthday
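
The post-SpamAssassin routing step described in the message above, as an added example that is not part of the original post or of SpamAssassin: it reads the folded X-Spam-Status header and picks a destination. The folder names, the `drop_bounced_spam` switch and the sample message are assumptions made for the illustration, and the header is assumed to have been written by your own SpamAssassin run.

```python
import email
import re

# Constructed sample; the X-Spam-* headers mirror the ones quoted in this thread.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: user@example.org
Subject: Undelivered Mail Returned to Sender
X-Spam-Level: ***
X-Spam-Status: No, score=3.6 required=4.5 tests=ANY_BOUNCE_MESSAGE,AWL,
\tBAYES_99,BOUNCE_MESSAGE autolearn=no version=3.2.4

This is the mail system at host mx.example.net.
"""


def spam_status(raw_message):
    """Return (is_spam, rule_names) from the first X-Spam-Status header."""
    header = email.message_from_string(raw_message).get("X-Spam-Status", "")
    # Unfold the header, then close the gap a fold leaves inside the
    # comma-separated tests list (a line break after "AWL," in the sample).
    flat = re.sub(r",\s+", ",", " ".join(header.split()))
    is_spam = flat.lower().startswith("yes")
    tests = set()
    for token in flat.split():
        if token.startswith("tests="):
            names = token[len("tests="):].split(",")
            tests = {n for n in names if n and n != "none"}
    return is_spam, tests


def route(raw_message, drop_bounced_spam=False):
    """Pick a destination (hypothetical folder names) for one scanned message."""
    is_spam, tests = spam_status(raw_message)
    if "ANY_BOUNCE_MESSAGE" in tests:
        # Same condition as the BOUNCED_SPAM meta rule: bounce AND BAYES_99.
        if drop_bounced_spam and "BAYES_99" in tests:
            return "drop"
        return "bounces-for-review"
    return "spam" if is_spam else "inbox"


if __name__ == "__main__":
    print(route(SAMPLE_BOUNCE))
    print(route(SAMPLE_BOUNCE, drop_bounced_spam=True))
```
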


Re: Undeliverable mails

2008-06-04 Thread Jeff Chan
On Wednesday, June 4, 2008, 7:04:50 AM, Jack Gostl wrote:
 I'm not sure if this can even be handled, but I thought I'd put it out there.

 Someone is using our email address to originate spam. We are
 getting bombed with Mail undeliverable etc. messages from
 failed spam delivery attempts. This morning I check my inbox
 and found almost 100 of these since last night.

 I'm not sure what can be done about this. I'm a bit squeamish
 about just knocking this stuff out in procmail.

 Does anyone have any suggestions?


Check out Justin's blog:

 http://taint.org/2007/01/10/141434a.html

 taint.org: Justin Mason’s Weblog
 How to deal with joe-jobs and massive bounce storms

 January 10, 2007 at 2:14 pm

 As I’ve noted before, we still have a major problem with sites
 generating bounce/backscatter storms in response to forged mail
 — whether deliberately targeted, as a “Joe-Job”, or as a
 side-effect attempts to evade over-simplistic sender address
 verification as seen in spam, viruses, and so on.
[...]


It helped us.

Jeff C.
-- 
Jeff Chan
mailto:[EMAIL PROTECTED]
http://www.surbl.org/