Re: Dramatic increase in bounce messages to forged addresses
Benny Pedersen wrote:
> On Wed, April 2, 2008 21:34, mouss wrote:
>> Anyone knows if backscatterer.org list is safe? If so, one can reject
>> mail if the envelope sender is empty and the client is listed there.
>
> http://rfc-ignorant.org/policy-dsn.php

I've posted to rfc-discuss to get this clarified. I would prefer if the part that says

    If the rejection message clearly indicates the reason for denial as not being something related to the null-envelope (or above-mentioned timeout) ("{ip} rejected as listed on the MAPS RBL", etc.), then that spam-blocking shall not be considered grounds to list a domain.

is extended so that dsn listing would not apply if a "reasonable" criteria is used.
Re: Dramatic increase in bounce messages to forged addresses
On Wed, April 2, 2008 21:34, mouss wrote:
> Anyone knows if backscatterer.org list is safe? If so, one can reject
> mail if the envelope sender is empty and the client is listed there.

http://rfc-ignorant.org/policy-dsn.php

Benny Pedersen
Re: Dramatic increase in bounce messages to forged addresses
On Thu, 3 Apr 2008, Michael Scheidell wrote:
> I say death penalty to spammers.

That's going to be the only truly effective solution.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The question of whether people should be allowed to harm themselves is simple. They *must*. -- Charles Murray
---
10 days until Thomas Jefferson's 265th Birthday
Re: Dramatic increase in bounce messages to forged addresses
--
Michael Scheidell, CTO >|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium

> From: Mark Martinec <[EMAIL PROTECTED]>
> Organization: J. Stefan Institute
> Date: Thu, 3 Apr 2008 14:09:51 +0200
> To:
> Subject: Re: Dramatic increase in bounce messages to forged addresses
>
>> Yes, we have also seen it on many of our clients domains.
>
> Same here.
>
> Does anyone have operational experience with a scheme of labeling
> envelope sender addresses to recognize legitimate bounces to own mail,
> such as the BATV scheme (Bounce Address Tag Validation):
> http://mipassoc.org/batv/
> http://sourceforge.net/projects/batv-milter
>
> What does such a scheme break? Do any mailing list management sw
> use envelope sender address for membership verification (instead of
> using author address in a From header field, or maybe in Sender)?
>

Also looks like it would 100% break CR systems. Originating email address would be new every day, would send a challenge every day, if response is in form of email reply (if user didn't have web access) email sent back might have different name in it also.

Would break whitelisting, etc.

Good effort, and vbounce only helps 'a little' and is a royal pain to set up on 600 servers, all using different domains, all using different outbound vs mx records.

I say death penalty to spammers.
Re: Dramatic increase in bounce messages to forged addresses
Hi Mark,

At 05:09 03-04-2008, Mark Martinec wrote:
> Does anyone have operational experience with a scheme of labeling
> envelope sender addresses to recognize legitimate bounces to own mail,
> such as the BATV scheme (Bounce Address Tag Validation):
> http://mipassoc.org/batv/
> http://sourceforge.net/projects/batv-milter
>
> What does such a scheme break? Do any mailing list management sw

As someone else pointed out, it can be a problem if the receiving end implements greylisting. It may also be a problem if mail from the domain doesn't always go through the outbound servers that do the tagging. You might also run into problems if the receiving end does any validation based on the envelope sender.

If your mail server is overwhelmed by bounces, BATV can help to reduce the load as, unlike SPF, it doesn't rely on the other end implementing the technology.

Regards,
-sm
Re: Dramatic increase in bounce messages to forged addresses
Mark Martinec writes:
> > Yes, we have also seen it on many of our clients domains.
>
> Same here.
>
> Does anyone have operational experience with a scheme of labeling
> envelope sender addresses to recognize legitimate bounces to own mail,
> such as the BATV scheme (Bounce Address Tag Validation):
> http://mipassoc.org/batv/
> http://sourceforge.net/projects/batv-milter
>
> What does such a scheme break? Do any mailing list management sw
> use envelope sender address for membership verification (instead of
> using author address in a From header field, or maybe in Sender)?

Embarrassingly, BATV breaks the ASF's ezmlm setup, which relies on the MAIL FROM address to determine sender identity and list membership. I think that's a bug in the ASF code.

Apparently it's otherwise quite useful, but you will need to maintain a "whitelist" of BATV-excluded recipients...

--j.
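To make the BATV discussion in the messages above concrete, here is an added sketch (written for this archive page, not posted by any participant and not the batv-milter code) of prvs-style tagging, bounce checking, and the exemption list for recipients that identify senders by MAIL FROM. The tag layout follows the BATV draft's prvs scheme as understood here; the key, addresses, list name and 7-day lifetime are constructed assumptions.

```python
import hashlib
import hmac
import time

DAY = 86400
MAX_LIFETIME = 7  # days a tag stays valid (assumed policy value)

def _mac(key, key_num, day, addr):
    # First 3 bytes of HMAC-SHA1 over key number, expiry day and original address.
    msg = f"{key_num}{day:03d}{addr}".encode()
    return hmac.new(key, msg, hashlib.sha1).digest()[:3].hex()

def batv_sign(addr, key, key_num=0, now=None):
    """Rewrite local@domain into prvs=KDDDSSSSSS=local@domain."""
    now = time.time() if now is None else now
    day = (int(now // DAY) + MAX_LIFETIME) % 1000  # expiry day, modulo 1000
    return f"prvs={key_num}{day:03d}{_mac(key, key_num, day, addr)}={addr}"

def envelope_sender(addr, rcpt, key, exempt, now=None):
    """Tag MAIL FROM unless the recipient identifies senders by envelope address."""
    return addr if rcpt.lower() in exempt else batv_sign(addr, key, now=now)

def batv_check(rcpt, keys, now=None):
    """Return (verdict, original address or None) for a bounce recipient."""
    now = time.time() if now is None else now
    if not rcpt.lower().startswith("prvs="):
        return "untagged", None
    tag, sep, addr = rcpt[5:].partition("=")
    if not sep or len(tag) != 10 or not (tag[:4].isascii() and tag[:4].isdigit()):
        return "malformed", None
    key_num, day, sig = int(tag[0]), int(tag[1:4]), tag[4:].lower()
    key = keys.get(key_num)
    if key is None or not hmac.compare_digest(
            sig.encode(), _mac(key, key_num, day, addr).encode()):
        return "forged", None
    # Days left until expiry, modulo 1000; a stale tag wraps to a large value.
    if (day - int(now // DAY)) % 1000 > MAX_LIFETIME:
        return "expired", None
    return "valid", addr

def accept_bounce(mail_from, rcpt, keys, now=None):
    """Null-sender mail (a DSN) is accepted only for a validly tagged recipient."""
    if mail_from not in ("", "<>"):
        return True  # not a bounce; BATV says nothing about it
    return batv_check(rcpt, keys, now)[0] == "valid"

if __name__ == "__main__":
    KEYS = {0: b"constructed-demo-key"}          # constructed key
    EXEMPT = {"dev-list@lists.example.net"}      # constructed exemption list
    T0 = 1207224000                              # a time on 3 Apr 2008
    tagged = envelope_sender("mark@example.org", "bob@example.com", KEYS[0], EXEMPT, T0)
    print(tagged, batv_check(tagged, KEYS, T0))
    print("backscatter accepted:", accept_bounce("<>", "mark@example.org", KEYS, T0))
```

Because the tag embeds an expiry day, the envelope sender changes over time, which is why greylisting and challenge-response systems keyed on the sender address see a "new" sender, as the posters note.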
Re: Dramatic increase in bounce messages to forged addresses
> > Yes, we have also seen it on many of our clients domains.

On 03.04.08 14:09, Mark Martinec wrote:
> Does anyone have operational experience with a scheme of labeling
> envelope sender addresses to recognize legitimate bounces to own mail,
> such as the BATV scheme (Bounce Address Tag Validation):
> http://mipassoc.org/batv/
> http://sourceforge.net/projects/batv-milter
>
> What does such a scheme break? Do any mailing list management sw
> use envelope sender address for membership verification (instead of
> using author address in a From header field, or maybe in Sender)?

it's quite possible. I am afraid of greylisting problems instead...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
Re: Dramatic increase in bounce messages to forged addresses
> Yes, we have also seen it on many of our clients domains.

Same here.

Does anyone have operational experience with a scheme of labeling envelope sender addresses to recognize legitimate bounces to own mail, such as the BATV scheme (Bounce Address Tag Validation):
http://mipassoc.org/batv/
http://sourceforge.net/projects/batv-milter

What does such a scheme break? Do any mailing list management sw use envelope sender address for membership verification (instead of using author address in a From header field, or maybe in Sender)?

Mark
Re: Dramatic increase in bounce messages to forged addresses
Yes, we have also seen it on many of our clients domains. Vbounce helps.

--
Michael Scheidell, CTO >|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium
Re: Dramatic increase in bounce messages to forged addresses
Matus UHLAR - fantomas wrote:
>> On Wed, 2 Apr 2008, Justin Mason wrote:
>>> John Hardin writes:
>>>> On Tue, 1 Apr 2008, William Terry wrote:
>>>>> Is there anything I can do to mitigate this?
>>>> Do you publish SPF records?
>>> Logically this should have an effect, but in real-world terms, it
>>> doesn't. So don't worry about it.
>
> On 02.04.08 09:06, John Hardin wrote:
>> Sure it won't if nobody ever publishes any SPF records.
>
> and they don't publish SPF since "nobody uses them"
> and they don't use SPF because "spammers also use SPF" which they understand
> as "SPF is useless"

some people don't publish SPF because there are not enough incentives to do so. Other people don't publish SPF because they don't want to! some even remove the records they published before:
http://www.circleid.com/posts/spf_loses_mindshare/

anyway, I don't think this list is appropriate for debating SPF pros and cons...

> people are sometimes incredibly dumb when it comes to technologies.
>
>>> Instead, try enabling the vbounce ruleset...
>> Certainly, do that. But *also* publish SPF records so that the people who
>> *do* check SPF have a chance to reject forgeries proactively.
>
> Agreed, just do it.
Re: Dramatic increase in bounce messages to forged addresses
> On Wed, 2 Apr 2008, Justin Mason wrote:
>
> >John Hardin writes:
> >>On Tue, 1 Apr 2008, William Terry wrote:
> >>
> >>>Is there anything I can do to mitigate this?
> >>
> >>Do you publish SPF records?
> >
> >Logically this should have an effect, but in real-world terms, it
> >doesn't. So don't worry about it.

On 02.04.08 09:06, John Hardin wrote:
> Sure it won't if nobody ever publishes any SPF records.

and they don't publish SPF since "nobody uses them"
and they don't use SPF because "spammers also use SPF" which they understand as "SPF is useless"

people are sometimes incredibly dumb when it comes to technologies.

> >Instead, try enabling the vbounce ruleset...
>
> Certainly, do that. But *also* publish SPF records so that the people who
> *do* check SPF have a chance to reject forgeries proactively.

Agreed, just do it.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
Re: Dramatic increase in bounce messages to forged addresses
Jo Rhett wrote:
> On Apr 2, 2008, at 12:34 PM, mouss wrote:
>> no tuning on your side will help solving problems at the other side.
>> For example, I found that hotmail cache the value
>
> Yes, they cache the results of that DNS query for exactly how long you
> tell them to.

This is not my observation. After moving the MTA to another box, hotmail started discarding mail. testing for more than two weeks didn't change anything. I never set up a TTL of two weeks. I have already seen "abusive" dns cache at large sites. this is why I suspect this was a cache issue. but I may be wrong. Anyway, other broken spf implementations/setups were reported. so I am not very confident...

> If you want the SPF record cached less, reduce the TTL on that record.

I don't remember, but I think it was 12 or 24 hours. that's less than 2 weeks even counting jet lag around the globe.
Re: Dramatic increase in bounce messages to forged addresses
On Apr 2, 2008, at 12:34 PM, mouss wrote:
> no tuning on your side will help solving problems at the other side.
> For example, I found that hotmail cache the value

Yes, they cache the results of that DNS query for exactly how long you tell them to.

If you want the SPF record cached less, reduce the TTL on that record.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Dramatic increase in bounce messages to forged addresses
Martin Gregorie wrote:
> On Wed, 2008-04-02 at 10:08, Justin Mason wrote:
>> John Hardin writes:
>>> On Tue, 1 Apr 2008, William Terry wrote:
>>>> Is there anything I can do to mitigate this?
>>> Do you publish SPF records?
>> Logically this should have an effect, but in real-world terms, it doesn't.
>> So don't worry about it.
>
> SPF has worked well for me, but it has to be set up right.
>
> Use http://www.kitterman.com/spf/validate.html to define and test your
> SPF record.

no tuning on your side will help solving problems at the other side. For example, I found that hotmail cache the value and if you add an authorized MTA, it won't be accepted (hotmail silently discarded mail from the new MTA, so I had to relay hotmail mail using the old MTA). I suspect there are other brokerage out there, and this doesn't encourage me to setup SPF records anymore...

Problems are better solved at the source. we hope that misconfigured sites will be informed and will fix their setup. If not, blacklisting seems to be the only way (as even filtering isn't effective since some NDRs do not contain enough information).

Anyone knows if backscatterer.org list is safe? If so, one can reject mail if the envelope sender is empty and the client is listed there.
Re: Dramatic increase in bounce messages to forged addresses
On Wed, 2008-04-02 at 10:08, Justin Mason wrote:
> John Hardin writes:
> > On Tue, 1 Apr 2008, William Terry wrote:
> >
> > > Is there anything I can do to mitigate this?
> >
> > Do you publish SPF records?
>
> Logically this should have an effect, but in real-world terms, it doesn't.
> So don't worry about it.
>

SPF has worked well for me, but it has to be set up right.

Use http://www.kitterman.com/spf/validate.html to define and test your SPF record.

Martin
Re: Dramatic increase in bounce messages to forged addresses
On Wed, 2 Apr 2008, Justin Mason wrote:
> John Hardin writes:
>> On Tue, 1 Apr 2008, William Terry wrote:
>>> Is there anything I can do to mitigate this?
>> Do you publish SPF records?
>
> Logically this should have an effect, but in real-world terms, it
> doesn't. So don't worry about it.

Sure it won't if nobody ever publishes any SPF records.

> Instead, try enabling the vbounce ruleset...

Certainly, do that. But *also* publish SPF records so that the people who *do* check SPF have a chance to reject forgeries proactively.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Public Education: the bureaucratic process of replacing an empty mind with a closed one. -- Thorax
---
11 days until Thomas Jefferson's 265th Birthday
Re: Dramatic increase in bounce messages to forged addresses
>> i see other types of backscatter that could be solved by using spf
>
> only if spammers check spf before forging addresses, which I doubt...

I can say that since I started publishing SPF records at $DAYJOB we've seen a gigantic reduction in backscatter. I think many spammers do try to avoid using forged addresses from domains that publish DKIM/SPF records; that's a simple check they can run to increase the chance of their spew hitting inboxes instead of /dev/null.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"Jon, the CIA's credibility has never been lower. Crazy people no longer believe the CIA is implanting a chip in their heads to listen to their dreams. They just don't think they can pull it off. It's a sad day for America when even our paranoid schizophrenics realize they don't need to wear the aluminum foil hats anymore." -- Ed Helms, "The Daily Show"
Re: Dramatic increase in bounce messages to forged addresses
On Wed, 2008-04-02 at 10:42 +0200, mouss wrote:
> Benny Pedersen wrote:
> > On Wed, April 2, 2008 02:06, William Terry wrote:
> >
> >> I mostly lurk here, gleaning bits of wisdom from those far more
> >> knowledgeable than me, however...
> >>
> >
> > i have no clue either :-)
> >
> >
> >> I am getting a dramatic increase in bounce messages with my domain
> >> forged sent to me. At least some of the messages still retain the
> >> headers so I can tell that we did not originate the message. I also
> >> know that there is probably little I can do to keep them coming.
> >>
> >
> > http://openspf.org/ one could add spf to domain, and hope bouncers get a
> > clue
> > when bouncing and not rejecting spam :/
> >
> >
>
> if they had a clue, they wouldn't accept-then-bounce.
> >> I'm just wondering if anyone else is seeing a dramatic rise in these
> >> messages? Is there anything I can do to mitigate this?
> >>
> >
> > i see other types of backscatter that could be solved by using spf
> >
>
> only if spammers check spf before forging addresses, which I doubt...

I think they do. Because a SPF_FAIL would land their mail in spam folders.

I have been flooded with backscatter before on domains that didn't have SPF records. The moment I put SPF records I saw backscatter disappear. It may have been coincidental that spammers stopped forging that domain and moved on.

BTW, how does vbounce work? Is there a good link somewhere?
Re: Dramatic increase in bounce messages to forged addresses
John Hardin writes:
> On Tue, 1 Apr 2008, William Terry wrote:
>
> > Is there anything I can do to mitigate this?
>
> Do you publish SPF records?

Logically this should have an effect, but in real-world terms, it doesn't. So don't worry about it.

Instead, try enabling the vbounce ruleset...

--j.
Re: Dramatic increase in bounce messages to forged addresses
Benny Pedersen wrote:
> On Wed, April 2, 2008 02:06, William Terry wrote:
>> I mostly lurk here, gleaning bits of wisdom from those far more
>> knowledgeable than me, however...
>
> i have no clue either :-)
>
>> I am getting a dramatic increase in bounce messages with my domain
>> forged sent to me. At least some of the messages still retain the
>> headers so I can tell that we did not originate the message. I also
>> know that there is probably little I can do to keep them coming.
>
> http://openspf.org/ one could add spf to domain, and hope bouncers get a clue
> when bouncing and not rejecting spam :/

if they had a clue, they wouldn't accept-then-bounce.

>> I'm just wondering if anyone else is seeing a dramatic rise in these
>> messages? Is there anything I can do to mitigate this?
>
> i see other types of backscatter that could be solved by using spf

only if spammers check spf before forging addresses, which I doubt...
Re: Dramatic increase in bounce messages to forged addresses
John Hardin wrote:
> On Tue, 1 Apr 2008, William Terry wrote:
>> Is there anything I can do to mitigate this?
>
> Do you publish SPF records?

We haven't as of yet. I have been looking at it though since this last burst of backscatter. Any idea how widely SPF record checking has been adopted out there?
Re: Dramatic increase in bounce messages to forged addresses
On Wed, April 2, 2008 02:06, William Terry wrote:
> I mostly lurk here, gleaning bits of wisdom from those far more
> knowledgeable than me, however...

i have no clue either :-)

> I am getting a dramatic increase in bounce messages with my domain
> forged sent to me. At least some of the messages still retain the
> headers so I can tell that we did not originate the message. I also
> know that there is probably little I can do to keep them coming.

http://openspf.org/ one could add spf to domain, and hope bouncers get a clue when bouncing and not rejecting spam :/

> I'm just wondering if anyone else is seeing a dramatic rise in these
> messages? Is there anything I can do to mitigate this?

i see other types of backscatter that could be solved by using spf

Benny Pedersen
RE: Dramatic increase in bounce messages to forged addresses
I'll second that - a tremendous increase

At 08:15 PM 4/1/2008, Kurt Buff wrote:
> Yup. Big rise over the past two weeks.
>
> Kurt
>
> > -----Original Message-----
> > From: William Terry [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, April 01, 2008 17:07
> > To: users@spamassassin.apache.org
> > Subject: Dramatic increase in bounce messages to forged addresses
> >
> >
> > I mostly lurk here, gleaning bits of wisdom from those far more
> > knowledgeable than me, however...
> >
> > I am getting a dramatic increase in bounce messages with my domain
> > forged sent to me. At least some of the messages still retain the
> > headers so I can tell that we did not originate the message. I also
> > know that there is probably little I can do to keep them coming.
> >
> > I'm just wondering if anyone else is seeing a dramatic rise in these
> > messages? Is there anything I can do to mitigate this?
> >
> > Thanks.

Best Regards,

Jeff Koch, Intersessions
Re: Dramatic increase in bounce messages to forged addresses
On Tue, 1 Apr 2008, William Terry wrote:
> Is there anything I can do to mitigate this?

Do you publish SPF records?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS adware architecture incorporating spyware, profiling, competitor suppression and delivery confirmation (U.S. Patent #20070157227)
---
Today: April Fools' day
RE: Dramatic increase in bounce messages to forged addresses
Yup. Big rise over the past two weeks.

Kurt

> -----Original Message-----
> From: William Terry [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 01, 2008 17:07
> To: users@spamassassin.apache.org
> Subject: Dramatic increase in bounce messages to forged addresses
>
>
> I mostly lurk here, gleaning bits of wisdom from those far more
> knowledgeable than me, however...
>
> I am getting a dramatic increase in bounce messages with my domain
> forged sent to me. At least some of the messages still retain the
> headers so I can tell that we did not originate the message. I also
> know that there is probably little I can do to keep them coming.
>
> I'm just wondering if anyone else is seeing a dramatic rise in these
> messages? Is there anything I can do to mitigate this?
>
> Thanks.