Our users are getting hundreds of these!
One of the problems is that the actual spam email is sometimes not
attached. But interestly enough we are usually sent the email header of the
original email. From that we (the humans) can easily spot that the IP
address of the mailserver claiming to be ours is, in fact, not. So, if that
line in the returned email header can be parsed perhaps a program can
validate the IP address.
Only a suggestion - I'm sure a lot harder in real life.
SPF only works in these instances if (1) the domain users know what
mailservers they might use amd (2) the mailserver that received the
original SMTP connection analyzes SPF before accepting the connection and
doesn't just bounce the email back to the sender.
At 07:28 PM 4/10/2008, Jason Haar wrote:
I think we've detoured from the actual problem?
The fact is that lots of spam is now being sent to other sites, pretending
to be from (collectively) our email addresses, so that we get the bounces
containing the spam. And SA isn't marking these messages as spam, whereas
if it was directly sent the same spam, it would.
So how do we fix this situation? What about getting SA to "detach" the
associated bounced message as a separate message and score that instead? I
know I can casually just say that - doing is a different matter - but
isn't that really the only answer to this problem?
How are others (successfully) handling backscatter? Moving bounces into
yet another separate folder isn't a solution for our users - and I'm sure
the same applies elsewhere. Spam is spam...
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Best Regards,
Jeff Koch, Intersessions