
Re: OT - has my email domain been hijacked?



On Wed, 2005-09-14 at 23:55 -0700, Schlaegel wrote:
> On 9/14/05, kevin kempter dataintellect com
> <kevin kempter dataintellect com> wrote:
> > Thanks for the info.
> > 
> > Can you send me info on what a SpamAssassin filter to catch these will need to
> > look like?
> 
> Here are some rules I added to my user_prefs file after setting
> "allow_user_rules 1" in local.cf.
> 
> My goal was to ensure the joe-job bounces were deleted, not remove
> spam, which I receive little of. I turned off Bayes and neutered
> auto_whitelist. I would have completely turned off auto_whitelist if I
> could have figured out how. The rules still need to have their score
> adjusted, as most of the matches are guaranteed bounces.
> 
> I based the rules on my large collection of bounce messages and
> http://permalink.gmane.org/gmane.discuss/5381
> 
> # From bounce matches
> 
> header   BOUNCE_FROM_MAILER_DAEMON    From =~ /mailer-daemon/i
> describe BOUNCE_FROM_MAILER_DAEMON    From: mailer-daemon, probably an automated message
> score    BOUNCE_FROM_MAILER_DAEMON    5
> 
> header   BOUNCE_FROM_BLACKHOLE    From =~ /blackhole/i
> describe BOUNCE_FROM_BLACKHOLE    From: blackhole, probably an automated message
> score    BOUNCE_FROM_BLACKHOLE    5
> 
> header   BOUNCE_FROM_POSTMASTER    From =~ /postmaster/i
> describe BOUNCE_FROM_POSTMASTER    From: postmaster, probably an automated message
> score    BOUNCE_FROM_POSTMASTER    5
> 
> header   BOUNCE_FROM_POST_OFFICE    From =~ /Post Office/i
> describe BOUNCE_FROM_POST_OFFICE    From: Post Office, probably an automated message
> score    BOUNCE_FROM_POST_OFFICE    5
> 
> header   BOUNCE_FROM_MAIL_DELIVERY_SYSTEM    From =~ /Mail Delivery System/i
> describe BOUNCE_FROM_MAIL_DELIVERY_SYSTEM    From: Mail Delivery System, probably an automated message
> score    BOUNCE_FROM_MAIL_DELIVERY_SYSTEM    5
> 
> header   BOUNCE_FROM_MAIL_DELIVERY_SUBSYSTEM    From =~ /Mail Delivery Subsystem/i
> describe BOUNCE_FROM_MAIL_DELIVERY_SUBSYSTEM    From: Mail Delivery Subsystem, probably an automated message
> score    BOUNCE_FROM_MAIL_DELIVERY_SUBSYSTEM    5
> 
> header   BOUNCE_FROM_MAIL_ADMINISTRATOR    From =~ /Mail Administrator/i
> describe BOUNCE_FROM_MAIL_ADMINISTRATOR    From: Mail Administrator, probably an automated message
> score    BOUNCE_FROM_MAIL_ADMINISTRATOR    5
> 
> header   BOUNCE_FROM_SYSTEM_ADMINISTRATOR    From =~ /System Administrator/i
> describe BOUNCE_FROM_SYSTEM_ADMINISTRATOR    From: System Administrator, probably an automated message
> score    BOUNCE_FROM_SYSTEM_ADMINISTRATOR    5
> 
> header   BOUNCE_FROM_INTERNET_MAIL_DELIVERY    From =~ /Internet Mail Delivery/i
> describe BOUNCE_FROM_INTERNET_MAIL_DELIVERY    From: Internet Mail Delivery, probably an automated message
> score    BOUNCE_FROM_INTERNET_MAIL_DELIVERY    5
> 
> header   BOUNCE_FROM_MAIL    From =~ /mail/i
> describe BOUNCE_FROM_MAIL    From: mail, possibly an automated message
> score    BOUNCE_FROM_MAIL    1
> 
> 
> # Subject bounce matches
> 
> header   BOUNCE_FAILURE_NOTICE        Subject =~ /failure notice/i
> describe BOUNCE_FAILURE_NOTICE        Subject: 'failure notice', bounce message
> score    BOUNCE_FAILURE_NOTICE        5
> 
> header   BOUNCE_DELIVERY_STATUS_NOTIFICATION Subject =~ /delivery status notification/i
> describe BOUNCE_DELIVERY_STATUS_NOTIFICATION Subject: 'Delivery status notification', probably bounce
> score    BOUNCE_DELIVERY_STATUS_NOTIFICATION 1
> 
> header   BOUNCE_DELIVERY_FAILED    Subject =~ /delivery failed/i
> describe BOUNCE_DELIVERY_FAILED    Subject: 'delivery failed', bounce message
> score    BOUNCE_DELIVERY_FAILED    1
> 
> header   BOUNCE_MAIL_DELIVERY_FAILED Subject =~ /Mail delivery failed/i
> describe BOUNCE_MAIL_DELIVERY_FAILED Subject: 'Mail delivery failed', bounce message
> score    BOUNCE_MAIL_DELIVERY_FAILED 5
> 
> header   BOUNCE_UNDELIVERABLE      Subject =~ /Undeliverable:/i
> describe BOUNCE_UNDELIVERABLE      Subject: Undeliverable
> score    BOUNCE_UNDELIVERABLE      1
> 
> header   BOUNCE_RETURNED_MAIL    Subject =~ /Returned mail/i
> describe BOUNCE_RETURNED_MAIL    Subject: 'Returned mail', bounce message
> score    BOUNCE_RETURNED_MAIL    5
> 
> header   BOUNCE_MAIL_COULD_NOT_BE_DELIVERED    Subject =~ /Mail could not be delivered/i
> describe BOUNCE_MAIL_COULD_NOT_BE_DELIVERED    Subject: 'Mail could not be delivered', bounce message
> score    BOUNCE_MAIL_COULD_NOT_BE_DELIVERED    5
> 
> header   BOUNCE_UNDELIVERED_MAIL    Subject =~ /Undelivered Mail/i
> describe BOUNCE_UNDELIVERED_MAIL    Subject: 'Undelivered Mail', bounce message
> score    BOUNCE_UNDELIVERED_MAIL    5
> 
> header   BOUNCE_RETURNED_TO_SENDER    Subject =~ /Returned to Sender/i
> describe BOUNCE_RETURNED_TO_SENDER    Subject: 'Returned to Sender', bounce message
> score    BOUNCE_RETURNED_TO_SENDER    5
> 
> use_bayes 0
> fold_headers 0
> auto_whitelist_factor 0

Does this not result in the trashing of *all* bounces, not just
backscatter?

Note that the term "Joe Job" really applies to cases where the spammer
is deliberately trying to pass off the spam as originating by the
purported sender, typically to try to cause trouble for the purported
sender - see
http://searchcio.techtarget.com/sDefinition/0,,sid19_gci917469,00.html
for some history - whereas most spam sent with forged sender addresses
is just a result of the spammer picking domains at random, with no
particular malicious intent regarding the domains he/she is forging.

The OP could get rid of most of his problem simply by turning off the
catch-all mailbox and using only specific addresses in his domain.
Backscatter hitting non-existent addresses would then be rejected by his
mail server.

Paul.
-- 
Paul Howarth <paul city-fan org>
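As an added example (not code from this thread or from SpamAssassin), a small Python evaluator for the user_prefs rule syntax quoted above, run against two constructed bounces. It shows Paul's point that the header rules score a legitimate bounce and a backscatter bounce identically, and adds an assumed heuristic, checking whether the bounce quotes a Message-ID we actually sent, that separates the two. The rule excerpt, the sample messages and the set of sent Message-IDs are all constructed.

```python
import re
from email import message_from_string

# Constructed excerpt in the same user_prefs syntax as the rules quoted above.
RULES_TEXT = """
header   BOUNCE_FROM_MAILER_DAEMON    From =~ /mailer-daemon/i
score    BOUNCE_FROM_MAILER_DAEMON    5
header   BOUNCE_FAILURE_NOTICE        Subject =~ /failure notice/i
score    BOUNCE_FAILURE_NOTICE        5
header   BOUNCE_FROM_MAIL             From =~ /mail/i
score    BOUNCE_FROM_MAIL             1
"""
HEADER_RE = re.compile(r"^header\s+(\w+)\s+([\w-]+)\s+=~\s+/(.*)/([a-z]*)$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?\d+(?:\.\d+)?)$")

def parse_rules(text):
    """Map rule name -> (header name, compiled regex, score); unscored rules get 1.0."""
    rules, scores = {}, {}
    for line in text.splitlines():
        if m := HEADER_RE.match(line.strip()):
            name, hdr, pat, flags = m.groups()
            rules[name] = (hdr, re.compile(pat, re.I if "i" in flags else 0))
        elif m := SCORE_RE.match(line.strip()):
            scores[m.group(1)] = float(m.group(2))
    return {n: (h, rx, scores.get(n, 1.0)) for n, (h, rx) in rules.items()}

def score_message(raw, rules):
    """Total score and the (sorted) names of the rules that fired on this message."""
    msg = message_from_string(raw)
    hits = sorted(n for n, (h, rx, _) in rules.items() if rx.search(msg.get(h, "")))
    return sum(rules[n][2] for n in hits), hits

def is_backscatter(raw, sent_ids):
    """Assumed heuristic, not from the thread: a bounce is backscatter when none of the
    Message-IDs quoted in its body belong to mail we actually sent."""
    body = message_from_string(raw).get_payload()
    quoted = re.findall(r"Message-ID:\s*(<[^>]+>)", body, re.I)
    return not any(mid in sent_ids for mid in quoted)

# Constructed sample bounces: identical headers, different quoted originals.
LEGIT = ("From: MAILER-DAEMON@example.net\nSubject: failure notice\n\n"
         "Could not deliver your message:\nMessage-ID: <1234@ourdomain.example>\n")
BACKSCATTER = LEGIT.replace("<1234@ourdomain.example>", "<spam99@forged.example>")
SENT_IDS = {"<1234@ourdomain.example>"}  # constructed log of Message-IDs we sent
RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("backscatter", BACKSCATTER)):
        print(label, score_message(raw, RULES), is_backscatter(raw, SENT_IDS))
```

Both samples score 11 under the quoted-style rules (three rules fire, because /mail/i also matches "MAILER-DAEMON"), so only the sent-ID check tells them apart.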

