Sorry to divert people from the Microsoft bashing but I thought I'd bring this up again. I mentioned a few months ago about Mailwasher forging bounces; anyway, I was hoping they would go away or their latest version would fix the problem, but it doesn't appear that way.

Checking our outgoing queues, around 50% of emails waiting to go out appear to be mailwasher forgeries (bounces from our mail servers are elsewhere) and I'm getting a little worried. I really try hard to get customer email delivered and I don't want "normal" email to get delayed when it gets stuck behind mailwasher junk.

Just wondering what others are doing? Private email is okay. I'm trying to avoid blocking or deleting them if I can. One suggestion was to forward them all to feedback(a)mailwasher.net :) . The other problem is that it is fairly hard to actually pick these messages out from others in the queue safely.

Maybe I can sic the fraud squad on Mr Bolton for forging my email address.

From their FAQ:

Q. How does MailWasher bounce messages?

A. MailWasher uses an algorithm to determine the best route to send the bounced message back (from, reply to, return path) and actually sends the bounce back via your isp's postmaster, so it looks exactly like it has come from your isp and not from you at your address. If the spammer has used a fake address, then your bounce message will itself be bounced back to the postmaster and you won't receive the bounced bounce email.

-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz

- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Wed, Oct 02, 2002 at 01:40:04PM +1200, Simon Lyall wrote:
A. MailWasher uses an algorithm to determine the best route to send the bounced message back (from, reply to, return path) and actually sends the bounce back via your isp's postmaster
This isn't an AUP violation here? Forging email from an address other than yours? I would just disallow lusers from injecting such bogons. I would argue allowing this sets an unnerving precedent of sorts.

Does this actually work? I mean, since most spam doesn't have a valid return-path, bounces are mostly useless.

--cw (who has been archiving spam for years)
I have a couple of mailboxes I'm bouncing because of spam volume. Depends on the creed of the spammer I guess. Some genuinely don't see the point in continuing to spam non-existent addresses and stop. Some set fake reply-to headers and don't care.

For those that bounce-the-bounce and come back to postmaster, I start firewalling their MTA from my network. Solves the problem :P Course, ISPs might not necessarily want to do that... (we all know how controversial RBLs are.)

But yes, if forging mail headers is in breach of your AUP I'd ask your abuse guy to contact the client and ask them to disable that feature of mailwasher; and advise them that failing to do so will result in immediate account suspension for breaching T&C. Tends to work :)

Mark.

At 06:50 p.m. 1/10/2002 -0700, Chris Wedgwood wrote:
On Wed, Oct 02, 2002 at 01:40:04PM +1200, Simon Lyall wrote:
A. MailWasher uses an algorithm to determine the best route to send the bounced message back (from, reply to, return path) and actually sends the bounce back via your isp's postmaster
This isn't an AUP violation here?
Forging email from an address other than yours? I would just disallow lusers from injecting such bogons. I would argue allowing this sets an unnerving precedent of sorts.
Does this actually work? I mean, since most spam doesn't have a valid return-path, bounces are mostly useless.
--cw (who has been archiving spam for years)
On Wed, Oct 02, 2002 at 02:24:04PM +1200, Mark Foster wrote:
I have a couple of mailboxes I'm bouncing because of spam volume. Depends on the creed of the spammer I guess.
Why not throw alway all of that email then and never bounce it?
Some genuinely don't see the point in continuing to spam non-existent addresses and stop. Some set fake reply-to headers and don't care.
Nope. I don't mean to be rude (but I can't help who I am)... I don't believe this for a second. Unless some is like 0.0001% or something.
For those that bounce-the-bounce and come back to postmaster, I start firewalling their MTA from my network.
Seems pointless, spam comes from all over.
Solves the problem :P Course, ISPs might not necessarily want to do that... (we all know how controversial RBLs are.)
IMO, RBLs are almost useless now. I stopped using all of them a while ago and now spam works to *my* advantage.

FWIW, I have several domains and addresses which get *only* spam, I mean nothing but spam. Never any real email. And I get a lot of spam, hundreds if not thousands of messages a week sometimes.

Now, I used to reject all this email --- yet it *never* stopped coming, even after a couple of years of nothing but rejection. I removed A and MX records for months, that didn't help either. Within minutes of restoring those addresses' functionality, I got spam. None of my efforts to prevent this even slowed the rate at which it comes. This is why I simply don't believe mailwasher works, because I know it *doesn't* :P

Now I accept all this spam to these 'spam trap addresses'. I use it to train filters which I then apply to my inbox. I use no RBL because I *want* all the spam I can get. The more spam I get, the better I train my filters that keep spam out of my inbox --- and it works great so far. IF there is a popular spam going about that my filters would miss, chances are one of the spam-traps will get it first, and thus my filters will adapt to it before it hits my inbox.

--cw
On Tue, 1 Oct 2002, Chris Wedgwood wrote:
Now I accept all this spam to these 'spam trap addresses'.
Isn't your "anti-spam" strategy based on you having more or less free bandwidth? IOW, wouldn't work in NZ.

-- Juha Saarinen
On Wed, Oct 02, 2002 at 03:23:45PM +1200, Juha Saarinen wrote:
Isn't your "anti-spam" strategy based on you having more or less free bandwidth? IOW, wouldn't work in NZ.
Free? Hell no, it costs something like $800US/month.

--cw
On Wed, 2 Oct 2002, Juha Saarinen wrote:
On Tue, 1 Oct 2002, Chris Wedgwood wrote:
Now I accept all this spam to these 'spam trap addresses'.
Isn't your "anti-spam" strategy based on you having more or less free bandwidth? IOW, wouldn't work in NZ.
Spam doesn't take up much bandwidth. Most spam is only a few kilobytes in size and anything over 15 kilobytes is pretty uncommon. A bunch of spam I have lying around (14299 messages) averages in size at only 6812 bytes. Only 3% were bigger than 20 kilobytes. So even if you get 1000 spams per day that's just 205 Megabytes per month.

The problem is the load on machines, people's time filtering it out and the false positives. For example one spammer sent us (over the weekend) 450,000 (approx) emails over 3 days. All of these were from (the same) bogus domain (optprofessional.com).

-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
On Wed, Oct 02, 2002 at 04:03:49PM +1200, Simon Lyall wrote:
For example one spammer sent us (over the weekend) 450,000 (approx) emails over 3 days. All of these were from (the same) bogus domain (optprofessional.com) .
So why did you accept them?

--cw
At 16:56 02/10/02, Chris Wedgwood wrote:
On Wed, Oct 02, 2002 at 04:03:49PM +1200, Simon Lyall wrote:
For example one spammer sent us (over the weekend) 450,000 (approx) emails over 3 days. All of these were from (the same) bogus domain (optprofessional.com) .
So why did you accept them?
Because he occasionally would like to have a weekend off...

Bart Kindt
Manager, Network Operations
Director, The Internet Group Limited
New Zealand
On Wed, Oct 02, 2002 at 05:00:04PM +1200, Bart Kindt wrote:
Because he occasionally would like to have a weekend off...
And?
220 mx1.clear.net.nz -- Server ESMTP (CLEAR Net)
ehlo lies.org
250-mx1.clear.net.nz
250-8BITMIME
250-PIPELINING
250-DSN
250-XDFLG
250-ENHANCEDSTATUSCODES
250-HELP
250-SAML
250-SEND
250-SOML
250-TURN
250-XSTA
250-XLOOP ECA5EFC954D260A84AAC76A6D892DE71
250-ETRN
250-RELAY
250 SIZE 0
mail from:
On Tue, 1 Oct 2002, Chris Wedgwood wrote:
On Wed, Oct 02, 2002 at 04:03:49PM +1200, Simon Lyall wrote:
For example one spammer sent us (over the weekend) 450,000 (approx) emails over 3 days. All of these were from (the same) bogus domain (optprofessional.com) .
So why did you accept them?
Because I thought he would go away after the first day. Also we very much avoid blocking email to customers.

Except for a very small list (less than 10) of sites we accept all email that comes in. Spam is only blocked for customers who subscribe to the anti-spam service and they are able to look at what's been blocked and retrieve it for up to 20 days afterwards.

People do not accept their email being blocked and get VERY paranoid if they think email is not getting through. Dropping people's email to the floor is not an option in an ISP situation. At least IMHO, other people may have different ideas but I know at least one ISP used to lose customers due to the heavy spam filtering.

The ones that were blocked were *only* blocked because the volume or nature of their email was causing load issues for our servers.

w.r.t RBLs we use them as part of our anti-spam service, useful ones include bl.spamcop.net and kr.cluecentral.net and cn.cluecentral.net.

What software are you using for filtering? Some sort of Bayesian type thing?

-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
On Wed, Oct 02, 2002 at 05:26:23PM +1200, Simon Lyall wrote:
Because I thought he would go away after the first day. Also we very much avoid blocking email to customers.
Except the domain is bogus... how much legitimate email do you get bogus domains and how much spam do you get with bogus domains?
People do not accept their email being blocked and get VERY paranoid if they think email is not getting through. Dropping people's email to the floor is not an option in an ISP situation.
Except here the domain is bogus and it clearly wasn't email (it was spam).
w.r.t RBLs we use them as part of our anti-spam service, useful ones include bl.spamcop.net and kr.cluecentral.net and cn.cluecentral.net.
I found that there was still plenty of spam coming using various RBLs and that the false-positive rate is too high. So I started trying to think of ways to put the spam I get to use.
What software are you using for filtering? Some sort of Bayesian type thing?
Originally it was something I made up, then I tried a pseudo-Bayesian filter (based on the now infamous Paul Graham article). I then decided to do it a little differently as I wanted to do things that present tools didn't allow such as: word aging, different treatment of header and body tokens, pseudo-canonicalization of HTML text and attachments (ie. don't use HTML tags raw, actually treat what would be rendered "kinky" in red as "kinky" and "c/RED:kinky" so that not only is the word "kinky" going to count here as a bad word, it will doubly count if in HTML it would be rendered in red).

As a side-effect, I decode attachments so that if the body is text but base64 encoded, I pull out the decoded tokens and am ignorant to the encoded type.

On top of that, I get spam from various sources and teach it with that in the hopes that if a burst of messages is going about, one of the traps will see it first and increase the likelihood of catching it when it is actually sent to me. Now, this assumes that any spam sent to me will also be sent to others, many others, and that it will look somewhat like previous spam email messages I have gotten --- but so far, that seems to be a reasonable guess.

I can think of other things to do as well, but I've gotten bored with it :)

--cw
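The tokenizer features Chris lists above (header vs body tokens, HTML reduced to what would render plus a colour token such as "c/RED:kinky", transfer encoding decoded before tokenizing, and word aging), as an added example in Python; this is not Chris's filter or any project's code, and the sample message, the token scheme and the aging table layout are constructed for the demo.

```python
import base64
import email
import re
from email import policy
from html.parser import HTMLParser

WORD = re.compile(r"[a-z0-9$!'-]{2,}")


class RenderedText(HTMLParser):
    """Collect the text a browser would show, tagged with the colour it would have."""

    def __init__(self):
        super().__init__()
        self.runs = []    # (colour or None, text)
        self.stack = []   # open elements that set a colour: (tag, COLOUR)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        colour = a.get("color") if tag == "font" else None
        m = re.search(r"(?<![-\w])color\s*:\s*([#\w]+)", a.get("style") or "", re.I)
        if m:
            colour = m.group(1)
        if colour:
            self.stack.append((tag, colour.upper().lstrip("#")))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        self.runs.append((self.stack[-1][1] if self.stack else None, data))


def tokenize(raw):
    """Header tokens are 'h/<name>:word'; body words are bare, plus 'c/<COLOUR>:word'
    for text that would render in a colour. Transfer encodings are undone first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    tokens = []
    for name in ("from", "subject", "x-mailer"):
        tokens += [f"h/{name}:{w}" for w in WORD.findall(str(msg[name] or "").lower())]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()          # base64 / quoted-printable already decoded
        if part.get_content_subtype() == "html":
            p = RenderedText()
            p.feed(text)
            p.close()
            for colour, chunk in p.runs:
                for w in WORD.findall(chunk.lower()):
                    tokens.append(w)
                    if colour:
                        tokens.append(f"c/{colour}:{w}")
        else:
            tokens += WORD.findall(text.lower())
    return tokens


def train(table, tokens, is_spam, now):
    """table: token -> (spam_count, ham_count, last_seen); a message counts once per token."""
    for t in set(tokens):
        spam, ham, _ = table.get(t, (0, 0, now))
        table[t] = (spam + int(is_spam), ham + int(not is_spam), now)
    return table


def age_tokens(table, now, max_age):
    """Word aging: forget tokens not seen within max_age seconds."""
    return {t: v for t, v in table.items() if now - v[2] <= max_age}


# Constructed sample: a base64-encoded HTML body, as a spam run might send it.
SAMPLE = (b'From: "Hot Deals" <promo@example.invalid>\n'
          b"Subject: Kinky offers inside\n"
          b"Content-Type: text/html; charset=us-ascii\n"
          b"Content-Transfer-Encoding: base64\n\n"
          + base64.b64encode(b'<html><body>Get <font color="red">kinky</font> deals<br>now</body></html>')
          + b"\n")

if __name__ == "__main__":
    toks = tokenize(SAMPLE)
    print(toks)
    table = train({}, toks, is_spam=True, now=0)
    print(sorted(age_tokens(table, now=10 * 86400, max_age=7 * 86400)))  # everything aged out
```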
At 23:43 1/10/02 -0700, Chris Wedgwood wrote:
On Wed, Oct 02, 2002 at 05:26:23PM +1200, Simon Lyall wrote:
Because I thought he would go away after the first day. Also we very much avoid blocking email to customers.
Except the domain is bogus... how much legitimate email do you get bogus domains and how much spam do you get with bogus domains?
I have to agree here. By definition email should have a return address if it is "genuine". If the domain name of the "from" address doesn't even exist, then it's almost a sure bet that the email is bogus, and I see no reason it should be accepted. Most MTAs seem to default to this action as well.

Regards,
Simon
On Thu, 3 Oct 2002, Simon Byrnand wrote:
I have to agree here. By definition email should have a return address if it is "genuine". If the domain name of the "from" address doesn't even exist, then it's almost a sure bet that the email is bogus, and I see no reason it should be accepted. Most MTAs seem to default to this action as well.
I guess you don't get email from people who post to newsgroups, most of them use bogus addresses so if they reply via email to a post the address will not be legit (john(a)notihug.co.nz.nospam sort of thing).

Checking around I also came across:

From: Promos(a)Glengarry Wines

Which appears to be a legit little mailout sent last week from e-wine(a)Glengarry.co.nz . I didn't see any others in the search. Our spam filtering also has a "No MX for From address" rule that helps block those. Still if you feel comfortable blocking customer's email on that basis I guess it's your choice.

-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
On Thu, Oct 03, 2002 at 11:11:27AM +1200, Simon Lyall wrote:
From: Promos(a)Glengarry Wines
That's a header. What was the envelope-sender/return-path? My guess is since most NZ ISPs with any level of clue reject email from bogus senders, the sender-envelope was sane or that Glengarry will realize they made a mistake and correct it. In general this applies to anyone sending email with a bogus sender-envelope; so many places will reject this that the problem is rare and tends to be corrected early.
Our spam filtering also has a "No MX for From address" rule that helps block those. Still if you feel comfortable blocking customer's email on that basis I guess it's your choice.
What legitimate email? One incidence of a 'maybe' from Glengarry which they would presumably have fixed if it really is a mistake...

I guess I'm missing something here ... but it seems to me like you could avoid the mailwasher and load problems you are seeing in about half the amount of effort it takes to bitch on nznog about it.

--cw
On Tue, 1 Oct 2002, Chris Wedgwood wrote:
On Wed, Oct 02, 2002 at 04:03:49PM +1200, Simon Lyall wrote:
For example one spammer sent us (over the weekend) 450,000 (approx) emails over 3 days. All of these were from (the same) bogus domain (optprofessional.com) .
So why did you accept them?
Because I thought he would go away after the first day. Also we very much avoid blocking email to customers.
Except for a very small list (less than 10) of sites we accept all email that comes in. Spam is only blocked for customers who subscribe to the anti-spam service and they are able to look at what's been blocked and retrieve it for up to 20 days afterwards.
People do not accept their email being blocked and get VERY paranoid if they think email is not getting through. Dropping people's email to the floor is not an option in an ISP situation. At least IMHO, other people may have different ideas but I know at least one ISP used to lose customers due to the heavy spam filtering.
The ones that were blocked were *only* blocked because the volume or nature of their email was causing load issues for our servers.
w.r.t RBLs we use them as part of our anti-spam service, useful ones include bl.spamcop.net and kr.cluecentral.net and cn.cluecentral.net.
What software are you using for filtering? Some sort of Bayesian type thing?
-- Simon Lyall. | Newsmaster | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
http://www.ietf.org/rfc/rfc2505.txt

To wit:

2.9. Verify "MAIL From:"

The MTA SHOULD be able to perform a simple "sanity check" of the "MAIL From:" domain and refuse to receive mail if that domain is nonexistent (i.e. does not resolve to having an MX or an A record). If the DNS error is temporary, TempFail, the MTA MUST return a 4xx Return Code (Temporary Error). If the DNS error is an Authoritative NXdomain (host/domain unknown) the MTA SHOULD still return a 4xx Return Code (since this may just be primary and secondary DNS not being in sync) but it MAY allow for an 5xx Return Code (as configured by the sysadmin).

It doesn't actually say that you must drop mail from nonexistent domains, but it certainly implies that those sending mail with nonexistent domains shouldn't be surprised if their mail does get dropped.

Cheers
Si

On Wed, Oct 02, 2002 at 05:26:23PM +1200, Simon Lyall said:
At 14:00 3/10/02 +1200, Simon Blake wrote:
http://www.ietf.org/rfc/rfc2505.txt
To whit:
2.9. Verify "MAIL From:"
The MTA SHOULD be able to perform a simple "sanity check" of the "MAIL From:" domain and refuse to receive mail if that domain is nonexistent (i.e. does not resolve to having an MX or an A record). If the DNS error is temporary, TempFail, the MTA MUST return a 4xx Return Code (Temporary Error). If the DNS error is an Authoritative NXdomain (host/domain unknown) the MTA SHOULD still return a 4xx Return Code (since this may just be primary and secondary DNS not being in sync) but it MAY allow for an 5xx Return Code (as configured by the sysadmin).
Interesting.
It doesn't actually say that you must drop mail from nonexistent domains, but it certainly implies that those sending mail with nonexistent domains shouldn't be surprised if their mail does get dropped.
It doesn't get dropped, it gets rejected. If the MTA that rejected it was the one the end user was connecting to during the attempted send of the message (EG their ISP's outgoing server) their email client won't even be able to send the message - they will immediately get an error. Both Outlook Express and Eudora will display this error, not sure about others.

However if the one rejecting it was the destination MTA then the sending MTA will not be able to deliver it, and will have to generate a bounce. Unfortunately, since the envelope-sender address is invalid, it has nowhere to bounce it to, except the postmaster.... (However, any other kind of "normal" bounces, like the destination address not existing will never bounce to the right place either, so the sender's email configuration is "broken")

Regards,
Simon
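The RFC 2505 section 2.9 check quoted by Simon Blake, with the 4xx/5xx reply logic it prescribes, plus the question Simon Byrnand answers above (where a rejected message ends up depending on whether the rejecting MTA was the submission server or the destination), as an added example in Python; it is not code from this thread or from any MTA. The DNS lookup is injected so it runs offline: DEMO_ZONES, demo_lookup and the sender addresses used are constructed for the demo.

```python
from email.utils import parseaddr


class TempFail(Exception):
    """Transient DNS error (timeout, SERVFAIL)."""


class NxDomain(Exception):
    """Authoritative answer: the domain does not exist."""


# Constructed zone data for the demo: domain -> record types present.
# None models a zone whose nameservers time out.
DEMO_ZONES = {
    "darkmere.gen.nz": {"MX", "A"},
    "glengarry.co.nz": {"A"},      # A record but no MX: still routable
    "flaky.example": None,
}


def demo_lookup(domain, rrtype):
    """Stand-in for a resolver; True if the domain has a record of that type."""
    if domain not in DEMO_ZONES:
        raise NxDomain(domain)
    if DEMO_ZONES[domain] is None:
        raise TempFail(domain)
    return rrtype in DEMO_ZONES[domain]


def check_mail_from(mail_from, lookup=demo_lookup, nxdomain_permanent=False):
    """Return (smtp_code, text) for the argument of MAIL FROM.

    <> is always accepted (bounces must get through); MX or A -> 250;
    temporary DNS failure -> 451 (RFC 2505: MUST be 4xx); authoritative
    NXDOMAIN -> 450 unless the admin opts into 550 (RFC 2505: MAY)."""
    addr = parseaddr(mail_from)[1]
    if addr == "":
        return 250, "null sender accepted"
    if "@" not in addr:
        return 501, "syntax error: sender address has no domain"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    nx_code = 550 if nxdomain_permanent else 450
    try:
        if lookup(domain, "MX") or lookup(domain, "A"):
            return 250, f"sender {addr} ok"
        return nx_code, f"sender domain {domain} has no MX or A record"
    except TempFail:
        return 451, f"temporary DNS failure for {domain}, try again later"
    except NxDomain:
        return nx_code, f"sender domain {domain} does not exist"


def bounce_destination(reply_code, at_submission, mail_from, lookup=demo_lookup):
    """Where a message ends up after that reply: a 5xx at the user's submission
    server is an immediate client error, a 5xx at the destination forces the
    relaying MTA to generate a DSN, and a DSN for a bogus envelope sender can
    only go to the relaying site's own postmaster (the double bounce)."""
    if reply_code < 400:
        return "accepted"
    if reply_code < 500:
        return "queued for retry"
    if at_submission:
        return "client shown an error; nothing queued"
    if parseaddr(mail_from)[1] == "":
        return "dropped (null sender: never bounce a bounce)"
    if check_mail_from(mail_from, lookup)[0] == 250:
        return "DSN to envelope sender"
    return "DSN to local postmaster (double bounce)"


if __name__ == "__main__":
    for sender in ("<simon@darkmere.gen.nz>", "<e-wine@glengarry.co.nz>",
                   "<spam@nosuch.invalid>", "<x@flaky.example>", "<>"):
        code, text = check_mail_from(sender)
        print(code, text, "->", bounce_destination(code, False, sender))
```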
Hi all :)

Just to make everyone's day... the new Netguide has a copy of MailWasher on the cover CD. Sigh.

Richard

-- Richard Stevenson
Systems Specialist
Xtra Limited http://www.xtra.co.nz
Email: richard.stevenson(a)team.xtra.co.nz
Phone: +64 9 3555231 Mobile: +64 25 2903101 Fax: +64 9 3555260 Pager: +64 26 100155
On Mon, 7 Oct 2002, Richard Stevenson wrote:
Hi all :)
Just to make everyone's day... the new Netguide has a copy of MailWasher on the cover CD. Sigh.
Right next to Bonzai Buddy... sacrilege.

-- Juha Saarinen
At 20:32 7/10/02 +1300, Juha Saarinen wrote:
On Mon, 7 Oct 2002, Richard Stevenson wrote:
Hi all :)
Just to make everyone's day... the new Netguide has a copy of MailWasher on the cover CD. Sigh.
Right next to Bonzai Buddy... sacrilege.
You've got a bit of a Bonzai Buddy fetish going there Juha, by the large number of posts of yours that have mentioned him in the last couple of months... Are you sure you aren't a closet admirer ? ;-)

Regards,
Simon
On 8 Oct 2002 at 9:26, Simon Byrnand wrote:
At 20:32 7/10/02 +1300, Juha Saarinen wrote:
On Mon, 7 Oct 2002, Richard Stevenson wrote:
Hi all :)
Just to make everyone's day... the new Netguide has a copy of MailWasher on the cover CD. Sigh.
Right next to Bonzai Buddy... sacrilege.
You've got a bit of a Bonzai Buddy fetish going there Juha, by the large number of posts of yours that have mentioned him in the last couple of months...
Are you sure you aren't a closet admirer ? ;-)
Closet, closest, whatever...

-- Dan Langille
I'm looking for a computer job: http://www.freebsddiary.org/dan_langille.php
Well, this is probably a list AUP violation as well, but.... what we do is inform the customer that forging headers is a breach of our T&C, and repeated violations will result in the closure of their account. Most don't realise the problems they're causing; once it's explained to them, they stop doing it.

I spoke with the software author some time ago about this issue, and he was reluctant to disable it.

FWIW, I do believe that issues that impact ISP performance should be on topic here. This new worm has definitely tested our mail system - total viruses intercepted for Oct is currently sitting at 1500....

Gordon Smith CCNA
Network Operations Manager
MoreNet Ltd
At 13:40 2/10/2002, Simon Lyall wrote:
Just wondering what others are doing? Private email is okay. I'm trying to avoid blocking or deleting them if I can. One suggestion was to forward them all to feedback(a)mailwasher.net :) . The other problem is that it is fairly hard to actually pick these messages out from others in the queue safely.
echo "feedback(a)mailwasher.net" > /var/qmail/control/doublebounceto

:-)

-- Steve.
participants (11): Bart Kindt, Chris Wedgwood, Dan Langille, Gordon Smith, Juha Saarinen, Mark Foster, Richard Stevenson, Simon Blake, Simon Byrnand, Simon Lyall, Steve Phillips