At 14:04 2008-10-17 -0400, Charles Gregory wrote:
On Wed, 15 Oct 2008, Michelle Konzack wrote:
> 2200 legitimate messages against 38.000 spams.
> This afternoon I have gotten again over 30.000 unique backscatter.
Maybe I can help. One characteristic of 'backscatter' is that because it
is generated by legitimate MTAs, a great many of them QUOTE at least the
headers of the bounced e-mail in the body.
I'll go a step farther here: Some spams that INTEND to propagate via the 
bounce use "Content-Return: allowed".  I've yet to see that header on 
legitimate email.
The X-Mailer header identifying mailers you don't use is another good 
mechanism to use - if you don't use AOL or MS Outbreak, why should bounces 
claiming to be from you claim you sent a message with these clients?
# NL (assumed to hold a newline), SPAMMISHNESS and SPAMNOTES are expected to
# be set earlier in the rc file.  The [ 	] classes below contain a space and
# a literal tab.  Replace host|anotherhost and domain.tld with your own
# bounce-generating hosts.
:0
* ^FROM_MAILER
{
        # Since when would a mailer-daemon SPECIFY a return path for a message
        # which itself is a bounce?  That's just asking for a loop.
        :0B
        * ^Return-Path:[ 	]*mailer-daemon@(host|anotherhost)\.domain\.tld
        {
                SPAMVAL="+150"
                SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
                SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} MAILER BOUNCE: return-path${NL}"
        }
        # This header is appearing increasingly on reflected spam - the
        # intent is to request that the entire message be bounced, rather
        # than truncated to just the headers, ensuring that the spam content
        # is delivered to the bounce recipient.
        :0B
        * ^Content-Return:[ 	]*allowed
        {
                SPAMVAL="+200"
                SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
                SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} MAILER BOUNCE: content-return${NL}"
        }
        # if a legitimate bounce is supposed to be for a message YOU sent,
        # check to see that it doesn't specify an X-Mailer that you know YOU
        # don't use.  This works for personal mail, but isn't effective for
        # a systemwide filter, since many users may use different mailers.
        # The condition must stay on one line; it was wrapped by the mailer.
        :0
        * B ?? ^X-Mailer:[ 	]*(CME-V|Microsoft Outlook|AdSend|The Bat!|AOL|Internet Mail|Juno|Novell|PMMail|Winbiff)
        {
                SPAMVAL="+200"
                SPAMMISHNESS="${SPAMMISHNESS}${SPAMVAL}"
                SPAMNOTES="${SPAMNOTES}SPAM: ${SPAMVAL} MAILER BOUNCE: x-mailer${NL}"
        }
}
---
 Sean B. Straw / Professional Software Engineering
 Procmail disclaimer: <http://www.professional.org/procmail/disclaimer.html>
 Please DO NOT carbon me on list replies.  I'll get my copy from the list.
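The same three body-header checks as the procmail recipe above, applied to a raw bounce in Python (an added example, not code from the post or the procmail project). The host and domain names are the recipe's own placeholders; the FROM_MAILER stand-in is a deliberate simplification of procmail's real macro, and the sample bounce is constructed.

```python
import re

OUR_BOUNCE_HOSTS = ("host", "anotherhost")   # placeholders, as in the recipe
OUR_DOMAIN = "domain.tld"                    # placeholder, as in the recipe
FOREIGN_MAILERS = ("CME-V", "Microsoft Outlook", "AdSend", "The Bat!", "AOL",
                   "Internet Mail", "Juno", "Novell", "PMMail", "Winbiff")

# Each rule: (weight, note, regex).  re.M anchors ^ at every line of the body,
# which is what procmail's B flag does to the text after the first blank line;
# re.I mirrors procmail's default case-insensitive matching.
RULES = (
    (150, "return-path", re.compile(
        r"^Return-Path:[ \t]*mailer-daemon@(%s)\.%s"
        % ("|".join(OUR_BOUNCE_HOSTS), re.escape(OUR_DOMAIN)), re.M | re.I)),
    (200, "content-return", re.compile(r"^Content-Return:[ \t]*allowed", re.M | re.I)),
    (200, "x-mailer", re.compile(
        r"^X-Mailer:[ \t]*(%s)" % "|".join(re.escape(m) for m in FOREIGN_MAILERS), re.M | re.I)),
)

# Simplified stand-in (assumption) for procmail's ^FROM_MAILER: sender is a daemon.
FROM_MAILER_RE = re.compile(r"^From:.*(mailer-daemon|postmaster)", re.M | re.I)

def score_bounce(raw):
    """Return (score, notes) for a raw RFC 822 message, like SPAMMISHNESS/SPAMNOTES."""
    head, _, body = raw.partition("\n\n")
    if not FROM_MAILER_RE.search(head):
        return 0, []                        # not a bounce; the recipe does not apply
    score, notes = 0, []
    for weight, note, rx in RULES:
        if rx.search(body):
            score += weight
            notes.append("SPAM: +%d MAILER BOUNCE: %s" % (weight, note))
    return score, notes

# Constructed sample: a bounce that quotes the forged spam's headers in its body.
SAMPLE_BACKSCATTER = """From: MAILER-DAEMON@remote.example (Mail Delivery System)
To: victim@domain.tld
Subject: Undelivered Mail Returned to Sender

Return-Path: mailer-daemon@host.domain.tld
From: victim@domain.tld
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Content-Return: allowed
Subject: Cheap watches
"""

if __name__ == "__main__":
    print(score_bounce(SAMPLE_BACKSCATTER))
```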