procmail

Re: Dealing with current backscatter spam

2008-10-27 16:04:33
On 2008-10-17 10:21:43, Professional Software Engineering wrote:
        (big, bad internet)
        (mailserver)
        (GSM)
        (workstation + procmail)

Unfortunately this!

The only thing I can do is to code some Perl/PHP stuff and put it in my
FTP/Web space which is on the same server, install a cronjob and kill
this crap, but maybe my hosting provider can install procmail for me and I
can download the messages from the IMAP into my FTP/Web space, filter them
there and then pack them up into compressed packages of 100 messages which
I can then download using scp...

Okay, so the GSM problem is solved?

No, I can not get my messages anymore or send messages, which means the
delay between "receiving", "answering" and "sending" of messages continues
with a delay of 2-4 days, since I can only go into the Internet Cafe every
2-4 days.

Do you honestly think that some admin who can't secure their mailserver is 
going to notice that they're getting a bunch of bounces BACK to 
them?  Really - they apparently didn't notice that they're being used as a 

Oh, I have already filled up some "postmaster" accounts... Hmmm, they
have accepted around 200-400 messages from me but now I get something
like "Mailbox full" ;-)

relay in the first place.  And, you'd be generating THAT MUCH MORE TRAFFIC 
that you're grumbling you are paying for.

Currently I am running a small Perl application from my CGI directory of
my Web-Server which works more or less...

I kill ANY message which comes from "MAILER-DAEMON", "noreply", "root" or
"postmaster" which does not come from <freenet.de>, <*debian.org>,
<server4.pinguin-hosting.de>, <rwth-aachen.de> or other domains sending
me possibly "legitimate" bounces.

Is this ONE email source address of yours, or are they using random 
addresses at your domain?  Widespread use of wildcard addressing at domains 

No, they are targeting <linux4michelle> in the domains <freenet.de>, my
old ISP, and now <tamay-dogan.net>, my new own domain and VServer.

leads to an enormous spam hit for people, because spammers don't need to 
use a legitimate address to get mail to you, and when they forge with a 
randomized address, they still manage to bounce someplace.

I was thinking this too, but MY mailserver can accept ANY "localparts"
for ANY subdomains inside <tamay-dogan.net> IF the message COMES from
one server inside this domain.

So I can send out a message to you using

    <pse(_at_)samba3(_dot_)private(_dot_)tamy-dogan(_dot_)net>

which is my intranet server, but you will never be able to reach or spam
this domain.

If you're getting bounces for messages you didn't send, perhaps you should 
be checking the content for references to From: with your address and no 
reference to your legitimate sending servers in the embedded Received: 
lines.

The From: lines in the attached messages are always one of my VALID
emails and, you know, a search with Google on <linux4michelle> gives
you MANY hits...

Consider using a subdomain, such as mail.tamay-dogan.net for your 

This domain should normally exist...

email.  REJECT all mail to the base domain, except perhaps abuse and 
postmaster (or provide a link to a webpage explaining how to contact those 
roles).  This will sharply reduce the amount of crap you get, because 
spammers tend to use the base domains - they're not bright enough to look 
around for required mailhosts.

Do you mean then using an E-Mail like
<linux4michelle(_at_)mail(_dot_)t-d(_dot_)net>?
But spammers will spam this mail too, or do I misunderstand something?

Then, as you get backscatter, it'll cut off those hosts responsible for the 
bulk of it.  You could have the perl script generate automatic email 
notifications every few days of processing for hosts which have been 
listed, delisted, and listed again (meaning it wasn't a one-time hiccup) - 
do whois lookups, or standard RFC postmaster or abuse addresses at those 
domains.

I did this sort of thing with my Vermicide worm defence mechanism for 
Apache.  An attempt to compromise my hosts would trigger a script which 
would perform whois and netblock lookups, and notify responsible parties, 
with caching of the attempt so that I wouldn't be tagged as a spammer for 
sending the notifications.

This is a nice idea...


My backscatter spam count is now around 98.000 ~ 1.5 GByte of traffic
since Friday 2008-10-10.

If I ventured a guess, it'd be that your massive sigline must have irked 
somebody.

Since the last weekend the amount of spam is drastically reduced... I get
around 1800 per day now...

Thanks, greetings and a nice day/evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)
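
Added example, not code from this thread and not the poster's own Perl CGI script: it combines the rule described in the message (discard mail from MAILER-DAEMON, noreply, root or postmaster unless it comes from a whitelisted domain) with the check PSE suggests (treat a bounce as backscatter when the embedded original carries your From: address but its Received: lines never mention your real sending servers). The whitelist reuses the domains named in the posting; the sending hosts, the mail.tamay-dogan.net subdomain, and all sample messages are constructed assumptions, not data from the thread.

```python
# Added example: classify bounces as legitimate or backscatter. The hosts,
# addresses and messages below are constructed for illustration.
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions: addresses this account really sends from, and the hosts that
# appear in the Received: chain of everything it really sends.
MY_ADDRESSES = {"linux4michelle@tamay-dogan.net", "linux4michelle@freenet.de"}
LEGIT_SENDING_HOSTS = {"server4.pinguin-hosting.de", "mail.tamay-dogan.net"}
# Local parts that mark an automatic bounce or notification.
BOUNCE_LOCALPARTS = {"mailer-daemon", "noreply", "root", "postmaster"}
# Bounces from these domains (and subdomains) are kept without inspection.
TRUSTED_BOUNCE_DOMAINS = ("freenet.de", "debian.org",
                          "server4.pinguin-hosting.de", "rwth-aachen.de")
# From:/Received: header lines, including folded continuation lines.
HEADER_RE = re.compile(r"^(Received|From):[ \t]*(.*(?:\n[ \t].*)*)",
                       re.MULTILINE | re.IGNORECASE)


def split_address(addr):
    """Return (localpart, domain) lowercased, or ("", "") without an @."""
    _, bare = parseaddr(addr)
    if "@" not in bare:
        return "", ""
    local, _, domain = bare.lower().rpartition("@")
    return local, domain


def is_trusted_domain(domain):
    return any(domain == d or domain.endswith("." + d)
               for d in TRUSTED_BOUNCE_DOMAINS)


def original_headers(msg):
    """(From values, Received values) of the bounced original: taken from a
    message/rfc822 part if present, else scanned out of the text body."""
    text = ""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            text = part.get_payload()[0].as_string()
            break
        if part.get_content_maintype() == "text":
            text += part.get_content() + "\n"
    froms, received = [], []
    for name, value in HEADER_RE.findall(text):
        (froms if name.lower() == "from" else received).append(value)
    return froms, received


def classify(raw):
    """Return 'backscatter' or 'keep' for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    local, domain = split_address(str(msg.get("From", "")))
    if local not in BOUNCE_LOCALPARTS:
        return "keep"                 # not a bounce at all
    if is_trusted_domain(domain):
        return "keep"                 # bounce from a host on the whitelist
    froms, received = original_headers(msg)
    if not froms:
        return "keep"                 # no embedded original: cannot judge it
    forged = bool({parseaddr(f)[1].lower() for f in froms} & MY_ADDRESSES)
    legit_hop = any(h in r.lower() for r in received
                    for h in LEGIT_SENDING_HOSTS)
    return "backscatter" if forged and not legit_hop else "keep"


# Constructed sample 1: an open relay bounces spam that forged our address;
# the embedded Received: chain never touches one of our servers.
BACKSCATTER = """\
From: MAILER-DAEMON@open-relay.example
To: linux4michelle@tamay-dogan.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from dsl-pool-17.example ([192.0.2.17])
  by open-relay.example with SMTP; Mon, 27 Oct 2008 12:00:00 +0100
From: linux4michelle@tamay-dogan.net
To: victim@example.net

buy now
--b1--
"""
# Constructed sample 2: a genuine bounce of mail we sent; the original headers
# are pasted as text and the Received: chain includes our own server.
LEGIT_BOUNCE = """\
From: postmaster@mx.example.org
To: linux4michelle@tamay-dogan.net

Your message was not delivered. Original headers follow:

Received: from mail.tamay-dogan.net ([203.0.113.5])
  by mx.example.org with ESMTP; Mon, 27 Oct 2008 13:00:00 +0100
From: Michelle <linux4michelle@tamay-dogan.net>
To: nobody@example.org
"""
# Constructed samples 3 and 4: whitelisted bounce, and ordinary mail.
TRUSTED_BOUNCE = "From: postmaster@freenet.de\nSubject: Mailbox full\n\nfull\n"
NORMAL_MAIL = "From: alice@example.com\nSubject: hello\n\nhi\n"
```

`classify()` takes one raw message and returns "backscatter" or "keep"; a cron job or procmail filter piping each message through it gets a verdict per message. Two deliberate caveats: a bounce from an untrusted host that carries no recognisable original headers is kept rather than discarded, because there is nothing to judge it by, and the Received: check matches host names as substrings, so a forged header naming one of the legitimate hosts would still pass. That is acceptable for cutting traffic but is not proof that the message was really sent from there.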

____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail