spf-discuss

Re[2]: [spf-discuss] Bounce-Spam and SPF-Ignorant ISPs - it is time to retaliate?

2005-11-26 20:41:42
Hi Larry,

No - I had no "catch all" up until today (when I switched "catch all"
on so as to feed my abuse reporting script with the message bodies).

Those 50,000+ bounce spams each day have all been rejected, but since
one of the afflicted domains is on my slow home DSL line, even the
load of rejecting all this crap has a negative impact, and after
3+ months I've decided it's time to try and stop it!

There's the occasional mention in news.admin.net-abuse.sightings of
other forged sender addresses using the same dictionary as they are
using on mine, but really nothing of significance - which given the
insane volume, makes me even more suspicious...

What do you think? Should I flip the switch and start sending these
abuse reports?  See below for a sample of what I propose to send:

Kind Regards,
Chris

--------- proposed automated abuse report -----------

From: Chris <postmaster(_at_)mydomain(_dot_)example(_dot_)com>
To: "abuse" <abuse(_at_)rr(_dot_)com>, "abuse" <abuse(_at_)parasun(_dot_)com>, 
"postmaster" <postmaster(_at_)parasun(_dot_)net>, "abuse" 
<abuse(_at_)parasun(_dot_)net>, "postmaster"
<postmaster(_at_)solanne(_dot_)parasun(_dot_)net>, "abuse" 
<abuse(_at_)solanne(_dot_)parasun(_dot_)net>
Subject: Abuse report - please read carefully

You have sent me the spam shown below.  This abuse report is sent to
several people, and you are one of the following people (A or B):-
A) 24.73.38.195, 204.174.16.4
   You have a user with a spam-sending zombie virus on their PC if
   you can see an IP address you own in the offending spam below.

   Please take these actions:

   1. Contact them to clean their PC.
   2. Block your customer from accessing mail servers other than your
      own (firewall their port 25).


B) 204.174.16.15
   You operate a misconfigured email server which is bouncing spam
   emails back to innocent third parties (me) if you own the mail
   server that delivered the spam below.  Here is how this occurs:

   i)   the spammer identifies your mail server as a vulnerable spam
        relay, and loads your IP address into their spamming software or
        spam-sending zombie network.
   ii)  the spammer selects a victim to receive their spam (in this
        case: me), then originates an email to your mail server, using
        the "From:" address of their intended victim, and deliberately
        choosing a non-existent recipient on your system.
   iii) Your system incorrectly accepts the email to this
        deliberately bogus recipient, then wrongly "bounces" the
        entire message back to the intended victim (me) - effectively
        delivering the spam on behalf of the spammer.

   Please take these actions:

   1. Do not accept emails to bogus recipients.
   2. Do not accept emails from forged senders: here is how to easily
      reject forged emails: http://www.openspf.org/
   3. Do not send bounce messages in response to forged emails.
   4. Do not "bounce" the body of any emails (bounce only the headers
      if you have to bounce anything at all) - this prevents spammers
      from using you to re-send their spam bodies.

If you wish to reply to me, please put the word "human" in your reply
subject, so I can find your email amongst the tens of thousands of
spams I am getting each day.

Here is the offending message with all headers:-

Received: from solanne.parasun.net (solanne.parasun.net [204.174.16.15])
        by mydomain.example.com (8.12.8/8.12.8) with ESMTP id jAR0VMlB000613
        for <angular(_at_)mydomain(_dot_)example(_dot_)com>; Sun, 27 Nov 2005 00:31:23 GMT
Received: from exim by solanne.parasun.net with local (Exim 4.43)
        id 1EgARw-0002W9-04
        for angular(_at_)mydomain(_dot_)example(_dot_)com; Sat, 26 Nov 2005 16:31:24 -0800
X-Failed-Recipients: futurework(_at_)mindlink(_dot_)bc(_dot_)ca
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon(_at_)solanne(_dot_)parasun(_dot_)net>
To: angular(_at_)mydomain(_dot_)example(_dot_)com
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1EgARw-0002W9-04(_at_)solanne(_dot_)parasun(_dot_)net>
Date: Sat, 26 Nov 2005 16:31:24 -0800

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  futurework(_at_)mindlink(_dot_)bc(_dot_)ca
    unknown account futurework(_at_)mindlink(_dot_)bc(_dot_)ca

------ This is a copy of the message, including all the headers. ------

Return-path: <angular(_at_)mydomain(_dot_)example(_dot_)com>
Received: from deep.mindlink.net ([204.174.16.4] helo=deep.parasun.net)
        by solanne.parasun.net with esmtp (Exim 4.43)
        id 1EgARv-0002Vf-St
        for futurework(_at_)mindlink(_dot_)bc(_dot_)ca; Sat, 26 Nov 2005 16:31:23 -0800
Received: from 195-38.73-24.tampabay.res.rr.com ([24.73.38.195])
        by deep.parasun.net with smtp (Exim 4.43)
        id 1EgARu-0007qp-3j
        for futurework(_at_)mindlink(_dot_)bc(_dot_)ca; Sat, 26 Nov 2005 16:31:23 -0800
Received: from unknown (HELO batted [192.168.84.25])
     by 195-38.73-24.tampabay.res.rr.com with SMTP; Sat, 26 Nov 2005 19:31:15 -0500
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="=_f4ca7a44c3167670ae014136b64834e8"
Message-Id: <11038495738(_dot_)24386110963(_at_)195-38(_dot_)73-24(_dot_)tampabay(_dot_)res(_dot_)rr(_dot_)com>
Date: Sat, 26 Nov 2005 19:31:14 -0500
To: <futurework(_at_)mindlink(_dot_)bc(_dot_)ca>
From: <angular(_at_)mydomain(_dot_)example(_dot_)com>
Subject: headline news

--=_f4ca7a44c3167670ae014136b64834e8
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

<img src=3Dcid:c375d2f4bab9674116559054515b815b>

--=_f4ca7a44c3167670ae014136b64834e8
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="pohd.gif"
Content-ID: <c375d2f4bab9674116559054515b815b>

R0lGODdhrgGuAYQAAAAAAP////8AAP9OTv9oaP98fP+Njf+bm/+np/+zs/+9vf/Hx//Q0P/Z2f/h
4f/p6f/x8fHx8enp6eHh4dnZ2dDQ0MfHx729vbOzs6enp5ubm42NjXx8fGhoaE5OTgAAACwAAAAA
<snip>
lXLZQRIBna5SRYppJcYuapkhOgVmNpZZznq59i6GBl6eXSkCMladtr7mIE7WZvVJEHPKDu+Cosbt
NXdbwVWyhgAAOw==
--=_f4ca7a44c3167670ae014136b64834e8--

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
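The post's abuse report splits the IPs in a backscatter bounce into two groups: the server that generated the bounce (B) and the hosts that carried the forged original (A), and it only makes sense to send the report when the embedded original claims our domain as sender but never passed through one of our own relays. The script below is an added example of that triage logic; it is not Chris's script and not list or project code. The sample bounce is constructed from the headers quoted in the post with the list's address obfuscation undone and the GIF attachment replaced by a stub; `mydomain.example.com`, the `our_relays` set and the function names are assumptions for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the bounce quoted in the post: addresses are
# de-obfuscated and the spam body/GIF attachment is replaced by a one-line stub.
SAMPLE_BOUNCE = """\
Received: from solanne.parasun.net (solanne.parasun.net [204.174.16.15])
        by mydomain.example.com (8.12.8/8.12.8) with ESMTP id jAR0VMlB000613
        for <angular@mydomain.example.com>; Sun, 27 Nov 2005 00:31:23 GMT
Received: from exim by solanne.parasun.net with local (Exim 4.43)
        id 1EgARw-0002W9-04
        for angular@mydomain.example.com; Sat, 26 Nov 2005 16:31:24 -0800
X-Failed-Recipients: futurework@mindlink.bc.ca
Auto-Submitted: auto-generated
From: Mail Delivery System <Mailer-Daemon@solanne.parasun.net>
To: angular@mydomain.example.com
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

------ This is a copy of the message, including all the headers. ------

Return-path: <angular@mydomain.example.com>
Received: from deep.mindlink.net ([204.174.16.4] helo=deep.parasun.net)
        by solanne.parasun.net with esmtp (Exim 4.43)
        id 1EgARv-0002Vf-St
        for futurework@mindlink.bc.ca; Sat, 26 Nov 2005 16:31:23 -0800
Received: from 195-38.73-24.tampabay.res.rr.com ([24.73.38.195])
        by deep.parasun.net with smtp (Exim 4.43)
        id 1EgARu-0007qp-3j
        for futurework@mindlink.bc.ca; Sat, 26 Nov 2005 16:31:23 -0800
Received: from unknown (HELO batted [192.168.84.25])
     by 195-38.73-24.tampabay.res.rr.com with SMTP; Sat, 26 Nov 2005 19:31:15 -0500
To: <futurework@mindlink.bc.ca>
From: <angular@mydomain.example.com>
Subject: headline news

(spam body snipped)
"""

# Exim's marker line that precedes the copy of the original message.
COPY_MARKER = "This is a copy of the message, including all the headers."
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_dsn(msg):
    """True if the message looks like an automated delivery-status notification."""
    auto = (msg.get("Auto-Submitted") or "").lower()
    sender = (msg.get("From") or "").lower()
    return auto.startswith("auto-") or "mailer-daemon" in sender


def public_ips_from_received(msg):
    """Bracketed IPv4 literals from Received: headers, most recent hop first.
    Private/loopback literals (the zombie's LAN address here) are skipped
    because they never identify a reportable host."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for literal in BRACKETED_IP.findall(hdr):
            if ipaddress.ip_address(literal).is_global and literal not in ips:
                ips.append(literal)
    return ips


def split_bounce(raw):
    """Return (outer DSN message, embedded original message or None)."""
    outer = message_from_string(raw)
    body = outer.get_payload()
    if not isinstance(body, str) or COPY_MARKER not in body:
        return outer, None
    rest = body.partition(COPY_MARKER)[2]
    # Drop the remainder of the marker line; the original's headers follow
    # after the blank line.
    inner_text = rest.split("\n", 1)[1].lstrip("\n")
    return outer, message_from_string(inner_text)


def classify(raw):
    """Group IPs the way the post's report does: 'bouncer' (B) is the server
    that produced the DSN; 'relays' (A) are the hosts in the original's path,
    i.e. the relay and the sending zombie. Returns None for non-DSN mail."""
    outer, inner = split_bounce(raw)
    if not is_dsn(outer):
        return None
    forged = parseaddr(inner.get("From") or "")[1] if inner else ""
    return {"bouncer": public_ips_from_received(outer),
            "relays": public_ips_from_received(inner) if inner else [],
            "forged_sender": forged}


def is_backscatter(report, our_domain="mydomain.example.com", our_relays=frozenset()):
    """A DSN whose embedded original names our domain as sender but never
    passed through one of our relays is backscatter from a forged sender.
    our_domain and our_relays are assumed values for this example."""
    claims_us = report["forged_sender"].lower().endswith("@" + our_domain)
    return claims_us and not (set(report["relays"]) & set(our_relays))


if __name__ == "__main__":
    report = classify(SAMPLE_BOUNCE)
    print(report, "backscatter:", is_backscatter(report))
```

Only bracketed IP literals are trusted; the HELO name and the reverse-DNS name in a Received: line are supplied by the connecting host and are not evidence of anything. Rejecting such messages at SMTP time (as the post already does) remains the real fix; the classification is only for deciding where a report goes.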