Author: Al
Date: Feb 8, 2007 08:52
>>My abuse mailbox, for example, gets wayyyy more spam than abuse
>>reports, for example. I've had to resort to tagging the inbound mail
>>with Spamhaus Zen to help make it easier to sort out. This isn't the
>>first company I've worked for where this was the case; so I'm fairly
>>sure I'm not alone here.
>
> Do you ever get any legitimate abuse reports from
> sites listed on Zen? If not, why not reject them?
Because I just started using it and my data on "legitimate reports
from sites listed on Zen" only goes back a week or so. Also because I
do the Zen lookup after the mail has already been accepted, as I don't
run the edge inbound mail server, and it would be gauche to generate
an after-the-fact bounce. Eventually, I may silently discard mail from
Zen-listed sites, if/when I'm assured that the long term false
positive rate is near-nil.
no comments

Author: Shmuel (Seymour J.) Metz
Date: Feb 8, 2007 05:33
>Don't know if yahoo uk is better than the us one,
Possibly worse.
>About abusive behavior, and after verification it only occurs to me
>one situation, assuming that in both cases the "victim" is a
>spamtrap and that our server bounces the un-routeable mails:
Any NDN to a forged address is abuse. The scenario that you described
is a classic mail loop due to failure to follow RFC 2821. Also, there
are two victims.
>1.1. a spammer sends the victim an address stating that it is from
>vandal@ acutron.info, which of course is not true.
If you send an NDN to vandal@ acutron.info then it is also a victim.
>1.2. The victim receives, does a rev ptr, sees that the address is
>bullshit and discards the mail.
What if it is a FCrDNS?
>2.2. The victim receives, and bounces the mail stating that it is a
>fake or that the address does not exist to vandal@ acutron.info.
no comments

Author: John Doe
Date: Feb 8, 2007 04:46
Hal Murray grunted:
> I'm on one large technical list that gets ~30 OOO messages
> sent to me each time I contribute something.
Heh - sounds like bugtraq...
I've participated there a few times and was deluged with OOO replies, no
such user etc. replies each time.
--
The e-mail address in the From: header of this post is valid.
Add [NANAE] to the Subject: of any correspondence or said
correspondence will be deleted unread.
no comments

Author: Shmuel (Seymour J.) Metz
Date: Feb 8, 2007 04:45
>It's rather easy to make UCEProtect ban someone through a denial of
>service attack.
Not against a properly configured mail server.
>3) Mycorp.com Mail server gets such spam. Reads header,
So your MTA does not comply with RFC 2821?
If Mycorp.com is accepting e-mail with invalid destinations and
subsequently bouncing it to a forged address then it is a spam vector
and *should* be listed.
>I am getting really tired of this happening.
Then fix your MTA.
Nor should they, because the servers listed in your scenario are
servers that should be listed.
>because it makes their RBL look better
no comments

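Shmuel's point above, and Al's remark earlier in the thread about only being able to do the Zen lookup after the edge server has already accepted the mail, both come down to where the accept/reject decision is made. The following Python is an added example, not code from the thread or from any poster: a recipient-time decision written in the attribute/response shape of Postfix's SMTP access policy delegation (name=value lines, then an `action=` reply). The mycorp.example recipient table, the local domain list and the set of "listed" client addresses are constructed for the demo; a real deployment would take the first two from the mail system and resolve the client address against the DNSBL over DNS.

```python
# Added example (not from the thread): a recipient-time policy decision in
# the attribute/response shape of Postfix's SMTP access policy delegation.
# The recipient table, domains and "listed" client set are constructed.
from typing import Callable, Dict

# Constructed: every mailbox that exists at the hypothetical domain mycorp.example.
VALID_RECIPIENTS = {
    "postmaster@mycorp.example",
    "abuse@mycorp.example",
    "alice@mycorp.example",
}
LOCAL_DOMAINS = {"mycorp.example"}

# Constructed stand-in for a DNSBL lookup. A real policy server would resolve
# the reversed client IP under the DNSBL zone (e.g. zen.spamhaus.org) and
# treat any A record as a hit; no network call is made here.
LISTED_CLIENTS = {"198.51.100.23"}


def dnsbl_listed(client_ip: str) -> bool:
    return client_ip in LISTED_CLIENTS


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one name=value attribute block; an empty line terminates it."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def decide(attrs: Dict[str, str], listed: Callable[[str], bool] = dnsbl_listed) -> str:
    """Return the action for one RCPT TO command.

    Both rejections below are issued before the message body is accepted, so
    the connecting MTA, not this server, owns any bounce. An invalid local
    recipient therefore never turns into an NDN to a forged envelope sender.
    """
    if attrs.get("request") != "smtpd_access_policy" or attrs.get("protocol_state") != "RCPT":
        return "DUNNO"  # not our decision; leave it to the rest of the restriction list
    recipient = attrs.get("recipient", "").lower()
    domain = recipient.rpartition("@")[2]
    if domain in LOCAL_DOMAINS and recipient not in VALID_RECIPIENTS:
        return "550 5.1.1 Recipient address rejected: User unknown"
    if listed(attrs.get("client_address", "")):
        return "554 5.7.1 Client host rejected: listed on DNSBL"
    return "DUNNO"


def policy_response(raw_request: str) -> str:
    """Wire-format reply: 'action=<decision>' followed by an empty line."""
    return f"action={decide(parse_policy_request(raw_request))}\n\n"


# Constructed request, as the MTA would send it for a message to a mailbox that
# does not exist, carrying a forged envelope sender.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=forged@victim.example\n"
    "recipient=nosuchuser@mycorp.example\n"
    "client_address=203.0.113.5\n"
    "\n"
)

if __name__ == "__main__":
    print(policy_response(SAMPLE_REQUEST), end="")
```

The unknown-recipient check runs first on purpose: it is the case from the thread, and it must be answered with a 5xx at RCPT time regardless of what any blocklist says, because once the body has been accepted the only remaining options are to discard silently or to bounce to an address that may be forged.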
Author: John Doe
Date: Feb 8, 2007 01:54
Laurence F. Sheldon, Jr. grunted:
> I got to thinking--how the h*ll do you tell if you are looking at
> backscatter?
>
> And the answer is--as receiver of it you can't.
Actually, you can. Very easily.
If you receive a message saying that a mail you never sent in the first
place was not delivered because the recipient's mailbox is full, because
the recipient's address does not exist or because it was a virus, and
if the message (usually attached to the notification) does indeed claim
to be from you but originates from a network or geographic location
you've never used/been to, then it's either an elaborate forgery on the
behalf of a spammer, or it's backscatter.
Next, if the point of origin of the suspected backscatter is related to
the unreachable original recipient (eg: something sent to a wanadoo user
and the notification coming from wanadoo's network) then you can be 99%
sure it's backscatter.
no comments

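The test John Doe describes (the returned copy claims to be from you, but it never passed through your network) can be mechanised on the receiving side. The following Python is an added example, not from the thread or any poster: it parses a delivery status notification with the standard library's email parser and classifies it. It assumes a hypothetical site example.net that relays all outbound mail through mx-out.example.net; the DSN it parses, and the wanadoo.example hostnames in it, are constructed.

```python
# Added example (not from the thread): classifying a received DSN as probable
# backscatter with the standard library's email parser. The host/domain lists
# and the sample notification are constructed.
import email
from email import policy
from email.utils import parseaddr

# Assumption: every message this site really sends leaves through this host,
# so a genuine returned copy carries a Received: line naming it.
OUR_OUTBOUND_HOSTS = {"mx-out.example.net"}
OUR_DOMAINS = {"example.net"}


def is_dsn(msg) -> bool:
    """Delivery status notifications are multipart/report with report-type=delivery-status."""
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type", "").lower() == "delivery-status")


def attached_original(msg):
    """Return the copy of the original message the DSN carries, if any."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload()[0]
        if ctype == "text/rfc822-headers":
            # Some sites return only the headers; that is enough for this check.
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify_bounce(raw: str) -> str:
    """One of: not-a-bounce, bounce-unverifiable, genuine-bounce, backscatter."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_dsn(msg):
        return "not-a-bounce"
    original = attached_original(msg)
    if original is None:
        return "bounce-unverifiable"
    claimed_sender = parseaddr(str(original.get("Return-Path") or original.get("From") or ""))[1]
    claimed_domain = claimed_sender.rpartition("@")[2].lower()
    received = [str(h) for h in original.get_all("Received", [])]
    passed_through_us = any(host in line for line in received for host in OUR_OUTBOUND_HOSTS)
    if passed_through_us:
        return "genuine-bounce"
    if claimed_domain in OUR_DOMAINS:
        # The case from the post: it claims to be ours, but the copy never
        # touched our network, so someone else forged our address on it.
        return "backscatter"
    return "bounce-unverifiable"


def build_sample_dsn(received_line: str) -> str:
    """Constructed DSN; only the original's Received: line varies between cases."""
    return (
        "From: MAILER-DAEMON@mail.wanadoo.example\n"
        "To: alice@example.net\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n"
        "--B1\n"
        "Content-Type: text/plain\n"
        "\n"
        "The recipient's mailbox is full.\n"
        "--B1\n"
        "Content-Type: message/delivery-status\n"
        "\n"
        "Reporting-MTA: dns; mail.wanadoo.example\n"
        "\n"
        "Final-Recipient: rfc822; someone@wanadoo.example\n"
        "Action: failed\n"
        "Status: 5.2.2\n"
        "--B1\n"
        "Content-Type: message/rfc822\n"
        "\n"
        f"Received: {received_line}; Wed, 7 Feb 2007 10:02:11 +0100\n"
        "From: alice@example.net\n"
        "To: someone@wanadoo.example\n"
        "Subject: buy now\n"
        "Date: Wed, 7 Feb 2007 10:01:55 +0100\n"
        "\n"
        "Never sent by alice.\n"
        "--B1--\n"
    )


FORGED = build_sample_dsn("from unknown (HELO dsl-47.isp.example) (203.0.113.47) by mail.wanadoo.example with SMTP")
GENUINE = build_sample_dsn("from mx-out.example.net (192.0.2.10) by mail.wanadoo.example with ESMTP")

if __name__ == "__main__":
    print("forged copy  ->", classify_bounce(FORGED))
    print("genuine copy ->", classify_bounce(GENUINE))
```

The "passed through our host" test is the decisive one, as in the post: the From address can be forged by anyone, but a Received: line naming the site's own outbound relay only appears on mail that really left through it. A DSN that carries no copy of the original at all cannot be verified either way and is left as "bounce-unverifiable" rather than guessed.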
Author: Hal Murray
Date: Feb 7, 2007 14:41
Nice, thanks.
I'd call it outscatter rather than backscatter. (but leave a note
about the other names) If it went "back" where it came from we
wouldn't have a problem.
You might divide the list into two piles: black and gray.
Black means there is no excuse for doing them. Gray
means you will get in trouble but there isn't a fix that
the mail sysadmin can install that will totally cure the problem.
For example, eliminating OOO crap may require a corporate
culture change.
It would help to list the common setups that do accept-then-bounce
and provide links to solutions.
--
These are my opinions, not necessarily my employer's. I hate spam.
2 Comments

Author: Stephen Satchell
Date: Feb 7, 2007 05:58
Al wrote:
> On Feb 5, 10:05 am, s...@ panix.com (Seth Breidbart) wrote:
>
>>> uceprotect.net obviously doesn't care because it makes their RBL look
>>> better because more people are listed.
>> Your telepathizer needs new batteries.
>
> Har.
>
> On another note, instead of arguing with the one angry dude who hasn't
> come back here to reply since posting four days ago, perhaps y'all
> could throw out some best practices on how to prevent backscatter?
>
> I've written up an article about backscatter; what it is and how to
> stop it.
> http://www.spamresource.com/2007/02/backscatter-what-is-it-how-do-i-stop-it.html
> I'd appreciate feedback, pointers to more info, or tips on how a site
> can prevent it.
>
> Specifically, what should JGwinner's site be doing differently to ...
no comments

Author: barcarossa
Date: Feb 7, 2007 05:50
Ru Igarashi wrote:
>> I post from yahoo because I don't want to expose one of my regular
>> mail accounts, just in case ;-)
>
> Just in case of what? It's not like any of your admin role account
> addresses can't be guessed; they're supposed to be fairly standard
> or recognizable in the first place. So a spammer that decides to
> target your servers won't have to see the address here to start
> spamming the role accounts.
>
Understand that it is my personal option to do that. You are right,
there is a published mail address, but it is not so easily searchable
as one advertised on a mailing list, depends on the degree of
protection of the list against address harvesting.
no comments

Author: Al
Date: Feb 7, 2007 05:48
On Feb 6, 8:42 pm, Ru Igarashi wrote:
>> I post from yahoo because I don't want to expose one of my regular
>> mail accounts, just in case ;-)
>
> Just in case of what? It's not like any of your admin role account
> addresses can't be guessed; they're supposed to be fairly standard
> or recognizable in the first place. So a spammer that decides to
> target your servers won't have to see the address here to start
> spamming the role accounts.
Nonetheless, indiscriminate usenet harvesting is rampant, and has been
that way for the past million years or so. It's not unreasonable for
somebody to choose to post to usenet with an alternate or disposable
address. I do so myself, and everybody who matters knows who I am
anyway, too. That's not the point. "Could be guessed" is quite
different than "easily harvestable." The former means that somebody
who wants to target you specifically still can. The latter means your
address gets scooped up indiscriminately. It has no connection to
preventing issues from people who want to target you specifically.
1 Comment