[BUGS] Forged-sender bounce spam: how to avoid/mitigate?

Andrew Reilly areilly at bigpond.net.au
Fri Sep 26 13:12:07 EST 2008


On Thu, Sep 25, 2008 at 06:47:30PM +1000, Peter Jeremy wrote:
> On 2008-Sep-25 13:39:40 +1000, Andrew Reilly <areilly at bigpond.net.au> wrote:
> >Aargh!  I don't know what, if anything, I'm doing wrong, but
> >I'm attracting an awful lot of forged-sender bounce mail at the
> >moment:
> 
> I saw a lot starting a few weeks ago but nothing like the volume you
> are getting and it seems to have tapered off.

I admit that it seems to come and go in waves.  Today there's
not much at all, so far.  There's been more than one wave,
though.

> > of the 4500 or so messages in my freebsd mailing list
> >incoming folder, 3300 or so were this sort of spam.
> 
> Assuming your mail distribution is working, that means that the
> mails are actually bouncing through the FreeBSD mailing lists -
> I don't think I'm seeing any via that path.  What mailing list(s)
> are you seeing them on?

Not bounced through the mailing lists, but direct to my SMTP
server.  I'm doing subscription-name based pre-filtering (I
subscribe to the FreeBSD lists as andrew-freebsd@, and messages
are filtered off into a separate "in" box automatically).  I
could almost add a filter that just threw away all mail that
didn't have the list as the sender, but then I wouldn't see
reply posts that weren't also cc'd to the list.

Of course, since the mailing lists are available as web archives
in several places, those addresses are very easy to collect.

FreeBSD seems to have quite reasonable spam filters on the list
itself.

> >  They seem
> >to get past my Bayesian spam filter (bogofilter) quite easily.
> 
> Keep in mind that the filter needs something to learn from,
> though 3300 should be sufficient to stop them continuing.

Hah!  I keep my "this is spam" collection trimmed to the most
recent 200000 or so spam messages (so that the word count
approximately balances my good-mail word count.)  Unfortunately,
keeping it down to 200000 messages requires that I rotate my
badmail folders a lot more frequently now than was once the case.

> >  Anyone have any
> >effective strategies for mitigation?
> 
> An effective spam mitigation strategy would make you an instant
> millionaire or better.

True.  I guess I was just looking for a reality check, to see if
anyone else was getting the forged-Sender badly-configured-SMTP
spam bounce problem.

> >[Most of it seems to be to/from Russian or Korean addresses.
> 
> Likewise.

I had one sneak through the other day with a Cyrillic subject
line and the body in Hangul.  You have to think that that would
have had a terribly low "hit" rate, given the supposed number of
appropriately multi-lingual morons in the world.  If the
spammers don't even care about "hits", are they just doing it to
be annoying?  Weird.

Cheers,

-- 
Andrew

