This is as days pass by, by Stuart Langridge

And this is Drowning in the backscatter, concerning Rants, Software

Every now and again, some shit-eyes of a spammer decides to send a million spams and forge my address as the sender. So I come back to my email and find four hundred messages, all of which say something along the lines of "your message was rejected because it was spam", or "the user arsefish@example.org does not exist", or "I'm on holiday until Dec. 31st". This is pretty annoying. What I want to know is: how can I not drown under the weight of this backscatter?

I can't go round to each mail server admin that does it and forcibly administer a fatal beating, much as I'd like to. I read my mail with Gmail, so I can't use procmail to filter it all first (not to mention the fact that trying to use procmail has a very similar pain/productiveness ratio to trying to insert the Empire State Building down my urethra). I'm frightened to actually mark these backscattered bounces as spam in Gmail, because if I myself actually mail someone and get a message back saying "I'm on holiday for two weeks" then I don't want that marked as spam -- I want to see it.

Part of the problem here is that everything at kryogenix.org goes to me, so when spam is forged from non-existent addresses at kryogenix.org, I get the bounces. I could avoid this by blackholing all addresses that aren't specific ones that I use, but I really like the convenience of being able to subscribe to mailing lists with the address "name-of-your-mailing-list at kryogenix.org", so I can tell if people sell their subscription list to spammers. Suggestions welcomed.

I tried creating a Gmail filter that looked for mail that (a) wasn't addressed to one of my main addresses, (b) wasn't a mailing list mail, and (c) contained words like "bounce", "account", "spam", etc., and then adding the label "probably-spam-bounce" to it, so that I could see if this technique would work. It doesn't; on an average "get 400 bounces" day, it catches about 60% of them, which isn't much good, and worse, it occasionally matches real actual email I get, like Amazon "you have just purchased this item" emails.

If anyone has suggestions for a better Gmail filter, or can confirm that I'm OK to tell Gmail to classify these messages as spam without much risk of many false positives, speak up. If your suggestion is "don't use Gmail" or "fetch all your email with POP and run it through procmail", then I don't want to do that; I understand that those methods might be better, and if deleting five hundred bounces every week is the price I pay, then I'll pay that price.

Comments

Aquarion

First: Fuck me, that's pink. I mean, I know I didn't like the black'n'beige, but pink?

Second, while it fucks your current situation, I've dealt with the catch-all handiness by using 'mailbox' matching on email addresses, so aq-fuxxor[at]gkhs.net goes to the same place as aq[at]gkhs.net, which is also gmail.

Gmail supports this too, though it's undocumented. sil+fuxxor[at]gmail.com will still go to your sil@ gmail account.

My suggestion is therefore to set up that on kryogenix (or get Friendly Neighbourhood Sysadmin to do it) and blackhole anything that isn't a valid mailbox. Course, you'll have to redo your subscriptions, but the time it saves is useful.

(Edited. Why tafook does your parser hyperlink email addresses?)

Paul

Aaagh, someone bled on your website!

Looking forward to finding the solution. In the same situation as you.

Tried more or less the same thing as Aq, but eventually setting up filter after filter on paul-sub-to-stupid-website@dellah.com got to be time-consuming and the setup broke.

sil

Aquarion: I got bored with the black and beige, so I got halfway through doing something nice (and dark pink) and got bored with that as well and just put up what I had. Web design is so time-consuming and irritating.


I'm the same as Paul, I'm afraid; having to go and add $NEW_ADDRESS to my don't-delete-this list every time I created a $NEW_ADDRESS annoyed me.


Since I actually sign up for stupid-new-site as sil-stupidnewsite at kryogenix.org, I suppose I could blackhole everything that doesn't match sil-*. Gmail doesn't seem to let me do wildcard matching in a filter, though, as far as I can tell...

No'

Dear You,

I'm on holiday at the moment, thus I can't access your blog until Jan 2nd.

Until that date, if this post is definitely interesting for me, please contact my personal assistant and she'll forward your message.

Thank you very much.

--

No', French wing of the LR massive.

sil

Bruno: fuck off. :)

resiak

I'm glad you're so secure in your masculinity.

Do you have some minimal mail server running on kryogenix.org forwarding everything to gmail? If so, surely you could relatively easily only forward sil@ and sil-*@?

(Also, "some shit-eyes of a spammer". Are you trying to reduce all of our eyes in the same way?)

mrben

O.

M.

G.

I thought you'd been hacked. Are you coming out of the closet, what with the pink and the picture?

Alex Willmer

I believe Sender Policy Framework can reduce this. An SPF record for your domain states which server(s) may send email with a FROM address containing your domain. The server(s) may be directly specified by IP, subnet or by indirection.

1. A mail server receives an SMTP connection, from a spammer that is using your email address.

2. The mail server looks up the SPF record for your domain.

3. The mail server determines that the spammer's IP/FQDN is not authorised for your domain.

4. The connection is rejected.

Of course the mail server needs to implement SPF lookups, but it could prevent a good proportion of that backscatter.
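The four-step check above, as an added example that is not part of the comment or of any SPF implementation: a small evaluator that reads a domain's SPF record from a constructed dictionary standing in for DNS (the domains, records and IP addresses are made up for this example) and returns the decision an MTA would take at MAIL FROM time. Only the ip4, ip6, include and all mechanisms are handled; a, mx, ptr and exists need live DNS and are treated as non-matching.

```python
"""Offline illustration of an SPF check at SMTP time (added example).

Assumptions: CONSTRUCTED_DNS_TXT replaces real DNS; the domains, records and
IP addresses in it are constructed for this example and belong to nobody.
"""
import ipaddress

# Constructed TXT records standing in for DNS (not real domains or servers).
CONSTRUCTED_DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, txt=CONSTRUCTED_DNS_TXT, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:               # cap include: recursion (RFC 7208 limits DNS terms to 10)
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"            # step 2: no usable SPF record for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mechanism == "include":
            # include: matches only if the referenced record evaluates to "pass"
            matched = check_spf(sender_ip, arg, txt, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists need live DNS; treated as non-matching here
            matched = False
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"             # no mechanism matched and no "all" term


def smtp_decision(sender_ip, mail_from, txt=CONSTRUCTED_DNS_TXT):
    """Steps 1-4 from the comment: decide at MAIL FROM time, before DATA.

    Rejecting here means the message is never accepted, so no bounce is
    generated later and the forged sender receives no backscatter from us.
    """
    domain = mail_from.rpartition("@")[2].lower()
    result = check_spf(sender_ip, domain, txt)
    if result == "fail":
        return "550 5.7.1 SPF fail: %s is not permitted to send for %s" % (sender_ip, domain)
    return "250 OK (spf=%s)" % result


if __name__ == "__main__":
    # A forged message from an unauthorised host is rejected at connection time.
    print(smtp_decision("203.0.113.7", "sil@example.org"))
    # Mail from the domain's real outbound host passes.
    print(smtp_decision("192.0.2.10", "sil@example.org"))
```

Note that only a hard "-all" result is rejected here; a "~all" softfail is accepted and merely recorded, which is the usual conservative deployment because softfail is what domains publish when they are unsure of their full outbound path (the forwarding problem raised in later comments).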

DaveB

Lordy.

Step One:

Postfix + postgrey

see: http://www.debian-administration.org/articles/168

This solves 90% of my spam problems, including this kind of backscatter crap. I went from about 400 - 500 spams in my inbox (per day), to something around 20 - 30. I am quite happy with that.

_daveb

Tack

Greylisting is great, but I don't see how it would help backscatter, since most backscatter is actually queued by a real MTA and will be retried.

Herb

As an alternative to downloading mail from GMail, you could use IMAPFilter (packages available in Debian and Ubuntu repositories at time of writing).

This will access your mail on the server and act on it. Granted, setting up IMAPFilter requires some work and a computer to house it -- and if you want to download messages and match them with regular expressions, you will have to use some Lua programming to do it. (Fortunately, this is an easy language to use. Unfortunately, it's still programming, which could be a lot to ask in this case.)

This is the approach I've taken in my sysadmin++ job when I need to do some filtering in an Exchange mailbox on the server, and Outlook's filters are laughably inadequate for the job (which is much of the time, unsurprisingly). It didn't seem onerous at the time to set it up, but then again, I was being paid! Weigh it against wading through the meta-spam for the rest of your life, I guess.

I hope this gives you some insight!

Adam Sweet

Vote #2 for SPF. SPF has its detractors as, among other things, it breaks forwarding unless you include all of the machines that your mail might go out through (i.e. Gmail, if you send your mail from Gmail), and it has to be supported at the receiving end, but SPF is designed to solve this kind of problem.

There are also some tips on rejecting backscatter with Exim here but I guess you're not running Exim (included here in case someone else with the same problem is), however some of the rules on the same page will mean you hardly get any mail at all, so exercise caution.

The hard and fast rule here is that the people bouncing shit back your way are as much part of the problem as the spammers are. You should always reject mail at SMTP time where possible, not accept the mail and then bounce it.

Just don't use catchalls. Set up all your addresses manually. It's painful if you've been using a catchall for years but the end result is that you get sooo much less spam and bouncebacks from crap you didn't send. For new domains, just say no to catchalls from the beginning.

Simon

Someone mentioned my article at Debian Administration on how to do Greylisting. But it doesn't stop this; do check the advice from Wietse linked at the end of the article.

I'm not sure if it is all applicable to Gmail, and a lot depends on how many, and which ways, you send email.

Ultimately if the computer is to reliably distinguish between bounces of what you sent, and bounces of forged email, it needs a way to establish the difference. SPF fails because it relies on everyone else to implement it, and that won't happen because it breaks forwarding.

Wietse has the poor man's solution, one can make a similar approach cryptographically secure in a similar fashion to DKIM.

On a more practical note, I suspect spammers preferentially use domains with catch-alls as senders, since then any call-back sender checks will succeed. As such, step 1: lose the catch-all and use the "-" or "+" extension (whichever Gmail accepts) to vary the email address you hand out.
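The point made above, that the receiving computer needs a way to tell bounces of mail you sent from bounces of forged mail, and that this can be done cryptographically, as an added example (not Wietse's Postfix setup, Simon's code, or any library's API): outgoing mail goes out with a tagged envelope sender carrying an HMAC over the address and a day counter, and a null-sender delivery is accepted only if its recipient address carries a valid, unexpired tag. The layout is modelled loosely on BATV-style sender tagging; the exact tag format, the key and the addresses are this example's own constructions.

```python
"""Signed envelope sender for telling real bounces from backscatter.

Added example. Assumptions: the tag layout prvs=<ddd><12 hex>=local@domain,
CONSTRUCTED_KEY and the example.org addresses are constructed here; a real
deployment keeps a private per-domain key and applies this in the MTA.
"""
import hashlib
import hmac
import re
import time

# Constructed key: in a deployment this is a private per-domain secret.
CONSTRUCTED_KEY = b"constructed-example-key-do-not-reuse"
TAG_TTL_DAYS = 7
TAG_RE = re.compile(r"^prvs=(\d{3})([0-9a-f]{12})=([^@]+)@(.+)$")


def _day_counter(now):
    """Three-digit day number, wrapping at 1000, so old tags expire."""
    return int((time.time() if now is None else now) // 86400) % 1000


def _tag(day, local, domain, key):
    """HMAC-SHA256 over day counter and address, truncated to 12 hex chars."""
    msg = ("%03d%s@%s" % (day, local, domain)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def sign_return_path(local, domain, key=CONSTRUCTED_KEY, now=None):
    """Envelope sender (MAIL FROM) to use on mail we send out."""
    day = _day_counter(now)
    return "prvs=%03d%s=%s@%s" % (day, _tag(day, local, domain, key), local, domain)


def verify_bounce_recipient(rcpt_to, key=CONSTRUCTED_KEY, now=None, ttl_days=TAG_TTL_DAYS):
    """True only if rcpt_to carries a tag we produced within ttl_days."""
    m = TAG_RE.match(rcpt_to)
    if not m:
        return False                       # untagged address: we never sent with it
    day_s, tag, local, domain = m.groups()
    expected = _tag(int(day_s), local, domain, key)
    if not hmac.compare_digest(tag, expected):
        return False                       # forged or tampered tag
    age = (_day_counter(now) - int(day_s)) % 1000
    return age <= ttl_days                 # tag too old: treat as replayed


def classify_inbound(mail_from, rcpt_to, key=CONSTRUCTED_KEY, now=None):
    """Decision at RCPT TO time. Bounces (DSNs) arrive with an empty MAIL FROM."""
    if mail_from != "":
        return "normal"                    # not a bounce; no tag check applies
    if verify_bounce_recipient(rcpt_to, key, now):
        return "bounce-for-our-mail"
    return "backscatter"                   # null sender to an address we never sent from


if __name__ == "__main__":
    outgoing = sign_return_path("sil", "example.org")
    print("MAIL FROM:<%s>" % outgoing)
    print(classify_inbound("", outgoing))              # bounce-for-our-mail
    print(classify_inbound("", "sil@example.org"))     # backscatter
```

The tag lives only in the envelope sender, so the From: header recipients see is unchanged; it is the bounce, which is always addressed to the envelope sender, that carries the tag back. This only works if the MTA that sends your mail can rewrite MAIL FROM and the MTA that receives it can run the check, which is exactly the "depends on how you send email" caveat above: mail sent directly from Gmail's web interface goes out with Gmail's envelope, not yours.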

Anonymous

Several possible solutions.

First, kill the wildcard email delivery, and drop all mail sent to any address which does not match some criteria, either "contains my normal email prefix" or "contains a magic word I designate". That should reduce your volume.

Second, do go ahead and report backscatter generators, both to postmaster@thedomain and more importantly *to their ISP as contributors to the spam problem*. This does in fact work, even with large ISPs.

Finally, if you feel like writing some code to solve the problem: find some way to keep a record of all mail servers yours contacted in the last X days, and drop bounces that do not come from one of those mail servers.

Tom

I have been merrily marking those emails as spam in my gmail to no *known* ill effects, although your volume of email is probably higher than mine.

Although it is a bit urgent, I like the new design. It's certainly very clear and still not white. I talk, of course, as someone who has only recently abandoned purple.

http://fragglet.livejournal.com/

I think your best option is probably to redirect all emails that aren't to one of your standard addresses to a separate label, then periodically go through and cherry-pick out anything that really was legitimate email. At least you can delete them in bulk by doing "select all->delete". Basically, what you've been doing, but cut the word filter.

Really though, your best option is to stop using your domain as a catch-all email address and just use a single, specific email address.

http://marnanel.livejournal.com/

I actually like the new design.

Aquarion

Marnanel: You are entitled to your wrong opinion.

Anonymous Coward

whatever

How To Spot A Psychopath :: One more reason to love spammers :: April :: 2008

[...] for me to MailWash all of those bounces out of existence. Actually filtering backscatter bounces is a bit tricky - in essence, you probably do want to receive bounces from messages you actually sent, and [...]
