I made a determination last week that joe-jobs currently present a much bigger problem than dictionary attacks on my system, and soon I will be gatewaying off of a different machine, which should solve the dictionary attack problem anyway (by accepting all messages). Because of this, I have been removing all of the nobody aliases for the domains that I host, though some of course are taking a little extra time because we're not totally sure what advertised addresses might have been used in some cases, or what dead accounts were being captured in this way as opposed to being set up as aliases and redirected somewhere.

Last week, one client that still had nobody active received about 150 bounce messages from AOL to addresses that didn't exist on this local domain (randomized). AOL wasn't bouncing any content which could be scored, and every last one of these messages landed in the manager's account. Obviously this was a big problem, and as soon as we became aware of it, we got rid of the nobody alias. This fixed their immediate problem, though it doesn't fix problems where the address is forged to be a real account (there's a mix of this going on).

I've also just started building some spamtraps on some unused domains that I own. One account that I created last night is being used exclusively to unsubscribe from garbage that I get in a Web mail account of mine, as well as to subscribe to contest sites. To my astonishment, within 12 hours of creating this account, someone joe-jobbed it in a piece of spam sent to some account that didn't exist, and it was clearly spam that was sent with this from address. There is no way that this account was randomly guessed.

The preventive action that I'm taking to help protect from such things, besides removing the nobody alias, is to create a filter that checks for the null sender. I'm capturing all hits to this filter, and I am also scoring it at 50% of my fail weight, though that may rise. I figure that the bounces that contain spam content will have an easier time getting held, and for the most part, bounce messages are only failing CMDSPACE, so this isn't stopping messages that don't contain spam content (so far).

There was a suggestion by someone that a system be made that tracked repeated bounces, such as the AOL one described above. I feel that this may be the best way long term to maintain bounce functionality in the face of a problem that will likely get much worse over time. For now at least, the issue is mostly mitigated since most such things utilize fake users on joe-jobbed domains.

Matt

--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
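Added example (not from Matt's post and not Declude's own code) modelling the two mechanisms the message describes: accepting or refusing unknown recipients depending on whether a "nobody" catch-all alias exists, scoring null-sender (MAIL FROM:<>) messages at half the fail weight, and the suggested tracker that counts repeated null-sender bounces from one source host so a flood like the AOL one can be held even when it is aimed at a real account. The fail weight of 100, the flood threshold of 10 per hour, the host and address names, and the envelope records are all constructed assumptions.

```python
"""Backscatter (joe-job bounce) handling: RCPT policy, null-sender scoring,
and a per-source repeat-bounce tracker. Added example; all values are
assumed, not Declude settings."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

FAIL_WEIGHT = 100            # assumed: score at or above which a message is held
NULL_SENDER_FRACTION = 0.5   # the post's "50% of my fail weight"
FLOOD_THRESHOLD = 10         # assumed: null-sender messages from one host per window
FLOOD_WINDOW = 3600          # assumed: window in seconds


@dataclass(frozen=True)
class Envelope:
    ts: int         # unix time the message arrived
    mail_from: str  # envelope sender; "" is the SMTP null sender, MAIL FROM:<>
    rcpt_to: str    # envelope recipient
    source: str     # connecting host, the key for repeat-bounce tracking


def local_part(addr: str) -> str:
    return addr.split("@", 1)[0].lower()


def accept_recipient(env: Envelope, local_users: set, nobody_alias: bool) -> bool:
    """RCPT-time decision. With no 'nobody' catch-all, mail to an unknown local
    part is refused, which is what stops randomized backscatter at the door."""
    return local_part(env.rcpt_to) in local_users or nobody_alias


def score_envelope(env: Envelope, body_score: int) -> Tuple[float, List[str]]:
    """Add the null-sender weight on top of whatever the content filters gave
    (0 for the empty AOL bounces). A bounce carrying spam content therefore
    reaches the fail weight; an empty bounce on its own does not."""
    score, reasons = float(body_score), []
    if env.mail_from == "":
        score += FAIL_WEIGHT * NULL_SENDER_FRACTION
        reasons.append("NULLSENDER")
    return score, reasons


class BounceTracker:
    """Sliding-window count of null-sender messages per source host."""

    def __init__(self, threshold: int = FLOOD_THRESHOLD, window: int = FLOOD_WINDOW):
        self.threshold, self.window = threshold, window
        self._seen: Dict[str, Deque[int]] = defaultdict(deque)

    def record(self, env: Envelope) -> int:
        """Record a null-sender message and return the source's count in the
        window. Messages with a real sender are not bounces and return 0."""
        if env.mail_from != "":
            return 0
        q = self._seen[env.source]
        q.append(env.ts)
        while q and q[0] < env.ts - self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q)

    def flooding(self, env: Envelope) -> bool:
        return self.record(env) >= self.threshold


def process(envelopes, local_users, nobody_alias, tracker) -> List[Tuple[str, str]]:
    """Return (recipient, action) per envelope: REJECT_RCPT, HOLD or DELIVER."""
    actions = []
    for env in envelopes:
        if not accept_recipient(env, local_users, nobody_alias):
            actions.append((env.rcpt_to, "REJECT_RCPT"))
            continue
        score, reasons = score_envelope(env, body_score=0)  # constructed: no scorable body
        if tracker.flooding(env):
            score += FAIL_WEIGHT
            reasons.append("BOUNCEFLOOD")
        actions.append((env.rcpt_to, "HOLD" if score >= FAIL_WEIGHT else "DELIVER"))
    return actions


def sample_envelopes() -> List[Envelope]:
    """Constructed traffic: 12 empty bounces to random local parts, one empty
    bounce to a real account, then one ordinary message with a real sender."""
    base, aol = 1_000_000, "mailin-01.mx.example-aol.invalid"
    envs = [Envelope(base + 10 * i, "", f"x{i}@example.com", aol) for i in range(12)]
    envs.append(Envelope(base + 200, "", "manager@example.com", aol))
    envs.append(Envelope(base + 300, "alice@example.net", "manager@example.com", "mail.example.net"))
    return envs


def demo(nobody_alias: bool) -> List[Tuple[str, str]]:
    return process(sample_envelopes(), {"manager", "sales"}, nobody_alias, BounceTracker())


if __name__ == "__main__":
    for flag in (True, False):
        print(f"nobody alias = {flag}")
        for rcpt, action in demo(flag):
            print(f"  {rcpt:24} {action}")
```

With the alias still in place the first nine empty bounces are delivered at a score of 50 (the post's "every last one landed in the manager's account"), and only from the tenth does the flood counter push them over the fail weight; with the alias removed the randomized ones are refused at RCPT time, while the one forged to the real manager account is still delivered, which is the residual problem the post describes.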


--- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.