Hi!

On Wed, Sep 26, 2007 at 02:03:03PM -0700, Rob wrote:
>[...]

>While watching the connection logs, I've noticed that a large majority
>of spammers get the first spamd response ("250 Hello, spam sender.
>Pleased to be wasting your time.") and immediately disconnect. This
>suggests to me that rather than spend time trying to get whitelisted
>by spamd servers, they've mostly decided to skip them entirely and
>move on to servers that aren't running spamd.

Interesting. Do you think they pattern match on the response, or do you
think they disconnect if the initial greeting takes too long (spamd
"stutters" for the first 10 seconds, in its default settings)? I'd guess
the latter.

>[...]

>We've also been hit by backscatter, and I haven't had the time to
>figure out how to stop that one yet.

For some, signed envelope senders or variations thereof work. That
depends on a few circumstances.

The basic idea is this:

My email address is [EMAIL PROTECTED] Normal mail installations would
send mails out with both the From header *and* the envelope sender set
to [EMAIL PROTECTED] SES and similar schemes instead create a modified
sender address like [EMAIL PROTECTED] That is used
in the envelope. The header From address is left unmodified. "TAG" is a
tag saying "this is an address created using the envelope signing
scheme", hannah is the original local part, timestamp can be made short
by making it have only day granularity, and perhaps even only days
modulo 2^.... sig is a MAC, created from the local part, the timestamp
and a host specific key.

When a legitimate bounce (empty envelope from) is received, it must be
in response to a mail recently sent out from our domain. If all mails
sent out from our domain use the envelope signing scheme, bounces need
only be accepted if they are to *signed* addresses that are recent
enough and have a valid MAC. Bounces that don't fulfill that can be
rejected (I'd reject after DATA or later so address verification will
not lead to false positive rejects in other situations). In addition,
bounces should be only addressed to exactly *one* recipient...

Some also use SRS (sender rewriting scheme, from the SPF people),
signing their own envelope as if the mail were forwarded, and accept
bounce traffic only to SRS'ed addresses.

>- R.

Kind regards,

Hannah.
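
The signing and bounce check described in the message above, as an added Python sketch that is not part of the original mail. The `ses=local=day=sig` address layout, the truncated HMAC-SHA256, the day counter modulo 1024, the 7-day window, the key and `example.org` are all assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumed parameters for this sketch; none of these values come from the mail.
KEY = b"constructed-host-secret"  # host-specific MAC key
TAG = "ses"                       # marks an address made by the signing scheme
DAY_MOD = 1024                    # day-granularity timestamp wraps at this value
MAX_AGE_DAYS = 7                  # how long a signed address is "recent enough"
SIG_LEN = 10                      # hex characters kept from the MAC
DAY = 86400


def _mac(local, day):
    # MAC over the local part and the timestamp, keyed with the host key.
    msg = f"{local.lower()}|{day}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()[:SIG_LEN]


def sign_sender(local, domain, now):
    """Envelope sender for outgoing mail; the header From is left unmodified."""
    day = int(now // DAY) % DAY_MOD
    return f"{TAG}={local}={day}={_mac(local, day)}@{domain}"


def accept_bounce(rcpts, now):
    """Decide on a message that arrived with an empty envelope sender."""
    if len(rcpts) != 1:
        return False  # bounces are addressed to exactly one recipient
    fields = rcpts[0].rpartition("@")[0].split("=")
    if len(fields) < 4 or fields[0].lower() != TAG:
        return False  # not a signed address
    local = "=".join(fields[1:-2])  # the local part may itself contain "="
    day_s, sig = fields[-2], fields[-1]
    if not (day_s.isascii() and day_s.isdigit()):
        return False
    day = int(day_s)
    today = int(now // DAY) % DAY_MOD
    # Modular age: survives counter wrap-around, and a "future" day comes out
    # as a very large age and is rejected.
    if (today - day) % DAY_MOD > MAX_AGE_DAYS:
        return False
    # Constant-time comparison of the expected and the presented MAC.
    return hmac.compare_digest(_mac(local, day).encode(), sig.lower().encode())
```

The function only returns the decision; at which SMTP stage the reject is issued is up to the MTA hook that calls it.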
