I went ahead and upgraded to 2.43 yesterday afternoon, deleted the whitelist, and let it start rebuilding.

As for the Joe-Jobs...has anyone had luck actually getting these caught by SA, or coming up with local rules for these? The poor guy here is getting pounded with them. It actually caught one, due to enough spammy content that it overrode the negative MAILER_DAEMON scores, but the majority are short enough that they don't, with the header stuff hidden in the bounce.

I was thinking about a rule that looked for "The original message was received at" and didn't have an IP address in our range that followed in the next 150 characters or so. Something like:

body BAD_BOUNCE /The original message was received at (?!.{10,150}\[129\.116\.190\.)/
describe BAD_BOUNCE Message was bounced after being sent with forged from
score BAD_BOUNCE 20.0

I realize this isn't foolproof (if he sends a message while at home through his ISP's SMTP server and it bounces), but he seems willing to go for it. And since most of his bounces come from AOL, it should catch most.

Any other suggestions are appreciated,
John

Matt Sergeant wrote:

John Schutz said the following on 05/11/02 16:25:

> One of my users has been getting these about once a day.  What it
> looks like is happening is that since AOL doesn't immediately report
> back with a 550 user unknown, the spammer can fill in a return address
> of my user, so the bounce ends up in his mailbox.  The other option is
> that they're trying to spam this aol address, and for some reason
> chose this guy's address to forge from...this seems less likely than
> the first.


No, it's the latter. It's called a Joe-Job. Do a Google search for more
info. Happens to me regularly.

Oh, and you should upgrade. 2.3x is well out of date, and the AWL is
dumb in 2.3x. It's much smarter in 2.43.

Matt.



-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld.
Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
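
An added example, not part of the original message or of SpamAssassin: a small Python harness that runs the BAD_BOUNCE pattern proposed above against constructed bounce excerpts, including the home-ISP false positive John mentions. The sample texts, host names and the whitespace-joining step (an approximation of how a body rule sees a paragraph) are assumptions.

```python
import re

# Pattern copied from the BAD_BOUNCE rule in the message above.
BAD_BOUNCE = re.compile(
    r"The original message was received at (?!.{10,150}\[129\.116\.190\.)"
)

def rule_hits(raw: str) -> bool:
    # Assumption: line breaks inside the bounce text are joined with spaces
    # before matching; a simplification, not SpamAssassin's own rendering.
    return BAD_BOUNCE.search(" ".join(raw.split())) is not None

def hits_unjoined(raw: str) -> bool:
    # Same pattern on the raw text: "." stops at the newline, so the
    # lookahead never reaches the bracketed IP on the next line.
    return BAD_BOUNCE.search(raw) is not None

# Constructed sendmail-style bounce excerpts (not real mail).
FORGED = """The original message was received at Tue, 5 Nov 2002 03:12:44 -0500 (EST)
from unknown.example.net [192.0.2.77]

   ----- The following addresses had permanent fatal errors -----
<nosuchuser@aol.example>"""

LOCAL = """The original message was received at Tue, 5 Nov 2002 09:30:10 -0600 (CST)
from desk.example.edu [129.116.190.25]

   ----- The following addresses had permanent fatal errors -----
<typo@aol.example>"""

# The caveat from the message: the user's own mail relayed by a home ISP.
HOME_ISP = LOCAL.replace("desk.example.edu [129.116.190.25]",
                         "dsl-pool.isp.example [198.51.100.9]")

# A bounce that never prints the trigger phrase is not scored at all.
OTHER_MTA = "Delivery to the following recipient failed: x@aol.example"

SAMPLES = {"forged": FORGED, "local": LOCAL,
           "home_isp": HOME_ISP, "other_mta": OTHER_MTA}

def classify_all() -> dict:
    return {name: rule_hits(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify_all().items():
        print(f"{name:10s} BAD_BOUNCE={'hit' if hit else 'miss'}")
    print("local, unjoined:", "hit" if hits_unjoined(LOCAL) else "miss")
```

The last line shows that a legitimate bounce is also scored if the date and the relay IP reach the pattern on separate lines, so the rule is worth checking against a few saved bounces before giving it a score of 20.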


