Several people have been posting rules and ideas on filtering for the large numbers of bounce emails we're receiving because virus filters are bouncing virus emails back to addresses which didn't send them. If you haven't been there yet, you can find these rules at http://www.exit0.us/index.php/VirusBounceRules

I think some of these ideas are worth a wide audience, and so I'd like to post some of my ideas/comments/questions on the SA list. I've prefixed this subject with "VB", so those who don't want to read future messages on this topic can recognize them.

I'll quote from the page to explain why I'm interested in this activity:

> Increasingly, the latest Win32 viruses are causing storms of "your
> email was rejected" bounce messages, sent to addresses that are picked
> up from the victim's cache. For users of non-vulnerable platforms,
> these messages are almost more annoying than the virus itself. As a
> result, I reckon it'd be very handy to block them as well.

I'm not so much concerned about "non-vulnerable" platforms. What gets me is that in the past week all but two of these bounces have been to email addresses which are NOT used for sending out email. These are inbound-only email addresses, posted on our web site so customers can send email to the desired department or store (eg: [EMAIL PROTECTED]). When we receive those emails, we reply from our personal email accounts -- the manager of the above store would respond from [EMAIL PROTECTED], not from [EMAIL PROTECTED]

I've therefore created a simple header rule to identify email destinations to which ANY bounce is necessarily invalid:

> header RM_vbt_CWnosend ToCc =~ /(?:Help|Sales|...)\@(?:dom1|dom2)\.(?:com|org)/i
> describe RM_vbt_CWnosend Destination is to a CW address from which we do not send emails
> score RM_vbt_CWnosend 0.01

I've then created rules which identify virus (and/or spam) bounces, some by the "from" header (eg: AOL's mailer daemon), some by the subject (eg: "MailMarshal has detected a Virus in your message"), and some by the body content (eg: "Unrepairable Virus Detected"). Each of these rules is scored 0.01 as above, primarily so I can see them in email headers and validate their activity. Once I'm done with this development, I expect to drop them to "__xxx" internal rules with no score.

I then use meta rules to combine these into bounce identification rules, eg:

> meta RM_VB_MailMarshalV RM_vbt_CWnosend + RM_vbs_MailMarshalV > 1
> describe RM_VB_MailMarshalV MailMarshal system bounced back a virus we did not send
> score RM_VB_MailMarshalV 9.0
>
> meta RM_VB_MailWatchV RM_vbt_CWnosend + RM_vbf_MailWatch + RM_vbb_MailWatchV > 2
> describe RM_VB_MailWatchV MailWatch system bounced back a virus we did not send
> score RM_VB_MailWatchV 9.0

Once I've validated these against a bounce, I score them at my spam threshold, so that the SA "X-Spam-Flag: YES" header gets turned on. I then let my SA setup filter these as spam into my spamtrap, and I let my email client filter on the "RM_VB_" rule name to send these into a virustrap folder.

(I've had to bump up a score or two -- Ebay is receiving these viruses and/or spam, and auto-responding to these addresses. Because such Ebay replies are normally OK, I've had to bump the RM_VB_EbayBounce score to 18.0 to counter the normal negative score Ebay responses get. This is where I get a lot of benefit from my CWnosend rule -- I *KNOW* nobody placed an Ebay bid using these email addresses.)

Question 1: Is my experience here unique? I have a number of email addresses which are very heavily hit by spam, and none of them have received any significant number of bounces. These bounces seem to be hitting only the most visibly web-published addresses. Am I just lucky, or are others seeing similar patterns?

Question 2: The rules on the Wiki page are all named VBOUNCE_..., and the page suggests filtering on these VBOUNCE names, just as I filter on RM_VB_ above. But ALL of the rules are named VBOUNCE_..., including those that are not by themselves sure signs of anything, for example:

> header VBOUNCE_THANKYOU Subject =~ /(Re: ?)+Thank you!?\b/i
> describe VBOUNCE_THANKYOU Virus bounce - variation on Re: Thank you!
> score VBOUNCE_THANKYOU 3.0

It seems this rule might match a lot of normal emails which aren't bounces, and it would be just one rule among many listed in an email header where the score itself could be negative. Is anyone using these rules running into false positives because of this? To avoid what appears to be a problem here, I have named all my intermediate rules RM_vbx_..., where the "x" indicates the type of rule, and all final rules which say "yes, this is an invalid bounce" as "RM_VB_...". Am I being over-cautious about this?

Question 3: I personally see no difference between a virus bounce or a spam bounce sent to an email address which couldn't possibly have sent out the original email (because we don't send emails out from that address). I therefore treat them identically.

Then there are the bounces which are joe-jobs (spammer A sends spam to victim B "from" victim C -- bounces and complaints go to victim C). Again, I haven't seen virus bounces of this type (though others apparently have), but I have seen a lot of spam bounces of this type. I have no way of knowing whether a simple "the email you sent to [EMAIL PROTECTED] could not be delivered -- unknown user" is an honest bounce (someone we did actually send email to changed email addresses) or is a spam bounce. If the spam is returned with it, then the contents of the spam will usually match enough rules that the bounce is flagged as spam and treated accordingly, but otherwise we let these bounces through.

Virus bounces are another thing: a) we don't want viruses being returned to our less technically savvy users, and b) our systems don't let outbound viruses be sent. So those I'll be trapping and filtering.

How do others feel about these actions, and do you have any recommendations for us?

Bob Menschel
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
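The rule scheme described in the post above (an inbound-only destination rule, per-signature bounce rules scored at 0.01, and RM_VB_ meta rules that only score when the destination rule and a bounce signature both fire) simulated in Python, as an added example that is not code from the post or from SpamAssassin. The addresses and domains (help/sales/support at example.com/example.org), the MailWatch From signature, the spam threshold of 5.0 and the four sample messages are all constructed assumptions standing in for the placeholders in the post; the THANKYOU subject pattern is kept as an unscored-in-practice intermediate rule, following the poster's RM_vbx_ naming rather than the wiki's 3.0 score.

```python
import re
from email import message_from_string

THRESHOLD = 5.0  # assumed spam threshold; the post scores its meta rules "at my spam threshold"

# Assumed inbound-only addresses and domains, standing in for the
# "Help|Sales|..." and "dom1|dom2" placeholders in the post.
INBOUND_ONLY_RE = re.compile(r"(?:help|sales|support)@example\.(?:com|org)", re.I)

# Atomic rules: (pseudo-header, pattern). "ToCc" is To and Cc joined, as in SA.
HEADER_RULES = {
    "RM_vbt_CWnosend":     ("ToCc",    INBOUND_ONLY_RE),
    "RM_vbs_MailMarshalV": ("Subject", re.compile(r"MailMarshal has detected a Virus in your message", re.I)),
    "RM_vbf_MailWatch":    ("From",    re.compile(r"\bMailWatch\b", re.I)),  # assumed From signature
    "RM_vbs_THANKYOU":     ("Subject", re.compile(r"(Re: ?)+Thank you!?\b", re.I)),
}
BODY_RULES = {
    "RM_vbb_MailWatchV": re.compile(r"Unrepairable Virus Detected", re.I),
}
# Meta rules in SpamAssassin's arithmetic form: each name counts 1 if it hit, else 0.
META_RULES = {
    "RM_VB_MailMarshalV": "RM_vbt_CWnosend + RM_vbs_MailMarshalV > 1",
    "RM_VB_MailWatchV":   "RM_vbt_CWnosend + RM_vbf_MailWatch + RM_vbb_MailWatchV > 2",
}
# Intermediate rules score 0.01 so they show up in headers; only RM_VB_ rules carry weight.
SCORES = {name: 0.01 for name in list(HEADER_RULES) + list(BODY_RULES)}
SCORES.update({"RM_VB_MailMarshalV": 9.0, "RM_VB_MailWatchV": 9.0})

_TOKEN = re.compile(r"\s*([A-Za-z_]\w*|\d+(?:\.\d+)?|&&|\|\||[-+*/()<>!=]=?)")


def eval_meta(expr: str, hits: set) -> bool:
    """Evaluate an SA-style meta expression against the set of rule names that hit.

    The expression comes from the rule config, never from the mail. Every token is
    rewritten to a literal 0/1, a number, or an allow-listed operator before eval(),
    so the evaluator sees nothing but arithmetic and boolean operators.
    """
    out, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unsupported meta syntax near {expr[pos:]!r}")
        tok, pos = m.group(1), m.end()
        if re.fullmatch(r"[A-Za-z_]\w*", tok):
            out.append("1" if tok in hits else "0")
        else:
            out.append({"&&": "and", "||": "or", "!": "not"}.get(tok, tok))
    return bool(eval(" ".join(out), {"__builtins__": {}}, {}))


def scan(raw: str) -> dict:
    """Run the atomic rules, then the meta rules, over one message; return hits, score, flag."""
    msg = message_from_string(raw)
    headers = {
        "ToCc": " ".join(v for v in (msg.get("To", ""), msg.get("Cc", "")) if v),
        "Subject": msg.get("Subject", ""),
        "From": msg.get("From", ""),
    }
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = {name for name, (hdr, pat) in HEADER_RULES.items() if pat.search(headers[hdr])}
    hits |= {name for name, pat in BODY_RULES.items() if pat.search(body)}
    # Meta rules are decided only after every atomic rule has been evaluated.
    hits |= {name for name, expr in META_RULES.items() if eval_meta(expr, hits)}
    score = round(sum(SCORES[name] for name in hits), 2)
    return {"hits": sorted(hits), "score": score, "flag": score >= THRESHOLD}


# Constructed sample messages (not captured traffic).
SAMPLES = {
    # MailMarshal virus notice to the inbound-only sales@ address: both halves of
    # the meta rule fire and the message crosses the threshold.
    "mailmarshal_to_inbound_only": """\
From: MailMarshal <postmaster@mail.example.net>
To: sales@example.com
Subject: MailMarshal has detected a Virus in your message

Your message was not delivered because it contained a virus.
""",
    # Same notice to the store manager's personal address, which does send mail:
    # only the 0.01 signature rule hits, so the bounce is left alone.
    "mailmarshal_to_personal": """\
From: MailMarshal <postmaster@mail.example.net>
To: manager@example.com
Subject: MailMarshal has detected a Virus in your message

Your message was not delivered because it contained a virus.
""",
    # Genuine customer reply whose subject matches the wiki's THANKYOU pattern:
    # two intermediate rules hit but no RM_VB_ rule, so it scores only 0.02.
    "thankyou_to_inbound_only": """\
From: customer@example.net
To: sales@example.com
Subject: Re: Thank you!

Thanks for sorting out my order so quickly.
""",
    # MailWatch virus notice to help@: From, body and destination all match.
    "mailwatch_to_inbound_only": """\
From: MailWatch <postmaster@mx.example.net>
To: help@example.org
Subject: Virus notification

Unrepairable Virus Detected. Your mail has not been delivered.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        r = scan(raw)
        print(f"{label:28} score={r['score']:5.2f} flag={r['flag']!s:5} hits={r['hits']}")
```

The third sample is the case behind Question 2: a subject-only pattern fires on ordinary mail, and whether that is harmless depends entirely on whether it carries its own score or only contributes to a meta rule. The second sample shows what the CWnosend gate buys: an identical bounce to an address that does send mail is left to the normal spam scoring.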