> -----Original Message-----
> From: Robert Menschel [mailto:[EMAIL PROTECTED]
> Sent: Sunday, August 24, 2003 8:31 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] [VB] Virus Bounce filtering
>
> Several people have been posting rules and ideas on filtering for the large numbers of bounce emails we're receiving because virus filters are bouncing virus emails back to addresses which didn't send them. If you haven't been there yet, you can find these rules at http://www.exit0.us/index.php/VirusBounceRules
>
> I think some of these ideas are worth a wide audience, and so I'd like to post some of my ideas/comments/questions on the SA list. I've prefixed this subject with "VB", so those who don't want to read future messages on this topic can recognize them.
>
> I'll quote from the page to explain why I'm interested in this activity:
>
> > Increasingly, the latest Win32 viruses are causing storms of "your email was rejected" bounce messages, sent to addresses that are picked up from the victim's cache. For users of non-vulnerable platforms, these messages are almost more annoying than the virus itself. As a result, I reckon it'd be very handy to block them as well.
>
> I'm not so much concerned about "non-vulnerable" platforms. What gets me is that in the past week all but two of these bounces have been to email addresses which are NOT used for sending out email. These are inbound-only email addresses, posted on our web site so customers can send email to the desired department or store (eg: [EMAIL PROTECTED]). When we receive those emails, we reply from our personal email accounts -- the manager of the above store would respond from [EMAIL PROTECTED], not from [EMAIL PROTECTED]
>
> I've therefore created a simple header rule to identify email destinations to which ANY bounce is necessarily invalid:
>
> header RM_vbt_CWnosend ToCc =~ /(?:Help|Sales|...)\@(?:dom1|dom2)\.(?:com|org)/i
> describe RM_vbt_CWnosend Destination is to a CW address from which we do not send emails
> score RM_vbt_CWnosend 0.01
>
> I've then created rules which identify virus (and/or spam) bounces, some by the "from" header (eg: AOL's mailer daemon), some by the subject (eg: "MailMarshal has detected a Virus in your message"), and some by the body content (eg: "Unrepairable Virus Detected").
>
> Each of these rules is scored 0.01 as above, primarily so I can see them in email headers and validate their activity. Once I'm done with this development, I expect to drop them to "__xxx" internal rules with no score.
>
> I then use meta rules to combine these into bounce identification rules, eg:
>
> meta RM_VB_MailMarshalV RM_vbt_CWnosend + RM_vbs_MailMarshalV > 1
> describe RM_VB_MailMarshalV MailMarshal system bounced back a virus we did not send
> score RM_VB_MailMarshalV 9.0
>
> meta RM_VB_MailWatchV RM_vbt_CWnosend + RM_vbf_MailWatch + RM_vbb_MailWatchV > 2
> describe RM_VB_MailWatchV MailWatch system bounced back a virus we did not send
> score RM_VB_MailWatchV 9.0
>
> Once I've validated these against a bounce, I score them at my spam threshold, so that the SA "X-Spam-Flag: YES" header gets turned on. I then let my SA setup filter these as spam into my spamtrap, and I let my email client filter on the "RM_VB_" rule name to send these into a virustrap folder.
>
> (I've had to bump up a score or two -- Ebay is receiving these viruses and/or spam, and auto-responding to these addresses. Because such Ebay replies are normally OK, I've had to bump the RM_VB_EbayBounce score to 18.0 to counter the normal negative score Ebay responses get. This is where I get a lot of benefit from my CWnosend rule -- I *KNOW* nobody placed an Ebay bid using these email addresses.)
>
> Question 1: Is my experience here unique? I have a number of email addresses which are very heavily hit by spam, and none of them have received any significant number of bounces. These bounces seem to be hitting only the most visibly web-published addresses. Am I just lucky, or are others seeing similar patterns?
>
> Question 2: The rules on the Wiki page are all named VBOUNCE_..., and it suggests filtering on these VBOUNCE names, just as I filter on RM_VB_ above. But ALL of the rules are named VBOUNCE_..., including those that are not by themselves sure signs of anything, for example:
>
> header VBOUNCE_THANKYOU Subject =~ /(Re: ?)+Thank you!?\b/i
> describe VBOUNCE_THANKYOU Virus bounce - variation on Re: Thank you!
> score VBOUNCE_THANKYOU 3.0
>
> It seems this rule might match a lot of normal emails which aren't bounces, and it would be just one rule among many listed in an email header where the score itself could be negative. Is anyone using these rules running into false positives because of this?
>
> To avoid what appears to be a problem here, I have named all my intermediate rules RM_vbx_..., where the "x" indicates the type of rule, and all final rules which say "yes, this is an invalid bounce" as "RM_VB_...". Am I being over-cautious about this?
>
> Question 3: I personally see no difference between a virus bounce or a spam bounce sent to an email address which couldn't possibly have sent out the original email (because we don't send emails out from that address). I therefore treat them identically.
>
> Then there are the bounces which are joe-jobs (spammer A sends spam to victim B "from" victim C -- bounces and complaints go to victim C). Again, I haven't seen virus bounces of this type (though others apparently have), but I have seen a lot of spam bounces of this type.
>
> I have no way of knowing whether a simple "the email you sent to [EMAIL PROTECTED] could not be delivered -- unknown user" is an honest bounce (someone we did actually send email to changed email addresses) or is a spam bounce. If the spam is returned with it, then the contents of the spam will usually match enough rules that the bounce is flagged as spam and treated accordingly, but otherwise we let these bounces through.
>
> Virus bounces are another thing: a) we don't want viruses being returned to our less technically savvy users, and b) our systems don't let outbound viruses be sent. So those I'll be trapping and filtering.
>
> How do others feel about these actions, and do you have any recommendations for us?
>
> Bob Menschel
>
I like the way you are handling this. I too am only seeing bounces to the email addresses that are the most public. Your idea of trying to separate virus+spam bounces from legit bounces with SA is good in my opinion. Especially with such tags like the known virus subjects and file names like pic.gif to look for.

All of the SoBig.f viruses that came in cleaned were marked as spam for our company and dumped into the spamtrap. No user saw them. Last Thursday I blocked an IP in China who was sending them to 2 emails here like mad! The next day I came in and saw 1813 rejections in the log!! Another on Friday had a few sent to the same addresses, but nothing big. So I didn't block. Bad idea. 800+ emails this morning. Again, overseas. Spammers got the virus.

As long as you test for legit bounces, you should be fine. Good call on the VBOUNCE label. You're right, some of those rules can match legit bounces.

--Chris Santerre

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
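To show how Bob's inbound-only-address rule (CWnosend) and a bounce-signature rule combine through a meta rule, here is an added Python example; it is not code from the thread or from SpamAssassin itself, but a small evaluator for rules written in the syntax quoted above. The domain example.com, the trimmed patterns and the sample bounce are constructed assumptions.

```python
import re
from email import message_from_string
# Constructed rules in the SpamAssassin syntax quoted above (hypothetical domain).
RULES = r"""
header RM_vbt_CWnosend ToCc =~ /(?:Help|Sales)\@example\.(?:com|org)/i
header RM_vbs_MailMarshalV Subject =~ /MailMarshal has detected a Virus in your message/i
meta RM_VB_MailMarshalV RM_vbt_CWnosend + RM_vbs_MailMarshalV > 1
score RM_VB_MailMarshalV 9.0
"""

def parse_rules(text):
    header_rules, meta_rules, scores = {}, {}, {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        kind, name, rest = line.split(None, 2)  # keyword, rule name, rest of line
        if kind == "header":  # e.g. "ToCc =~ /pattern/i"
            hdr, pattern, flags = re.match(r"(\S+)\s+=~\s+/(.*)/(\w*)$", rest).groups()
            header_rules[name] = (hdr, re.compile(pattern, re.I if "i" in flags else 0))
        elif kind == "meta":
            meta_rules[name] = rest
        elif kind == "score":
            scores[name] = float(rest)
    return header_rules, meta_rules, scores

def header_text(msg, name):
    # ToCc is SpamAssassin's pseudo-header combining the To and Cc headers.
    names = ("To", "Cc") if name == "ToCc" else (name,)
    return "\n".join(v for n in names for v in msg.get_all(n, []))

def scan(raw_message, rule_text):
    """Return (sorted names of rules that hit, total score) for one message."""
    header_rules, meta_rules, scores = parse_rules(rule_text)
    msg = message_from_string(raw_message)
    hits = {name: bool(rx.search(header_text(msg, hdr)))
            for name, (hdr, rx) in header_rules.items()}
    for name, expr in meta_rules.items():
        # Substitute 1/0 for rule names, then evaluate the "+ ... > N" comparison.
        expr = re.sub(r"[A-Za-z_]\w*", lambda m: str(int(hits.get(m.group(), False))), expr)
        assert re.fullmatch(r"[\d\s+\-*/<>=()]+", expr), "unsupported meta syntax"
        hits[name] = bool(eval(expr, {"__builtins__": {}}))
    # Simplification: only rules with an explicit score line add to the total.
    total = sum(scores.get(n, 0.0) for n, hit in hits.items() if hit)
    return sorted(n for n, hit in hits.items() if hit), total

# Constructed MailMarshal-style bounce sent to an inbound-only address.
BOUNCE_TO_SALES = """From: postmaster@mailmarshal.example.net
To: Sales@example.com
Subject: MailMarshal has detected a Virus in your message
"""
```

The same bounce addressed to a personal mailbox trips only the MailMarshal signature, so the meta rule stays off and no score is added, which is exactly the effect of gating on CWnosend.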