On 8/26/2007 4:57 AM, Rob McEwen wrote:
Marc,
Overall good answers... but about six months ago, one of my users was
joe jobbed in "biblical proportions"... in this case, the spammer chose
this one "real" address and that spammer must have either sent the bots
this info, or pre-programmed the bots. When the spam run started, this
particular user was then the "from" address in many spams sent from many
different IPs and, as a result, he received hundreds of incoming
outscatter per day (the vast majority of which were blocked by my
spam filter). The outscatter often showed the headers of the original
spam and from that I was able to determine that this was originating
from an army of bots... NOT merely one IP. Because the outscatter I saw
was mail returned from that fraction of a percent of mail servers which
are misconfigured, the actual spam run must have been in the 10s of
thousands... or even millions per day.
Combine this with the fact that I highly doubt that anyone else's
implementation of SAV would be as surgically targeted as yours, no
matter how hard they try, and my mail server might have been brought to
its knees had all the major ISPs used SAV at that time!
It would be interesting if there were a central "clearinghouse" server
which could do the SAV one time (with each new request not yet in the
DB) and then cache the results for everyone else to do some kind of DNS
query to this one server. But this is not feasible because if random
aliases are used in the FROM address then the database for this server
could grow unbelievably large to a point where it would be rendered
useless. Also, this would be a valuable resource for spammers to
verify addresses in their own address lists! So... forget that idea!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
Rob,
Just parse the Received headers in the message attached to the backscatter. You can
easily see that this message was not sent by your server, and you can reject
such backscatter, because you never sent such messages.
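The check described in the reply above, as an added example in Python (not code from either poster). It assumes the site's outbound MTAs stamp a "Received: ... by <host>" line using one of the hostnames in OUR_MTA_HOSTS (an assumed list), walks a bounce looking for the attached original (message/rfc822 or text/rfc822-headers), and accepts the bounce only if some Received line of the original names one of our hosts. The two sample bounces are constructed for illustration; the IP addresses and hostnames are documentation placeholders, not real sources.

```python
import email
import re
from email import policy

# Hostnames our own outbound MTAs write into "Received: ... by <host>".
# Assumed values for this example; replace with the site's real MTA names.
OUR_MTA_HOSTS = {"mail.example.com", "mx2.example.com"}

# Matches the "by <host>" clause of a Received header.
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_headers_of_original(bounce_bytes):
    """Return the Received headers of the original message attached to a bounce.

    Delivery status notifications attach the original either as a full
    message/rfc822 part or as a text/rfc822-headers part. Returns None
    when no original is attached, so the caller can decide policy.
    """
    msg = email.message_from_bytes(bounce_bytes, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            original = part.get_content()  # the embedded EmailMessage
            return original.get_all("Received", [])
        if ctype == "text/rfc822-headers":
            original = email.message_from_string(part.get_content(),
                                                 policy=policy.default)
            return original.get_all("Received", [])
    return None


def passed_through_our_mta(received_headers, our_hosts=OUR_MTA_HOSTS):
    """True if any Received line says one of our MTAs handled the message."""
    for hdr in received_headers:
        m = RECEIVED_BY.search(str(hdr))
        if m and m.group(1).lower() in our_hosts:
            return True
    return False


def classify_bounce(bounce_bytes, our_hosts=OUR_MTA_HOSTS):
    """'accept' if we really sent the bounced message, 'reject' if we did not,
    'no-original' if the bounce carries nothing we can check."""
    received = received_headers_of_original(bounce_bytes)
    if received is None:
        return "no-original"
    return "accept" if passed_through_our_mta(received, our_hosts) else "reject"


# Constructed sample: backscatter for a forged From, relayed only through a
# misconfigured remote site. No Received line names one of our MTAs.
SAMPLE_FORGED_BOUNCE = b"""\
From: MAILER-DAEMON@misconfigured.example.net
To: victim@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Delivery to the following recipient failed.

--B1
Content-Type: message/rfc822

Received: from misconfigured.example.net (misconfigured.example.net [192.0.2.10])
    by mx.misconfigured.example.net with ESMTP id abc123
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by misconfigured.example.net with SMTP id xyz789
From: victim@example.com
To: someone@misconfigured.example.net
Subject: constructed spam sample

body
--B1--
"""

# Constructed sample: a genuine bounce; the original left through our MTA.
SAMPLE_GENUINE_BOUNCE = b"""\
From: MAILER-DAEMON@remote.example.org
To: victim@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: text/plain

User unknown.

--B2
Content-Type: text/rfc822-headers

Received: from mail.example.com (mail.example.com [203.0.113.5])
    by mx.remote.example.org with ESMTP id def456
Received: from workstation.example.com (workstation.example.com [203.0.113.40])
    by mail.example.com (Postfix) with ESMTPSA id ghi012
From: victim@example.com
To: nobody@remote.example.org
Subject: constructed legitimate sample
--B2--
"""

if __name__ == "__main__":
    print("forged :", classify_bounce(SAMPLE_FORGED_BOUNCE))
    print("genuine:", classify_bounce(SAMPLE_GENUINE_BOUNCE))
```

A spammer who knows the victim's MTA name can forge a "by mail.example.com" Received line into the original, so this check only removes the bulk of careless backscatter; the remaining cases need a per-message token the spammer cannot guess (for example a signed or site-specific Message-ID on outbound mail), and bounces with no original attached at all are left as a separate policy decision.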