Rich Dygert <[EMAIL PROTECTED]> wrote:
A couple months ago my email traffic doubled (from 1 million a day to 2
million a day). After some investigation I found that a spammer was
sending from [EMAIL PROTECTED] and I was getting the backscatter. I cancelled
the [EMAIL PROTECTED] account and thought the spammer would soon stop. Turns
out I was wrong; the spammer is still at it. I just received several
hundred attempts to return email from @walmart.com.
To make a long story short, please feel free to block [EMAIL PROTECTED]. You
can verify that the address is invalid first if you wish.
The same spammer fakes [EMAIL PROTECTED], and the mail has a fake
Received header alleging the mail comes from cs.columbia.edu 128.59.16.20.
Only 1 million backscatter? We're getting 3 million backscatter a day.
In our case the sender address never existed, and the alleged origin is
a host that does not send any mail (it WAS a mail host until about six
months ago).
So, feel free to block mail from [EMAIL PROTECTED], and mail with
128.59.16.20 in a Received header. Guaranteed fake. There's a lot of it.
Go to Senderbase-- they list 128.59.16.20 as the largest mail sender in
columbia.edu-- and it's based 100% on believing fake Received headers!
OK, they are foolishly naive, but it suggests how much spam would match
a rule like this.
The spammer likes sender addresses that start jq or jr. We note also
that the spam to our users is never from [EMAIL PROTECTED], but
only from other addresses. I recognize [EMAIL PROTECTED]
Dan McDonald opined,
Is there a better way to handle something like this?
SPF or domainkeys. Then Walmart would know that the message being sent
was forged.
Thanks for playing, but cs.columbia.edu DOES have an SPF record. You'll
say we'd have even more without SPF, but I'm skeptical. The 3 million
bounces are from several hundred thousand hosts.
Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
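An added example, not part of this thread, of the kind of filter rule Joseph describes: it walks the Received chain and flags any hop that names 128.59.16.20 (a host the thread says sends no mail) as the handoff source, and separately tells backscatter (a bounce with the null envelope sender) apart from direct delivery. The non-sending-host list and the sample bounce are constructed for the example.

```python
import email
import re

# Constructed list: the thread above says 128.59.16.20 never originates mail,
# so a Received header naming it as the sending host is forged.
NON_SENDING_HOSTS = {"128.59.16.20"}

# "from <host> (<name> [ip])" or "from <host> [ip]" clause of a Received header.
_FROM_CLAUSE = re.compile(r"\bfrom\s+\S+\s*[\[(][^\])]*?(\d{1,3}(?:\.\d{1,3}){3})")


def received_source_ips(msg):
    """IPs each Received header claims as the sending host, newest hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        # Unfold continuation lines before matching the "from" clause.
        m = _FROM_CLAUSE.search(" ".join(str(hdr).split()))
        if m:
            ips.append(m.group(1))
    return ips


def forged_hops(msg):
    """Hops asserting a source that is known never to send mail."""
    return [ip for ip in received_source_ips(msg) if ip in NON_SENDING_HOSTS]


def is_bounce(msg):
    """DSNs (and so backscatter) arrive with the null envelope sender, Return-Path: <>."""
    rp = msg.get("Return-Path")
    return rp is not None and rp.strip() == "<>"


def classify(raw):
    msg = email.message_from_string(raw)
    return {"bounce": is_bounce(msg), "forged_hops": forged_hops(msg)}


# Constructed sample: a bounce whose relayed chain claims the non-sending host.
SAMPLE = """Return-Path: <>
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by mail.example.org with ESMTP id X1; Mon, 1 Jan 2007 10:00:00 -0500
Received: from cs.columbia.edu (cs.columbia.edu [128.59.16.20])
    by mx.example.net with SMTP id Y2; Mon, 1 Jan 2007 09:59:00 -0500
From: Mail Delivery System <MAILER-DAEMON@example.net>
Subject: Undelivered Mail Returned to Sender

Your message could not be delivered.
"""

if __name__ == "__main__":
    print(classify(SAMPLE))  # {'bounce': True, 'forged_hops': ['128.59.16.20']}
```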