On Fri, 21 Dec 2007, Bob Proulx wrote:
dvesely wrote:
My server manager tells me that my Windows version of SpamAssassin cannot
reject email at the SMTP level. This is only possible in the Unix version.
True or False?
False but for a different reason. False because the Unix version of
SpamAssassin can't reject at the SMTP level either. SpamAssassin is
[deleted]
In the old days (and sadly today at some large organization sites)
border machines would receive the message and route the mail through
multiple hops to a final destination machine. At the final
destination it might be undeliverable. In that case a bounce message
is generated and returned to the specified from address. This has
been used by spammers in the past to bounce their spam to their
victims. They create a known invalid address as the recipient at a
site known to create bounce messages after having accepted them. They
forge a victim address as the from address. The message can't be
delivered and the bounce message then carries the spam payload message
as a bounce reply to the forged victim from address as backscatter.
Also known as a joe-job.
This is a bit off topic, but I've noticed that a lot of backscatter
arriving at my site has email addresses that are obviously forged to
be incorrect, as in [EMAIL PROTECTED], where the same address
without the "_qq" is a valid email address.
It's not a dictionary attack because the addresses are all different,
but each is a slight modification of a valid address, and I've always
assumed that the spammers using this technique don't want the bounced
messages delivered in order to cover their tracks.
However, that doesn't make much sense, since any messages that did get
delivered (i.e. didn't get bounced) would have the same routing info,
so why not use a valid bounce address to improve the odds that the
spam will get delivered somewhere?
Has anyone else encountered forged from addresses that are obviously
meant to be incorrect, and does anyone have any idea why a spammer might
choose to do that, rather than forge a correct address and double the odds
that the spam will get through?
- rick
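An added illustration, not code from anyone in this thread: a toy model of the two recipient-handling policies Bob describes above. A server that knows its valid mailboxes at RCPT TO time answers 550 and never takes ownership of the message, so nothing is left to bounce; a server that accepts first and discovers the bad recipient later has to send a non-delivery report to the envelope sender, which in a joe-job is the forged victim. The domain example.net, its mailboxes, the victim address and the message body are all constructed for the example; the reply codes are the standard SMTP ones.

```python
# Added example: accept-then-bounce vs reject-at-RCPT, modelled in plain Python.
# Domain, mailboxes and messages are constructed; nothing here touches a network.
from dataclasses import dataclass

# Constructed: the only mailboxes that exist at the hypothetical example.net.
VALID_MAILBOXES = {"alice@example.net", "bob@example.net"}


@dataclass
class Outcome:
    replies: list  # (SMTP command, server reply) pairs seen by the sending client
    bounces: list  # DSNs this server would have to send after accepting the message


def handle_session(valid, mail_from, rcpt_to, body, reject_at_rcpt):
    """Simulate one SMTP transaction for a single recipient.

    valid          -- set of deliverable addresses, lower-cased
    mail_from      -- envelope sender; "" models the null reverse-path <>
    reject_at_rcpt -- True: check the recipient during RCPT TO; False: accept
                      everything and let a later hop discover the problem
    """
    replies = [("MAIL FROM:<%s>" % mail_from, "250 2.1.0 Ok")]
    bounces = []
    deliverable = rcpt_to.lower() in valid

    if reject_at_rcpt and not deliverable:
        # Refused before DATA: the client (or the spammer's bot) keeps the only
        # copy of the message, and this server never generates a bounce for it.
        replies.append(("RCPT TO:<%s>" % rcpt_to,
                        "550 5.1.1 <%s>: Recipient address rejected: User unknown"
                        % rcpt_to))
        return Outcome(replies, bounces)

    replies.append(("RCPT TO:<%s>" % rcpt_to, "250 2.1.5 Ok"))
    replies.append(("DATA", "250 2.0.0 Ok: queued"))

    if not deliverable:
        # Accepted, so this server now owns the message. It cannot be delivered,
        # and the server must return a non-delivery report to the envelope sender,
        # except when the reverse-path is null (a bounce is never bounced again).
        if mail_from:
            bounces.append({"to": mail_from, "carries_original": body})
    return Outcome(replies, bounces)


def backscatter_risk(valid, mail_from, rcpt_to, body):
    """Count the unsolicited bounces each policy would emit for one message."""
    late = handle_session(valid, mail_from, rcpt_to, body, reject_at_rcpt=False)
    early = handle_session(valid, mail_from, rcpt_to, body, reject_at_rcpt=True)
    return {"accept_then_bounce": len(late.bounces),
            "reject_at_rcpt": len(early.bounces)}


if __name__ == "__main__":
    # Constructed joe-job: forged victim as envelope sender, deliberately bad recipient.
    print(backscatter_risk(VALID_MAILBOXES, "victim@example.org",
                           "nobody@example.net", "buy now"))
```

The point the model makes concrete is that the rejection has to happen while the sending client is still on the line; once a 250 has been returned after DATA, the only remaining options are silent discard or a bounce to an address nobody has verified.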