R.Smits wrote:
> Hello,
> Is there something I can do that our company addresses cannot be used
> for sending spam? Is DKIM an answer?
> A lot of our users get "delivery failed" messages. So a spammer is
> sending spam with our addresses :-(
> A difficult problem I think?
You can reject (or tag) some of these by looking for forgery signs,
provided the NDR reports the headers of the original message. For
instance, nothing on earth should put a Received header with "by
netoyen.net", "from netoyen.net" or "helo netoyen.net" (the domain name
is never used without a host label).
Unfortunately, some sites send plain dumb NDRs: you can't even guess the
original sender (because some sites send NDRs to the From header, mostly
because of a broken mix of software that loses the envelope sender).
Most of these are from sites that fail to validate recipients at
reception time (at the edge of their network). This setup was once
considered valid, but in these joe job days, it is no longer acceptable
(some sites even include the original attachment, which may be spammy or
even infected). For this reason, blacklisting may be appropriate.
The rare times I tried complaining to postmaster and abuse, I got an NDR
(again?). And once, I got directions on how to remove viruses from my
machine (!!!) together with links to Symantec (so not only do they
ignore complaints, but they use them to send commercial ads!). Of
course, the ISP (wanadoo.fr) was overwhelmed (I alone got 2000 NDRs in
a few hours; this should give an idea about the number of NDRs they sent)
and set up an auto-responder targeting their users (since then, they no
longer send backscatter, so the situation is good for us, but not for
their users, who reportedly lose mail).
From experience, backscatter storms have a relatively short duration for
a given address (spam run). If this happens to you, you can block NDRs
for the victim address until the storm stops. In case this is too risky:
most of the time, the original messages have common patterns (they got
out via a few hosts, they have the same structure, charset, ...), so simple
header and body matching can catch them.
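The two checks described in the reply, looking for the bare domain in the returned original's Received headers and temporarily blocking NDRs for a joe-jobbed address, as an added Python example (not the poster's code and not part of the thread). The domain netoyen.net comes from the post; the victim list, the sample NDRs and the IP addresses in them are constructed for the example, and the "forgery" pattern (bare domain after "from", "by" or "helo" with no host label) is exactly the sign the reply names.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domain name from the post. The victim list is an assumption: addresses an
# operator has seen joe-jobbed and wants to shield while the storm lasts.
OUR_DOMAIN = "netoyen.net"
STORM_VICTIMS = {"victim@netoyen.net"}

# The bare domain right after "from", "by" or "helo" (no host label, so not
# "mail.netoyen.net") never appears in a genuine Received header of ours.
BARE_DOMAIN_RE = re.compile(
    r"\b(?:from|by|helo)[ =]\s*" + re.escape(OUR_DOMAIN) + r"(?![A-Za-z0-9.-])",
    re.IGNORECASE,
)


def is_bounce(msg):
    """Treat null/MAILER-DAEMON senders and multipart/report messages as NDRs."""
    sender = str(msg.get("Return-Path") or msg.get("From") or "").strip().lower()
    if sender in ("", "<>") or "mailer-daemon" in sender:
        return True
    return msg.get_content_type() == "multipart/report"


def original_received_headers(msg):
    """Received: lines of the returned original, whether the NDR attaches the
    whole message (message/rfc822) or only its headers (text/rfc822-headers)."""
    received = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            received.extend(part.get_payload(0).get_all("Received", []))
        elif ctype == "text/rfc822-headers":
            inner = email.message_from_string(part.get_content(), policy=policy.default)
            received.extend(inner.get_all("Received", []))
    # Unfold continuation lines so the regex sees one line per header.
    return [" ".join(str(h).split()) for h in received]


def classify_ndr(raw):
    """Return 'accept', 'reject:forged-received' or 'reject:storm'."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "accept"
    if any(BARE_DOMAIN_RE.search(h) for h in original_received_headers(msg)):
        return "reject:forged-received"
    rcpt = parseaddr(str(msg.get("To", "")))[1].lower()
    if rcpt in STORM_VICTIMS:
        return "reject:storm"
    return "accept"


def build_ndr(to, received, headers_only=False):
    """Constructed sample NDR (multipart/report) that returns the original."""
    part_type = "text/rfc822-headers" if headers_only else "message/rfc822"
    return (
        "Return-Path: <>\n"
        "From: Mail Delivery System <MAILER-DAEMON@example.org>\n"
        f"To: {to}\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="B1"\n'
        "\n--B1\nContent-Type: text/plain\n\nThe message could not be delivered.\n"
        f"\n--B1\nContent-Type: {part_type}\n\n"
        f"Received: {received}\n"
        "    by mx.example.org (Postfix) with SMTP id 0123; Mon, 1 Jan 2007 10:00:00 +0000\n"
        f"From: {to}\nTo: bob@example.org\nSubject: hello\n\nbody\n--B1--\n"
    )


# Constructed samples: a forged original naming the bare domain, a genuine-looking
# original bounced to a storm victim, a genuine bounce, and ordinary inbound mail.
FORGED = build_ndr("alice@netoyen.net", "from netoyen.net (unknown [198.51.100.7])")
STORM = build_ndr("victim@netoyen.net",
                  "from mail.netoyen.net (mail.netoyen.net [203.0.113.5])", headers_only=True)
LEGIT = build_ndr("alice@netoyen.net", "from mail.netoyen.net (mail.netoyen.net [203.0.113.5])")
ORDINARY = "From: bob@example.org\nTo: alice@netoyen.net\nSubject: hi\n\nhello\n"

if __name__ == "__main__":
    for name, raw in [("forged", FORGED), ("storm", STORM), ("legit", LEGIT), ("ordinary", ORDINARY)]:
        print(name, classify_ndr(raw))
```

The storm rule is deliberately the last check and keyed to a small, explicit list: it drops genuine bounces for the listed address too, which is the "too risky" trade-off the reply mentions, so the list should be emptied once the NDR flood subsides. The Received check is safer to leave on permanently, since a legitimate relay always names a host under the domain rather than the bare domain.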