Educause Security Discussion mailing list archives
Re: Dealing with s-p-a-m "backscatter"
From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Mon, 21 Jul 2008 09:36:20 -0500
Russell Fulton wrote:
> Ian McDonald wrote:
>>> Has anyone come up with a more creative way to block the spam backscatter while allowing the legit non-delivery SMTP notifications to come through?
>>
>> MailScanner can add a watermark to each outgoing message (derived from a secret you configure), so that they appear in legitimate notifications. It can hence bin non-legit ones inbound :) .
>>
>> http://www.mailscanner.info/MailScanner.conf.index.html#Add%20Watermark
>>
>> I presume similar functionality is available in other packages, but I noticed it in MailScanner.
>
> It would be difficult to retrofit I suspect. The idea is straightforward enough -- add an X-watermark header that is an MD5 of the message id concatenated with a secret, then check for it in the headers of returned mail and dump the bounce if a/ it is missing or b/ it does not match.
>
> Hmmm.... given that this is automated spam we are talking about simply dropping bounces of messages that don't have the right format of message id may work... anyone looked at doing that in either postfix or sendmail?

A lot of backscatterers don't conform and won't attach the original message, so you'll have to make the choice between dropping these DSNs or letting them through. There are fewer of these non-conforming DSNs, so the conservative approach would be to let them through and deal with the conforming DSNs first.

For the conforming DSNs, it would probably suffice (and would be a lot easier to implement) to use a static value in the x-header. Alternatively, just look for a tell-tale regex in the Received headers of the attached message.

Jesse

--
Jesse Thompson
Email/IM: jesse.thompson () doit wisc edu
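
The watermark check discussed in this thread, including the split between conforming and non-conforming DSNs, as an added example that is not part of the original messages and is not MailScanner's code. It swaps HMAC-SHA256 in for the MD5 of message id plus secret described above; the secret value, the addresses and the `constructed_dsn` helper are assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string, policy

SECRET = b"constructed-demo-secret"  # assumption: placeholder for a site-wide secret
HEADER = "X-Watermark"               # header name taken from the thread

def watermark(message_id):
    # HMAC-SHA256 used here instead of the thread's MD5(message-id + secret).
    return hmac.new(SECRET, message_id.strip().encode(), hashlib.sha256).hexdigest()

def stamp(msg):
    """Outbound side: add a watermark derived from the message's Message-ID."""
    msg[HEADER] = watermark(str(msg["Message-ID"]))
    return msg

def original_headers(dsn):
    """Return the original message (or its headers) attached to a DSN, else None."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_payload(), policy=policy.default)
    return None

def classify_bounce(raw):
    """Inbound side: 'accept', 'reject', or 'no-original' for a raw bounce."""
    orig = original_headers(message_from_string(raw, policy=policy.default))
    if orig is None:
        return "no-original"  # non-conforming DSN: drop or pass is a local policy choice
    mid, mark = orig["Message-ID"], orig[HEADER]
    if not mid or not mark:
        return "reject"       # original attached, watermark missing
    ok = hmac.compare_digest(watermark(str(mid)), str(mark).strip())
    return "accept" if ok else "reject"

def constructed_dsn(original_raw):
    """Constructed sample bounce; original_raw=None mimics a non-conforming DSN."""
    dsn = ("From: MAILER-DAEMON@mx.example\nTo: user@campus.example\n"
           "Subject: Undelivered Mail\nMIME-Version: 1.0\n"
           'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n\n'
           "--b\nContent-Type: text/plain\n\nDelivery failed.\n")
    if original_raw is not None:
        dsn += "--b\nContent-Type: message/rfc822\n\n" + original_raw + "\n"
    return dsn + "--b--\n"
```

The `no-original` result is returned separately so the conservative choice of letting non-conforming DSNs through stays a policy decision outside the check.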