[FoRK] spam insanity

Justin Mason <jm at jmason.org> on Tue Dec 5 10:02:18 PST 2006

Luis Villa writes:
> Gmail caught 13K spam for me in the past 14 or so hours. (This may in
> fact be a gmail bug, undeleting a bunch of spam I trashed yesterday.
> They really need a 'this might be spam', 'this is definitely spam'
> two-tier system. But I digress.)
> 
> The vast bulk of it is emails *from* [random characters]@tieguy.org
> which are now getting bounced back to me. (*@tieguy.org is funneled to
> my gmail account, to let me provide domain at tieguy.org addresses when I
> buy/register/etc.) I'm getting so much of it, in fact, that I'm
> concerned that I'm going to get blacklisted.

Nah, you'll be ok.  It's all "backscatter" -- noise responses from old and
broken MTAs, virus filters, spam filters, and challenge-response filters
responding to the wrong address due to forged mails from spammers.

> So a couple questions:
> 
> * Is there something like SPF that I should be looking at setting up
> to help those who are currently getting inundated by spam 'from'
> tieguy.org, and additionally to verify that mail actually from
> luis at tieguy.org shouldn't be spam filtered? What is the state of the
> art there?

SPF helps, a little.  However, most of the MTAs generating this
backscatter are old and crappy and don't care.  It's the new
open relaying.

> * given that I don't want to set up a real mail server on tieguy.org,
> are there any better options for doing the wildcard domain stuff I'm
> doing? I don't want to give this up; cnnsi at tieguy.org (for example)
> gets several hundred spam a day, so I want to be able to give out
> email addresses trivially and later can them. gmail-specific solutions
> are acceptable; anything requiring serious server-side work probably
> not.

http://wiki.apache.org/spamassassin/VBounceRuleset -- ruleset
for SpamAssassin to catch them.  I guess that's out, though ;)

I had to shut down half of my MTA over the weekend due to an insane
volume of this crap -- even with just procmail-based filtering,
no SpamAssassin, Postfix couldn't deal with the volume.  Basically
it's the "smurf" amplification attack applied to email.

--j.
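
The idea behind the VBounce ruleset mentioned above, sketched as an added example (not part of the original message and not SpamAssassin's code): a bounce is treated as genuine only if the message it returns passed through one of your own outbound relays. The relay hostname, addresses and sample messages are constructed placeholders.

```python
import email
from email import policy

# Assumption: relays your own legitimate mail leaves through (the idea behind
# VBounce's whitelist_bounce_relays setting). Hypothetical hostname.
OWN_RELAYS = ("smtp.example.net",)

def is_bounce(msg):
    """Heuristic: DSN report, null envelope sender, or a daemon-style From."""
    if msg.get_content_type() == "multipart/report":
        return True
    sender = (msg.get("Return-Path", "") + msg.get("From", "")).lower()
    return "<>" in sender or "mailer-daemon" in sender

def original_headers(msg):
    """Headers of the message being bounced, if the bounce attached them."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
        if part.get_content_type() == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    orig = original_headers(msg)
    received = " ".join(orig.get_all("Received", [])).lower() if orig is not None else ""
    # A bounce of mail we really sent shows one of our relays in its Received chain.
    if any(relay in received for relay in OWN_RELAYS):
        return "genuine-bounce"
    return "backscatter"

def make_dsn(received_line):
    """Constructed sample bounce whose attached original carries received_line."""
    return (
        "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.org\n"
        "To: xkqzv@example.com\nSubject: Undelivered Mail Returned to Sender\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nUser unknown.\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        f"Received: {received_line}\nFrom: xkqzv@example.com\nSubject: hello\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    print(classify(make_dsn("from smtp.example.net by mx.example.org")))
    print(classify(make_dsn("from dsl-host.invalid by mx.example.org")))
```

Bounces that attach no original headers at all fall into the "backscatter" bucket here, so a real deployment would score rather than drop them.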
