Bouncing Spam

Rick Cooper rcooper at DIMENSION-FLM.COM
Fri Jan 9 13:39:12 GMT 2004

> -----Original Message-----
> From: MailScanner mailing list
> Behalf Of Quentin Campbell
> Sent: Friday, January 09, 2004 7:59 AM
> Subject: Re: Bouncing Spam
> >-----Original Message-----
> >From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
> >Sent: 09 January 2004 12:25
> >Subject: Re: Bouncing Spam
> >
> >
> >At 12:09 09/01/2004, you wrote:
> >>I have been using MailScanner for a year or so. We used to flag spam
> >>messages but accept them. As the volumes of spam increased we have now
> >>started to bounce spam messages. We bounce rather than delete so as to be
> >>polite to people who send legitimate messages which are 'falsely' marked as
> >>spam.
> >[snip]
> >Result: They get very annoyed, as they can't see any of their real mail
> >among all the MailScanner spam bounce messages.
> >Result of that: They complain to me about it, and I can't help them.
> >Result of that: MailScanner gets a very bad name, and you have
> >wasted yet more of my time that I have to spend answering these (often
> >rude, abusive and threatening) emails.
> [snip]
> Julian
> I sympathise with your problems. However I am equally at risk from
> sanctions or abuse from people who think that I am deliberately ignoring
> their mail when in fact it was (a false positive) deleted automatically
> as probable spam.

I don't delete any spam that has not reached the high scoring
threshold (17).
I deliver the rest of the spam to a special mailbox that I can
look at if I need to. I have a custom script that periodically
sends me a notice of spam from the MailScanner logs. If there is a
false positive I forward to the person it was to and I look at
ways to eliminate the FP in the future. (I have modified
MailScanner to include the subject and "To" address(s) in the

MOST importantly, I have the MTA do the RBL checks. It also
requires a FQDN (e)helo, checks to see if the calling host is
attempting to impersonate one of our hosts or IPs, does sender
verification on any non-internal host, drops any host that has
missed on 3 mail addresses in one session, drops any non-internal
host that tries to send to more than 5 mail addresses in one
session, checks that the MX record for the sender domain is valid
and not 127.0.0.x, checks the sender IDENT, if available, to see
it's not a web server or web proxy, and requires sender
authentication from any valid local user... In short, I make sure
the MTA has done everything reasonable to stop spam before it
makes it onto the server. MailScanner doesn't get much spam to
handle as the result.

> For this reason I have chosen to use the MailScanner option to send an
> explanatory message when spam to me is deleted. In truth I am more
> concerned about the people who _need_ to know what has happened to
> their message to me than I am about the consequences of collateral spam
> that results.

It is the ultimate in rudeness to bounce a message to someone
that did not send it. And the vast majority of normal users do
not have a clue that someone was impersonating them in a spam
message, and would not care if they did understand. When you
bounce spam to someone who did not send it *you have become the
spammer*. In fact this is becoming a more and more popular way to
transmit spam.

> One reason I have moved to using MailScanner to delete probable spam is
> that we have many mailboxes on Outlook/Exchange. That system cannot
> permanently delete tagged messages through the Rules Wizard when Outlook
> is switched off. This can be a serious problem and results in mail being
> lost if quotas are exceeded (over vacations for example).
> I receive so much spam each day that it is not practical to have tagged
> messages delivered then moved to a "spam" folder (by a personal mail
> filter) where I am supposed to inspect them for possible false
> positives.

Be more vigilant about stopping spam before it is received and
reduce the amount of spam you need to look at. Bouncing spam
notices and "virus received" messages are just as bad as
originating the offending material yourself. This added work load
for mail admins is just part of life today... not fair but
certainly necessary.

> I would be interested to hear what alternative strategies have been
> adopted by people in my position.

done :-)
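
Some of the MTA-level checks listed in the reply above (FQDN HELO, HELO impersonating local hosts or IPs, sender MX on 127.0.0.x, and the 3-miss and 5-recipient session limits), sketched as an added example; this is not part of the original post and not the poster's MTA configuration. The hostnames, networks, function names and verdict strings are constructed assumptions, and MX addresses are passed in already resolved so the code runs offline.

```python
import ipaddress
import re

# Constructed site values (assumptions, not from the post).
OUR_HOSTNAMES = {"mail.example.org", "example.org"}
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
MAX_BAD_RCPT = 3       # drop after 3 missed addresses in one session
MAX_RCPT_EXTERNAL = 5  # external hosts may address at most 5 recipients
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def is_internal(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in OUR_NETWORKS)

def helo_verdict(client_ip, helo):
    """(E)HELO must be an FQDN and an outside host must not claim to be us."""
    name = helo.strip().rstrip(".").lower()
    try:
        claimed_ip = ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        claimed_ip = None
    if not is_internal(client_ip):
        if name in OUR_HOSTNAMES:
            return "reject: HELO impersonates local host"
        if claimed_ip is not None and any(claimed_ip in n for n in OUR_NETWORKS):
            return "reject: HELO impersonates local IP"
    if claimed_ip is not None or not FQDN_RE.match(name):
        return "reject: HELO is not a FQDN"
    return "ok"

def mx_verdict(mx_addresses):
    """Sender-domain MX must resolve and must not be loopback.
    is_loopback covers all of 127.0.0.0/8, a superset of 127.0.0.x."""
    if not mx_addresses:
        return "reject: sender domain has no valid MX"
    if any(ipaddress.ip_address(a).is_loopback for a in mx_addresses):
        return "reject: sender MX resolves to loopback"
    return "ok"

def rcpt_verdict(client_ip, accepted, failed):
    """Per-session limits: 3 misses for any host, >5 attempts for external."""
    if failed >= MAX_BAD_RCPT:
        return "drop: too many unknown recipients"
    if not is_internal(client_ip) and accepted + failed > MAX_RCPT_EXTERNAL:
        return "drop: too many recipients from external host"
    return "ok"
```

Rejecting at SMTP time this way leaves the real sending host to report the failure, so no bounce is generated toward a forged sender address.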
