OT: Question

Rick Cooper rcooper at dwford.com
Fri Apr 3 12:42:14 IST 2009


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Scott Silva
> Sent: Thursday, April 02, 2009 7:33 PM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: OT: Question
> on 4-2-2009 3:37 PM Rick Cooper spake the following:
> >  
> > 
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info 
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On 
> Behalf Of Ken A
> >> Sent: Thursday, April 02, 2009 4:42 PM
> >> To: MailScanner discussion
> >> Subject: Re: OT: Question
> >>
> >> Rick Cooper wrote:
> >>> Just a query regarding bounces: How many of you actually 
> bounce mail
> >>> anymore? I ask this question because I noted a huge number 
> >> of rejects on one
> >>> of my servers that appear to be valid bounce attempts to an 
> >> address of
> >>> info at mydomain.com for the last week or so. I have an ACL 
> >> that looks at the
> >>> local part of recipients and if that local part is being 
> >> used it denies the
> >>> message (even null sender) with a message stating there is 
> >> no such user and
> >>> it's an address currently being joe-jobbed. I see the same 
> >> ips repeatedly
> >>> attempting a bounce for days.
> >> I've got one: eqnjahdhx at domain.tld. We host the domain, 
> but of course
> >> they don't send the spam. They aren't even aware of it. We are the 
> >> joe-jobbed victim. We don't accept the bounces, but they are
> >> annoying, and it's been going on for well over a year. I 
> tightened up 
> >> the SPF record, but I don't think that helped much. People 
> >> who accept, 
> >> then bounce mail will eventually learn, or be buried, I 
> >> think. The 550 
> >> error on this one now says "Please dont bounce forged spam". 
> >> That hasn't 
> >> helped either. It just takes time.
> >>
> >> Ken
> > 
> > [...]
> > 
> > That is the frustration that I feel. Pick a list having 
> something to do with
> > mail, SA, Exim, pretty much any and you will hear people 
> stating what a
> > waste of time SPF is but when it comes to something like 
> this I would much
> > prefer a DNS txt check over repeatedly trying to send a 
> bounce. And they
> > would be miles ahead because they would have never wasted 
> time taking the
> > mail. 
> > 
> > I guess nothing works if you don't use it.
> > 
> SPF is only a poor method of anti-spam tool. As a tool to 
> control bounces, it
> seems to be much better. Another problem with it is many of 
> the server records
> are set to softfail (~),pass (+), or neutral (?), instead of 
> fail(-) . Even
> the spf wizard that many people used seems to either set 
> softfail or neutral,
> and unless you dig in the docs, you wouldn't know any better.

I agree, especially since many spammers are publishing SPF records now. But
if one just checks and denies outright a hard fail that could help quite a
bit. Sites that help you build your records should absolutely make it clear
once your setup is tested it should go to -fail. I score ~fail quite high
because that is basically a lazy admin. "We are stating the preceding hosts
are our only authorized MTAs, but go ahead and accept from everyone else too
just in case we haven't done our job". SPF won't stop spam for sure, but if
everyone used proper records with a hard fail it could go a long way in
eliminating joe-jobs, and forgeries, so why not use it? Same with domain
keys, not *the* answer but certainly *A* tool


This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list