[Spambayes] Content violation

Tim Peters tim.one at comcast.net
Sun Apr 11 13:09:09 EDT 2004


[Robert Coe]
> Do bounce messages like this really have to be forwarded to the entire
> Spambayes list?

There are two kinds of bounces:

1. The spambayes list tries to send something to a subscriber, but it
   bounces back.

2. Email forged to *appear* that it came from spambayes at python.org
   bounces back to the forged sender address.

There's actually quite a bit of #1 (mailbox quota exceeded, temporary
errors, user account closed, the addressee's ISP thinks the msg is spam,
etc), but the list doesn't see any of it -- Mailman recognizes bounces due
to email it actually sent.

#2 is very different.  In that case, it's just another external msg getting
sent to spambayes at python.org, and this isn't a moderated mailing list.

The example below is in category #2, of course.

> In the early days of the list, I'm pretty sure that such
> forwarding didn't happen.

It took time for spammers to bother to forge this address as a sender, and
time for this address to show up in the address books and browser caches of
newbie machines (so that when they're infected by viruses, this address is
now among those forged as the viruses propagate).

> But it has for several months now, and it's getting tiresome.

Yup!  The good news is it's bound to get worse <wink>.

...
>> Sent: Thursday, April 08, 2004 6:21 PM
>> To: spambayes at python.org
>> Subject: [Spambayes] Content violation
>>
>>
>> Content violation found in email message.
>>
>> From: spambayes at python.org
>> To: dave at 1stsource.com
>>
>> File(s): private_01.pif
>>
>> Matching filename: *.pif

Bingo.  dave at 1stsource.com isn't a subscriber to this list, so Mailman never
sent him anything from this list, and certainly not a .pif file:  this was a
virus forged to appear to have come from the list.

What would help:  ISPs should stop generating idiotic bounce messages -- if
they're bouncing a msg due to a virus attachment (and there's no other
reason to attach a .pif file directly), they should know darned well that
the sender address was forged, and so also that they're just adding to the
problem by generating more email in response.
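
Added example, not part of the original post and not Mailman's own bounce handling: a small triage function that sorts a content-violation notification into the two categories described above by checking whether the echoed recipient is on the list's roster. The list address, subscriber roster, extension set and sample notification are all constructed assumptions.

```python
import os
import re
from email import message_from_string

LIST_ADDR = "list@example.org"                          # hypothetical list address
SUBSCRIBERS = {"alice@example.org", "bob@example.net"}  # hypothetical roster
RISKY_EXT = {".pif", ".scr", ".exe", ".com", ".bat"}    # assumed blocklist

# Constructed notification, modelled on the one quoted in the post.
SAMPLE_BOUNCE = """\
From: scanner@example.net
To: list@example.org
Subject: Content violation

Content violation found in email message.

From: list@example.org
To: dave@example.com

File(s): private_01.pif

Matching filename: *.pif
"""

def classify_bounce(raw, list_addr=LIST_ADDR, subscribers=SUBSCRIBERS):
    """Sort a notification into the post's two bounce categories."""
    body = message_from_string(raw).get_payload()
    # Sender/recipient of the rejected message, as echoed in the body.
    echoed = {k.lower(): v.lower()
              for k, v in re.findall(r"^(From|To):[ \t]*(\S+)", body, re.M)}
    names = [n.strip()
             for line in re.findall(r"^File\(s\):[ \t]*(.+)$", body, re.M)
             for n in line.split(",")]
    risky = [n for n in names
             if os.path.splitext(n)[1].lower() in RISKY_EXT]
    rcpt = echoed.get("to")
    if echoed.get("from") != list_addr:
        verdict = "unrelated"
    elif rcpt in subscribers:
        verdict = "possible-list-bounce"   # category 1 candidate
    else:
        verdict = "backscatter"            # category 2: list never mailed rcpt
    return {"verdict": verdict, "recipient": rcpt, "risky_attachments": risky}

if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

A "backscatter" verdict means the notification can be dropped or quarantined before it reaches list members; the risky attachment names are returned as supporting evidence only.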




