[Spambayes] NDR SPAMS

Amedee Van Gasse amedee at amedee.be
Mon Apr 28 15:10:45 CEST 2008


On Mon, April 28, 2008 05:00, skip at pobox.com wrote:
>
>     Gilbert> We are currently getting a lot of these notifications of
>     Gilbert> non-delivery that are spam. Is there a patch for this or one
>     Gilbert> on the way by chance?
>
> Just train on them as spams.  There is no patch necessary.

On a sidenote: at work we are getting a lot of NDR backscatter too.
Technically it's not spam, but it's just as bad. The good news is that
these NDRs are only sent to our old mail domains, and we are going to
delete those MX records in a couple of days. But in a few months the
spammers will learn the new domain...

In the old days, you had to change email addresses when you got too much
spam.
Now you already have to change your entire domain to avoid spam... :(

I've been reading a lot in RFC2821 & RFC2822 lately, and now I can speak
SMTP fluently. Not many people know this, but it is *extremely* trivial to
fake the sender address. Want to know why you get backscatter?

* a spammer spams a site with a fake sender address (your address)
* a GOOD mail server refuses the mail inside the SMTP connection,
preferably before DATA, at least before putting it in the queue. That way
the real spammer gets the bounce.
* If the good mail server isn't sure, it accepts the mail, and if it turns
out to be spam after all, it silently drops it (like spambayes does).
* a BAD mail server (some exchange configurations, also some qmail
configs) accepts the mail, puts it in the queue, and closes the SMTP
connection.
* The bad mail server then sees that the mail is spam, and bounces it. But
to where? The SMTP connection, which cannot be forged, is already closed.
So it can only rely on the From: header. Which is of course forged. Which
is why you get backscatter.

Fortunately the NDR backscatter usually stops after 24-48 hours. Either
because the spammer is shut down, or because the bad bouncer is shut down
by its internet provider.

I'm not sure who the bad bouncers are: stupid mail admins who don't know
how to properly configure their servers, or accomplices of the spammers
who intentionally bounce? Usually Hanlon's Razor applies but in case of
spam it might be an inverse Razor...


-- 
Amedee Van Gasse
amedee at amedee.be

Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:

   1. I am by definition, "the intended recipient"
   2. All information in the email is mine to do with as I see fit and
make such financial profit, political mileage, or good joke as it lends
itself to. In particular, I may quote it on usenet.
   3. I may take the contents as representing the views of your company.
   4. This overrides any disclaimer or statement of confidentiality that
may be included on your message.
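As an added illustration of the three server behaviours listed in the post above (this is example code, not from the post or from SpamBayes): a small Python model of one SMTP session with a constructed spam message whose sender address is forged to a victim's address. It shows that only the accept-then-bounce policy produces a notification addressed to the forged sender; the policy names and the toy classifier are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: spam whose reverse-path (MAIL FROM) is forged to a
# victim's address, the situation described in the post.
SPAM = {"mail_from": "victim@example.org",
        "rcpt_to": "user@site.example",
        "body": "BUY NOW"}


@dataclass
class Exchange:
    """Record of one SMTP session plus any bounce generated afterwards."""
    replies: List[str] = field(default_factory=list)
    queued: bool = False
    bounce_to: Optional[str] = None   # recipient of a generated NDR, if any


def looks_like_spam(body: str) -> bool:
    # Toy classifier standing in for a real filter such as SpamBayes.
    return "BUY NOW" in body


def smtp_session(msg: dict, policy: str) -> Exchange:
    """policy is one of 'reject', 'drop' or 'bounce' (assumed names for the
    GOOD, unsure-but-silent and BAD behaviours from the post)."""
    ex = Exchange()
    ex.replies.append(f"250 OK MAIL FROM:<{msg['mail_from']}>")
    ex.replies.append(f"250 OK RCPT TO:<{msg['rcpt_to']}>")
    spam = looks_like_spam(msg["body"])
    if policy == "reject" and spam:
        # GOOD server: refuse at DATA while the connection is still open.
        # The connecting client (the real spammer) receives the error
        # directly, so no NDR is ever generated.
        ex.replies.append("554 5.7.1 message rejected as spam")
        return ex
    ex.replies.append("250 OK queued")
    ex.queued = True
    # The connection is now closed; only the forged reverse-path remains.
    if spam:
        if policy == "drop":
            pass  # silently discard, as the post says spambayes does
        elif policy == "bounce":
            # BAD server: NDR to the forged address, i.e. backscatter.
            ex.bounce_to = msg["mail_from"]
    return ex
```
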


