[Exim] A pattern of collateral spam

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: [Exim] A pattern of collateral spam
We're being pestered with a non-trivial number of rejection reports
which amount to collateral spam.[1]

The routine pattern is that the rejection report relates to an
original spam whose content-body is in Cyrillic (windows-1251),
has been accepted from some spam-happy offering MTA by some naive
receiving MTA, who have then discovered they can't do anything with
it, so they compose a non-delivery report to the counterfeited
envelope-sender.

Problem is, these rejection reports come from all kinds of different
places (as collateral spam does, of course), in all kinds of different
formats, even though the *original* spam looks as if it could be
readily recognised. The consistent feature is that their quoted stuff
from the original spam is in Cyrillic (Windows-1251), and had been
consistently offered to the naive victim with a HELO of
compuserve.com; take this for example:

Received: from compuserve.com (cs666852-119.austin.rr.com
[66.68.52.119]) by mail.liu.se (Postfix) with SMTP id 6DD0A1FF2B

Received: from compuserve.com (cdu05d86.cncm.ne.jp [61.206.211.86])
        by relay2.telekom.ru (8.12.9/8.12.9) with SMTP id h67HvFJp024648

Received: from narganesten.ne.client2.attbi.com ([24.61.233.191]
  helo=compuserve.com)
        by mail.icw.com with smtp (ICW Mailer 3.35 #1)
        id 19ZaIi-0006lH-00

and so on, and so on.

I've been discarding them as they come in, without further action, but
I've finally been irritated enough to at least try for a bit of
discussion.

Does this pattern look familiar? Is there anything worth doing to try
to educate the naive souls who are being fooled into this collateral
activity? Presumably if I write an ACL to try to recognise this
pattern of rejection report, and simply reject them, there's little
chance they will ever get to understand what they're doing wrong and
why we're rejecting it? On the other hand, I've no wish to compose
individual explanatory letters notifying the abuse addresses of each
and every naive MTA that's got itself involved in this activity.

And normally speaking it would be considered bad form to reject
rejection reports without a very strong motive, right?

Any thoughts on what can be achieved through the wonder of exim,
please?

all the best

[1] http://www.ja.net/CERT/JANET-CERT/mail/junk/collateral.html for
any reader who might not be familiar with the term.
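A detection check for the pattern described in the message, as an added example that is not code from the post or from Exim: it assumes the two Received: syntaxes quoted above (Postfix/sendmail style and Exim style) and runs over a constructed sample bounce, flagging hops that said HELO compuserve.com from a host in another domain while the quoted original is in windows-1251.

```python
import re
from typing import List, Tuple

# Constructed sample for this example: a bounce quoting the original spam's
# headers in both Received: syntaxes seen in the post (Postfix and Exim style).
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.example.net

------ This is a copy of the message, including all the headers. ------
Received: from compuserve.com (cs666852-119.austin.rr.com
  [66.68.52.119]) by mail.example.net (Postfix) with SMTP id 6DD0A1FF2B
Received: from narganesten.ne.client2.attbi.com ([24.61.233.191]
  helo=compuserve.com)
        by mail.example.net with smtp (Exim)
Content-Type: text/plain; charset="windows-1251"
"""

# Postfix/sendmail style: "from <HELO> (<rDNS name> [<ip>])"
_POSTFIX_STYLE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<host>[^\s\[\]()]+)\s+\[(?P<ip>[\d.]+)\]\)",
    re.IGNORECASE | re.MULTILINE)
# Exim style: "from <rDNS name> ([<ip>] helo=<HELO>)"
_EXIM_STYLE = re.compile(
    r"^Received:\s+from\s+(?P<host>\S+)\s+\(\[(?P<ip>[\d.]+)\]\s+helo=(?P<helo>[^\s)]+)\)",
    re.IGNORECASE | re.MULTILINE)
_CHARSET_1251 = re.compile(r'charset="?windows-1251"?', re.IGNORECASE)


def unfold_headers(text: str) -> str:
    """Join folded header continuation lines so one regex sees a whole Received: hop."""
    return re.sub(r"\r?\n[ \t]+", " ", text)


def forged_helo_hops(text: str, claimed: str = "compuserve.com") -> List[Tuple[str, str, str]]:
    """Return (helo, rdns_host, ip) for each hop that said HELO `claimed`
    while its reverse-DNS name belongs to some other domain."""
    hops = []
    for pattern in (_POSTFIX_STYLE, _EXIM_STYLE):
        for m in pattern.finditer(unfold_headers(text)):
            helo, host, ip = m["helo"].lower(), m["host"].lower(), m["ip"]
            if helo == claimed and host != claimed and not host.endswith("." + claimed):
                hops.append((helo, host, ip))
    return hops


def looks_like_collateral_bounce(text: str) -> bool:
    """The pattern from the post: quoted original in windows-1251 that was
    offered to the bouncing MTA with a forged HELO of compuserve.com."""
    return bool(_CHARSET_1251.search(text)) and bool(forged_helo_hops(text))
```

The same two patterns could be reused in an ACL condition over the quoted body if the decision is to reject; the example only classifies.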