Re: [Exim] A pattern of collateral spam

Top Pagina
Delete this message
Reply to this message
Auteur: Alan J. Flavell
Datum:  
Aan: Exim users list
Onderwerp: Re: [Exim] A pattern of collateral spam
On Wed, 13 Aug 2003, Jez Hancock wrote:

> On Mon, Aug 11, 2003 at 07:22:59PM +0100, Alan J. Flavell wrote:
> >
> > We're being pestered with a non-trivial number of rejection reports
> > which amount to collateral spam.


[...]
> I only realized this was 'collateral' spam when I started accepting a
> few of the rejected mails


Oh, we reject quite a number of bounces for *non-existent* users; we
don't usually try to separate the callouts produced by those who "try
before they buy", from the non-delivery reports from those who didn't
try a callout and then had to compose a report: for non-existent users
both kinds produce the same kind of entry in the log.

Anyhow, to get back to the point of my original posting: this was
about collateral-spam where the counterfeited envelope sender had been
a genuine address in our domain, and would (if not intercepted) cause
a nuisance for our users.

> As to what can be done I fear not a lot other than prepare for any
> complaints that may arise because of it.


Well, we've been mentally prepared for that thanks to the very useful
briefing at
http://www.ja.net/CERT/JANET-CERT/mail/junk/collateral.html

> At the end of the day the only
> thing one might attempt to do would be to warn the admins of the MTAs
> that are bouncing the mails that the mail didn't originate from your
> server


Well, this is a fairly conservative attempt to match the pattern seen
in these non-delivery reports:

  deny senders = :
    condition = ${if match {$message_body}{\Ncharset=Windows-1251\N} \
                    {yes}{no}}
   log_message = Matches the 'compuserve.com' pattern of collateral spam.
   message = Your delivery status notification matches a pattern of \
                                                    'collateral spam'\n\
             and has been refused.  For general explanation please see\n\
             http://www.ja.net/CERT/JANET-CERT/mail/junk/collateral.html\n\
             If this is wrong please contact postmaster@(OUR-DOMAIN)
    condition = ${if match {$message_body}\
                    {\N(from\s{1,3}|helo=)compuserve\.com\N} {yes}{no}}
    condition = ${if match {$message_body}\
                    {\NMessage-ID: .[A-Z0-9]{16}@\N} {yes}{no}}


I ran it as a "warn" since posting my original question, but I
turned it into a "deny" earlier today. It's caught a few already, and
during the "warn" period none of them were false matches. If the
spammers are reading this and go and change their pattern, it
shouldn't be too hard to adapt to their new one.

> Of course how well this advise would go down - not least because the
> majority of MTAs appear to be in russia and I don't speak russian too
> well! - is another question entirely.


Well, sorry - I can't help that either.

cheers