Tim Jackson (lists@???) said, in message
<20040205212809.306c6ea3.lists@???>:
>
> Hi Gururajan, on Thu, 05 Feb 2004 11:17:45 -0500 you wrote:
>
> > Is there any way to distinguish genuine bounces to any address against
> > the fake ones generated by spam and viruses co-opting one's email
> > address?
>
> You could try my "bogus virus warning" SpamAssassin ruleset at
> http://www.timj.co.uk/linux/bogus-virus-warnings.cf .
>
> This tries to pick out bogus virus warnings without blocking real bounces.
We've been getting a lot of bogus bounces here recently (and sending lots
too (but not to MyDoom, I hope!), but I've finally managed to get permission
to turn that off!). It got me to thinking about what we could do about it.
I've installed Tim's ruleset, but I was wondering whether something along
the following lines would work in general.
On outgoing mail, add a header containing a tag which changes every
hour (e.g. MD5(secret . int(time/3600)))
Keep a list of recent (say a month's worth?) tags that have been used.
When a message from <> comes in, search it for any used tag and, if not
present, drop the bounce.
You could go further and make the tag cryptographically dependent on
the message ID or something, but I think it would be best to keep the
search simple.
The question is, how many mail systems bounce mail without including
the headers? If the answer is low enough, we would end up not passing
on any bounces that weren't in response to mail originating from our
systems.
I'm pretty sure I'm not the first person to think of this, so there must
be a big flaw. Presumably the flaw lies in the previous paragraph. What do
people think?
Cheers,
Alun.
--
Alun Jones auj@???
Systems Support, (01970) 62 2494
Information Services,
University of Wales, Aberystwyth
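The scheme Alun sketches above, worked through as an added example (this is illustration code written for this thread, not anything from the post or from the University's mail system). It stamps outgoing mail with MD5(secret . int(time/3600)) exactly as proposed, keeps a month of issued tags, and drops null-sender mail that quotes none of them. The header name `X-Bounce-Tag`, the secret, the timestamps and all of the sample messages are assumptions constructed for the demo; in a real MTA the envelope sender would come from the SMTP MAIL FROM, not from a header.

```python
"""Hourly bounce tag: stamp outgoing mail, accept null-sender mail only if it
quotes a tag we issued.  Example code written for this thread, not from the post."""
import hashlib

HOUR = 3600
RETENTION = 30 * 24 * HOUR          # a month of tags, as the post suggests
TAG_HEADER = "X-Bounce-Tag"          # assumption: the post names no header
SECRET = b"change-me-per-site"       # assumption: per-site secret known only to the MTA


def make_tag(secret: bytes, now: float) -> str:
    """MD5(secret . int(time/3600)) exactly as proposed, as a hex string."""
    bucket = int(now // HOUR)
    return hashlib.md5(secret + str(bucket).encode("ascii")).hexdigest()


class TagStore:
    """Tags we have put on outgoing mail, with the time each was first used."""

    def __init__(self, retention: int = RETENTION):
        self.retention = retention
        self.first_used = {}

    def record(self, tag: str, now: float) -> None:
        self.first_used.setdefault(tag, now)

    def expire(self, now: float) -> None:
        cutoff = now - self.retention
        for tag in [t for t, first in self.first_used.items() if first < cutoff]:
            del self.first_used[tag]

    def quoted_in(self, text: str) -> bool:
        """True if any retained tag appears anywhere in the message text."""
        return any(tag in text for tag in self.first_used)


def stamp_outgoing(message: str, secret: bytes, store: TagStore, now: float) -> str:
    """Prepend this hour's tag header and remember that we issued it."""
    tag = make_tag(secret, now)
    store.record(tag, now)
    return f"{TAG_HEADER}: {tag}\n" + message


def accept_inbound(envelope_from: str, message: str, store: TagStore, now: float) -> bool:
    """Apply the rule: mail from <> must quote one of our tags; everything else passes."""
    store.expire(now)
    if envelope_from != "":           # not a bounce: untouched by this scheme
        return True
    return store.quoted_in(message)


# --- constructed sample traffic (not real mail) -----------------------------
T0 = 1_075_900_000                    # assumption: a timestamp in February 2004
OUTGOING = "From: auj@example.ac.uk\nTo: someone@example.org\nSubject: hello\n\nbody\n"


def demo(now: float = T0) -> dict:
    """Run the five cases a practitioner would want to see; returns name -> deliver?"""
    store = TagStore()
    sent = stamp_outgoing(OUTGOING, SECRET, store, now)

    # A real DSN quotes our headers in its body (message/rfc822 part).
    genuine = "From: MAILER-DAEMON@example.org\nSubject: Undelivered\n\n" + sent
    # A joe-job bounce carries a forged message with none of our headers.
    forged = ("From: MAILER-DAEMON@spam.invalid\nSubject: Returned mail\n\n"
              "From: auj@example.ac.uk\nSubject: hi\n\nvirus payload\n")
    # A spammer who received one of our tagged mails can copy the tag.
    replayed = forged + f"\n{TAG_HEADER}: {make_tag(SECRET, now)}\n"

    return {
        "genuine": accept_inbound("", genuine, store, now + HOUR),
        "forged": accept_inbound("", forged, store, now + HOUR),
        "replayed_within_month": accept_inbound("", replayed, store, now + 7 * 24 * HOUR),
        "genuine_after_expiry": accept_inbound("", genuine, store, now + RETENTION + HOUR),
        "normal_mail": accept_inbound("alice@example.org", forged, store, now),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'deliver' if ok else 'drop'}")
```

The `replayed_within_month` case is the flaw the post is fishing for: an hourly tag is visible to every recipient of every message sent that hour, so anyone who harvests one (a spammer's address list, a mailing-list archive) can mint accepted "bounces" until it ages out a month later. The "go further" variant, a tag bound to the individual message, shrinks that window to one message's lifetime. It also answers the last paragraph's question about MTAs that bounce without the headers: later schemes of this kind (VERP-style per-message addresses and BATV) put the tag in the envelope sender itself, which every bounce must echo, rather than in a header that a terse DSN may omit.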