Wednesday, June 16, 2004

Using bad bounce messages to combat spam.

Postfix documentation calls what I'm talking about "backscatter." Before I found that, I said spammers were forging my domain on their outgoing junk, and I'd get the replies. I get a lot of backscatter because my domain accepts mail for any user name and directs it all to me.

In the first two weeks of June, my filter identified 71,220 of these critters, which is 5,087 per day. They're all the result of someone forging my domain on an email.

I could drop them all, but I don't. I use them to populate my own DNSBL. Sometimes the responding mailer daemon will include the original headers of the message that triggered the response. In that case, I can see where the email originated. For instance, here's one:
    Received: from bbc.com ([218.128.244.106]) by sanction.DATEM with Microsoft SMTPSVC(5.0.2195.6713);
        Tue, 15 Jun 2004 22:27:24 -0800
    Date: Wed, 16 Jun 2004 06:28:07 +0000
    From: store0@toehold.com
    Return-Path: store0@toehold.com

Based on that, I know that the computer that claimed to be bbc.com (218.128.244.106) forged my address on its outgoing mail. It's probably a flesh-eating, soul-stealing, spam-spewing zombie. I add that IP to my list of IPs that I don't like very much.

Each IP in my list has a date attached, which I set to the current date every time that IP brings itself to my attention. This way I can expire them off the list when they stop misbehaving (or merely leave me alone).
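The steps above (find the quoted headers in a bounce, pull the IP out of the earliest Received line, stamp it with today's date, expire stale entries) as an added worked example in Python. This is not the post author's code; the sample bounce is constructed around the header quoted above, the hostnames mail.example.com and sanction.datem.example and the 30-day expiry window are assumptions, and the DNSBL zone lines follow the usual reversed-octet convention.

```python
import re
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample bounce: the bouncing server's own headers, a blank line,
# the DSN text, then the quoted headers of the message that was forged to look
# like it came from toehold.com (the Received line is the one quoted in the post).
SAMPLE_BOUNCE = """\
Received: from sanction.DATEM (sanction.datem.example [192.0.2.10]) by mail.example.com
Date: Wed, 16 Jun 2004 06:30:00 +0000
From: postmaster@sanction.datem.example
To: store0@toehold.com
Subject: Delivery Status Notification (Failure)

This is an automatically generated Delivery Status Notification.

Received: from bbc.com ([218.128.244.106]) by sanction.DATEM with Microsoft SMTPSVC(5.0.2195.6713);
    Tue, 15 Jun 2004 22:27:24 -0800
Date: Wed, 16 Jun 2004 06:28:07 +0000
From: store0@toehold.com
Return-Path: store0@toehold.com
"""

# "Received: from <helo-name> (... 1.2.3.4 ...)": the HELO name is whatever the
# sender claimed, the bracketed address is what the receiving MTA observed.
RECEIVED_IP_RE = re.compile(
    r"^Received:\s+from\s+(\S+)\s+\(.*?(\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE
)


def unfold_headers(text: str) -> str:
    """Join folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", text)


def originating_ip(bounce: str) -> Optional[str]:
    """IP of the first hop of the message quoted inside a bounce, or None.

    Only Received lines after the bounce's own header block are considered.
    Received headers are prepended as mail travels, so the last one in the
    quoted block is the earliest hop: the machine that injected the forgery.
    Everything here is attacker-influenced data; treat it as a hint, not proof.
    """
    parts = unfold_headers(bounce).split("\n\n", 1)
    if len(parts) < 2:
        return None
    hits = RECEIVED_IP_RE.findall(parts[1])
    if not hits:
        return None
    ip = hits[-1][1]
    return ip if all(int(octet) <= 255 for octet in ip.split(".")) else None


class BackscatterList:
    """IPs seen forging our domain, each stamped with the date last seen."""

    def __init__(self, max_age_days: int = 30):
        self.last_seen: Dict[str, date] = {}
        self.max_age = timedelta(days=max_age_days)

    def note(self, ip: str, today: date) -> None:
        # Refresh the stamp every time the IP shows up again.
        self.last_seen[ip] = today

    def expire(self, today: date) -> List[str]:
        """Drop entries that have been quiet longer than max_age; return them."""
        stale = [ip for ip, seen in self.last_seen.items() if today - seen > self.max_age]
        for ip in stale:
            del self.last_seen[ip]
        return stale

    def contains(self, ip: str) -> bool:
        return ip in self.last_seen

    def zone_records(self) -> List[str]:
        """DNSBL-style records: reversed octets, answer 127.0.0.2 (zone origin assumed)."""
        return [
            "%s IN A 127.0.0.2" % ".".join(reversed(ip.split(".")))
            for ip in sorted(self.last_seen)
        ]


def process_bounce(bl: BackscatterList, bounce: str, today: date) -> Optional[str]:
    """Extract the origin IP from one bounce and record it; return the IP found."""
    ip = originating_ip(bounce)
    if ip is not None:
        bl.note(ip, today)
    return ip


if __name__ == "__main__":
    bl = BackscatterList(max_age_days=30)
    print("origin:", process_bounce(bl, SAMPLE_BOUNCE, date(2004, 6, 16)))
    print("\n".join(bl.zone_records()))
```

The expiry check runs on whatever date is passed in, so it can be called from a daily job with `date.today()`; the records a lookup returns are meant to feed a scoring rule, as the post says, not to reject mail outright.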

In general, I think IP black lists are bad. The above isn't the only (automated) way that I add IPs to my list, and I have no doubt that there are addresses on it that do not deserve to be. Even bounce messages technically contain data from untrusted sources. There's no way to know that those "Received" headers are valid!

I use the list only as another data point when SpamAssassin is evaluating incoming mail. Having an entry on this list will not block anything; it just makes it look worse.
