
Backscatter to role addresses
What do others do about backscatter to their role addresses? It seems
spammers have recently discovered the role addresses noc, hostmaster, and
webmaster for one of my business domains and are forging them as senders.
As a result, I'm seeing lots of backscatter from various spam-detectors.
(This just started a week or two ago but the addresses have been around for
years.)

Should I bother letting SA scan the messages and consign them to my SA
folder where they get auto-learned?

For those not familiar with the issue:

<https://en.wikipedia.org/wiki/Backscatter_(email)>
Re: Backscatter to role addresses
On Sat, 30 Jan 2021, Kenneth Porter wrote:

> What do others do about backscatter to their role addresses? It seems
> spammers have recently discovered the role addresses noc, hostmaster, and
> webmaster for one of my business domains and are forging them as senders. As
> a result, I'm seeing lots of backscatter from various spam-detectors. (This
> just started a week or two ago but the addresses have been around for years.)

Me too, just started a couple of days ago. SPF doesn't help; they are
either using relays that ignore SPF failures for authenticated connections
(and also don't validate that the sender domain belongs to a client), or don't
check SPF at all - essentially, open relays.

> Should I bother letting SA scan the messages and consign them to my SA folder
> where they get auto-learned?

I'm not doing that, because it might cause legitimate "undeliverable"
messages from (admittedly poorly-configured) MTAs to be classified as
spam. You don't want to learn the MTA message part as "spammy".

What I'm doing right now is: if the "undeliverable" spam message is
attached (it isn't always), I add it to my spam corpus and train *that* as
spam, then I add the MTA that sent the backscatter to my MTA's "access
denied" list with a message about the backscatter.

I'd also like to know how to submit these MTAs for inclusion in one of the
Spamhaus DNSBLs.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you ask amateurs to act as front-line security personnel,
you shouldn't be surprised when you get amateur security.
-- Bruce Schneier
-----------------------------------------------------------------------
2 days until the 18th anniversary of the loss of STS-107 Columbia
Re: Backscatter to role addresses
On Sat, 30 Jan 2021 14:41:42 -0800 (PST)
John Hardin wrote:

> I'd also like to know how to submit these MTAs for inclusion in one
> of the Spamhaus DNSBLs.

I don't think there's an existing Spamhaus list that's relevant.

I used to use ips.backscatterer.org for this, but for some reason
I commented it out and I can't remember why. The website looks active
with a 2021 copyright line.
Re: Backscatter to role addresses
On Sat, 30 Jan 2021, RW wrote:

> On Sat, 30 Jan 2021 14:41:42 -0800 (PST) John Hardin wrote:
>
>> I'd also like to know how to submit these MTAs for inclusion in one
>> of the Spamhaus DNSBLs.
>
> I don't think there's an existing Spamhaus list that's relevant.

SBL has listed open relays in the past (circa 2013) -
https://www.spamhaus.org/news/article/706/the-return-of-the-open-relays

> I used to use ips.backscatterer.org for this, but for some reason
> I commented it out and I can't remember why. The website looks active
> with a 2021 copyright line.

I was focusing on something supported out-of-the-box by SA.

Perhaps SORBS?

describe RCVD_IN_SORBS_SMTP SORBS: sender is open SMTP relay


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Are you a mildly tech-literate politico horrified by the level of
ignorance demonstrated by lawmakers gearing up to regulate online
technology they don't even begin to grasp? Cool. Now you have a
tiny glimpse into a day in the life of a gun owner. -- Sean Davis
-----------------------------------------------------------------------
2 days until the 18th anniversary of the loss of STS-107 Columbia
Re: Backscatter to role addresses
On 30.01.21 14:30, Kenneth Porter wrote:
>What do others do about backscatter to their role addresses? It seems
>spammers have recently discovered the role addresses noc, hostmaster,
>and webmaster for one of my business domains and are forging them as
>senders. As a result, I'm seeing lots of backscatter from various
>spam-detectors. (This just started a week or two ago but the addresses
>have been around for years.)

SPF
DKIM
DMARC

loadplugin Mail::SpamAssassin::Plugin::VBounce

whitelist_bounce_relays fantomas.fantomas.sk
# or better, put your outgoing relays there

score BOUNCE_MESSAGE 1
score CRBOUNCE_MESSAGE 1
score VBOUNCE_MESSAGE 1
score OOOBOUNCE_MESSAGE 1
score ANY_BOUNCE_MESSAGE 1

...

>Should I bother letting SA scan the messages and consign them to my SA
>folder where they get auto-learned?

It is possible, but I would not recommend it.


--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
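The test that both John Hardin's procedure above (train only the attached original, note which MTA sent the backscatter) and the whitelist_bounce_relays line in Matus's configuration rely on is the same one: a bounce concerns mail we really sent only if the attached original passed through one of our own outgoing relays. The following Python script is an added example written for this thread; it is not code from SpamAssassin, its VBounce plugin, or any of the posters. The domain, relay names, addresses, IPs and the two sample DSNs it feeds itself are all constructed.

```python
"""Classify bounce (DSN) messages as real bounces or backscatter.

Added example; not code from SpamAssassin, its VBounce plugin, or anyone in
this thread.  The test it applies is the one whitelist_bounce_relays relies
on: a bounce concerns mail we really sent only if the attached original passed
through one of our own outgoing relays.  Every hostname, address and IP here
is constructed for the example.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_RELAYS = {"mx1.example.com", "mx2.example.com"}   # assumed outgoing relays
RECEIVED_HOST = re.compile(r"\b(?:from|by)\s+([a-z0-9][a-z0-9.-]*)", re.I)


def is_bounce(msg: EmailMessage) -> bool:
    """Null return path, a DSN report type, or a MAILER-DAEMON/postmaster sender."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    return local in {"mailer-daemon", "postmaster"}


def extract_original(bounce: EmailMessage) -> EmailMessage | None:
    """Return the original message the bouncing MTA attached, if it did."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)            # the embedded message object
        if ctype == "text/rfc822-headers":        # headers-only DSN variant
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def received_hosts(msg: EmailMessage) -> list[str]:
    """Hostnames named in the 'from'/'by' clauses of the Received: chain, top first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        hosts.extend(h.lower() for h in RECEIVED_HOST.findall(" ".join(str(hdr).split())))
    return hosts


def classify_bounce(raw: bytes) -> dict:
    """Verdict plus what John's procedure needs: the attached original to train
    as spam and the MTA that sent us the backscatter (for the access list)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return {"verdict": "not-a-bounce"}
    # The bouncing MTA is the 'from' host of *our* topmost Received: header.
    top = msg.get_all("Received", [""])[0]
    m = re.search(r"\bfrom\s+([a-z0-9][a-z0-9.-]*)", str(top), re.I)
    bouncing_mta = m.group(1).lower() if m else None
    original = extract_original(msg)
    if original is None:
        return {"verdict": "bounce-without-original", "bouncing_mta": bouncing_mta}
    # Only the attached original's Received: chain counts.  The outer bounce
    # always names our own MX as the receiving host, which proves nothing.
    via_us = any(h in OUR_RELAYS for h in received_hosts(original))
    return {
        "verdict": "legitimate-bounce" if via_us else "backscatter",
        "sender": parseaddr(str(original.get("From", "")))[1].lower(),
        "bouncing_mta": bouncing_mta,
        "train_as_spam": None if via_us else original.as_bytes(),
    }


def make_bounce(original_received: str) -> bytes:
    """Constructed DSN that carries an original claiming to be from noc@example.com."""
    return (
        "Return-Path: <>\r\n"
        "Received: from bounce-gw.example.net ([198.51.100.7]) by mx1.example.com\r\n"
        "\twith ESMTP id 4DSb1x; Sat, 30 Jan 2021 14:41:42 -0800\r\n"
        "From: Mail Delivery System <MAILER-DAEMON@bounce-gw.example.net>\r\n"
        "To: <noc@example.com>\r\n"
        "Subject: Undelivered Mail Returned to Sender\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: multipart/report; report-type=delivery-status; boundary=\"B1\"\r\n"
        "\r\n--B1\r\nContent-Type: text/plain\r\n\r\n"
        "Your message could not be delivered.\r\n"
        "--B1\r\nContent-Type: message/rfc822\r\n\r\n"
        f"Received: {original_received}\r\n"
        "From: noc@example.com\r\nTo: victim@example.net\r\n"
        "Subject: Account notice\r\n\r\nforged body\r\n"
        "--B1--\r\n"
    ).encode()


# Forged original: never touched our relays -> backscatter.
BACKSCATTER_SAMPLE = make_bounce(
    "from client.example.org ([203.0.113.9]) by open-relay.example.org with SMTP;"
    " Fri, 29 Jan 2021 03:14:00 +0000")
# Genuine original: left through mx2.example.com -> a real bounce, do not train.
LEGIT_SAMPLE = make_bounce(
    "from user-pc.example.com ([10.0.0.5]) by mx2.example.com with ESMTP;"
    " Fri, 29 Jan 2021 03:14:00 +0000")

if __name__ == "__main__":
    for name, sample in (("forged", BACKSCATTER_SAMPLE), ("genuine", LEGIT_SAMPLE)):
        r = classify_bounce(sample)
        print(name, r["verdict"], r["sender"], "via", r["bouncing_mta"])
```

Two design points follow from the thread. The verdict is drawn only from the Received: chain of the attached original, never from the outer bounce, because the outer message always shows our own MX receiving it and so proves nothing; and only the attached original, not the DSN wrapper, is handed back for the spam corpus, which is exactly why John avoids auto-learning whole bounces. A DSN that carries no original at all gets its own verdict rather than a guess, since the relay test cannot be applied to it.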
Re: Backscatter to role addresses
On 2021-01-31 13:05, Matus UHLAR - fantomas wrote:

> SPF

basically, REJECT the envelope sender if it's a local domain

and only on port 25, not elsewhere

> DKIM
> DMARC

but not with DKIM, DMARC