Late last week, some idiot spammer decided it would be a neat trick to send a metric boatload of spam messages in my name (see also Joe Job). I estimate that in the space of 48 hours, his botnet spewed a million messages that appeared to come from one of my domains.
Unsurprisingly, a small percentage of those messages bounced. Guess where the bounces ended up? In my email. All 25,000 of them...
What can we learn from this?
1. Symantec's Brightmail spam filter is really good. OK, I kinda knew this already, but the Brightmail filters that sit in front of my mail service did a near-perfect job of sifting out the bounces from the real email.
2. Way too many email servers are badly broken, to the extent that they bounce email to unknown addresses, instead of rejecting it. Some of this is down to configurations that accept everything at the perimeter and only later decide the mailbox doesn't exist, but mostly it just seems to be broken software. (If you run a mail system that does this, for the love of all that's holy please fix it.)
3. Way too many ISP abuse desks seem to think (2) is perfectly acceptable behavior.
4. Way too many sites allow their users to auto-reply to email willy-nilly. Don't these people have spam filters? Amusingly, some do, as can be seen from the SpamAssassin-like headers added to the bounced spam, yet even though the message scores higher than the spam cutoff, they're still kindly letting me know that they're out of the office.
5. Way too many ISP abuse desks seem to think (4) is perfectly acceptable behavior, too.
6. Challenge/Response spam filters are a royal scourge. (See blog posts passim). It's not my job to filter your spam for you.
7. SpamCop is still an excellent resource.
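
For mail admins who want to avoid the behaviour in the points about bouncing to unknown addresses and auto-replying to spam, here is a sketch of the two decisions involved. It is an added example, not code from this post or from any mail server; the mailbox table, function names and sample messages are constructed, and the auto-reply checks follow the recommendations in RFC 3834.

```python
import re
from email import message_from_string

KNOWN_MAILBOXES = {"alice@example.org"}  # constructed local user table
STATUS_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)\s+required=(-?\d+(?:\.\d+)?)")

def rcpt_decision(rcpt, known=KNOWN_MAILBOXES):
    """Answer RCPT TO during the SMTP session, so no bounce is generated later."""
    if rcpt.strip("<>").lower() in known:
        return 250, "2.1.5 Recipient OK"
    # A 5xx here leaves the failure with the connecting client. Accepting the
    # message and bouncing it later mails the (forged) envelope sender instead.
    return 550, "5.1.1 User unknown"

def is_spam(msg):
    """True if a SpamAssassin-style X-Spam-Status score meets its own cutoff."""
    m = STATUS_RE.search(msg.get("X-Spam-Status", ""))
    return bool(m) and float(m.group(1)) >= float(m.group(2))

def may_auto_reply(envelope_from, raw_message):
    """Gate for out-of-office replies: stay silent unless every check passes."""
    msg = message_from_string(raw_message)
    if envelope_from.strip() in ("", "<>"):
        return False  # null return path: the message is itself a bounce
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False  # never answer another automatic message
    if msg.get("Precedence", "").strip().lower() in {"bulk", "junk", "list"}:
        return False
    if is_spam(msg):
        return False  # the filter already flagged it; do not reply to it
    return True

# Constructed sample messages.
SPAM_SAMPLE = (
    "From: forged@example.net\nTo: alice@example.org\nSubject: offer\n"
    "X-Spam-Status: Yes, score=17.3 required=5.0 tests=CONSTRUCTED\n\nbody\n"
)
HAM_SAMPLE = (
    "From: bob@example.net\nTo: alice@example.org\nSubject: lunch\n"
    "X-Spam-Status: No, score=-1.2 required=5.0 tests=CONSTRUCTED\n\nhi\n"
)

if __name__ == "__main__":
    print(rcpt_decision("<nobody@example.org>"))
    print(may_auto_reply("forged@example.net", SPAM_SAMPLE))
    print(may_auto_reply("bob@example.net", HAM_SAMPLE))
```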