Tuesday 28 November 2006

I Got 25,000 Spam Messages in Two Days!

Late last week, some idiot spammer decided it would be a neat trick to send a metric boatload of spam messages in my name (see also Joe Job). I estimate that in the space of 48 hours, his botnet spewed a million messages that appeared to come from one of my domains.

Unsurprisingly, a small percentage of those messages bounced. Guess where the bounces ended up? In my email. All 25,000 of them...

What can we learn from this?

  1. Symantec's Brightmail spam filter is really good. OK, I kinda knew this already, but the Brightmail filters that sit in front of my mail service did a near-perfect job of sifting out the bounces from the real email.

  2. Way too many email servers are badly broken, to the extent that they bounce email to unknown addresses, instead of rejecting it. Some of this is down to configurations that accept everything at the perimeter and only later decide the mailbox doesn't exist, but mostly it just seems to be broken software. (If you run a mail system that does this, for the love of all that's holy please fix it.)

  3. Way too many ISP abuse desks seem to think (2) is perfectly acceptable behavior.

  4. Way too many sites allow their users to auto-reply to email willy-nilly. Don't these people have spam filters? Amusingly, some do, as can be seen from the SpamAssassin-like headers added to the bounced spam, yet even though the message scores higher than the spam cutoff, they're still kindly letting me know that they're out of the office.

  5. Way too many ISP abuse desks seem to think (4) is perfectly acceptable behavior, too.

  6. Challenge/Response spam filters are a royal scourge. (See blog posts passim). It's not my job to filter your spam for you.

  7. SpamCop is still an excellent resource.
Some spammer probably thinks he's been jolly clever and put one over an "anti". However, the state of the art in spam filtering is just too good.


Anonymous said...

We do both (2) and (4). We're going to fix (2) because a very high % of incoming spam is to non-existant addresses, and we quarantine it!
(4) could be just for monitoring purposes of the outgoing traffic rather than a real blocking service. There are cases when you "trust" your internal users, but sometimes their machines get hijacked into botnets.

A system architect

Anonymous said...

The same happened to me: http://blog.iloaf.com/2006/11/27/wtf-my-mailbox-exploded/

I ended up with a heap of stuff that was more dificult to deal with such as CR's and OOO messages.

Anonymous said...

Implement BATV (bounce address tag validation) and all of these bounces would have been rejected even before your spam filter.


I would suggest you look into BATV.

Post a Comment