"Backscatter"?

-updated subject to correctly categorize-

We are seeing a high number of these on our limited honeypot accounts and are curious whether other people are suffering from them and to what degree, as well as what measures you have taken to mitigate them. Any experience out there?

Cheers

Justin


We've not seen spam joe jobs for a year or so now. The most recent used a deprecated subdomain (which we pulled the plug on to avoid the complaints - Hotmail still blacklisted us so we had to buy a bonded sender subscription).

Now all we get is email worm joe jobs...

Corey_ironport
Level 1

Yeah, I haven't seen a real Joe job in quite a while. Everything that I've seen recently was from worms spoofing addresses.

My bad, I mis-categorized what we are seeing.

The mails we are seeing are bounces coming to us due to spoofed From addresses on viral infection attempts that have been cleaned by the receiving party.

Brightmail doesn't seem to feel any ownership for them as they are "legitimate" bounces.

Sorry for the confusion.

Justin

You're kinda stuck with those bounces.

You could make a filter to drop all mailerdaemon bounces - but then users would have no legitimate bounce messages either.

Floating around in the SpamAssassin open source rulesets somewhere are common "anti-virus message gateway bounce" response strings. That would alleviate some of it - but not the normal error 5xx responses.
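The trade-off described in the last reply, as an added example that is not part of the original thread: a classifier that flags anti-virus gateway notices by response string while leaving ordinary RFC 3464 delivery status notifications (the normal 5xx bounces) untouched. The phrase list, function names and sample messages are constructed for illustration and are not taken from any SpamAssassin ruleset.

```python
import re
from email import message_from_string

# Constructed phrases (assumption: not taken from any SpamAssassin ruleset).
AV_NOTICE = re.compile(
    r"virus (was )?(found|detected)|infected (message|attachment)"
    r"|has been (cleaned|quarantined)", re.IGNORECASE)

def body_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            chunks.append((part.get_payload(decode=True) or b"")
                          .decode("utf-8", "replace"))
    return "\n".join(chunks)

def classify(raw):
    """Return 'av-notice', 'dsn' or 'other' for one inbound message."""
    msg = message_from_string(raw)
    if AV_NOTICE.search(msg.get("Subject", "") + "\n" + body_text(msg)):
        return "av-notice"
    # RFC 3464 bounces: multipart/report with report-type=delivery-status.
    if (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status"):
        return "dsn"
    return "other"
# Constructed sample messages.
AV_SAMPLE = """\
Subject: Virus detected in message you sent
Content-Type: text/plain

The infected attachment was removed and the message has been cleaned.
"""
DSN_SAMPLE = """\
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@example.org failed: 550 5.1.1 user unknown
--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@example.org
Status: 5.1.1
--b1--
"""
```

Only messages classified as `av-notice` are candidates for dropping; `dsn` results still include backscatter from spoofed senders, which string matching alone cannot separate from a user's genuine bounces.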