Karsten M. Self
Tue Apr 6 00:55:48 PDT 2004
on Mon, Apr 05, 2004 at 05:32:33PM -0400, Mister Bad (firstname.lastname@example.org) wrote:
> So, I get about 10-20 worm bounce messages per day. It would be nice
> if folks who put anti-worm filters into their MTAs would also check
> to see if the worm falsifies "From:" and/or "Sender:"; but they don't,
> so I get a lot of bounces.
You're welcome to the following canned rant 'avspam', from the amazing
Turn off your viral autoresponder.
Ensure that your mail server is generating 5XX *REJECT* messages, *NOT*
sending a notification to the 'From:' or Envelope From sender, as these
Just like SoBig-F, much of the huge volume of crap generated by
MyDoom is the result of auto-responder messages. As well as replies
that someone is out of the office users are getting a stream of
accusatory messages from anti-virus gateway products accusing them
of sending a virus.
Graham Cluley, senior technology consultant for Sophos Anti-Virus,
said that the current generation of anti-virus gateway products are
incapable of determining whether the email address in a virus-contaminated
email is spoofed.
"In the circumstances, it might be better for people to turn off
their auto-responder," Cluley advised, adding the auto responder
messages could be taken as an accusation that someone wholly
innocent was sending out viruses.
My own systems are not susceptible to legacy MS Windows viruses (I run
GNU/Linux exclusively). For sites unfortunate enough to rely on
Microsoft products, such false reports waste staff and administrative
time on wild-goose chases.
Your email system is generating "bounce" messages to spoofed "from"
addresses. These are widely considered spam on the UBE basis:
- Unsolicited? Check
- Bulk? Check
- Email? Check
The sending address has been added to the local spamlist; any further
mail from that address will be treated and reported as spam. Multiple
such reports *will* result in your site being listed on spam-origin
lists, including SPEWS, SpamCop, Spamhaus, and others.
Further similar messages from your domain will be reported as spam.
Any prior and subsequent mail can and will be forwarded to public
services not limited to NANAE (news:news.admin.net-abuse.email) at my
sole discretion. All "confidentiality" email disclaimers are
> Almost all of them get caught by crm114, which, by the way, rocks the
> I scan my spam traps once every 2-3 days to check for false positives,
> but I have to admit that I've stopped opening anything from mail
> administrator or postmaster.
> Does this make me a bad person? Or, rather, worse than I was before?
I use a set of procmail filters based on Lars Wirzenius's 'spamfilter'
recipes (packaged for Debian). I've created a couple of helper scripts
to parse mail messages for sender and dump these into an appropriate
list: white, black, grey, spam, daemon (for dumping to a daemon
Postmaster/admin mail which is spammy (including avspam as defined
above) gets spamlisted.
Otherwise, it's dumped to a "remote-daemon" box which gets sorted every
few days. I pick the bounces for p'master, abuse, and any domain or IP
WHOIS contacts and send these to the appropriate reporting address at
So does this make you a bad person?
No, of course it doesn't.
> ~Mr. Bad
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
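The sorting described above (parse each postmaster/autoresponder message for its sender, then file the sender into a spam, daemon or grey list) as an added example. This is not Karsten's procmail recipes or helper scripts; it is a stand-alone Python sketch with assumed heuristics: a message is treated as "avspam" when it is machine-generated (Auto-Submitted per RFC 3834, null envelope sender, or a daemon-style local part) and its Subject accuses the recipient of sending a virus; a null-sender multipart/report is filed as a genuine bounce; everything else lands in the grey list for manual review. The three messages are constructed for this example.

```python
"""Sort postmaster/autoresponder mail into sender lists (added example).

Not the helper scripts from the post; heuristics and list names are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Local parts that machines, not people, send from (assumed set).
DAEMON_LOCALPARTS = {"postmaster", "mailer-daemon", "abuse", "root", "virusalert"}

# Subjects typical of AV gateways "accusing" the forged From: of sending a worm.
AVSPAM_SUBJECT = re.compile(r"\b(virus|worm|infected|malware|banned|quarantin)", re.I)

# RFC 3834 Auto-Submitted values that mark machine-generated replies.
AUTO_SUBMITTED = {"auto-replied", "auto-generated"}


def sender_of(msg):
    """Return (envelope_sender, header_from), lower-cased; '' for the null sender <>."""
    env = msg.get("Return-Path", "").strip()
    env_addr = "" if env == "<>" else parseaddr(env)[1]
    from_addr = parseaddr(msg.get("From", ""))[1]
    return env_addr.lower(), from_addr.lower()


def is_daemonish(addr):
    """True when the local part belongs to a mail system role rather than a person."""
    return addr.split("@", 1)[0] in DAEMON_LOCALPARTS


def classify(raw):
    """Return (list_name, sender) for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    env_addr, from_addr = sender_of(msg)
    sender = from_addr or env_addr
    auto = msg.get("Auto-Submitted", "").split(";")[0].strip().lower() in AUTO_SUBMITTED
    machine = auto or env_addr == "" or is_daemonish(from_addr) or is_daemonish(env_addr)
    subject = msg.get("Subject", "")

    # avspam: a machine telling the (forged) From: address that it sent a virus.
    if machine and AVSPAM_SUBJECT.search(subject):
        return "spam", sender
    # A genuine DSN: null envelope sender carrying a multipart/report.
    if env_addr == "" and msg.get_content_type() == "multipart/report":
        return "daemon", sender
    if machine:
        return "daemon", sender          # other daemon mail: sort by hand later
    return "grey", sender                # unknown human sender: needs a look


def sort_messages(raws):
    """File each message's sender into the spam, daemon or grey list."""
    lists = {"spam": set(), "daemon": set(), "grey": set()}
    for raw in raws:
        name, sender = classify(raw)
        lists[name].add(sender)
    return lists


# --- constructed sample messages (not real mail) ---
AV_NOTICE = b"""\
Return-Path: <postmaster@gateway.example.net>
From: "Content Scanner" <postmaster@gateway.example.net>
To: karsten@example.org
Subject: VIRUS (W32/MyDoom) found in a message you sent
Auto-Submitted: auto-replied
Content-Type: text/plain

Your message to bob@example.net contained a virus and was not delivered.
"""

DSN = b"""\
Return-Path: <>
From: MAILER-DAEMON@mx.example.com (Mail Delivery System)
To: karsten@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The recipient does not exist.
--b1--
"""

HUMAN = b"""\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: karsten@example.org
Subject: Re: procmail recipes

Thanks for the pointers.
"""

if __name__ == "__main__":
    for name, senders in sort_messages([AV_NOTICE, DSN, HUMAN]).items():
        print(f"{name:7s} {sorted(senders)}")
```

The script only sorts what has already been accepted and delivered; it does nothing about the root cause. The fix the post asks for sits on the gateway side: scan during the SMTP transaction and answer a 5XX reject, so the worm's forged "From:" never receives a notification in the first place.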