LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

Cris Fuhrman <[log in to unmask]>
Fri, 4 Jan 2008 03:00:51 +0100
On Fri, 30 Nov 2007 17:51:15 CST, listserv postmaster
<[log in to unmask]> wrote:

>Unfortunately the mail addresses are never repeated.  The spammers just
>send message after message with different forged addresses.  The owners
>of the forged addresses then get some garbled HTML SPAM interspersed
>with LISTSERV "INVALID COMMAND" messages.
>
>Ron

Owners of forged addresses get what is known as "email backscatter" and
sadly mailing lists are a big source of it. I have an address that gets over
700 backscatter messages/day, although mailing lists are the cause of less
than 10% of it.

In 99.9% of the cases I have seen, it's a zombie machine (part of a
so-called bot-net) that initiates the SMTP message sent to a list address
from a forged address. Such zombies have certain characteristics that are
relatively easy to determine:

1) They don't have a reverse DNS. That is, when you try to find the domain
name for their IP address, there isn't one.
2) Their IP addresses are on various DNS block lists (DNSBL) such as
bl.spamcop.net, cbl.abuseat.org, etc. 
3) They are dynamic IP addresses, which can appear in other block lists such
as zen.spamhaus.org. 

For example, the IP I'm using right now to post this message should never be
sending SMTP traffic outside of my ISP. To quote the entry in the
zen.spamhaus.org list:

<quote>
24.201.0.0/17 is listed on the Policy Block List (PBL)

Outbound Email Policy of Videotron Ltee for this IP range:

It is the policy of Videotron Ltee that unauthenticated email sent from this
IP address should be sent out only via the designated outbound mail server
allocated to Videotron Ltee customers. To find the hostname of the correct
mail server to use, customers should consult the original signup
documentation or contact Videotron Ltee Technical Support.
</quote>

So, to avoid creating backscatter, the mail server that receives input to
your mailing list should check the IPs of the systems connecting to it
during the SMTP session. It should REJECT any email during the SMTP session
originating from IPs that meet the above criteria (1-3). This will eliminate
most if not all email with forged sender addresses.

How one does the checking on one's mailserver depends on what OS and
mailserver it is. The Wikipedia page is a good reference to start:

http://en.wikipedia.org/wiki/Anti-spam_techniques_(e-mail)#DNSBLs
http://en.wikipedia.org/wiki/Anti-spam_techniques_(e-mail)#PTR.2FReverse_DNS_checks
http://en.wikipedia.org/wiki/Anti-spam_techniques_(e-mail)#HELO.2FEHLO_checking

Lastly, backscatter coming from mailing lists is considered spam and can be
reported to SpamCop. If you have ever gotten SpamCop reports about list
traffic caused by spam sent to your mailing list, that is the reason.
http://forum.spamcop.net/forums/index.php?showtopic=6432
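
The connection-time check described in the message above, as an added example that is not part of the original post: it builds the DNSBL query name for the connecting IPv4 address, tests for reverse DNS, and returns the SMTP reply to give during the session. The function names, the injectable lookup parameters and the 550/250 reply texts are assumptions made for illustration; the zones are the ones named in the post.

```python
import ipaddress
import socket

# Zones named in the post; which ones a server uses is a local policy choice.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org")


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_a(name):
    """Default A lookup; returns None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def system_ptr(ip):
    """Default reverse lookup; returns None when the IP has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def smtp_verdict(ip, zones=DNSBL_ZONES, lookup_a=system_a, lookup_ptr=system_ptr):
    """Return (smtp_code, reason) for a connecting client IP.

    550 refuses the mail inside the SMTP session, so no bounce is created
    later and the forged sender address never receives backscatter.
    """
    if lookup_ptr(ip) is None:  # criterion 1: no reverse DNS
        return 550, "no reverse DNS for " + ip
    for zone in zones:  # criteria 2 and 3: block lists, incl. dynamic ranges
        answer = lookup_a(dnsbl_name(ip, zone))
        # A listing is an answer in 127.0.0.0/24. Other answers, such as the
        # 127.255.255.x codes Spamhaus returns for refused queries, are
        # errors and must not be treated as a listing.
        if answer and answer.startswith("127.0.0."):
            return 550, ip + " listed in " + zone + " (" + answer + ")"
    return 250, "accepted"
```

The lookups are parameters so the decision logic can be exercised with constructed answers and without network access; the defaults use the system resolver.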
