[PLUG] email joe-job.

Terry Griffin griffint at pobox.com
Tue May 20 00:23:39 UTC 2008


> Looks like I've had a joe-job done to my main email address.  Forged
> envelopes with my address as the Return-Path.  A couple of thousand
> bounce messages since around 10:30 this morning and still coming in.
>
> Any ideas as to how to identify that they are bounce messages.  Is there
> a postfix header check or a procmail recipe?
>
> I'll probably start with the Sender containing postmaster and dump that
> into a folder.  That should cut down on the pile I have to sort through
> so I don't miss a real message.
>
> Not sure Spam Assassin would help and this is a pretty old mail server,
> running postfix, that has never been compromised before, so installing
> Spam Assassin isn't a good option.  I'm working towards replacing it but
> not ready yet.  Looks like I might have to get ready sooner.
>

The term is "backscatter" when you are not being deliberately targeted
but instead your email address is simply being abused.

Dealing with backscatter has been my struggle for the past many weeks,
but I've more or less got it under control now with some custom filters
that I slapped together.

First I try to determine if the message is some sort of bounce, legit
or not. If so then I try to find the original message either as an
attachment or in-line. In-line is most difficult because there are so
many different formats with different delimiters. But if I can find the
original message then I run it through the regular spam filters. If it
turns up positive then I assume my bounce is backscatter.

If I can't find the original message then I just search the body of the
bounce message for the original "From:" line. If I find it I pick out the
name and address. Say for example it's this:

   From: "go large" <myaddress at example.com>

(I also check the "From:" line even in the cases where I do find the
entire attached message, but where it passes the regular spam filters.)

The backscatter clue is that the string "go large" does not match
the string "Terry Griffin". [Insert your own joke here.] For myself and
every user on my mail server I know their real name. I look up the name
using the email address from the "From:" line, then do a fuzzy string
comparison between their name and whatever name is in the "From:" line.
If there is no similarity then I assume the original message was spam
with a forged address, and that the bounce is backscatter.

Some bounces unfortunately don't contain enough of the original spam
to work with. But even so I'm now getting a backscatter catch rate
well into the 90% range and no false positives.

Terry
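The bounce detection, original-"From:" extraction and fuzzy real-name comparison described in the reply above, as an added Python example (this is not code from the original post; the LOCAL_USERS table, the 0.6 similarity threshold, the bounce heuristics and the sample bounce are constructed assumptions):

```python
from email import message_from_bytes, policy, utils
import re
from difflib import SequenceMatcher

# Hypothetical table of local mailbox -> real name (constructed for this example).
LOCAL_USERS = {"myaddress@example.com": "Terry Griffin"}
INLINE_FROM = re.compile(r"^From:[ \t]*(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)

def is_bounce(msg):
    """Cheap bounce test: DSN report type, or a null/daemon/postmaster sender."""
    sender = (msg.get("Return-Path") or msg.get("From") or "").strip().lower()
    return (msg.get_content_type() == "multipart/report" or sender in ("", "<>")
            or "mailer-daemon" in sender or "postmaster" in sender)

def original_from(msg):
    """(name, address) from the quoted original: an attached message/rfc822
    part is preferred, else the first From: line found in inline text."""
    parts = list(msg.walk())
    attached = [p.get_payload(0).get("From", "") for p in parts
                if p.get_content_type() == "message/rfc822"]
    inline = [m.group(1) for p in parts if p.get_content_type() == "text/plain"
              for m in INLINE_FROM.finditer(p.get_content())]
    for candidate in attached + inline:
        name, addr = utils.parseaddr(candidate)
        if addr:
            return name, addr
    return None

def name_similarity(a, b):
    """Fuzzy match of two display names: 0.0 (unrelated) to 1.0 (identical)."""
    return SequenceMatcher(None, a.lower().strip(), b.lower().strip()).ratio()

def classify(raw, threshold=0.6):
    """'not-bounce', 'unknown' (nothing usable quoted), 'backscatter' or 'genuine'."""
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-bounce"
    found = original_from(msg)
    real_name = LOCAL_USERS.get(found[1].lower()) if found else None
    if real_name is None:
        return "unknown"
    return "backscatter" if name_similarity(found[0], real_name) < threshold else "genuine"

# Constructed sample: an inline-style bounce quoting spam forged in Terry's name.
SAMPLE_BOUNCE = b"""From: MAILER-DAEMON@relay.example.net
Subject: Undelivered Mail Returned to Sender

This is the mail system at host relay.example.net.
------ This is a copy of the message, including all the headers. ------
From: "go large" <myaddress@example.com>
"""
```

Bounces that quote too little of the original come back as "unknown" rather than being guessed at, which is where the remaining misses in the reply's catch rate sit.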