About jrssystemsnet
  1. jrssystemsnet

    CNAMEs, MXs and AT&T

    Lemme know if you need any more help figuring it out. Might want to email me at jim[AT]youcanprobablyfigurethedomainoutifyoutryreallyhard if you do, I don't monitor forums here so much and may forget they exist entirely if not reminded. =)
  2. FWIW: 6 detected Sieve backscatters out of approximately 108,000 quarantined spams currently. Please note, however, that I AM subscribed to several RBLs and in addition I have bounce flood protection mechanisms that automatically kick in to forcefully deny any message that appears to be a bounce when a flood is in effect, so that number is very definitely going to be VERY artificially low. If Sieve servers are producing backscatter from spam runs, they are guaranteed to get RBL'ed at SORBS, SCBL, and several other lists, as well as likely winding up trashed by bounce flood mechanisms like mine. Also, many admins implement automatic blackholing of any IP that sends more than [x] detected spams during [y] period of time for [z] hours, so Sieve servers producing backscatter will get DIRECTLY blackholed in a lot of places - particularly if they produce backscatter that reproduces original message content. FINALLY, notice that a lot of admins - such as myself - are trending more and more towards doing automatic deletion of incoming bounce messages even when NOT under load, as they do vastly more damage than good. Producing backscatter is, frankly, inexcusable.
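As an added example of the two mechanisms described in the post above (auto-blackholing an IP after [x] detected spams within [y] for [z], and rejecting anything bounce-shaped while a bounce flood is in effect), here is a small Python model replayed over a constructed log. It is example code written for this page, not the poster's filter; the thresholds, the log format and the IP addresses are assumptions.

```python
"""Model of two defences mentioned above: per-IP auto-blackholing once a
sender exceeds [x] detected spams in [y], and refusing bounce-shaped mail
while a bounce flood is in effect. Example code added for this page, not
the poster's filter; thresholds and the log format are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: ISO timestamp, connecting IP, verdict on the message.
SAMPLE_LOG = """\
2008-03-01T10:00:00 203.0.113.5 spam
2008-03-01T10:00:05 203.0.113.5 spam
2008-03-01T10:00:09 203.0.113.5 spam
2008-03-01T10:00:12 198.51.100.7 ham
2008-03-01T10:00:15 203.0.113.5 ham
2008-03-01T10:20:00 203.0.113.5 ham
2008-03-01T11:30:00 203.0.113.5 ham
2008-03-01T12:00:00 192.0.2.10 bounce
2008-03-01T12:00:01 192.0.2.11 bounce
2008-03-01T12:00:02 192.0.2.12 bounce
2008-03-01T12:00:03 192.0.2.13 bounce
2008-03-01T12:00:04 198.51.100.7 bounce
2008-03-01T12:05:00 198.51.100.7 bounce
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>[\d.]+) (?P<verdict>spam|ham|bounce)$")


class FloodGuard:
    def __init__(self, spam_threshold=3, spam_window=timedelta(seconds=60),
                 blackhole_hold=timedelta(hours=1),
                 bounce_threshold=3, bounce_window=timedelta(seconds=10)):
        self.spam_threshold = spam_threshold      # [x] detected spams ...
        self.spam_window = spam_window            # ... within [y] ...
        self.blackhole_hold = blackhole_hold      # ... blackholed for [z]
        self.bounce_threshold = bounce_threshold  # bounces in bounce_window
        self.bounce_window = bounce_window        # that count as a flood
        self._spam_hits = defaultdict(deque)      # ip -> times of detected spam
        self._blackholed = {}                     # ip -> expiry of the blackhole
        self._bounces = deque()                   # times of bounce-shaped mail

    @staticmethod
    def _expire(q, cutoff):
        """Drop timestamps that have fallen out of the sliding window."""
        while q and q[0] < cutoff:
            q.popleft()

    def decide(self, ts, ip, verdict):
        expiry = self._blackholed.get(ip)
        if expiry is not None:
            if ts < expiry:
                return "reject-blackholed"       # still inside the [z] hold
            del self._blackholed[ip]
        if verdict == "spam":
            hits = self._spam_hits[ip]
            hits.append(ts)
            self._expire(hits, ts - self.spam_window)
            if len(hits) >= self.spam_threshold:
                self._blackholed[ip] = ts + self.blackhole_hold
                hits.clear()
                return "blackhole"
            return "reject-spam"
        if verdict == "bounce":
            self._bounces.append(ts)
            self._expire(self._bounces, ts - self.bounce_window)
            if len(self._bounces) > self.bounce_threshold:
                return "reject-bounce-flood"     # flood in effect: deny all bounces
            return "accept"
        return "accept"


def run(log_text, guard=None):
    """Replay a log through the guard; returns (timestamp, ip, decision) tuples."""
    guard = guard or FloodGuard()
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        out.append((m["ts"], m["ip"], guard.decide(ts, m["ip"], m["verdict"])))
    return out


if __name__ == "__main__":
    for ts, ip, decision in run(SAMPLE_LOG):
        print(ts, ip, decision)
```

In the replay, 203.0.113.5 is blackholed on its third detected spam within a minute and its later legitimate mail is refused until the hold expires, and the burst of bounces around 12:00 trips the flood rule so that even a bounce from an otherwise clean host is refused until the window clears. Real deployments usually key the spam counter on the connecting IP but the bounce counter on the whole server, exactly as modelled here.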
  3. jrssystemsnet

    Amazing reduction in Spam

    My personal guess is that it stands at "yup, I'm still spamming people and I hate it when it gets me on the SCBL."
  4. jrssystemsnet

    CNAMEs, MXs and AT&T

    The problem is that you don't have any NS records for intuitmassage.com. The root servers list ns0 and ns1.directnic.com as the glue servers for intuitmassage.com, but when you query them ... you get absolutely no NS records for that domain at all. This is very, very broken: you should never have a domain without NS records. It's fine to CNAME the A record for the domain as you have above, but there should be NS records, and they should match the glue at the root servers.
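An added example (not the poster's tooling) of checking the condition described above offline: parse dig-style output from the parent-zone servers and from the delegated server, and compare the NS sets. The zone name, server names and dig outputs below are constructed; in practice you would feed it the output of `dig @<parent server> <zone> NS +norecurse` and `dig @<delegated server> <zone> NS +norecurse`.

```python
"""Offline consistency check for a delegation: the parent servers hand out
NS glue for the zone, but the servers named there answer with no NS records
at all. Example code added for this page, not the poster's; the dig-style
outputs below are constructed, not real query results."""
import re

# Constructed parent referral, as `dig @<parent server> example.test NS +norecurse`
# would print it (hypothetical names).
PARENT_REFERRAL = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
example.test.        172800  IN  NS  ns0.dns-host.test.
example.test.        172800  IN  NS  ns1.dns-host.test.
"""

# Constructed answer from ns0.dns-host.test: authoritative for the name, but
# the zone carries no NS records. This is the broken state described above.
CHILD_BROKEN = """\
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
example.test.        3600    IN  SOA ns0.dns-host.test. hostmaster.dns-host.test. 1 3600 900 604800 3600
"""

# Constructed healthy answer: NS set matches the parent glue (case differs,
# which must not matter).
CHILD_GOOD = """\
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
example.test.        3600    IN  NS  NS0.dns-host.test.
example.test.        3600    IN  NS  ns1.dns-host.test.
"""

# Constructed answer from a server that is not authoritative at all: no 'aa'
# flag and no NS for the zone (a lame delegation).
CHILD_LAME = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

RR_RE = re.compile(r"^(?P<owner>[^\s;]\S*)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>\S+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def norm(name):
    """Canonicalise a DNS name: lower-case, no trailing dot."""
    return name.lower().rstrip(".")


def rrset(dig_text, zone, rtype):
    """Rdata of every record of `rtype` owned by `zone` in a dig dump."""
    return {norm(m["rdata"]) for m in RR_RE.finditer(dig_text)
            if m["type"] == rtype and norm(m["owner"]) == norm(zone)}


def is_authoritative(dig_text):
    """True when the answer header carries the 'aa' flag."""
    m = FLAGS_RE.search(dig_text)
    return bool(m) and "aa" in m.group(1).split()


def check_delegation(zone, parent_text, child_text):
    """Compare the NS set the parent delegates to with the NS set the
    delegated server publishes. Returns a list of problem strings; empty
    means the delegation is consistent."""
    parent_ns = rrset(parent_text, zone, "NS")
    child_ns = rrset(child_text, zone, "NS")
    problems = []
    if not parent_ns:
        problems.append("parent has no NS delegation for the zone")
    if not is_authoritative(child_text):
        problems.append("delegated server did not answer authoritatively (no aa flag)")
    if not child_ns:
        problems.append("delegated server returns no NS records for the zone")
    else:
        for ns in sorted(parent_ns - child_ns):
            problems.append(f"{ns} is in the parent glue but not in the zone's NS set")
        for ns in sorted(child_ns - parent_ns):
            problems.append(f"{ns} is in the zone's NS set but not delegated by the parent")
    return problems


if __name__ == "__main__":
    for label, child in (("broken", CHILD_BROKEN), ("good", CHILD_GOOD), ("lame", CHILD_LAME)):
        print(label, check_delegation("example.test", PARENT_REFERRAL, child) or "ok")
```

The check has to be run against each server named in the parent glue, not against a recursive resolver: a resolver will happily synthesise an answer from cache or from whichever server does respond, which is exactly how this kind of breakage stays hidden until a cache expires.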
  5. jrssystemsnet

    Amazing reduction in Spam

    One final thought on the topic of whether you can discern meaningful trends in spam flow if you aren't the admin on your mailserver: the numbers you just looked at for one of my servers were actually just the spam that made it THROUGH the initial RBL-level filtering, in which recognized spam emitters are dropped before they can ever even try to send a message. Here are the complete numbers for that box since midnight last night: In the last 16 hours, that particular server has, one way or another, deflected 50,566 individual spams while delivering 2,732 emails to user mailboxes. My (relatively unscientific) attempts to discover how much spam actually makes it through to the mailboxes seem to reflect about 300 undetected spams a day on that box, for a filter effectiveness of about 99.4%. Point being, believe me, the admin on your mailserver and his actions can have a GIGANTIC impact on the amount of spam you do and don't receive, all without any change of behavior from the actual spammers themselves. Just as importantly, the spammers adjusting their techniques effectively to try to fight through the filters put in place by people like me tends to have a much bigger impact on the volume of spam in actual user inboxes than simple increases/decreases in raw spam volume.
  6. jrssystemsnet

    Amazing reduction in Spam

    Okay, now, on the topic of spammers using return requests, I just happen to manage mailservers for a couple of reasonable-size hosting companies. One of them filters roughly 50,000 spams per 12 hour period, quarantining the ones that make it through the RBLs but get caught by internal filters for a certain amount of time before deleting them. So I always have a nice big spam pit to play in when I want to analyze trends, or see how rule tweaks are working / not working. There are currently 39,007 messages in the pit. ... and only one of them contains a Return Receipt request. Examining that message reveals that it's the result of one of the users' friends attempting to forward that user a spam that they found funny, and Vipul's Razor recognizing the signature of the enclosed spam and killing the message. In other words: the message might have been a spam, but its origin AND the identity of the Return Receipt Request-er is, legitimately, somebody who uses Outlook in a business environment and simply has it configured to always ask for receipts. Honestly, guys, there's just ZERO percentage in a spammer deliberately inserting a Disposition-Notification-To targeted to an email account under his own control. Stop and think about this - a typical spam run will hit anywhere from 100,000 to 7,000,000 or more addresses FAST. In the present era of really big-time spam runs being run from botnets of thousands of trojan-infected computers, that can mean hundreds or even thousands of messages PER SECOND going out across the globe. Guess what happens if all of the resources of 5,000 or more PCs all generate a Return Receipt email simultaneously? You guessed it - the mailserver handling the address that gets the receipt gets insta-nuked. The bounce flood generated by the bad addresses in a spam run ALONE is enough to bring most servers to their knees.
    If you've never seen 30 AOL and Yahoo Groups bad-address or mailbox-full notifications come in per second for a half an hour straight, you aren't a big mailserver admin.
  7. jrssystemsnet

    Amazing reduction in Spam

    Sheesh, guys, talk about a lot of ado over nothing. Rooster (and everybody), WRT Tbird and return receipts, the DEFAULT behavior is to pop up a dialog ASKING you if you wish to return a receipt to sender if the message is flagged for return receipt. If you click "OK", T-bird sends it. If you click "Cancel", T-bird does NOT send it. Unless you very specifically drilled down into Thunderbird's configs to tell it to always send return receipts when requested, it is absolutely impossible for you to have sent a return receipt to anyone, ever, without specifically authorizing it. This behavior has been consistent ever since the first time I installed Thunderbird, which was IIRC build 0.47. The way that spammers generally attempt to track viewings of their messages is MUCH simpler and lower bandwidth and more useful to them: they simply embed images with tracking codes in them. If you view that image, their webserver logs the fact that you did, and since nobody but you has that tracking code, they know that your mail address specifically is being monitored. No "exploits" required, that's just the way the internet works. OTOH, if you have image viewing disabled in Tbird - which I STRONGLY recommend - this is not an issue unless you specifically click the "show images" button. Images embedded IN the message are a different story entirely. They do display by default, because there is no way to "report home" by viewing an image stored in your own machine. More in a moment on the topic of whether spammers actually inject deliberate Return Receipt requests or not.
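An added example, written for this page and not the poster's own, covering both posts 6 and 7 above: scan quarantined messages for receipt-request headers (Disposition-Notification-To, Return-Receipt-To) and for remote images that carry a per-recipient token, distinguishing them from images embedded in the message itself (cid:/data: references). The three sample messages, the addresses and the "long opaque token" heuristic are constructed assumptions.

```python
"""Quarantine scan for receipt requests and tracking images. Added example
for this page (not the poster's code); the sample messages are constructed."""
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To")

# Constructed sample quarantine: one spam with a tracking pixel, one forwarded
# spam from a user whose client always requests receipts, one plain-text ham.
SAMPLE_QUARANTINE = [
"""\
From: offers@spam.example
To: victim@example.test
Subject: special offer
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Buy now!</p>
<img src="http://www.spam.example/logo.png" width="120" height="40">
<img src="http://track.spam.example/open.gif?u=3f9a1c2e7b4d5a6f8e9c" width="1" height="1">
</body></html>
""",
"""\
From: friend@corp.example
To: victim@example.test
Subject: FW: funny spam
Disposition-Notification-To: friend@corp.example
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>look at this</p><img src="cid:pic1@corp.example"></body></html>
--b1
Content-Type: image/gif
Content-ID: <pic1@corp.example>
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
--b1--
""",
"""\
From: colleague@example.test
To: victim@example.test
Subject: lunch?
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Noon?
""",
]


class ImgCollector(HTMLParser):
    """Collect <img> sources, split into remote (fetched over the network when
    rendered, so the sender's webserver logs the view) and inline (cid:/data:,
    served from the message itself, so nothing reports home)."""
    def __init__(self):
        super().__init__()
        self.remote, self.inline = [], []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        src = (dict(attrs).get("src") or "").strip()
        low = src.lower()
        if low.startswith(("cid:", "data:")):
            self.inline.append(src)
        elif low.startswith(("http://", "https://")):
            self.remote.append(src)


def looks_like_tracker(url):
    """Heuristic (an assumption of this example): a remote image whose query
    value or path segment is a long opaque alphanumeric token is a beacon."""
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += parts.path.split("/")
    return any(len(t) >= 16 and t.isalnum() for t in candidates)


def analyze(raw):
    msg = message_from_string(raw, policy=default)
    receipt_to = next((msg[h] for h in RECEIPT_HEADERS if msg[h]), None)
    imgs = ImgCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            imgs.feed(part.get_content())
    return {
        "subject": str(msg["Subject"]),
        "receipt_requested_by": str(receipt_to) if receipt_to else None,
        "remote_images": imgs.remote,
        "tracking_images": [u for u in imgs.remote if looks_like_tracker(u)],
        "inline_images": imgs.inline,
    }


def scan(quarantine):
    return [analyze(raw) for raw in quarantine]


def summarize(results):
    return {
        "messages": len(results),
        "receipt_requests": sum(1 for r in results if r["receipt_requested_by"]),
        "with_tracking_images": sum(1 for r in results if r["tracking_images"]),
    }


if __name__ == "__main__":
    results = scan(SAMPLE_QUARANTINE)
    for r in results:
        print(r)
    print(summarize(results))
```

Run over a real quarantine (one raw message per list element, or iterate an mbox/Maildir), the summary gives the same two numbers the posts argue from: how many messages ask for a receipt at all, versus how many carry a remote image with a per-recipient token. The cid:-referenced image in the forwarded message is reported as inline and never as a tracker, matching the distinction made above between remote and embedded images.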