
Recognizing automatic responses


jms1


I own the domain "delete.net", and use it as a honeypot; the idea is that any messages sent to an email address in the domain are automatically reported to spamcop, UNLESS they are bounces. The program which decides whether or not a given message is a bounce, and does the spamcop report if not, is a Perl script I have written (and am more than willing to share under the GPL, once I'm happy with how it works.)

About a week ago, some (insert expletive of choice) spammer decided to send an entire run of spam with "{random letters}[at]delete.net" as the forged "From" addresses... and they apparently continue to do so even as we speak. As a result, my server was automatically reporting a lot of auto-responses (autoresponder messages, vacation messages, non-standard bounce messages, etc.) to spamcop and I got my hand slapped for it. Looking through my logs I can see that about 90% of what I had reported over the previous week was in fact not spam.

The auto-reporting routine is currently disabled, and all messages which it classifies as spam are going to a folder which I am having to continually check (it receives about 15-20 new messages every hour.) On top of this is the fact that my quick reporting is disabled right now, because I'm in the process of registering mailhosts for the first time, which means I'm having to manually submit every single message.

I am working on adding some intelligence to the function which classifies a message as "auto-response" (which is dropped and ignored) or "spam" (which gets reported, and the relevant IP is added to my "rbl.delete.net" blacklist, which I cannot safely recommend that anybody else use at this time.) The idea is that once I reach the point of having no false positives for about a week, I want to turn the auto-reporting routine back on and not have to deal with it anymore.

I know spamcop's parser searches for certain patterns and refuses to process messages which it considers to be bounces, auto-responses, and other non-spam messages. I'm wondering if it's possible to get a copy of the list they are using... and/or if not, is there anywhere else I could find a reasonably complete list of what to search for as a marker for "automated reply" messages?


Hi!

<snip>

About a week ago, some (insert expletive of choice) spammer decided to send an entire run of spam with "{random letters}[at]delete.net" as the forged "From" addresses... and they apparently continue to do so even as we speak. As a result, my server was automatically reporting a lot of auto-responses (autoresponder messages, vacation messages, non-standard bounce messages, etc.) to spamcop and I got my hand slapped for it. Looking through my logs I can see that about 90% of what I had reported over the previous week was in fact not spam.

<snip>

I know spamcop's parser searches for certain patterns and refuses to process messages which it considers to be bounces, auto-responses, and other non-spam messages. I'm wondering if it's possible to get a copy of the list they are using... and/or if not, is there anywhere else I could find a reasonably complete list of what to search for as a marker for "automated reply" messages?


...Not that I'm an expert on this or anything but ... doesn't the first part of your post that I quoted kind of answer the question in the second part? That is, if the "From" address is {whatever} <at> delete <dot> net, treat it as an autoresponse and do not report it. I realize it's not a complete answer but it would certainly be a great start! :) <g>

...Also, not being an expert on this, either, but I'll nevertheless insert my naive guess that the answer to your question about whether SpamCop's logic can be made available is "no." But it's certainly worth asking! :) <g>


Hi!

...Not that I'm an expert on this or anything but ... doesn't the first part of your post that I quoted kind of answer the question in the second part? That is, if the "From" address is {whatever} <at> delete <dot> net, treat it as an autoresponse and do not report it.  I realize it's not a complete answer but it would certainly be a great start! :) <g>


I've had my share of real spam with my domain forged in the From: header, so I don't know if that is an adequate solution. Having a spammer poison the spamtrap by joe-jobbing its address is a pretty good move on their part. Probably the easiest thing is to change the local-part of the address and reject anything not to that local-part. That still doesn't solve the general problem of how to deal with someone joe-jobbing your spamtrap. You can't just exclude DSNs, either, because there is a lot of spam that is sent as null-sender to look like a DSN. It's an interesting problem <_<

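The following is an added example, not code from the thread or from the original poster's Perl script, illustrating the two points made so far: the original question (which markers identify an "automated reply") and the caveat in the reply above (a null sender alone cannot be trusted, because spam is sent null-sender to look like a DSN). It is written in Python rather than Perl for the sake of a self-contained demonstration. The classifier treats the structured RFC 3464 delivery-status layout and the RFC 3834 Auto-Submitted header as strong markers, and falls back to a small header and subject list; that list is an assumed starter set chosen for this example, not SpamCop's own pattern list. All four sample messages are constructed.

```python
import email
import re
from email import policy

# Assumed starter list of de-facto auto-reply markers (not SpamCop's list).
AUTO_HEADERS = ("x-autoreply", "x-autorespond", "x-auto-response-suppress")
AUTO_PRECEDENCE = {"auto_reply", "bulk", "junk", "list"}
AUTO_SUBJECT_RE = re.compile(
    r"^(?:(?:re|aw|fwd?):\s*)*"
    r"(?:automatic reply|auto(?:matic)?-?reply|out of (?:the )?office|"
    r"undeliver(?:able|ed) mail|delivery (?:status|failure) notification|"
    r"returned mail|mail delivery failed)",
    re.IGNORECASE,
)


def is_dsn(msg):
    """True only when the RFC 3464 delivery-status structure is present.

    A bare null sender (Return-Path: <>) is deliberately NOT sufficient on
    its own: spam is also sent with a null sender to masquerade as a DSN.
    """
    if msg.get_content_type() == "multipart/report":
        if str(msg.get_param("report-type") or "").lower() == "delivery-status":
            return True
    return any(p.get_content_type() == "message/delivery-status" for p in msg.walk())


def classify(raw):
    """Return ("auto-response", reason) or ("candidate-spam", reason).

    Anything classified as auto-response is dropped rather than reported, so
    the failure mode of a missed marker is an unreported spam, never a
    wrongly reported bounce.
    """
    msg = email.message_from_string(raw, policy=policy.default)

    # RFC 3834: any value other than "no" means the message was generated
    # automatically (auto-generated, auto-replied, auto-notified, ...).
    auto = str(msg.get("Auto-Submitted", "")).split(";")[0].strip().lower()
    if auto and auto != "no":
        return ("auto-response", f"Auto-Submitted: {auto}")

    if is_dsn(msg):
        return ("auto-response", "RFC 3464 delivery-status report")

    prec = str(msg.get("Precedence", "")).strip().lower()
    if prec in AUTO_PRECEDENCE:
        return ("auto-response", f"Precedence: {prec}")

    for h in AUTO_HEADERS:
        if h in msg:
            return ("auto-response", f"{h} header present")

    if AUTO_SUBJECT_RE.match(str(msg.get("Subject", ""))):
        return ("auto-response", "subject matches auto-reply pattern")

    return ("candidate-spam", "no auto-response marker found")


# --- constructed sample messages --------------------------------------------
VACATION = """\
Return-Path: <user@example.org>
From: user@example.org
To: xkq7@delete.net
Subject: Automatic reply: Buy now
Auto-Submitted: auto-replied

I am out of the office until Monday.
"""

REAL_DSN = """\
Return-Path: <>
From: MAILER-DAEMON@mail.example.org
To: abcd@delete.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.org
Action: failed
Status: 5.1.1
--b1--
"""

# Null sender and a MAILER-DAEMON From:, but no delivery-status structure.
FAKE_DSN_SPAM = """\
Return-Path: <>
From: MAILER-DAEMON@example.net
To: qqzz@delete.net
Subject: Great offer inside

Visit our site today.
"""

# A non-standard bounce: plain text, no DSN structure, recognisable by subject.
NONSTANDARD_BOUNCE = """\
Return-Path: <postmaster@example.com>
From: postmaster@example.com
To: mmnn@delete.net
Subject: Returned mail: see transcript for details

The original message was received but could not be delivered.
"""

if __name__ == "__main__":
    for name, raw in [("vacation", VACATION), ("real dsn", REAL_DSN),
                      ("fake dsn", FAKE_DSN_SPAM), ("odd bounce", NONSTANDARD_BOUNCE)]:
        print(f"{name:11s} -> {classify(raw)}")
```

The ordering matters: structural checks that a legitimate mailer has little reason to fake come first, and the subject-line heuristics are only a last resort. The constructed fake DSN is still flagged as a candidate, which is the behaviour the reply above argues for.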

...Now that I read the original post more carefully, I see that my (first) answer (probably) doesn't make sense in this context -- it isn't e-mail with {whatever} <at> delete <dot> net in the "From" address that the OP is reporting as spam but rather auto-replies to those addresses from the spam victims that the OP is reporting. My first answer is therefore probably best ignored.

...Answering what the OP didn't ask about these is that they should be reported (NOT via SpamCop) to the admin of the machine generating the auto-reply. It is spam (although not in the sense of something that can be reported using SpamCop's automated reporting tool) and is VERY poor netiquette (at least IMHO).


  • 2 weeks later...

Any complete reply to your post would necessarily include info I'd personally prefer not to give to the spammers trolling around in these waters. Besides, you shouldn't be doing fully-automated reporting.

