Dealing with Joe Jobs


I’ve just been on the receiving end of yet another Joe Job attack, aimed at my Spamcop address – I suppose we are popular targets after all.

It doesn’t happen to me very often, but when it does I feel mostly helpless.

These Joe Job, Mailer Daemon, undeliverable bounces are, if anything, actually more annoying than the spam itself, primarily because I have absolutely no mechanism for reporting the original spammer, especially when the full source headers have been stripped, obfuscated or truncated (as they invariably are).

I could set up local filters, but what I’d *much* rather be able to do is:

1) … Have some kind of semi-automated reporting mechanism that informs postmaster[at]<incoming-bounce>.com that they need to improve their method of handling bounces – i.e. bounce back to the true sender, rather than blindly using return-path. I.e. – a two click solution (parse and confirm).

2) … Reject or devnull incoming bounces from certain country level domains. I know, for example, that I will never, ever, receive legitimate mail from Russia, China, or Brazil, and so frankly I’d be more than happy to have messages from those domains devnulled completely.

The reason I want to set this up as an MTA level blocking mechanism, rather than just a client filter, is that firstly I don’t want to be flooded by bounces, and secondly I just don’t want to even know about them – if I have no reporting mechanism then I don’t even want to read them.

Is there any way Spamcop could offer a per-account configurable MTA level reject/devnull based on domains/IPs/senders, rather than just the ‘Held Mail’ method used currently? I know that my ISP (Nildram) currently offers this, but most of these Joe Jobs bypass my main account and are sent straight to my Spamcop account.

Until the SPF is more widely implemented, (and then again, will it *ever* be implemented by spam friendly hosts), I wish to God Spamcop had some kind of Joe Job “tool” for reporting, IMHO this is desperately needed.

These Joe Jobs are the SMTP equivalent of a DDoS; is there *nothing* I can do about it?

How do others here deal with this kind of ‘attack’?

Link to comment
Share on other sites

Item #1: please see the Glossary here for data and links to the definition of the term "Joe Job" .... the much more common "Forged From: Address" construct is not a Joe Job.

Item #2: your suggested "some kind of semi-automated reporting mechanism that informs ...." is actually the source / cause of the e-mail traffic you are complaining about ....

Item #3: your requested "Reject or devnull incoming bounces from certain country level domains" is something that goes outside the parameters that the SpamCop e-mail system is advertised/programmed to do ... specifically, the philosophy is rather that no e-mail will be lost .. which is what the first series of complaints would be about if rejection/dev-nulling were actually implemented. The BLs and filters are in place to "manage" the e-mail.

Item #4: There are FAQ entries, there are Pinned items, there are other 'discussions' from previous recipients of this stuff .... myself included ... noted in some is that folks seem to want to create their own terminology for this type of e-mail, so search results are a bit hit-and-miss .... some say "spoof" some say "forged addresses" some say "joe job" some talk about "bounces" some say "DNRs" ......

Link to comment
Share on other sites

You state here several times that there is nothing you can do about it. Have you read the recent (at least 6 months now) changes to the reporting rules?

http://www.spamcop.net/fom-serve/cache/14.html

You can report the servers that send misdirected bounces which will hopefully get them to clean up their policies.

Link to comment
Share on other sites

You state here several times that there is nothing you can do about it.

<snip>

You can report the servers that send misdirected bounces which will hopefully get them to clean up their policies.

29437[/snapback]

Hi, Steven,

...Didn't the OP explain this (perhaps with insufficient explanation)?

<snip>

primarily because I have absolutely no mechanism for reporting the original spammer, especially when the full source headers have been stripped, obfuscated or truncated (as they invariably are).

<snip>

29434[/snapback]

Link to comment
Share on other sites

Hi, Steven,

...Didn't the OP explain this (perhaps with insufficient explanation)?

29438[/snapback]

Correct, he cannot report the original spammer because the spam was not addressed to him. But he can still report the mis-directed bounce, which would include the headers (otherwise the message could not make it to the OP).

Link to comment
Share on other sites
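As an added illustration of the point in the reply above (not part of the thread and not SpamCop's own tooling): a Python sketch that decides whether a message is a bounce and, if so, extracts the server that handed it over, which is the party a recipient of a misdirected bounce would report. The sample message, hostnames and the function name `triage_bounce` are constructed for this example.

```python
import re
from email import message_from_string

# Constructed sample: a bounce for mail the recipient never sent.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.bouncer.example (mx.bouncer.example [192.0.2.25])
    by mail.recipient.example with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000
From: MAILER-DAEMON@mx.bouncer.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@bouncer.example failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.bouncer.example

Final-Recipient: rfc822; nobody@bouncer.example
Status: 5.1.1
--b1--
"""

RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)")

def triage_bounce(raw):
    """Return details of the bouncing server, or None if raw is not a bounce."""
    msg = message_from_string(raw)
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    is_dsn = (msg.get_content_type() == "multipart/report"
              and msg.get_param("report-type") == "delivery-status")
    if not (null_sender or is_dsn):
        return None
    # Only the topmost Received line was written by our own MTA; lower
    # ones (and the DSN body) are claims made by the sending side.
    received = msg.get_all("Received", [])
    hop = RECEIVED_FROM.search(" ".join(received[0].split())) if received else None
    mta = None
    for part in msg.walk():  # delivery-status blocks parse as sub-messages
        if part["Reporting-MTA"]:
            mta = part["Reporting-MTA"].split(";", 1)[-1].strip()
            break
    return {"connecting_host": hop.group(1) if hop else None,
            "connecting_ip": hop.group(2) if hop else None,
            "reporting_mta": mta}
```

The connecting IP comes from the header the receiving server wrote itself, so it remains usable even when the bounce omits or truncates the headers of the original spam.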

Item #1: please see the Glossary here for data and links to the definition of the term "Joe Job"  .... the much more common "Forged From: Address" construct is not a Joe Job.

29436[/snapback]

AFAIK every spammer uses a “Forged From: Address”, that doesn’t necessarily mean the address is mine. I could write that every time I wanted to explain what I mean, or I could just write “Joe Job” in the certainty that 99% of everyone reading it knows what I mean. Two 3 letter words, or half a page from Wikipedia; tough choice.

Item #2: your suggested "some kind of semi-automated reporting mechanism that informs ...." is actually the source / cause of the e-mail traffic you are complaining about ....

The source / cause of the Email I am complaining about is derived from some mail host’s badly configured server. We could just let those servers continue to spew misdirected bounces forever I suppose, without ever complaining. I’m not talking about an infinite loop of bounces. Just one notification to the postmaster per batch run (incident) would suffice. Presumably Spamcop is doing something like that now, since I have just reported those misdirected bounces (now that I know I am allowed to).

Item #3: your requested "Reject or devnull incoming bounces from certain country level domains" is something that goes outside the parameters that the SpamCop e-mail system is advertised/programmed to do ... specifically, the philosophy is rather that no e-mail will be lost .. which is what the first series of complaints would be about if rejection/dev-nulling were actually implemented.  The BLs and filters are in place to "manage" the e-mail.

Last time I checked, I wasn’t paying Spamcop for pseudo-philosophical indoctrination, but rather for a good Email service. It’s not like it’s a major overhead, nor difficult to implement. Let the customers decide. I have a noreply address on my subdomain, to which all incoming messages are devnulled. I’m not complaining, since it was my decision to set it up like that.

Also see my reply to Steven.

You state here several times that there is nothing you can do about it.  Have you read the recent (at least 6 months now) changes to the reporting rules?

http://www.spamcop.net/fom-serve/cache/14.html

You can report the servers that send misdirected bounces which will hopefully get them to clean up their policies.

29437[/snapback]

There was a time, not so long ago, when those who attempted to report misdirected bounces were not only chastised for doing so, but actually threatened with suspension. This change to the rules is new, and I had no idea.

I do read the FAQs, but not every month; I assumed that a rule like that (which was defended so vigorously at the time) would not be likely to change any time soon. It did. Good.

That’s half the battle.

The other half is accepting that there are times when it is more desirable to devnull a flood of bounces, rather than hold them for reporting. The attitude that “Spamcop is about reporting, and that’s all. If you don’t like it then tough”, is a bit draconian and short-sighted to say the least. The reporting mechanism is the most useful thing about a Spamcop Email account, but it is still, nonetheless, an Email account. Paying Spamcop account holders should be afforded the same privileges as customers of any other Email service.

It really isn’t much to ask for. Devnulling reduces traffic, not increases, and saves account holders from dealing with one particular variety of spam (which is what it is IMHO) that would otherwise take up an inordinate amount of the customer’s time, to little advantage. I’d like that choice, based on IP, domain, BLs, or simply my mood, to decide whether or not it would be better to accept and report, or to devnull and give myself a rest. As much as I enjoy contributing to the inconveniences (which is all it is really) caused to spammers by our reporting, there are days (and for certain types of ‘spam’ runs), that I’d prefer to just ‘opt out’. The one example here is misdirected bounces; another that I’d be happy to permanently devnull is absolutely anything from China. Once again, I’d like that choice.

Regardless of the “no mail lost” philosophy, is it unreasonable for me to wish to save myself the headache of dealing with (what is currently) an otherwise insoluble problem, in this manner?

Link to comment
Share on other sites

Let's start with the "primarily peer-to-peer support" words at the top of each forum section. I had already pointed out the problem with the mis-use of the wrong terms in describing an issue (specifically the ability to get consistent results in a search) ... do what you will, but "joe job" carries a lot of weight, to include possible legal actions, to which you have made no ties to in your query.

You posted in the forum section set-up to handle issues with a SpamCop filtered e-mail account. You really didn't appear to be making a complaint or raising problem issues. It appears to me that what you really wanted to do in your first and second post was to have made your point/request in the forum section set up for "new feature requests / suggestions / etc" ....

There is no one actively posting here that has any "inside" data on what Julian may decide to do next. The www.spamcop.net FAQ has always been under attack as being out of date, incomplete, useless at times. The Forum FAQ was an attempt to work around those issues, but again ... there is no direct feedback loop there. More than once I've been surprised while researching someone's query and found that the www.spamcop.net FAQ had been changed (not always for the better) .... Sorry that there's not much more I can do but point to the Forum FAQ entry that does use "New!" and "Updated!" flags to indicate things that I become aware of ... and that does include rules and guideline changes.

I'm not the one you want / need to argue with, and other users have even less control over things here... You asked a question, I answered with what I know to be the situation, others provided more input. Check the FAQ if you want to take it upstream. First of all of course is to post your query in the correct Forum section.

Link to comment
Share on other sites
