
Huge amounts of backscatter caused by one machine


rojo

Recommended Posts

Hi,

Over the last 36 hours I've gotten about 3000 bounce messages, trend is increasing. What I found is that all of these bounces are in response to spam from one single machine in a Verizon pool.

I notified the Verizon abuse address shortly after receiving the first fifty or so and asked them to isolate the offender. My message got an auto-reply but nothing happened. About 1.5 hours later I replied to the auto-reply, assuming they are logged in some sort of task management system, telling them that I got another 150 messages.

Another three hours later I took to forwarding every applicable message to their abuse address for a while, each with a note that this particular machine in their pool is causing it and asking them to take action.

All I can tell that happened is that in their notifications my reports are now shown with "Received:" headers containing the string "ESMTPAMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM" - everyone's guess what that may mean...

Well, I understand (to an extent) that most companies cannot respond within a few hours, but as stated above it's been going on for more than 36 hours now and continuing unabated. If I alone got 3000 bounces, how many messages using my email address and others would have been sent out overall?

[As a side-issue I am wondering whether this spam-run is actually some sort of revenge. Since my hosting provider has introduced greylisting, bringing my spam-count down to manageable levels (from about 400 per day to fewer than 10), I had taken to reporting every spam I receive to SpamCop.

Then I saw interesting things happen. For example one admin of an obvious scam replied stating it was an opt-in list (which it clearly isn't). Since I saw no way to respond to that mail without disclosing my email address, I ignored it and believe it was an attempt to actually find out my email address.

Then I noticed some spams coming through the greylisting which contained variations on strings encapsulating the recipient address in various ways, obviously trying to circumvent SpamCop's attempts to obscure it in reports. I did wonder whether I should look at those messages and try to manually defuse them but decided not to be bothered and report them anyway. Maybe that was a mistake.

Anyway, at some point those messages stopped showing up and then the bounces kicked in.

I'm a bit surprised that they all come from one machine but then I did not realise that a big ISP like Verizon would make it so easy for them to just keep going. I can't filter the stuff easily, either, because the spam uses sender addresses all over my domain. I'm using, and need to keep using, a catch-all and my impression is that the spammers established that, though of course I may just be paranoid. However I did have back-scatter problems before but usually to just one or two addresses which could easily be redirected to /dev/null, and never sustained for so long.]

Whatever it is that's going on, does anyone have any suggestions for ways to compel Verizon to take action about this rogue machine?

Aren't they meant to do that anyway? Their policies clearly state that they do but I just don't see any action.

Is it any good to report to the ftc.gov website or email address?

I'd really like to repossess my mailbox again and it would seem like an easy thing for them to do, the right thing besides that...

Any advice appreciated.

TIA,

rojo


Hi rojo, commiserations. You need to keep that stuff out of your intray, you need to filter and sort. I doubt there's much anyone can do to compel Verizon to do anything - and not a few have tried, I think. If that rogue machine is blacklisted then that's about as much in the way of sanctions as can be expected (you didn't mention the IP address).

Concerning filtering, there are things you can do with a SC email account (look for the past posts of petzl, a fellow Aussie and enthusiast about that approach) or you can interpose some sort of filtering software to do the bulk of the work in sorting it out and putting it aside for review and report/discard. A selection is at spam Filter Review but I have to say the lowly-ranked MailWasher and the unranked SpamAssassin have been long-term favourites with people commenting on these pages. Hopefully some users of client-level filters can comment.

FWIW there have been a number of reports of massive bounce events over the past few days so the likelihood of it being personal is not very great.


G'day Farelf,

Thanks for your empathy and comments.

I thought the uce[at]ftc.gov email address was meant for reporting spam but was hesitant to forward them all my bounces, and about the ftc.gov website I was not sure. Or maybe I just need to wake up to the reality that not many people would care much about things like that happening.

The IP of the machine in question is 209.158.58.121 with the reverse DNS entry being pool-209-158-58-121.scr.east.verizon.net.

I don't have an SC email account but only report spam in the belief that it might help in the grand scheme of things. As mentioned I don't get much spam anymore since my host implemented whitelisting and the remainder is usually recognised by Eudora. I have used spamassassin myself and found it very good (with the right settings) but unfortunately my host only offers it in conjunction with "Subject:" line mutilation which I don't like at all.

As for the recent bounces, Eudora is quite good at recognising and junking them and the main inconvenience is that to my knowledge it does not allow applying automatic filters to junked mail, so I have to sift through my now pretty big junk mailbox with manual filtering. Which is not too hard to do right now, either, because almost all those mails contain the above hostname or IP. I just hope I don't get to handle the fall-out from a distributed spam run of that sort...

With regards to the recent massive bounce events you mentioned, I was not aware of them - were they also using randomly generated sender addresses across one domain? If it were just a handful of addresses I could just black-hole them on the server but as it is the only thing common amongst (most of) the bounces is the reference to the sending host. But anyway, I also tend to believe that it's not personal rather than just ignorant. My impression of them trying to suss out my email address setup could well be wrong, though funnily I had that feeling well before the current mess started.

What would really be nice is a mail server software that only accepts bounces for mails that were actually sent and just rejects the bogus/misguided stuff - I wonder if something like that is around...

Thanks again & best regards,

Ronald


Hi Ronald.

...I thought the uce[at]ftc.gov email address was meant for reporting spam but was hesitant to forward them all my bounces, and about the ftc.gov website I was not sure. Or maybe I just need to wake up to the reality that not many people would care much about things like that happening.
I think spam[at]uce.gov is the current address (for some 3 years). Not sure how much priority they give to reports from outside the US but it can't hurt. But if this is real, clueless, backscatter then the evidence is second-hand and I can't see them getting excited. Unless the "bounces" you are getting are fake bounces (disguised spam as opposed to real, clueless backscatter). Maybe you should post a Tracking URL so the on-board sleuths (I'm not one) can see. There is such a thing as a 'quality' fake which is why the mailhosts configuration step was introduced for SC reporting, even now SC is not infallible in its injection source detection.

Apart from the (assumed) second-hand nature of the evidence and depending on the spam subject matter there may be other reporting avenues - from http://forum.spamcop.net/forums/index.php?showtopic=2238 finding http://spamlinks.net/track-report-addresses.htm

The IP of the machine in question is 209.158.58.121 with the reverse DNS entry being pool-209-158-58-121.scr.east.verizon.net.
Yes, that address was thoroughly listed over the weekend - initially having some sort of rDNS mismatch problem which they fixed and - oops they're freshly back on - Check 209.158.58.121 which gives other information like
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

...

Listing History

In the past 15.4 days, it has been listed 4 times for a total of 13.7 days

Other hosts in this "neighborhood" with spam reports

209.158.58.31 209.158.58.102 209.158.58.144 209.158.58.224 209.158.59.9 209.158.59.13

Note the list of others in the immediate Verizon block which have also been recently "pinged". And Verizon have lifted their game, believe it or not - well, more accurate to say more spam is emanating from botnets. Anyway, you can see they are still a problem in absolute terms - look at Map of 209.158.0.0/16 where the 209.158.58.0/24 is top of that heap in spamcount terms - and Verizon owns other /24s aplenty - Report on Network owner: Verizon Internet Services showing 261 domains and 47,203 "Addresses in Verizon Internet Services used to send email" - being just those that SenderBase "knows" about. Daily message volume ~ 108.5.

Bottom line - they're big enough to be chaotic and the business with the rDNS I saw might indicate they're finding it easier, in general, to shuffle their servers than to track down delinquent users. There again they still have pool-209-158-58-121.scr.east.verizon.net online (dv ~ 104.9) ... and listed.

..I don't have an SC email account but only report spam in the belief that it might help in the grand scheme of things. As mentioned I don't get much spam anymore since my host implemented whitelisting and the remainder is usually recognised by Eudora. I have used spamassassin myself and found it very good (with the right settings) but unfortunately my host only offers it in conjunction with "Subject:" line mutilation which I don't like at all.
Yes it helps but you don't get direct benefit unless you have a way to filter using the SCbl, "Subject:" line mutilation doesn't inhibit SC reporting. Not that the SCbl would help in the current situation where you need to block - and can only report - the 'backscatterers'.
...With regards to the recent massive bounce events you mentioned, I was not aware of them - were they also using randomly generated sender addresses across one domain? If it were just a handful of addresses I could just black-hole them on the server but as it is the only thing common amongst (most of) the bounces is the reference to the sending host. But anyway, I also tend to believe that it's not personal rather than just ignorant. My impression of them trying to suss out my email address setup could well be wrong, though funnily I had that feeling well before the current mess started.
I can't recall where I saw that now but I don't think much detail was given. So it is unclear whether or not they were real, clueless backscatter or total forgeries bombing a particular address. There has been mention by SC members (and staff), here and in the Newsgroups, of a massive spamrun recently - just 'normal' spam from 69-64-89-90.dedicated.abac.net but with a non-existent domain (NXD) sender address. Morph that with a (real) sender/reply domain in the forged address instead of the NXD and you get something like what you describe. I suppose someone *could* be indirectly mailbombing you that way if they knew you had a catch-all (easy to find out and anonymously too) but it would be a terribly inefficient way to do it - relying on the volume of clueless backscatter - unless they were also sending to a list of targets known to backscatter. Possible, but why would they bother? (Do give us a Tracking URL of an example so we can see what you see).
...What would really be nice is a mail server software that only accepts bounces for mails that were actually sent and just rejects the bogus/misguided stuff - I wonder if something like that is around...
Sounds a little like the quest for the holy grail territory to me but I dunno. Anyone? Hmm ... occurs to me I've heard of a 'backscatter bl' but I don't, at a quick glance, see it in http://spamlinks.net/filter-dnsbl-lists.htm#domain

[Edit: not sure what happened with my BBcode tags - any ideas?]

Hi Farelf,

I think spam[at]uce.gov is the current address (for some 3 years).

Of course you are right - obviously I've never used it... :-)

Not sure how much priority they give to reports from outside the US but it can't hurt. But if this is real, clueless, backscatter then the evidence is second-hand and I can't see them getting excited.

Probably not. Especially as it's always the same machine causing it.

Unless the "bounces" you are getting are fake bounces (disguised spam as opposed to real, clueless backscatter).

I've only been looking at a few of them every now and then, and those always looked like the real, clueless type.

Maybe you should post a Tracking URL so the on-board sleuths (I'm not one) can see. There is such a thing as a 'quality' fake which is why the mailhosts configuration step was introduced for SC reporting, even now SC is not infallible in its injection source detection.

No doubt there are always ways to get past any defence. I have stopped reporting them as volume mounted because clicking a link for each, waiting for the webpage to load, scrolling down to the "Send" button, double-checking the subject (I inadvertently reported one genuine email...) clicking the button and then switching back to my mail client to move on to the next notification is just too tedious a procedure for large amounts of UBE. For what it's worth, here are some of the tracking URLs:

http://www.spamcop.net/mcgi?action=gettrac...rtid=2690374035

http://www.spamcop.net/mcgi?action=gettrac...rtid=2687984897

http://www.spamcop.net/mcgi?action=gettrac...rtid=2687984614

http://www.spamcop.net/mcgi?action=gettrac...rtid=2688058281

Apart from the (assumed) second-hand nature of the evidence and depending on the spam subject matter there may be other reporting avenues - from http://forum.spamcop.net/forums/index.php?showtopic=2238 finding http://spamlinks.net/track-report-addresses.htm

Thanks for the links, quite interesting resources there, though most don't seem interested in backscatter.

Yes, that address was thoroughly listed over the weekend - initially having some sort of rDNS mismatch problem which they fixed and - oops they're freshly back on - Check 209.158.58.121 which gives other information like

[Quotation clipped]

Note the list of others in the immediate Verizon block which have also been recently "pinged". And Verizon have lifted their game, believe it or not - well, more accurate to say more spam is emanating from botnets.

Lifted their game - well, maybe they have but I don't see it.

Anyway, you can see they are still a problem in absolute terms - look at Map of 209.158.0.0/16 where the 209.158.58.0/24 is top of that heap in spamcount terms - and Verizon owns other /24s aplenty - Report on Network owner: Verizon Internet Services showing 261 domains and 47,203 "Addresses in Verizon Internet Services used to send email" - being just those that SenderBase "knows" about. Daily message volume ~ 108.5.

Far out! Funny notation, that, but I take 108.5 to be about 3e8, or 300 million - spam emails, daily. Now that is some number.

That should cost Verizon quite a lot of money in terms of resource usage, so why are they not keener to rein in the problem? After all it's not exactly hard to contain a known-spamming (or infectious) machine if you're the network operator. Actually not even that hard to detect them. Makes me wonder...

Also blocking outgoing connections to port 25 should be quite effective, and not really a problem anymore.

Bottom line - they're big enough to be chaotic and the business with the rDNS I saw might indicate they're finding it easier, in general, to shuffle their servers than to track down delinquent users. There again they still have pool-209-158-58-121.scr.east.verizon.net online (dv ~ 104.9) ... and listed.

Interesting link again, thanks. 104.9 is about 80,000. So this one machine is spewing out about 80k spam emails per day, according to the page you referred to not much less than that last month, and yet Verizon does not see fit to take it offline. Now if anyone has a credible explanation for that that's not dodgy I'd really like to hear it.

[continues after the break]


[Edit: not sure what happened with my BBcode tags - any ideas?]

Too many quotes

Funny notation, that, but I take 108.5 to be about 3e8, or 300 million - spam emails, daily.

Interesting link again, thanks. 104.9 is about 80,000. So this one machine is spewing out about 80k spam emails per day, according to the page you referred to not much less than that last month, and yet Verizon does not see fit to take it offline.

Those numbers refer to total emails being seen from those machines by their system. It is not seeing all messages and not all of those are spam, though when there is a marked increase, the differential is usually spam.


Too many quotes

Ah, thanks!

I've now split my post - the remainder will come after this one.

Those numbers refer to total emails being seen from those machines by their system. It is not seeing all messages and not all of those are spam, though when there is a marked increase, the differential is usually spam.

Ok, thanks. Not sure what those numbers mean, then.

[continued]

[Quotation clipped again by the board software]

Yes it helps but you don't get direct benefit unless you have a way to filter using the SCbl, "Subject:" line mutilation doesn't inhibit SC reporting.

Yes, most spam filters can handle it but I just don't like it. The subject line is the one most visible attribute of an email, especially in listings, and the tagging is just plain intrusive, making it harder to scan visually. With false positives it's a pain in the neck. I never understood why some people seem to think it's a good idea to mangle the subject line when a header can do the same job without interfering with usability.

I don't need a tag to blare at me that an email is spam when it sits in my junk mailbox. I need it even less on mails I've decided don't belong there.

Um, rant over. :unsure:

Not that the SCbl would help in the current situation where you need to block - and can only report - the 'backscatterers'.

It does not help to reduce the outgoing spam, only to put some pressure on admins to properly configure their bounce-handling (and hopefully discourage some users of challenge-response systems).

[Quotation clipped]

I can't recall where I saw that now but I don't think much detail was given. So it is unclear whether or not they were real, clueless backscatter or total forgeries bombing a particular address. There has been mention by SC members (and staff), here and in the Newsgroups, of a massive spamrun recently - just 'normal' spam from 69-64-89-90.dedicated.abac.net but with a non-existent domain (NXD) sender address. Morph that with a (real) sender/reply domain in the forged address instead of the NXD and you get something like what you describe.

I guess some of the spamming outfits are just always testing new ways of deployment, and also have the impression that with the never-ending supply of potential bots courtesy of a big software manufacturer and the inactivity of some ISPs, they don't always care that much about efficiency.

I suppose someone *could* be indirectly mailbombing you that way if they knew you had a catch-all (easy to find out and anonymously too) but it would be a terribly inefficient way to do it - relying on the volume of clueless backscatter - unless they were also sending to a list of targets known to backscatter.

I've been getting quite a few from Google Groups and see some other repeat "customers". And I find it interesting that 80,000 emails sent out by that machine per day cause 5,000 bounces to land in my inbox, so that's over 6% of the total mail volume. I'm sure they use other people's addresses as well rather than just mine, or is that not how they work? (Dubious honour...) Or it might just have been "my turn" and they don't care that much about efficiency.

Possible, but why would they bother?

I don't know, and it might not be the case. I just had the feeling that I had attracted some attention and thought that might have been due to my reporting every single spam I got for a while.

(Do give us a Tracking URL of an example so we can see what you see).

Here's one that puzzles me a bit, and this one looks odd, too. Both I have not sent (yet?) because they contain quite a bit of information about my domain and email addresses and in the latter the SpamCop parser did not even attempt to obscure them. Strange...

Nor did it here, though it's probably less of a concern because it looks genuine. I get quite some number of those - they don't tell me where the bounced message came from, and the undeliverable addresses look like random strings - not even from a dictionary.

[Quotation clipped]

Sounds a little like the quest for the holy grail territory to me but I dunno.

I think it would not be that hard to implement, provided that you send all your mail through the same server, with no exceptions. That machine would have to log sender and recipient for every outgoing message which could be in the form of a date-stamped encrypted hash.

When a bounce comes in the receiving machine would have to scan the mail for the bounced address, create the same kind of hash from that address and the bounce recipient address and check if it's listed in the log of outgoing messages. If yes, accept the bounce, if not, reject it. Done.

Of course this breaks if/when the bounced mail was not sent through the logging server in the first place, but then there's always a catch and I'd be happy to live with that one.

Anyone? Hmm ... occurs to me I've heard of a 'backscatter bl' but I don't, at a quick glance, see it in http://spamlinks.net/filter-dnsbl-lists.htm#domain

Well, it would seem a bit counter-productive to me to reject all bounces from servers that are known to send them. BTW, not sure what that list would achieve because you'll know it when you receive the bounce, or did I miss something?

Thanks again for your comments and the interesting pointers.

Best Regards,

Ronald

[Edit: added tracking URLs]
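Ronald's outgoing-log idea above, as an added worked example that is not code from this thread: the outbound relay records a date-stamped keyed hash (HMAC-SHA256 is my choice for the "encrypted hash") of each (sender, recipient) pair it sends, and an incoming bounce is accepted only if some address found in its body, combined with the address the bounce arrived for and a day inside the window, reproduces a recorded tag. The secret, the addresses, the window of 7 days and the two DSN bodies are all constructed for the example.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constructed secret for this example; a real deployment keeps it in the MTA's config.
SECRET = b"example-only-secret-replace-me"

# Loose address matcher: enough to pull the undeliverable address out of a DSN body.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_tag(sender: str, recipient: str, day: date, secret: bytes = SECRET) -> str:
    """Date-stamped keyed hash of one (sender, recipient) pair.

    Only the tag is stored, so the outgoing log reveals no addresses if it is read,
    and nobody without the key can manufacture an entry for a bounce they want accepted.
    """
    msg = f"{day.isoformat()}|{sender.strip().lower()}|{recipient.strip().lower()}"
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


class OutgoingLog:
    """Record of what the single outbound relay actually sent, kept as tags only."""

    def __init__(self, secret: bytes = SECRET, window_days: int = 7):
        self.secret = secret
        self.window_days = window_days   # how long a bounce may lag the original message
        self.tags = set()

    def record(self, sender: str, recipient: str, day: date) -> None:
        """Called by the outbound relay for every envelope (sender, recipient)."""
        self.tags.add(make_tag(sender, recipient, day, self.secret))

    def is_legitimate_bounce(self, bounce_rcpt: str, bounce_body: str, today: date) -> bool:
        """True if the bounce refers to a message this server really sent.

        bounce_rcpt is the address the bounce arrived for (the envelope sender of the
        original message, which under a catch-all may be any address in the domain).
        Every address mentioned in the DSN body is tried as the original recipient,
        for each day inside the window; nothing recorded means backscatter: reject.
        """
        candidates = set(ADDR_RE.findall(bounce_body))
        for addr in candidates:
            for back in range(self.window_days + 1):
                day = today - timedelta(days=back)
                if make_tag(bounce_rcpt, addr, day, self.secret) in self.tags:
                    return True
        return False


# Constructed sample DSNs, modelled on the shape of a typical "user unknown" bounce.
REAL_BOUNCE = """From: MAILER-DAEMON@mx.example.org
To: alice@example.net
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mx.example.org.
<bob@example.org>: host mx.example.org said: 550 5.1.1 User unknown
"""

BACKSCATTER = """From: MAILER-DAEMON@mail.example.com
To: q7zt3kd@example.net
Subject: Delivery Status Notification (Failure)

Delivery to the following recipient failed permanently:
<xv9pqr@example.com>: 550 No such user here
"""


def demo() -> dict:
    """Run the check over the constructed samples; returns the accept/reject decisions."""
    log = OutgoingLog()
    today = date(2007, 5, 14)        # constructed "now"
    # alice really mailed bob yesterday through our relay
    log.record("alice@example.net", "bob@example.org", today - timedelta(days=1))
    return {
        # genuine bounce for a message we sent: accepted
        "real": log.is_legitimate_bounce("alice@example.net", REAL_BOUNCE, today),
        # bounce to a random catch-all address for mail we never sent: rejected
        "backscatter": log.is_legitimate_bounce("q7zt3kd@example.net", BACKSCATTER, today),
        # the genuine bounce arriving long after the window closed: also rejected
        "stale": log.is_legitimate_bounce("alice@example.net", REAL_BOUNCE,
                                          today + timedelta(days=30)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accept' if accepted else 'reject'}")
```

As Ronald notes, mail that did not pass through the logging relay gets its bounces rejected too; the same idea with the tag carried inside the envelope sender address instead of a server-side log is what BATV (Bounce Address Tag Validation) does.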


I never understood why some people seem to think it's a good idea to mangle the subject line when a header can do the same job without interfering with usability.

Unfortunately, MOST users could not find a header with a map. :(

Because they are most visible is exactly why they are using it. Using a header to mark something as spam never occurred to me for that very reason before I started with SpamCop, though I do like it now.


...I guess some of the spamming outfits are just always testing new ways of deployment, and also have the impression that with the never-ending supply of potential bots courtesy of a big software manufacturer and the inactivity of some ISPs, they don't always care that much about efficiency.

I've been getting quite a few from Google Groups and see some other repeat "customers". And I find it interesting that 80,000 emails sent out by that machine per day cause 5,000 bounces to land in my inbox, so that's over 6% of the total mail volume. I'm sure they use other people's addresses as well rather than just mine, or is that not how they work? (Dubious honour...) Or it might just have been "my turn" and they don't care that much about efficiency.

I don't know, and it might not be the case. I just had the feeling that I had attracted some attention and thought that might have been due to my reporting every single spam I got for a while.

Here's one that puzzles me a bit, and this one looks odd, too. Both I have not sent (yet?) because they contain quite a bit of information about my domain and email addresses and in the latter the SpamCop parser did not even attempt to obscure them. Strange...

Thanks for the tracking links but please go in and cancel those reports - the links are still available afterwards when you do. Yes, if you view the parse and message text from your members area (instead of plain old //spamcop.net through the tracker URL) the munging isn't in effect. No-one else can see it in that state. Munging isn't entirely/necessarily comprehensive but it is permissible to sensibly munge addresses manually in that instance - just check http://www.spamcop.net/fom-serve/cache/283.html. Known/accepted issues include non-munging of sender & return addresses even when they are forged as the recipient/reporter's address(es).

I won't attempt to reply to everything right up but yes, it is possible you were selected for special treatment. The odds against it are astronomical but it has to be "someone" if, for instance, some little spamkin decides to test out something slightly novel, what better sport than to select a SC reporter to try it on (not *too* hard to detect an active reporter) then watch the forums and newsgroup to confirm the result and gloat over his bleatings? Maybe even learn a few things - though I doubt we could teach these little slime anything new about their own "trade".

spam volumes - saw an estimate somewhere recently that the top 6 networks (that would be all US) send something like 11-12 billion a day (don't remember precisely)**. Have a feeling Verizon was well over one billion in that estimate. Currently, and on different criteria, Spamhaus rates them No 1 for all the wrong reasons - http://www.spamhaus.org/statistics/networks.lasso.

Gotta go - hopefully someone can look at those reports you nominate in your last 2 posts.

[**added - ah yes, there it is Network Reputation - Estimated spam Volume by ISP. Heck ONLY US representative was Verizon in the top six, not all US at all (premature senescence). But Verizon were estimated at 2,170,000,000 pd. Yeah, "lifting their game" was purely a relative term. What it really means is others got worse more quickly.]


Those aren't tracking URLs - you provided proper URLs further down from that post. Anyone else "here" trying to access those will just get Authorization failure, no username provided by server; action = gettrack

...Usually, spammers rotate the forgeries, but sometimes they don't. You are not the first person to receive thousands of 'misdirected bounces' and IIRC, some of them were not spamcop reporters to start with.

But became reporters as a result? I *love* a good ending.

Hi Miss Betsy & Farelf,

Yes, if you view the parse and message text from your members area (instead of plain old //spamcop.net through the tracker URL) the munging isn't in effect. No-one else can see it in that state.

Ah, ok - I thought that was different at some point, so that I could see myself what would be sent. Of course I may again be wrong, in any case thanks for pointing this out. So to see what's going to be sent before it is, I would have to look at the tracking URL in a different browser without the cookie.

Munging isn't entirely/necessarily comprehensive but it is permissible to sensibly munge addresses manually in that instance - just check http://www.spamcop.net/fom-serve/cache/283.html. Known/accepted issues include non-munging of sender & return addresses even when they are forged as the recipient/reporter's address(es).

Those usually look ok to me, but in the first instance in my last mail pretty much all the information is there in the body of the mail, which I'm not too fond of. Well I can black-hole that particular address but it's official now that I'm using a catch-all...

Thanks for all the numbers and URLs - the statistics are quite interesting, if a bit disconcerting.

Seems to me that some ISPs are being let off the hook a bit too easily for what I see as collusion by inaction.

Usually, spammers rotate the forgeries, but sometimes they don't. You are not the first person to receive thousands of 'misdirected bounces' and IIRC, some of them were not spamcop reporters to start with.

Ok, so I'm not really all that special - that's alright. No really! :DB)

Thanks for the clarification.

Those aren't tracking URLs - you provided proper URLs further down from that post. Anyone else "here" trying to access those will just get Authorization failure, no username provided by server; action = gettrack

Apologies - it took me a while to figure out how to get to the actual tracking URLs in hindsight - here they are:

http://www.spamcop.net/sc?id=z1570004258zd...95b7716f49795az

http://www.spamcop.net/sc?id=z1568440411zb...56fd30e9ce6052z

http://www.spamcop.net/sc?id=z1568441675zc...d4632a677f3f89z

http://www.spamcop.net/sc?id=z1568475857zc...1ae2baa6468b5fz

But became reporters as a result? I *love* a good ending.

:lol:

Thanks & Best Regards,

Ronald


Unfortunately, MOST users could not find a header with a map. :(

Because they are most visible is exactly why they are using it. Using a header to mark something as spam never occurred to me for that very reason before I started with SpamCop, though I do like it now.

Fair enough from a user's perspective.

The thing is that even though most users are not aware of headers and what they are used for, most email clients are, more often than not to the extent that they automatically move mails with the usual spam-tag headers (e.g. "X-spam-Status: Yes") right into the junk mailbox. So the user does not really need to know what's happening behind the scenes rather than just check that mailbox from time to time. Which is much easier to do without the visual distraction of that changed subject line, IMO. And it's probably clear to anyone that whatever is in the junk mailbox is there because it is considered junk - either by the client or the server.

Why providers and the control panel programmers have taken to making subject mangling the standard I don't know, but perhaps it has more to do with marketing than functionality - if it's right in the user's face then it is clear that they are doing something to address the spam problem. Which is fine by me, I just want an option to switch off the subject mangling...

Best Regards,

Ronald


The thing is that even though most users are not aware of headers and what they are used for, most email clients are, more often than not to the extent that they automatically move mails with the usual spam-tag headers (e.g. "X-spam-Status: Yes") right into the junk mailbox.

These questions are more for my personal knowledge as I have not experienced too many different server or client configurations.

1. What systems use that spam header tag format? I've never heard of a standard for that. Spamcop uses: X-SpamCop-Disposition: Blocked <reason for block>

2. Every client I have experienced, either does the analysis itself to judge whether to use the Junk folder (Outlook), or a rule needs to be created to use the headers placed by a server (Outlook Express, Eudora). Another client I have used is Lotus Notes, but that required notes scripting (at least the version we were using at the time) which we never did work to implement. What clients are you talking about here?


These questions are more for my personal knowledge as I have not experienced too many different server or client configurations.

1. What systems use that spam header tag format? I've never heard of a standard for that. Spamcop uses: X-SpamCop-Disposition: Blocked <reason for block>

I don't know of a standard for those headers, either. It is quite common for them to start with "X-spam", but that's not something one could rely upon. The header I quoted is one that I seem to remember being used by default by Spamassassin, though it's of course also fully configurable. "X-spam-Flag" and "X-spam-Status" seem to be used by a number of products, though, at least by default. Spamassassin also has an "X-spam-Level: ***********" header where the number of "*"s represents the spam score and you can decide where to draw the line via the client-based filter.

2. Every client I have experienced, either does the analysis itself to judge whether to use the Junk folder (Outlook), or a rule needs to be created to use the headers placed by a server (Outlook Express, Eudora). Another client I have used is Lotus Notes, but that required notes scripting (at least the version we were using at the time) which we never did work to implement. What clients are you talking about here?

It looks like I was a bit quick with extrapolating dim memories. Looking at my Eudora filters, they look like I set them up myself, probably a long time ago. I do know that Apple's mail client ("Mail.app") does have a simple checkbox to toggle header-based filtering - see point 4 here.

I am not sure whether that's enabled by default and how well it works with different server configurations.

In fact I don't even know what headers it looks for, but do remember that the feature did not work for me with our custom headers back in the day when I was still using Mail.app at work. The implementation is also odd in that I could set up a rule to move server-tagged mail to the junk mailbox, but not tag it as junk.

(The "learning" junk mail filter over time seemed to give more relevance to those headers, though, so that more and more of the server-tagged mail did end up marked as junk even without an explicit rule.)

In Eudora it's pretty straight-forward to "junk" a mail via a user-defined filter, in addition to its own junk detection.

Still, I obviously stuck out my head a bit far with my sweeping statement - apologies, and thanks for calling me on it! :blush:

I guess a reasonable thing to say in defence of my point is that with most email clients setting up a filtering rule based on a subject string should be just as difficult or easy as building one based on a header string. The difference being that the subject string is obvious to the user while the header is not, so clear instructions, e.g. like these, would be necessary.

Outlook Express does not seem to support header-based filtering and some other products may not, either, requiring the cruder approach of meddling with the subject header (or using a work-around, like this one for OE).

Best Regards,

Ronald

(Going off to hide himself in shame)
