Meet the Gang
By Dan Wilder
I've been filtering more aggressively. This month's spam bouncing features a 450 to "From: " addresses with domains the MTA can't find in the DNS.
Since lots of spammers use unrepliable "From:" this knocks those guys off. We use a 450 instead of a 550 because a 450 is retryable. If it's just a DNS glitch, the retry goes through.
So the real slimebags use a nonexistent user at a host that exists but for some reason does not accept SMTP connections. That way they pass the "does this host exist" test.
Lots of their mail goes to 10000000 VERIFIED EMAIL ADDRESSES, meaning people like [email protected] who don't work here any more, or [email protected] who never did. These bounce, but our MTA can't raise a connection from the putative source, so they just park on the queue for a week or so.
Every couple of days I go look for new stuff on the queue from MAILER-DAEMON with "Connection refused" errors. Then I add them to a reject file, and henceforth mail claiming to be from anybody at the "From:" domain gets
550 You refuse our connections so we refuse yours
Non-retryable. I figure we don't knock off too many legit domains, since these usually don't keep refusing connections for very long, and MAILER-DAEMON doesn't have much traffic for legit domains anyway.
Each morning I get mailed the list of 100 or so mails that were so refused, and I vet for stuff that might be legit. Mostly it's the same bogus "From:" hammering ten or twenty users at SSC, more than half of whom never existed.
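The two checks described above (a retryable 450 for a "From:" domain the MTA can't find in DNS, a non-retryable 550 for domains harvested from MAILER-DAEMON "Connection refused" bounces) as an added illustration in Python; this is not code from the column or from SSC's MTA. The DNS lookup is injected as a callable so it runs offline, the bounce-line layout and the sample bounces are constructed, and the 450 text and the malformed-address reply are assumptions.

```python
import re
from typing import Callable, Optional, Set, Tuple

# Reply texts. The 550 line is the one quoted in the column; the rest are assumed.
ACCEPT = (250, "OK")
TEMP_REJECT = (450, "Sender domain not found in DNS, try again later")
PERM_REJECT = (550, "You refuse our connections so we refuse yours")
MALFORMED = (550, "Malformed sender address")  # assumption: column does not cover this

_ADDR = re.compile(r"[^@\s<>]+@([A-Za-z0-9.-]+)")
_BOUNCED_ADDR = re.compile(r"<([^<>\s]+)>")

def sender_domain(addr: str) -> Optional[str]:
    """Lower-cased domain of an address like 'bob@spamco.invalid', else None."""
    m = _ADDR.fullmatch(addr.strip())
    return m.group(1).lower().rstrip(".") if m else None

def check_sender(addr: str, reject_domains: Set[str],
                 resolves: Callable[[str], bool]) -> Tuple[int, str]:
    """The column's policy: 550 for a domain in the reject file, 450 (retryable)
    when the domain is not found in DNS, otherwise accept. `resolves(domain)`
    stands in for the MTA's real DNS lookup so this runs offline."""
    domain = sender_domain(addr)
    if domain is None:
        return MALFORMED
    if domain in reject_domains:
        return PERM_REJECT
    if not resolves(domain):
        return TEMP_REJECT
    return ACCEPT

def harvest_refused(bounce_text: str) -> Set[str]:
    """Scan queued MAILER-DAEMON lines and collect the domains of addresses whose
    host refused our connection; these are candidates for the reject file.
    Assumed line layout: '<addr>: Deferred: Connection refused by host'."""
    found: Set[str] = set()
    for line in bounce_text.splitlines():
        if "Connection refused" not in line:
            continue
        for addr in _BOUNCED_ADDR.findall(line):
            domain = sender_domain(addr)
            if domain:
                found.add(domain)
    return found

# Constructed sample of queued MAILER-DAEMON errors (not real bounce output).
SAMPLE_BOUNCES = """\
<bob@spamco.invalid>: Deferred: Connection refused by mx.spamco.invalid
<alice@example.net>: Deferred: Connection timed out with mx.example.net
<deals@bulkmail.invalid>: Deferred: Connection refused by mail.bulkmail.invalid
"""
```

Run `harvest_refused(SAMPLE_BOUNCES)` to build the reject set, then feed each incoming sender to `check_sender`; a domain that is missing from DNS gets the retryable 450 so a DNS glitch is not fatal, while a harvested domain gets the 550.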