On Wed, 2005-09-14 at 23:55 -0700, Schlaegel wrote:
> On 9/14/05, kevin.kempter@xxxxxxxxxxxxxxxxx
> <kevin.kempter@xxxxxxxxxxxxxxxxx> wrote:
> > Thanks for the info.
> >
> > Can you send me info on what a spam assassin filter to catch these will need to
> > look like?
>
> Here are some rules I added to my user_prefs file after setting
> "allow_user_rules 1" in local.cf.
>
> My goal was to ensure the joe-job bounces were deleted, not remove
> spam, which I receive little of. I turned off Bayes and neutered
> auto_whitelist. I would have completely turned off auto_whitelist if I
> could have figured out how. The rules still need to have their score
> adjusted, as most of the matches are guaranteed bounces.
>
> I based the rules on my large collection of bounce messages and
> http://permalink.gmane.org/gmane.discuss/5381
>
> # From bounce matches
>
> header   BOUNCE_FROM_MAILER_DAEMON From =~ /mailer-daemon/i
> describe BOUNCE_FROM_MAILER_DAEMON From: mailer-daemon, probably an automated message
> score    BOUNCE_FROM_MAILER_DAEMON 5
>
> header   BOUNCE_FROM_BLACKHOLE From =~ /blackhole/i
> describe BOUNCE_FROM_BLACKHOLE From: blackhole, probably an automated message
> score    BOUNCE_FROM_BLACKHOLE 5
>
> header   BOUNCE_FROM_POSTMASTER From =~ /postmaster/i
> describe BOUNCE_FROM_POSTMASTER From: postmaster, probably an automated message
> score    BOUNCE_FROM_POSTMASTER 5
>
> header   BOUNCE_FROM_POST_OFFICE From =~ /Post Office/i
> describe BOUNCE_FROM_POST_OFFICE From: Post Office, probably an automated message
> score    BOUNCE_FROM_POST_OFFICE 5
>
> header   BOUNCE_FROM_MAIL_DELIVERY_SYSTEM From =~ /Mail Delivery System/i
> describe BOUNCE_FROM_MAIL_DELIVERY_SYSTEM From: Mail Delivery System, probably an automated message
> score    BOUNCE_FROM_MAIL_DELIVERY_SYSTEM 5
>
> header   BOUNCE_FROM_MAIL_DELIVERY_SUBSYSTEM From =~ /Mail Delivery Subsystem/i
> describe BOUNCE_FROM_MAIL_DELIVERY_SUBSYSTEM From: Mail Delivery Subsystem, probably an automated message
> score    BOUNCE_FROM_MAIL_DELIVERY_SUBSYSTEM 5
>
> header   BOUNCE_FROM_MAIL_ADMINISTRATOR From =~ /Mail Administrator/i
> describe BOUNCE_FROM_MAIL_ADMINISTRATOR From: Mail Administrator, probably an automated message
> score    BOUNCE_FROM_MAIL_ADMINISTRATOR 5
>
> header   BOUNCE_FROM_SYSTEM_ADMINISTRATOR From =~ /System Administrator/i
> describe BOUNCE_FROM_SYSTEM_ADMINISTRATOR From: System Administrator, probably an automated message
> score    BOUNCE_FROM_SYSTEM_ADMINISTRATOR 5
>
> header   BOUNCE_FROM_INTERNET_MAIL_DELIVERY From =~ /Internet Mail Delivery/i
> describe BOUNCE_FROM_INTERNET_MAIL_DELIVERY From: Internet Mail Delivery, probably an automated message
> score    BOUNCE_FROM_INTERNET_MAIL_DELIVERY 5
>
> header   BOUNCE_FROM_MAIL From =~ /mail/i
> describe BOUNCE_FROM_MAIL From: mail, possibly an automated message
> score    BOUNCE_FROM_MAIL 1
>
>
> # Subject bounce matches
>
> header   BOUNCE_FAILURE_NOTICE Subject =~ /failure notice/i
> describe BOUNCE_FAILURE_NOTICE Subject: 'failure notice', bounce message
> score    BOUNCE_FAILURE_NOTICE 5
>
> header   BOUNCE_DELIVERY_STATUS_NOTIFICATION Subject =~ /delivery status notification/i
> describe BOUNCE_DELIVERY_STATUS_NOTIFICATION Subject: 'Delivery status notification', probably bounce
> score    BOUNCE_DELIVERY_STATUS_NOTIFICATION 1
>
> header   BOUNCE_DELIVERY_FAILED Subject =~ /delivery failed/i
> describe BOUNCE_DELIVERY_FAILED Subject: 'delivery failed', bounce message
> score    BOUNCE_DELIVERY_FAILED 1
>
> header   BOUNCE_MAIL_DELIVERY_FAILED Subject =~ /Mail delivery failed/i
> describe BOUNCE_MAIL_DELIVERY_FAILED Subject: 'Mail delivery failed', bounce message
> score    BOUNCE_MAIL_DELIVERY_FAILED 5
>
> header   BOUNCE_UNDELIVERABLE Subject =~ /Undeliverable:/i
> describe BOUNCE_UNDELIVERABLE Subject: Undeliverable
> score    BOUNCE_UNDELIVERABLE 1
>
> header   BOUNCE_RETURNED_MAIL Subject =~ /Returned mail/i
> describe BOUNCE_RETURNED_MAIL Subject: 'Returned mail', bounce message
> score    BOUNCE_RETURNED_MAIL 5
>
> header   BOUNCE_MAIL_COULD_NOT_BE_DELIVERED Subject =~ /Mail could not be delivered/i
> describe BOUNCE_MAIL_COULD_NOT_BE_DELIVERED Subject: 'Mail could not be delivered', bounce message
> score    BOUNCE_MAIL_COULD_NOT_BE_DELIVERED 5
>
> header   BOUNCE_UNDELIVERED_MAIL Subject =~ /Undelivered Mail/i
> describe BOUNCE_UNDELIVERED_MAIL Subject: 'Undelivered Mail', bounce message
> score    BOUNCE_UNDELIVERED_MAIL 5
>
> header   BOUNCE_RETURNED_TO_SENDER Subject =~ /Returned to Sender/i
> describe BOUNCE_RETURNED_TO_SENDER Subject: 'Returned to Sender', bounce message
> score    BOUNCE_RETURNED_TO_SENDER 5
>
> use_bayes 0
> fold_headers 0
> auto_whitelist_factor 0

Does this not result in the trashing of *all* bounces, not just
backscatter?

Note that the term "Joe Job" really applies to cases where the spammer
is deliberately trying to pass off the spam as originating from the
purported sender, typically to try to cause trouble for the purported
sender - see
http://searchcio.techtarget.com/sDefinition/0,,sid19_gci917469,00.html
for some history - whereas most spam sent with forged sender addresses
is just a result of the spammer picking domains at random, with no
particular malicious intent regarding the domains he/she is forging.

The OP could get rid of most of his problem simply by turning off the
catch-all mailbox and using only specific addresses in his domain.
Backscatter hitting non-existent addresses would then be rejected by
his mail server.

Paul.
-- 
Paul Howarth <paul@xxxxxxxxxxxx>
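
Added example (not part of either message in this thread): a small Python model of a subset of the quoted BOUNCE_* rules, run over two constructed messages. It shows that a genuine bounce and a backscatter bounce get the same score, while a recipient check with no catch-all separates them. The domain example.org, the mailbox kevin@example.org and both sample messages are assumptions made up for the illustration.

```python
import re
from email import message_from_string

# Subset of the BOUNCE_* rules quoted above: (name, header, pattern, score).
RULES = [
    ("BOUNCE_FROM_MAILER_DAEMON", "From", r"mailer-daemon", 5),
    ("BOUNCE_FROM_POSTMASTER", "From", r"postmaster", 5),
    ("BOUNCE_FROM_MAIL_DELIVERY_SYSTEM", "From", r"Mail Delivery System", 5),
    ("BOUNCE_FROM_MAIL", "From", r"mail", 1),
    ("BOUNCE_FAILURE_NOTICE", "Subject", r"failure notice", 5),
    ("BOUNCE_UNDELIVERED_MAIL", "Subject", r"Undelivered Mail", 5),
    ("BOUNCE_RETURNED_MAIL", "Subject", r"Returned mail", 5),
]

# Assumption: the only real mailbox in the hypothetical domain example.org.
VALID_LOCAL = {"kevin@example.org"}

def score(raw):
    """Return (total, rule names) for every rule whose /.../i regex matches."""
    msg = message_from_string(raw)
    hits = [(n, s) for n, h, p, s in RULES if re.search(p, msg.get(h, ""), re.I)]
    return sum(s for _, s in hits), [n for n, _ in hits]

def rcpt_accepted(raw):
    """No catch-all: accept only existing recipients. The To: header stands
    in for the SMTP envelope recipient in this simplified model."""
    to = message_from_string(raw).get("To", "")
    return to.strip().lower() in VALID_LOCAL

# Constructed sample messages (not taken from the thread).
LEGIT_BOUNCE = """From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: kevin@example.org
Subject: Undelivered Mail Returned to Sender

Your message to a mistyped address could not be delivered.
"""
BACKSCATTER = """From: Mail Delivery System <MAILER-DAEMON@mx.example.com>
To: qzx81@example.org
Subject: Undelivered Mail Returned to Sender

A message with a forged sender address could not be delivered.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_BOUNCE), ("backscatter", BACKSCATTER)):
        verdict = "accepted" if rcpt_accepted(raw) else "rejected"
        print(name, score(raw), verdict)
```

The header rules cannot tell the two messages apart because both carry identical From and Subject lines; only the recipient differs.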