cjsmith ([personal profile] cjsmith) wrote 2007-11-29 01:28 pm

Spam, spam, spam, spam....

I got 5870 pieces of spam between about 11pm last night and right now. These are mail bounces; the spammers have now discovered my domain and are sending mail "from" it. I now have to delete all that crap. I also need to move to a system where I throw away everything addressed to my domain by default, and keep a whitelist set of To: usernames.

LJ comment notifications, however, are still intermittent at best. Many of them simply aren't making it (at least not in the last few days). I know of at least one other personal e-mail I'm missing. There are days when I honestly wonder why I bother having e-mail at all.

I think today is determined to make me blow up. I shall have to go find a useful (or fun) way to channel this explosion.

[identity profile] hanov3r.livejournal.com 2007-11-29 09:39 pm (UTC)(link)
If you've got access to procmail for email filtering, it's pretty simple to set up a recipe that says, in effect, "if this mail is a bounce and is not from $addresses (where $addresses is in the set "email addresses that I actually use to send outbound mail"), /dev/null it".

Something along the lines of:

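# Set ADDRESS_REGEXP earlier in the rcfile to a regexp matching the addresses you send from.
# The leading "$" on the second condition makes procmail expand the variable in it.
:0
* ^FROM_MAILER
* $ !^To:.*${ADDRESS_REGEXP}
/dev/null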


FROM_MAILER is a procmail internal that expands to (^(((Resent-)?(From|Sender)|X-Envelope-From):|>?From )([^>]*[^(.%@a-z0-9])?(Post(ma(st(er)?|n)|office)|(send)?Mail(er)?|daemon|mmdf|n?uucp|ops|r(esponse|oot)|(bbs\.)?smtp(error)?|s(erv(ices?|er)|ystem)|A(dmin(istrator)?|MMGR))(([^).!:a-z0-9][-_a-z0-9]*)?[%@>\t ][^<)]*(\(.*\).*)?)?$([^>]|$)) - this regexp catches most well-known mailer daemons.

[personal profile] brooksmoses 2007-11-29 09:56 pm (UTC)(link)
Thanks! I've had the same problem (though, luckily, with an order of magnitude fewer bounce messages) and may need that someday.

That's a rather ugly regexp, though! :)

[identity profile] hanov3r.livejournal.com 2007-11-29 10:28 pm (UTC)(link)
That's why "^FROM_MAILER" is useful. :-)

I wouldn't route to /dev/null off the bat. I spent two or three months routing that to a "not_my_bounce" folder and checked it every few days; what I found is that there are legit bulk mailers out there that send from addresses like Admin that catch that regexp and, since I give commercial entities unique addresses that I never send from, their mail was going into that folder. Other filters sent that mail to where I could see it and, once I had all of it nabbed, the bounces and other junk started going to /dev/null.

[identity profile] cjsmith.livejournal.com 2007-11-29 10:25 pm (UTC)(link)
Thank you! I'll see if I can get this plugged in pretty soon. I had to shut the whole thing down -- they're coming in faster than I can delete them -- so until I get procmail running with this filter, I have no mail at all.

[identity profile] hanov3r.livejournal.com 2007-11-29 10:31 pm (UTC)(link)
Procmail's not bog simple, but it's not rocket science. :-) If'n you need help, I'm online on most of the IM services at this username, or poke me on gmail at username dromerstein.

[identity profile] rfrench.livejournal.com 2007-11-29 09:39 pm (UTC)(link)
Go shooting :-)

[personal profile] mithriltabby 2007-11-29 09:41 pm (UTC)(link)
I have a filter in place on my e-mail client that shunts anything not sent to my own e-mail address into a folder named “Misdirected”. Occasionally, it’s a typo from a human being trying to reach another human being on my domain, but 99% of the time it’s spam or bounce messages from someone spamming using my domain name. Having the filter cuts down on the annoyance a great deal.

[identity profile] cjsmith.livejournal.com 2007-11-29 10:26 pm (UTC)(link)
I've thought about shunting things somewhere, but honestly, we're talking disk space limitations here. Anything that even triggers a whisker on any level of my spam-traps is deleted completely.

[personal profile] davidlevine 2007-11-29 10:09 pm (UTC)(link)
What I finally had to do was turn off the catchall email address on all my domains. Anything not specifically addressed to a defined user gets bit-bucketed.

I found that what I was getting on the catchall was 99.99% spam (mostly bounces "from" my domain, as you got today) with one or two typos and perhaps a dozen non-spam shots-in-the-dark (e.g. "complaints@mydomain.com" which, well, might conceivably be the complaints address, but as it is not and we never told anyone it is, you really had no reason to expect a reply) over five years. Removing the catchall has eliminated those bogus bounce messages and probably reduced the remaining spam by 5-10%.

[identity profile] cjsmith.livejournal.com 2007-11-29 11:39 pm (UTC)(link)
Yep, that's basically what I meant by throwing away everything addressed to my domain by default, and keeping a whitelist set of To: usernames. I could specifically define those and turn off the catchall, or I could run procmail and enter my whitelist into its filters, but either way, this is definitely a step I need to take.
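
An added example, not written by anyone in this thread: a Python dry run of the policy the comments converge on (no catchall, a whitelist of To: usernames, and daemon-style mail to addresses never used for sending going to a "not_my_bounce" folder for review). The domain, whitelist, sending address, sample messages and the simplified stand-in for FROM_MAILER are all assumptions; like the recipe above it looks only at the To: header.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# All values below are constructed for illustration.
DOMAIN = "example.org"
WHITELIST = {"cj", "lj-notify", "shop"}   # To: usernames that accept mail
SENDING = {"cj@example.org"}              # addresses actually used to send mail
# Simplified stand-in for procmail's FROM_MAILER (daemon-style sender names).
MAILER = re.compile(
    r"^(mailer-daemon|postmaster|daemon|mailer|root|admin(istrator)?)$", re.I)


def triage(raw):
    """Return 'discard', 'not_my_bounce' or 'inbox' for one raw message."""
    msg = message_from_string(raw)
    to = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    ours = {a for a in to if a.endswith("@" + DOMAIN)}
    # Step 1: no catchall; only whitelisted usernames are kept.
    if not any(a.split("@")[0] in WHITELIST for a in ours):
        return "discard"
    # Step 2: daemon-style sender writing to an address we never send from.
    sender_local = parseaddr(msg.get("From", ""))[1].split("@")[0]
    if MAILER.match(sender_local) and not (ours & SENDING):
        return "not_my_bounce"   # quarantine folder, reviewed before deleting
    return "inbox"


def make(frm, to, subject):
    """Build a minimal constructed message."""
    return f"From: {frm}\nTo: {to}\nSubject: {subject}\n\nbody\n"


SAMPLES = {
    "forged-sender bounce": make(
        "MAILER-DAEMON@mx.example.net", "qxz123@example.org", "Undeliverable"),
    "bounce to non-sending address": make(
        "postmaster@mx.example.net", "lj-notify@example.org", "Returned mail"),
    "bounce for mail I sent": make(
        "MAILER-DAEMON@mx.example.net", "cj@example.org", "Delivery failure"),
    "bulk mailer using Admin@": make(
        "Admin@shop.example", "shop@example.org", "Your order"),
    "ordinary mail": make("friend@example.com", "cj@example.org", "lunch?"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{triage(raw):14} {name}")
```

The "bulk mailer using Admin@" sample lands in not_my_bounce even though it is wanted mail, which is the false positive that the quarantine-first advice is meant to surface before anything is sent to /dev/null.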