[Mimedefang] What to do about bounced forgeries?

Rick Mallett rmallett at ccs.carleton.ca
Sun Dec 21 20:23:38 EST 2003


We're seeing a big increase in the number of "...User unknown"
messages in our log files which we have determined to be the result
of bounced spam messages which were forged to appear to come from our
site (e.g. MAIL FROM: blotto at carleton.ca), and I'm wondering if others
are experiencing the same problem, and I'm also wondering if anyone
has any ideas on what to do about it.

By late last week we were getting over 500,000 such messages a day
(i.e. approximately 6/sec), and although we have a fairly large system
with some spare capacity, forking a sendmail process to reject each of
these bounced forgeries is starting to have a significant effect on
performance.

I know these "...User unknown" messages are bounced forgeries, BTW,
rather than a dictionary attack, because we temporarily adjusted our
sendmail configuration to capture some of the messages in sendmail
queue format ("q" and "d" files), and I wrote a perl script to extract
subject lines and received headers from the "d" files, and where
possible, identify the site originating the message and the nature
of the material, and I discovered that out of approximately 4000
bounce messages in our sample, almost all of which were spam, there
were about 3000 messages that could be analyzed to determine the
spammer, and this analysis showed that there were close to 2000
different systems involved in the spamming operations.

In other words, there are so many different systems being used to
send spam which is forged to appear to come from our site that it
would be virtually impossible to attempt to contact the responsible
authorities and ask them to take action.

So what do we do? Hope the spammers get tired of using our domain in
their forgeries, or do we have to build a frontend system that uses a
more lightweight process than sendmail to handle the unknown user
rejections? Anyone have any ideas?

BTW, I had originally thought that asking sites to discard, rather
than bounce, spam might be a solution to this problem, but my analysis
also revealed that most of the messages were bounced because they were
improperly addressed and/or sent to an address which was no longer
valid, and not because the target system detected the spam.

- rick
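The analysis Rick describes (capture the bounces, pull the subject and Received headers out of the embedded original, and work back to the host that injected the forged message) can be reproduced on the DSNs themselves. The following is an added example and not the poster's Perl script: it assumes each bounce is available as RFC 822 text, as the sendmail queue "d" file holds it, and the bounce samples, hosts and addresses it uses are constructed for the demonstration.

```python
"""Tally the hosts behind backscatter (bounces of mail forged as ours).

Added example, not the poster's own Perl script. It assumes the bounces were
already captured as RFC 822 text (what a sendmail queue "d" file holds).
The samples below are constructed; hosts and IPs are documentation values.
"""
import re
from collections import Counter
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

OUR_DOMAIN = "carleton.ca"  # the domain the forgeries claim as sender

# First clause of a Received: header: "from <helo> (<rdns> [<ip>]) by <mta>"
RECEIVED_FROM = re.compile(r"from\s+(\S+)(?:\s*\(([^)]*)\))?\s+by\s+", re.I)
BRACKETED_IP = re.compile(r"\[([0-9]{1,3}(?:\.[0-9]{1,3}){3})\]")


def embedded_original(bounce: Message):
    """Return the original message a DSN carries as message/rfc822, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()  # list holding the inner Message
            if isinstance(payload, list) and payload:
                return payload[0]
    return None


def earliest_hop(msg: Message):
    """Host that injected msg: the 'from' clause of the LAST Received: header.

    Received: headers are prepended by each MTA, so the bottom one is the
    first hop; the IP recorded by that MTA is trusted over the HELO name.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = RECEIVED_FROM.search(hops[-1])
    if not m:
        return None
    helo, comment = m.group(1), m.group(2) or ""
    ip = BRACKETED_IP.search(comment)
    return ip.group(1) if ip else helo


def analyse_bounce(raw: str, our_domain: str = OUR_DOMAIN):
    """Classify one inbound DSN; None if it is not a bounce of mail claiming to be ours."""
    bounce = message_from_string(raw)
    if bounce.get_content_type() != "multipart/report":
        return None  # not a DSN at all (direct spam, a dictionary probe, ...)
    original = embedded_original(bounce)
    if original is None:
        return None
    _, sender = parseaddr(original.get("From", ""))
    if not sender.lower().endswith("@" + our_domain):
        return None
    human_text = (bounce.get_payload(0).get_payload() or "").strip()
    return {
        "forged_sender": sender,
        "subject": original.get("Subject", "(none)"),
        "origin": earliest_hop(original),
        "reason": human_text.splitlines()[0] if human_text else "",
    }


def tally_origins(raw_bounces):
    """Count backscatter per injecting host, the figure the post's analysis produced."""
    origins = Counter()
    for raw in raw_bounces:
        info = analyse_bounce(raw)
        if info and info["origin"]:
            origins[info["origin"]] += 1
    return origins


# Constructed DSN: a remote MX bouncing spam that was forged as blotto@carleton.ca.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: blotto@carleton.ca
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn1"

--dsn1
Content-Type: text/plain

<nobody@example.net>... User unknown

--dsn1
Content-Type: message/rfc822

Received: from relay.example.org (relay.example.org [203.0.113.9])
\tby mx.example.net with ESMTP; Sun, 21 Dec 2003 20:00:01 -0500
Received: from pc77.dsl.example (unknown [192.0.2.77])
\tby relay.example.org with SMTP; Sun, 21 Dec 2003 19:59:58 -0500
From: blotto@carleton.ca
To: nobody@example.net
Subject: cheap meds

buy now
--dsn1--
"""

# Constructed non-DSN message addressed to us: must not be counted as backscatter.
SAMPLE_DIRECT = """\
From: someone@example.com
To: blotto@carleton.ca
Subject: hello
Content-Type: text/plain

not a bounce
"""

# Two bounces from one injecting host, one from another, one non-bounce.
SAMPLE_BOUNCES = [
    SAMPLE_BOUNCE,
    SAMPLE_BOUNCE,
    SAMPLE_BOUNCE.replace("192.0.2.77", "198.51.100.5"),
    SAMPLE_DIRECT,
]

if __name__ == "__main__":
    for host, n in tally_origins(SAMPLE_BOUNCES).most_common():
        print(f"{n:6d}  {host}")
```

Run over the captured "d" files, the `most_common()` listing is the per-host breakdown behind the "close to 2000 different systems" figure. The check that decides what counts is the one that separates backscatter from a dictionary attack: a real DSN (`multipart/report`) carrying an original message whose From: is in our domain but whose first Received: hop is not one of our machines.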


