The largest virus outbreak ever occurred again this week. Our cluster of ClamAV servers handled it just fine, but that is not what this post is about. Virus outbreaks like this cause a swarm of backscatter mail. Backscatter is what happens when innocent mailboxes are flooded with undeliverable-mail notifications because viruses forge random sender addresses. To combat this, we discard virus notifications from other servers, because ALL of them are bogus. Viruses forge the sender address… So all you mail administrators out there – stop bouncing this crap back to the sender!
Blocking virus bounces based on Subject and other headers has worked reasonably well, but it does not block backscatter from simple SMTP rejects, because those bounces don’t contain pretty "you sent a virus" subject lines. It also doesn’t block backscatter caused by bounced spam, because spammers love to forge sender addresses as well.
The high volume of backscatter seen this week caused us to look deeper for a way to block this stuff. And we found it… We now tag as spam any bounce message where the original email was not sent from our email system.
The rule is: (1) if the email is from a null sender, and (2) if the email has a bounce-style Subject or From header (such as "Subject: Undeliverable Mail" or "From: Mail Delivery Subsystem"), and (3) if the body of the message does not contain our servers’ Received headers – tag it as spam.
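The three-part rule above, written out as an added Python example (not the author's filter, which the post does not show). It assumes the receiving MTA records the null envelope sender as a `Return-Path: <>` header; the relay hostnames and the two sample bounces are constructed for the example.

```python
import re
from email import message_from_string

# Hostnames of our own outbound relays (constructed placeholder values).
OUR_MAIL_HOSTS = {"mx1.example.net", "mx2.example.net"}
BOUNCE_SUBJECT = re.compile(r"undeliverable|delivery (status|failure)|returned mail|failure notice", re.I)
BOUNCE_FROM = re.compile(r"mailer-daemon|mail delivery (sub)?system|postmaster", re.I)
RECEIVED_BY = re.compile(r"^Received:.*?\bby\s+([A-Za-z0-9.-]+)", re.I | re.M)

def _body_text(msg):
    """Collect the text of every body part, including attached original messages."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            chunks.extend(m.as_string() for m in part.get_payload())  # keeps its headers
        elif not part.is_multipart():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(chunks)

def is_backscatter(raw, our_hosts=OUR_MAIL_HOSTS):
    """True when all three conditions of the rule hold for the raw RFC 5322 message."""
    msg = message_from_string(raw)
    # (1) Null envelope sender. MAIL FROM:<> is not a header; we assume the receiving
    # MTA recorded it as "Return-Path: <>" (an assumption about the MTA in front of us).
    if (msg.get("Return-Path") or "").strip() != "<>":
        return False
    # (2) Bounce-style Subject or From header.
    if not (BOUNCE_SUBJECT.search(msg.get("Subject", "")) or BOUNCE_FROM.search(msg.get("From", ""))):
        return False
    # (3) None of the Received: headers quoted in the body name one of our servers.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", _body_text(msg))  # join folded header lines
    relays = {m.group(1).lower() for m in RECEIVED_BY.finditer(unfolded)}
    return not (relays & {h.lower() for h in our_hosts})

# Constructed sample bounce: the quoted original never passed through our relays.
FORGED_BOUNCE = """\
Return-Path: <>
From: Mail Delivery Subsystem <MAILER-DAEMON@remote.example.org>
Subject: Undeliverable Mail

Your message could not be delivered. Original headers follow:
Received: from pc.victim.example (192.0.2.10)
\tby mx.remote.example.org with SMTP; Mon, 21 Nov 2005 10:00:00 +0000
From: user@example.net
"""
# Same bounce, but the quoted original really was relayed by one of our servers.
GENUINE_BOUNCE = FORGED_BOUNCE.replace("by mx.remote.example.org", "by mx1.example.net")
```

Run as a milter or content-filter hook, a True result would add the spam tag; a bounce that quotes one of our own Received lines passes through untouched.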
Now our email hosting customers have even cleaner inboxes, and you can thank Sober.Y.