The largest virus outbreak ever occurred again this week. Our cluster of ClamAV servers handled it just fine, but that is not what this post is about. Virus outbreaks like this cause a swarm of backscatter mail. Backscatter is when innocent mailboxes are flooded with undeliverable mail notifications, because of the fact that viruses forge random sender addresses. To combat this, we discard virus notifications from other servers, because ALL of them are bogus. Viruses forge the sender address… So all you mail administrators out there – stop bouncing this crap back to the sender!
Blocking virus bounces based on Subject and other headers has worked reasonably well, but it does not block backscatter from simple SMTP rejects, because those bounces don’t contain pretty "you sent a virus" subject lines. It also doesn’t block backscatter caused by bounced spam, because spammers love to use sender addresses as well.
The high volume of backscatter seen this week caused us to look deeper for a way to block this stuff. And we found it… We now tag as spam any bounce message where the original email was not sent from our email system.
The rule is: (1) if the email is from a null sender, and (2) if the email has a bounce-style Subject or From header (such as "Subject: Undeliverable Mail" or "From: Mail Delivery Subsystem"), and (3) if the body of the message does not contain our servers’ Received headers – tag it as spam.
Now our email hosting customers have even cleaner inboxes, and you can thank Sober.Y.
> The rule is: (1) if the email is from a null sender, and (2) if the email has a bounce-style Subject or From header (such as “Subject: Undeliverable Mail” or “From: Mail Delivery Subsystem”), and (3) if the body of the message does not contain our servers’ Received headers – tag it as spam.
Makes perfect sense to me! especially rule #1. I don’t know why any servers aint doing this in the first place, especially yahoo and hotmail. grrrrr
We use a local, firewalled server for outbound SMTP in order to avoid connect delays from webmail. Will the new rule cause me to loose all bounces from mail initiated by my local, outbound SMTP server?
You will not lose the bounces from mail initiated by your local SMTP server, however they will get tagged as spam. i.e. We don’t automatically delete them.
But if you send me a copy of a bounce, I can get the necessary rules added so that they are not tagged as spam. Send it to: billsblog(at)webmail.us
Pingback: 1.6% virus – Is that all? | Bill Boebel