hi guys,

I receive over 2000 messages from mailman-bounces every day with subject: Uncaught bounce notification.. and when opening any message it's nothing but another Spam Ad about pills or shoes or other stuff.. how can I stop these ADs from being sent to my Admin email? it's becoming a real pain as it takes forever to download to the inbox.. on the other hand, I don't want to disable the notification because sometimes it might be a bounce that mailman couldn't detect so I remove it manually from the list ..

thanks..

  • Stefan Förster at May 18, 2008 at 11:45 am

    * Khalil Abbas wrote:
    I receive over 2000 messages from mailman-bounces every day with
    subject: Uncaught bounce notification.. and when opening any message
    it's nothing but another Spam Ad about pills or shoes or other
    stuff.. how can I stop these ADs from being sent to my Admin email?
    it's becoming a real pain as it takes forever to download to the
    inbox.. on the other hand, I don't want to disable the notification
    because sometimes it might be a bounce that mailman couldn't detect
    so I remove it manually from the list ..

    If you do not want to disable those notifications in Mailman, the
    easiest way seems to filter the messages before they are delivered to
    mailman. This probably involves some configuration in your MTA - but
    have you tried out the "Spam Filtering" options in your admin
    webinterface? As for your mailserver:

    A very effective open source spam filtering tool is amavisd-new which
    is written in Perl and can classify incoming messages as ham or spam
    using a pre-defined set of rules (to catch typical pill ads, Nigerian
    419 frauds and so on), a Bayes style filter (which you can train to
    "learn" which messages are spam), numerous DNS blacklists to e.g. compare
    advertised URLs against blacklists and distributed spam tracking
    systems like Razor or Pyzor. You can download it at:

    http://www.ijs.si/software/amavisd/

    Please note that, depending on the volume of messages it has to
    filter, amavisd-new might need a non-trivial amount of memory and CPU
    time. On a dualcore Opteron with 2 GB RAM, I can filter between four
    and eight messages per second.

    Another option is to configure your mail server to do more checks on
    incoming messages. Since I don't know what MTA you are using, I can
    only give you some general guidelines on that: A first step would be
    to enforce compliance to the (E)SMTP protocol in your MTA, i.e. reject
    the message when the (E)SMTP syntax is invalid or the presented name
    in the HELO/EHLO greeting is either invalid or not fully qualified
    (you have to THOROUGHLY TEST the latter!). This solution doesn't
    consume any noticeable resources. On the aforementioned server, I can
    easily handle around 7k rejected mails per second on 100 concurrent,
    incoming connections made by spambots.


    A second step would be to enforce a technique called greylisting on
    hosts which don't have a reverse DNS name or whose hostname looks like
    a dialup name, e.g. "22-22-22-22.dialup.provider.example.org". You
    can find information on greylisting at

    http://www.greylisting.org/

    In terms of resources, greylisting is very cheap. On the
    aforementioned server, I can easily handle about 1k rejects per minute
    due to hosts not passing greylisting.

    As a last step, you can make use of various realtime DNS black lists,
    for example zen.spamhaus.org. I cannot give you any specific
    recommendations on which blacklists to use, and I can't give you any
    guidelines on your policy, i.e. whether you want to reject a message
    if the sending host is in one, two, three or more blacklists. There
    are Postfix style policy daemons, Sendmail style milters and generic
    SMTP proxies around which all allow you to configure quite
    sophisticated policies on when to reject a message according to DNSBL
    hits. For some general information on the use of blacklists, please
    refer to your MTA's documentation. On the aforementioned server,
    supported by a highly tuned local DNS cache, I can handle about 200
    policy decisions per second at most.


    Cheers
    Stefan
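
Added example, not part of the original thread or any poster's code: a minimal Python sketch of the selective greylisting decision described in the message above, written against the attribute names of Postfix's policy delegation protocol. The dialup-name heuristic, the 300-second delay and the sample request are assumptions constructed for illustration.

```python
import re
import time

# Assumed heuristic labels for access-network (dialup/DSL/pool) reverse names.
DYNAMIC = re.compile(r"(^|[.-])(dialup|dyn|dynamic|dsl|adsl|pool|ppp|dhcp)([.-]|\d)", re.I)

# Constructed request in Postfix policy-delegation format (name=value lines,
# terminated by an empty line). The empty sender is what a bounce carries.
SAMPLE = """request=smtpd_access_policy
protocol_state=RCPT
client_address=192.0.2.22
client_name=22-2-0-192.dialup.provider.example.org
sender=
recipient=mylist-bounces@lists.example.org

"""

def parse_request(text):
    """Return the attributes of one policy request as a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def looks_dynamic(name, addr):
    """True if the client has no reverse name or it looks like a dialup pool."""
    if not name or name == "unknown":   # Postfix reports "unknown" without rDNS
        return True
    digits = re.findall(r"\d+", name)
    embeds_ip = len(digits) >= 4 and all(o in digits for o in addr.split("."))
    return embeds_ip or bool(DYNAMIC.search(name))

class Greylist:
    def __init__(self, delay=300):
        self.delay = delay        # seconds a new triplet must wait
        self.first_seen = {}      # (client, sender, recipient) -> first attempt

    def decide(self, attrs, now=None):
        """Return the policy reply line for one request."""
        now = time.time() if now is None else now
        addr = attrs.get("client_address", "")
        if not looks_dynamic(attrs.get("client_name", ""), addr):
            return "action=dunno"                 # named, static host: not greylisted
        key = (addr, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            return "action=dunno"                 # retried after the delay: let it through
        return "action=defer_if_permit Greylisted, please retry later"
```

A real policy service would write the returned line followed by an empty line back to the MTA and persist `first_seen` across restarts.
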
  • Stefan Förster at May 18, 2008 at 12:06 pm
    Damnit, that is

    * Stefan Förster wrote:
    easily handle around 7k rejected mails per second on 100 concurrent,
    per MINUTE, ofc!


    Ciao
    Stefan
    --
    Stefan Förster http://www.incertum.net/ Public Key: 0xBBE2A9E9
    ...And god said, let there be a Satan, so people won't blame everything on me...
  • Mark Sapiro at May 18, 2008 at 2:48 pm

    Stefan Förster wrote:
    * Khalil Abbas wrote:
    I receive over 2000 messages from mailman-bounces every day with
    subject: Uncaught bounce notification.. and when opening any message
    it's nothing but another Spam Ad about pills or shoes or other
    stuff.. how can I stop these ADs from being sent to my Admin email?
    it's becoming a real pain as it takes forever to download to the
    inbox.. on the other hand, I don't want to disable the notification
    because sometimes it might be a bounce that mailman couldn't detect
    so I remove it manually from the list ..

    If you do not want to disable those notifications in Mailman, the
    easiest way seems to filter the messages before they are delivered to
    mailman. This probably involves some configuration in your MTA - but
    have you tried out the "Spam Filtering" options in your admin
    webinterface?

    Mailman's spam filters only apply to mail to the list and list-owner
    addresses. They don't apply to mail to -bounces.

    The remainder of Stefan's advice is good.

    For my server, I use Postfix as the incoming MTA with Postgrey for
    greylisting. This gets rid of much spam. The remaining mail is run
    through MailScanner <http://mailscanner.info/> which in my
    configuration uses ClamAv, SpamAssassin, Razor, Pyzor, DCC and other
    checks for malware and spam. I find this to be a pretty effective
    combination.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Brad Knowles at May 18, 2008 at 5:00 pm

    On 5/18/08, Mark Sapiro wrote:

    For my server, I use Postfix as the incoming MTA with Postgrey for
    greylisting. This gets rid of much spam.

    At the Anti-Spam Workshop at the LISA'07 conference, one lesson we
    learned is that every site is different, and what works for one site
    may not work for another.

    However, another thing we learned is that greylisting is becoming
    much less effective for many sites -- the workshop leader shared with
    us some average statistics for greylisting success versus spam for
    the year versus the last month, and the year was a 20% hit ratio
    while the last month was 10%.

    At that point, I would say that greylisting is less than useful.
    There's a definite non-zero cost to using it, but if the spammers are
    doing non-queueing retries, then greylisting becomes less than useful.

    The remaining mail is run
    through MailScanner <http://mailscanner.info/> which in my
    configuration uses ClamAv, SpamAssassin, Razor, Pyzor, DCC and other
    checks for malware and spam. I find this to be a pretty effective
    combination.

    I've got a multi-part article I've been writing for a couple of years
    that details all of my knowledge and experience on the subject of
    fighting spam (and I've been doing this for over seventeen years),
    for publication on the LOPSA.org website, and goes into some detail
    on the anti-spam methods we use for python.org.

    Anyone who wants a copy of the current draft should contact me, and
    I'll be glad to share it with them, under the conditions that they
    don't share it with anyone else without my prior approval, and they
    promise to give me feedback.


    I'm also hoping to do an invited talk at the LISA'08 conference on
    one small part of the spam problem, if anyone is interested.

    --
    Brad Knowles <brad at shub-internet.org>
    LinkedIn Profile: <http://tinyurl.com/y8kpxu>
  • Mark Sapiro at May 19, 2008 at 3:36 am

    Khalil Abbas wrote:
    OKEYZ .. this is just too much for me.. if I just disabled the options
    that send the Uncaught Bounce notification would it be ok? I mean if
    there are REAL bounces that mailman couldn't process, would it be
    harmful if I just ignored them?

    The harm in ignoring legitimate unrecognized bounces is you keep mailing
    to a dead address. At best, this is a waste of bandwidth and other
    resources. At worst, it can get your server blacklisted.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Bill Christensen at May 19, 2008 at 4:16 am

    At 7:48 AM -0700 5/18/08, Mark Sapiro wrote:
    Stefan Förster wrote:
    * Khalil Abbas wrote:
    I receive over 2000 messages from mailman-bounces every day with
    subject: Uncaught bounce notification.. and when opening any message
    it's nothing but another Spam Ad about pills or shoes or other
    stuff.. how can I stop these ADs from being sent to my Admin email?
    it's becoming a real pain as it takes forever to download to the
    inbox.. on the other hand, I don't want to disable the notification
    because sometimes it might be a bounce that mailman couldn't detect
    so I remove it manually from the list ..

    If you do not want to disable those notifications in Mailman, the
    easiest way seems to filter the messages before they are delivered to
    mailman. This probably involves some configuration in your MTA - but
    have you tried out the "Spam Filtering" options in your admin
    webinterface?

    Mailman's spam filters only apply to mail to the list and list-owner
    addresses. They don't apply to mail to -bounces.

    The remainder of Stefan's advice is good.

    If the original mail was sent to the list address
    by a non-member and bounced with an autoreply,
    would the spam filter have been applied? Is the
    filter only applied after the message passes a
    member/non-member test?

    My guess is that there's message rejection going
    on: the spam is coming to the list address,
    bouncing out as being from non member addresses,
    and bouncing back to the -bounce address. If
    that's the case, stop autoreplying to non member
    mail - or teach your moderators to discard rather
    than reject.

    Spam filtering before it gets to Mailman is still probably the best choice.

    --
    Bill Christensen
    <http://greenbuilder.com/contact/>

    Green Building Professionals Directory: <http://directory.greenbuilder.com>
    Sustainable Building Calendar: <http://www.greenbuilder.com/calendar/>
    Green Real Estate: <http://www.greenbuilder.com/realestate/>
    Straw Bale Registry: <http://sbregistry.greenbuilder.com/>
    Books/videos/software: <http://bookstore.greenbuilder.com/>
  • Gadi Evron at May 19, 2008 at 5:06 am

    On Sun, 18 May 2008, Bill Christensen wrote:
    At 7:48 AM -0700 5/18/08, Mark Sapiro wrote:
    Stefan Förster wrote:
    * Khalil Abbas wrote:
    I receive over 2000 messages from mailman-bounces every day with
    subject: Uncaught bounce notification.. and when opening any message
    it's nothing but another Spam Ad about pills or shoes or other
    stuff.. how can I stop these ADs from being sent to my Admin email?
    it's becoming a real pain as it takes forever to download to the
    inbox.. on the other hand, I don't want to disable the notification
    because sometimes it might be a bounce that mailman couldn't detect
    so I remove it manually from the list ..

    If you do not want to disable those notifications in Mailman, the
    easiest way seems to filter the messages before they are delivered to
    mailman. This probably involves some configuration in your MTA - but
    have you tried out the "Spam Filtering" options in your admin
    webinterface?

    Mailman's spam filters only apply to mail to the list and list-owner
    addresses. They don't apply to mail to -bounces.

    The remainder of Stefan's advice is good.

    If the original mail was sent to the list address by a non-member and bounced
    with an autoreply, would the spam filter have been applied? Is the filter
    only applied after the message passes a member/non-member test?

    My guess is that there's message rejection going on: the spam is coming to
    the list address, bouncing out as being from non member addresses, and
    bouncing back to the -bounce address. If that's the case, stop autoreplying
    to non member mail - or teach your moderators to discard rather than reject.

    Spam filtering before it gets to Mailman is still probably the best choice.

    Unrelated, I auto-delete bounces these days as to determine which is
    useful and which isn't, type-wise, takes me opening and examining the
    email.
  • Mark Sapiro at May 19, 2008 at 2:22 pm

    Bill Christensen wrote:
    At 7:48 AM -0700 5/18/08, Mark Sapiro wrote:

    Mailman's spam filters only apply to mail to the list and list-owner
    addresses. They don't apply to mail to -bounces.

    The remainder of Stefan's advice is good.
    If the original mail was sent to the list address
    by a non-member and bounced with an autoreply,
    would the spam filter have been applied? Is the
    filter only applied after the message passes a
    member/non-member test?

    For mail sent to the list posting address or the list-owner address,
    Mailman's header_filter_rules are applied before anything else.
    Mailman's bounce_matching_headers (a misnomer because it's actually a
    hold, not a bounce) are applied later to list posts (after member
    tests) and not at all to list-owner mail.

    My guess is that there's message rejection going
    on: the spam is coming to the list address,
    bouncing out as being from non member addresses,
    and bouncing back to the -bounce address. If
    that's the case, stop autoreplying to non member
    mail - or teach your moderators to discard rather
    than reject.

    Those are good suggestions, but in the case of the OP, the issue is
    much simpler than that. Spam is sent directly to the list-bounces
    address.

    Spam filtering before it gets to Mailman is still probably the best choice.

    Yes.

    --
    Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Brad Knowles at May 19, 2008 at 3:49 pm

    Mark Sapiro wrote and quoted Bill Christensen:

    Those are good suggestions, but in the case of the OP, the issue is
    much simpler than that. Spam is sent directly to the list-bounces
    address.

    Spam filtering before it gets to Mailman is still probably the best choice.

    Yes.

    It seems to me that the OP's problem is spam that is masquerading as a
    bounce. This has been going on for some time (see
    <http://www.crn.com/security/191900278> for an article written in 2006 about
    what one company was working on to combat the problem), but has become much
    more popular recently.


    The method known as Bounce Address Tag Validation (a.k.a., BATV, see
    <http://mipassoc.org/batv/>) is one way to try to mitigate fake bounces, but
    it is limited in scope and fragile. I think it may also break mailing lists.

    I have an alternative technique that I call Bounce Address Tag
    Fingerprinting (BATF) that I believe will be much more robust, won't require
    modifying the envelope sender address, and won't require any crypto. I have
    yet to get it officially written up anywhere, however.

    However, above everything else, BATV and BATF are not mutually exclusive.
    You could start with BATV now (if your systems are capable of handling it),
    and add BATF later, once it's been written down on paper and software has
    been developed which implements the technique.


    However, as you point out, all possible spam filtering should be done at the
    MTA, before the message ever gets to Mailman.

    --
    Brad Knowles <brad at shub-internet.org>
    LinkedIn Profile: <http://tinyurl.com/y8kpxu>

Discussion Overview
group: mailman-users @
category: python
posted: May 18, '08 at 7:46a
active: May 19, '08 at 3:49p
posts: 10
users: 6
website: list.org
