Spam Tools Filter

Forum for MailWasher Pro 7 and/or older 2011/2012 versions.
uk1
Student Sheep
Posts: 17
Joined: Sun Sep 21, 2008 4:26 am

Spam Tools Filter

Sat Apr 16, 2011 7:48 am

My domain has been hijacked by a spammer and I'm receiving 1000s of bounced emails each day. Basically he is using randomnames@mydomain.com.

If I set a couple of Spam Tools Filters to automatically delete anything from any address that includes "postmaster" or "mailer-daemon" - are there likely to be any unforeseen filtering consequences please, apart from the obvious one that anything I send to an incorrect address I'll not know about?

Is there anything else I can do to control the volume of this rubbish please? It's driving me mad.

Thanks.

Jeff
anniebrion
βeta Tester
Location: Milkyway, Sol, Earth, UK, London
Posts: 3222
Joined: Thu Nov 05, 2009 10:39 am

Re: Spam Tools Filter

Sat Apr 16, 2011 8:12 am

Do what I'm in the process of doing.

Create individual forwarding email addresses to a single mailbox then remove the catchall so that any addresses that you have not set up will be bounced at the domain server :)

This is not an overnight fix but at the end of the day catchalls are dangerous things to have and removing them is well worth it in the long run.
Annie.......... PC details
Mailwasher Pro βeta [v 7.12.39]
Sidewinder
Weary Womble
Posts: 11676
Joined: Sun Mar 29, 2009 2:05 pm

Re: Spam Tools Filter

Sat Apr 16, 2011 8:39 am

If you had previously "Bounced" the spammers may be retaliating.
I am not a Firetrust employee. Just a MW User & Volunteer BETA Tester.
Remember "FREEDOM IS NEVER FREE" U.S.N.
DT W7 64 HP SP1 16GB Ram - LT W7 32 HP SP1 4GB Ram - iPad4 64 GB Ram WiFi/Cellular IOS 9.3 Beta 3
uk1
Student Sheep
Posts: 17
Joined: Sun Sep 21, 2008 4:26 am

Re: Spam Tools Filter

Sat Apr 16, 2011 9:12 am

anniebrion wrote: Do what I'm in the process of doing.

Create individual forwarding email addresses to a single mailbox then remove the catchall so that any addresses that you have not set up will be bounced at the domain server :)

This is not an overnight fix but at the end of the day catchalls are dangerous things to have and removing them is well worth it in the long run.

Thanks. If I understand you - you are suggesting that I create a forward for all kosher addresses. Unluckily as I own the domain I have freely used names to identify the source of any mail that comes to me. There are probably hundreds I've used over the years. For example mail from British Gas might be britishgas@mydomain.com. So setting this up is impractical.

Sidewinder wrote: If you had previously "Bounced" the spammers may be retaliating.

Thanks. I've never set up a bounce. This is a spammer who has sent out literally millions of spams with random addresses all at one of my owned domains.

Are there any potential downsides to the method I proposed please?

I wrote: If I set a couple of Spam Tools Filters to automatically delete anything from any address that includes "postmaster" or "mailer-daemon" - are there likely to be any unforeseen filtering consequences please, apart from the obvious one that anything I send to an incorrect address I'll not know about?
Sidewinder
Weary Womble
Posts: 11676
Joined: Sun Mar 29, 2009 2:05 pm

Re: Spam Tools Filter

Sat Apr 16, 2011 9:38 am

I would suggest a couple of things. First use an identifiable Filter Name but don't initially set it for auto delete until you are comfortable with the result. Set the filter to always mark for delete. Set up your Sort options with Groups so that the filter(s) will bucket into groups for easy review.
Use some additional filters to grab your good mail ahead of the spam and bucket it into group(s) for review.

The issue with Auto delete is that only a fragment of each message is retained in the recycle bin when you auto delete. When the server deletion occurs there is no way to retrieve the full message other than to contact the original sender.

If after you operate that way for a while and see that your results are 100% accurate then you can alter the Filter for Auto Delete.
I am not a Firetrust employee. Just a MW User & Volunteer BETA Tester.
Remember "FREEDOM IS NEVER FREE" U.S.N.
DT W7 64 HP SP1 16GB Ram - LT W7 32 HP SP1 4GB Ram - iPad4 64 GB Ram WiFi/Cellular IOS 9.3 Beta 3
uk1
Student Sheep
Posts: 17
Joined: Sun Sep 21, 2008 4:26 am

Re: Spam Tools Filter

Sat Apr 16, 2011 11:00 am

Thanks.
stan_qaz
Omniscient Kiwi
Location: Gilbert, Arizona
Posts: 8671
Joined: Fri Jul 25, 2008 5:13 am

Re: Spam Tools Filter

Sat Apr 16, 2011 1:50 pm

I've been in the same situation, 8,000 plus per day and the filters here dealt with it without problem. I didn't want to fiddle with my server setup, I use several hundred custom addresses that I recycle into spamtraps once they become compromised, any change would be too much effort.

http://forum.firetrust.com/viewtopic.php?f=50&t=5575

Bounce Legit and Bounce Bogus are the two to look at.

I used a pair of filters, one to protect any bounce messages from my server, add lines and ANY condition if you use more than one. The second grabs the bounces from other servers, these will all be poorly configured servers that do not issue SMTP reject codes during the SMTP session but accept the mail and later send a reject message that goes to the sender's spoofed address.

You may be getting a bunch of Challenge/Response, Spam Blocker and the like messages too, a filter to catch all of them is a big help. Just identify the bits in the header that identify the bouncing program/system and add it to the filter with the ANY condition and they will all be tagged. I found a vast majority of these messages only came from a few different systems so the filter was pretty short.

Adding the "not from me" filter in the post below is also a good idea, it will tag any message that did not come from one of your e-mail programs as it checks the entire From: line to ensure it is correct. That will clear up any sent to your account by the spammer. If they ever should start spoofing the entire From: line just make a minor edit to the line in your e-mail program and update the filter to match and you are working again.

With these if you group by the status column all the junk will be stuck in individual groups.
I am not a Firetrust employee just a MW user.
--
First rule of computer consulting: Sell a customer a Linux computer and you'll eat for a day,
sell a customer a Windows computer and you'll eat for a lifetime.
rusticdog
Firetrust Monkey
Posts: 15864
Joined: Mon Jun 13, 2005 6:27 pm

Re: Spam Tools Filter

Sat Apr 16, 2011 2:15 pm

I don't know how useful ClaraNET might be in this situation, but you could perhaps at least contact them and see if they offer anything in the way of utilising the Sender Policy Framework for your domain. This is by no means a quick fix, but it could offer some relief should the problem continue.

http://en.wikipedia.org/wiki/Sender_Policy_Framework
anniebrion
βeta Tester
Location: Milkyway, Sol, Earth, UK, London
Posts: 3222
Joined: Thu Nov 05, 2009 10:39 am

Re: Spam Tools Filter

Sat Apr 16, 2011 8:05 pm

uk1 wrote:
anniebrion wrote: Do what I'm in the process of doing.

Create individual forwarding email addresses to a single mailbox then remove the catchall so that any addresses that you have not set up will be bounced at the domain server :)

This is not an overnight fix but at the end of the day catchalls are dangerous things to have and removing them is well worth it in the long run.

Thanks. If I understand you - you are suggesting that I create a forward for all kosher addresses. Unluckily as I own the domain I have freely used names to identify the source of any mail that comes to me. There are probably hundreds I've used over the years. For example mail from British Gas might be britishgas@mydomain.com. So setting this up is impractical.

What you explained is exactly what I have been doing for many years, each of my contacts has a separate address like in your example, it takes quite an effort to set up all the forwarding addresses but at the same time gives you the chance to remove lots of the newsletters etc... that you don't actually need.

It has taken about a week for me to add 56 individual forwarding addresses (these are the main addresses; there are lots of forum accounts that I need to set up but I don't use them much) but my spam has decreased dramatically, so for me the effort is well worth it.

I have not yet switched the catchall off but have forwarded known spammed addresses to a no-reply mailbox that MWP knows to auto delete :)
Annie.......... PC details
Mailwasher Pro βeta [v 7.12.39]
racker
Knowledgeable Kea
Location: Zaandam, Holland, _____________ the_Netherlands
Posts: 1710
Joined: Thu Aug 26, 2010 9:40 pm

Re: Spam Tools Filter

Sat Apr 16, 2011 11:39 pm

uk1 wrote: My domain has been hijacked by a spammer and I'm receiving 1000s of bounced emails each day. Basically he is using randomnames@mydomain.com.
(...)
Is there anything else I can do to control the volume of this rubbish please? It's driving me mad.

Thanks.

Jeff

I used to have a relatively expensive hosting contract for my domain which included 50 separate e-mail addresses.
Last year I changed this: I now pay $10,- a year for a DNS entry only, where visitors to my domain are forwarded to the free webspace I have with my ISP. All mail to *@mydomain.nl is forwarded to any mailbox I choose, the catchall.

What I've done is this:
- Opened a Gmail account and set up the catchall to forward everything to Gmail.
- Disabled Gmail spam filtering (you can skip this if you trust Google to do the right filtering): http://www.webtlk.com/2009/01/26/how-to ... ogle-mail/
- Set up Gmail filters that forward any messages with valid addresses (i.e. the addresses I wish to use) to four of the "normal" mail accounts I have with my ISP.
- Set up a last Gmail filter that forwards any messages with addresses not mentioned in the previous filters to another mail account with my ISP: my own personal spambox.
- Have MWP20XX check all five "standard" accounts with my ISP.

Works great!!! :)
Beta tester.. oh well! ;)..
Mobile phone: Moto G5 on Android 8
MWP FAQ
Dutch-language user manual!
...Imagine all the people, sharing all the world...
uk1
Student Sheep
Posts: 17
Joined: Sun Sep 21, 2008 4:26 am

Re: Spam Tools Filter

Sun Apr 17, 2011 6:09 am

Sidewinder wrote: I would suggest a couple of things. First use an identifiable Filter Name but don't initially set it for auto delete until you are comfortable with the result. Set the filter to always mark for delete. Set up your Sort options with Groups so that the filter(s) will bucket into groups for easy review.
Use some additional filters to grab your good mail ahead of the spam and bucket it into group(s) for review.

The issue with Auto delete is that only a fragment of each message is retained in the recycle bin when you auto delete. When the server deletion occurs there is no way to retrieve the full message other than to contact the original sender.

If after you operate that way for a while and see that your results are 100% accurate then you can alter the Filter for Auto Delete.

Thanks - I'm unable to see any downside to this approach.

Obviously each time I'm currently logging in I'm seeing sometimes several thousand in MWP, but I just sort them in Subject order and then scroll quickly down the page and confirm delete. I appreciate the other suggestions which involve more work - but I'm unable to see a downside to this approach - am I missing something?

Thanks,

Jeff
AlphaCentauri
Guardian Gecko
Posts: 362
Joined: Thu Jul 24, 2008 3:39 pm

Re: Spam Tools Filter

Sun Apr 17, 2011 4:53 pm

I occasionally get a few thousand of these as retaliation for spam reporting.

But when most people find their email address being forged into the "from" field, the spammer is just choosing it randomly -- sometimes when spammers make up an address, it really exists, sometimes it doesn't, sometimes it's yours.

When the address is just being chosen at random, the spammer is doing it to try to get his spam delivered. He's not going to keep using the same email address in the "from" field long enough for it to be incorporated in spam filters. He'll move to someone else's address. So unless you're trying to identify all those spam bounces for some reason, there's not a lot of point spending time creating a filter for an event that will be over in a couple days.

If you do keep them, they are useful evidence of which different affiliate programs a single mailer is associated with.
uk1
Student Sheep
Posts: 17
Joined: Sun Sep 21, 2008 4:26 am

Re: Spam Tools Filter

Sun Apr 17, 2011 7:02 pm

In my situation - the from field is randomly generated and seems infinitely variable, i.e. 67&23dfa21@mydomain.com. So a filter covering the return cannot be constructed using the address - it can only be constructed using the subject. At least the filter pre-completes the tick for delete - which when you're dealing with several hundred or thousand per hour is a help.

I'm unable to think of any downside to this.
AlphaCentauri
Guardian Gecko
Posts: 362
Joined: Thu Jul 24, 2008 3:39 pm

Re: Spam Tools Filter

Mon Apr 18, 2011 2:26 am

I have a couple things that help me. One is that in my email client, where it asks for "organization," I enter a number that means nothing to anyone but me. Any email that comes with my address in the "from" but doesn't have that number in the complete headers can be filtered.

I also created a spamtrap address that by luck is the first address of all my addresses alphabetically. Spammers are quite cooperative at sending to that address and making everything else a CC or Bcc of the same email. So anything that has that address in the headers can be filtered as spam, too. The address has been posted in a very inconspicuous (to humans) place for several years now, and a large percentage of my spam comes addressed to it.
stan_qaz
Omniscient Kiwi
Location: Gilbert, Arizona
Posts: 8671
Joined: Fri Jul 25, 2008 5:13 am

Re: Spam Tools Filter

Mon Apr 18, 2011 3:08 am

uk1 wrote: ...the from field is randomly generated and seems infinitely variable ie 67&23dfa21@mydomain.com. So a filter covering the return cannot be constructed using the address.

That is the wrong approach, filter first for all known good addresses to protect them then filter out the remaining ones as spam.
I am not a Firetrust employee just a MW user.
--
First rule of computer consulting: Sell a customer a Linux computer and you'll eat for a day,
sell a customer a Windows computer and you'll eat for a lifetime.
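
The filter ordering discussed in this thread (protect bounces from your own server, tag the remaining bounces, check a private Organization value for "not from me", then protect known good addresses), as an added Python example that is not code from any poster or from MailWasher. The server name, addresses, token value and the extra "bounce-review" group are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Every value below is an assumption for illustration, not taken from the thread.
MY_DOMAIN = "mydomain.com"              # placeholder domain, as written in the posts
MY_SERVER = "mail.myhost.example"       # host that sends my own server's bounces
SENDING_ADDRS = {"jeff@mydomain.com"}   # addresses I really send mail from
KNOWN_GOOD = SENDING_ADDRS | {"britishgas@mydomain.com"}  # aliases I have handed out
ORG_TOKEN = "48151623"                  # private Organization: value set in my client
BOUNCE_SENDERS = {"mailer-daemon", "postmaster"}

def classify(raw):
    """Return a review group for one message; nothing is deleted automatically."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    local, _, domain = sender.partition("@")
    is_bounce = (local in BOUNCE_SENDERS
                 or msg.get("Return-Path", "").strip() == "<>"
                 or msg.get_content_type() == "multipart/report")
    if is_bounce:
        if domain == MY_SERVER:
            return "bounce-legit"       # protect: my own server's non-delivery reports
        if rcpt in SENDING_ADDRS:
            return "bounce-review"      # remote bounce to a real sender address: look first
        return "bounce-bogus"           # backscatter for a forged random address
    if domain == MY_DOMAIN and ORG_TOKEN not in msg.get("Organization", ""):
        return "not-from-me"            # claims my domain but lacks my private header
    return "good" if rcpt in KNOWN_GOOD else "unknown-recipient"

def sample(frm, to, **extra):
    """Build a constructed, header-only message for the demonstration."""
    fields = {"From": frm, "To": to, **{k.replace("_", "-"): v for k, v in extra.items()}}
    return "".join(f"{k}: {v}\n" for k, v in fields.items()) + "\nbody\n"

SAMPLES = {  # constructed messages, one per group
    "backscatter": sample("MAILER-DAEMON@mx.other.example", "q7x23dfa21@mydomain.com", Return_Path="<>"),
    "own_bounce": sample("MAILER-DAEMON@mail.myhost.example", "jeff@mydomain.com"),
    "typo_bounce": sample("postmaster@mx.other.example", "jeff@mydomain.com"),
    "forged": sample("jeff@mydomain.com", "britishgas@mydomain.com"),
    "mine": sample("jeff@mydomain.com", "jeff@mydomain.com", Organization=ORG_TOKEN),
    "bill": sample("billing@britishgas.example", "britishgas@mydomain.com"),
    "catchall": sample("offers@bulk.example", "zz91k@mydomain.com"),
}

def triage(samples):
    """Map each sample name to its group, ready for sorting by group in review."""
    return {name: classify(raw) for name, raw in samples.items()}
```

Grouping by the returned label mirrors the "mark for delete, review by group" workflow; the "bounce-review" group keeps a remote bounce addressed to a real sending address out of the bulk-delete pile.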
