[SLL] [Fwd: Delivery Status Notification (Failure)] - joe jobs

Sun Feb 15 15:36:43 PST 2009

On Sun, February 15, 2009 2:52 pm, Dave Dennis wrote:
> On Sun, 15 Feb 2009, Paul Franz wrote:
>
>> I'm getting deluged with thousands of these joe jobs due to some spammer using my
>> e-mail address in his "reply to:" header. Most come from qmail and Exchange servers.
>>
>> What is the proper way to fix this problem? I could treat each of these joe jobs as
>> spam and automate a reply to them using procmail. It started happening a few days
>> ago
>> just getting a few hundred of these joe jobs a day but now the problem is growing to
>> a
>> few thousand just today alone.
>>
>> Maybe I should make an effort to go after the spammer who caused the joe jobs in the
>> first place.
>>
>> Comments?
>
> Items to check:
>
> 1) Are you accepting for delivery on non existent local addresses, or have a
> catchall.  Fix that, obsolete config.  See
> http://spamlinks.net/prevent-secure-backscatter.htm

These bounce messages (joe jobs) are being sent from valid mail servers to a valid
address (mine) on my mail server. The cause is that the spam that causes the response
has a return address for me. All of these mail servers are not checking SPF records or
verifying that the spam came from a valid mx for my domain.

> 2) Don't auto reply, you'll contribute to the problem, might result in your
> server being blocked in some places.  Just makes the problem worse.  SMTP's
> broken enough, don't add to it.

It's too much work to do it manually but if I made a response it would be a courteous
letter to the postmaster of the joe job sender explaining that they are responding to
a forged return address and hence creating a joe job.

>
> 3) Check your DNS hosting; are you secondary hosting anyone's DNS, or are you
> secondaried anywhere?  A whole lot of trouble can be prevented by taking down
> secondary DNS hosting for others, cause you are probably taking on their bounced
> spams.

That's not the cause, it's simply that the spams being sent out have my address as the
return or "Reply to:" address. That is the cause of the thousands of joe jobs mostly
all coming from qmail and exchange servers.

> 4) Similarly, are you "smarthosting" anyone.  Are the joe jobs the result of any
> of your customers/users bouncing their spams to you

Yes, I am smart hosting but that isn't the cause.

> 5) What MTA are you running?  If its postfix it will have some graylisting /
> SpamAssassin that could help you out here a lot.

Sendmail/procmail. Can't get SpamAssassin going since it requires newer Python than I
have. Upgrading Python was unsuccessful. I am way overdue on upgrading the OS on this
mail server. It is Fedora Core. I plan to migrate to CentOS to get off the frequent
upgrade requirement of Fedora.

>
> Those were in rough order of importance without seeing a header its all
> guesswork.  If you want to forward me a header or server log I can attempt to
> assist further.

Luckily it is no configuration problem on my end, just getting joe jobs launched as
auto replies from mostly qmail and secondarily Exchange Servers and a few others.

>
>
> Dave D
>
> +-------------------------
> + Dave Dennis
> + Seattle, WA
> + Speakeasy, Inc.
> + dmd at speakeasy.net
> + http://www.speakeasy.net
> +-------------------------
>

-- 
Paul Franz
425.440.9505 (O)
425.241.1618 (C)