Filters That Fight Back

Marek Kowal marek.kowal at portal.onet.pl
Tue Sep 2 19:30:54 CEST 2003


> To tie this to the current thread --- This is what happens when the
> sender is forged and the bounce message goes to the forged sender rather
> than the true sender.

And which actually shows that you cannot do it properly. If people knew who
really sends the viruses, they would reply there, and not to the forged
sender. All the big ISPs (I mean, hundreds of thousands of accounts) found
a very long time ago that the only reasonable way of handling mails with
viruses is just to drop them to /dev/null, possibly informing the receiver
on a daily basis that XX emails he was supposed to receive were destroyed
because they contained viruses. The policy of sending the bounce to the
sender proved to be both:

- ineffective - the sender is usually forged anyway, or nobody is reading
those letters
- very dangerous - since you can easily become the target of a DoS attack, as
Przemek has pointed out in a previous post.

What is also dangerous (but of less importance) is that since you are
sending bounces to addresses that often do not exist, the other sites are
sometimes badly configured in such a way that they feel obliged to inform
you that they could not deliver the message (though bounces should not be
replied to, it happens very often). So in the very end you end up sending
bounces, which cause more bounces to be sent to you again, and the link
saturates even faster.

Also (this is a side remark), informing a user on a per-mail basis that the
destroyed letter contained a virus is like asking for trouble - when a worm
spreads out, we sometimes see a 10x increase in traffic - delivering those
mails would just put the system out of operation, due to capacity and I/O
problems. Only small setups can afford such functionality.

And the same problems will apply to spam, if you start sending bounces.

And last but not least - most of the spam is sent via legitimate accounts
created especially for that purpose on sites like USA.NET, AOL and other big
ISPs, since they have good outgoing links and local admins - rightly - tend
to trust them. If you start sending the bounces back (and mind it, this will
be proper, the account really is the sender of the spam!), and their admins
see that you have just sent them back a few thousand bounces, do not be
surprised when it is you who is considered the "bad guy" - they will block
you immediately. And being cut off from AOL is not a good idea, especially
when you have hundreds of your own users complaining. It is as stupid as
cutting off AOL yourself, because this is where you get most spam from.

So - in my opinion - sending bounces to the spammers is dangerous. What you
can do is block the sender of the envelope on your machine for - let us
say - 6 hours. Most SMTP servers can accommodate such functionality with
minor changes. The blocking could take place after receiving 5 messages
qualified as spam from the same source address or (in the case of less known
domains; you would have to have an exception list!) the whole domain. This
would stop a lot of spammers. Or you can slow down the connection. Peter
points out that this will make them open more parallel connections, but some
systems (Zmailer included) allow you to limit the number of simultaneous
connections from the same IP. Which does the trick.

Cheers,
Marek.
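The blocking policy sketched in the last paragraph (temporarily blocking an envelope sender after 5 messages classified as spam, blocking the whole domain for less known domains but only the individual account for domains on an exception list, and capping simultaneous connections per client IP) is illustrated below as an added example. This is not code from the post, from Bogofilter or from Zmailer; the 5-message threshold and 6-hour window come from the post, while the trusted-domain exception list, the sample sender addresses, the IP address and the `replay` helper are constructed for the example.

```python
import time
from collections import defaultdict

# Constructed values for this example: the 5-message threshold and 6-hour
# block come from the post; the trusted-domain exception list is a
# hypothetical list of large providers whose whole domain must never be blocked.
SPAM_THRESHOLD = 5
BLOCK_SECONDS = 6 * 3600
TRUSTED_DOMAINS = frozenset({"aol.com", "usa.net"})


def sender_domain(envelope_sender):
    """Return the lower-cased domain part of an envelope sender address."""
    return envelope_sender.rsplit("@", 1)[-1].lower()


class SenderBlocker:
    """Temporarily blocks envelope senders that keep delivering spam.

    For domains on the exception list only the individual address is
    blocked; for everything else the whole domain is blocked.
    """

    def __init__(self, threshold=SPAM_THRESHOLD, block_seconds=BLOCK_SECONDS,
                 trusted_domains=TRUSTED_DOMAINS):
        self.threshold = threshold
        self.block_seconds = block_seconds
        self.trusted_domains = set(trusted_domains)
        self.spam_counts = defaultdict(int)   # block key -> spam messages seen
        self.blocked_until = {}               # block key -> time the block expires

    def _block_key(self, envelope_sender):
        domain = sender_domain(envelope_sender)
        if domain in self.trusted_domains:
            return envelope_sender.lower()    # block only this account
        return domain                         # block the whole domain

    def record_spam(self, envelope_sender, now=None):
        """Count one spam message; returns True when this triggers a block."""
        now = time.time() if now is None else now
        key = self._block_key(envelope_sender)
        self.spam_counts[key] += 1
        if self.spam_counts[key] >= self.threshold:
            self.blocked_until[key] = now + self.block_seconds
            self.spam_counts[key] = 0
            return True
        return False

    def is_blocked(self, envelope_sender, now=None):
        """True if the address or its domain is inside an active block window."""
        now = time.time() if now is None else now
        for key in (envelope_sender.lower(), sender_domain(envelope_sender)):
            expires = self.blocked_until.get(key)
            if expires is None:
                continue
            if now < expires:
                return True
            del self.blocked_until[key]       # block expired: forget it
        return False


class ConnectionLimiter:
    """Caps simultaneous SMTP connections per client IP (a stand-in for the
    per-IP limit the post attributes to Zmailer; not Zmailer's code)."""

    def __init__(self, max_per_ip=3):
        self.max_per_ip = max_per_ip
        self.active = defaultdict(int)        # ip -> open connections

    def try_open(self, ip):
        """Admit a new connection from ip, or refuse it if the cap is reached."""
        if self.active[ip] >= self.max_per_ip:
            return False
        self.active[ip] += 1
        return True

    def close(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1


def replay(events, blocker):
    """Replay constructed (timestamp, envelope_sender, classified_as_spam)
    events through the blocker and return the decision taken for each."""
    decisions = []
    for ts, sender, is_spam in events:
        if blocker.is_blocked(sender, ts):
            decisions.append("rejected")       # refused at MAIL FROM time
            continue
        if is_spam and blocker.record_spam(sender, ts):
            decisions.append("accepted+blocked")
        else:
            decisions.append("accepted")
    return decisions


if __name__ == "__main__":
    # Constructed sample: six spams from a little-known domain, then a message
    # from a different user at that domain while the domain block is active.
    sample = [(t, "bulk@shady.example", True) for t in range(6)]
    sample.append((10, "someone.else@shady.example", False))
    print(replay(sample, SenderBlocker()))
```

The block is keyed on the domain for unknown senders and on the full address for domains in the exception list, which is exactly the distinction the post asks for: blocking all of AOL because of one abusive account would cut off legitimate users, while blocking a throwaway domain wholesale is cheap and effective. The connection limiter is independent of the spam counter and only caps concurrency per source IP; a slowed-down connection combined with that cap is what keeps parallel retries from compensating for the delay.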




More information about the Bogofilter mailing list