Learning Backscatter

Thomas Anderson tanderson at orderamidchaos.com
Thu Jan 15 14:56:04 CET 2009


On Sat, 2009-01-10 at 17:47 +0000, RW wrote:
> I was wondering how good Bogofilter is at distinguishing between
> backscatter, and legitimate delivery failure messages. 
> 
> Specifically, does it look inside the attached original email.

It's not too good at it.  I do train my spam bounces, but it tends to
make legitimate bounces spammy as well.  What I do is weed out known
backscatterers first via the ips.backscatterer.org block list, and then
(after bogofilter) I push all bounces, spam or not, into a separate
folder for review.  The block list doesn't catch all backscatterers of
course, but it cuts down a lot.  The down side is that some of my
clients have had people complain that their emails are rejected due to
them being listed as a backscatterer.  I'm happy to help them to fix
their server and get their ip removed from the list of course, but some
might feel put off by it.  Nonetheless, after a nasty email bomb as a
result of being listed in some spammer's from/return address on a
massive scale, I've found it necessary to take this precaution so as not
to allow a DoS of the entire system.  Also, at that rate of incoming
messages, bogofilter would be an inefficient way to deal with
backscatter anyway.  The DNS block list is far more efficient as a first
line of defense.

A few times I politely pointed out to administrators that their servers
(which weren't yet listed on the block list) were misconfigured, but
they usually have a negative reaction unfortunately.  Here's one
explanation from a guy I just couldn't get through to: "Although our
spam filter is not set up in an ideal manner for spoofed email
addresses.  It allows our clients and other vendors who do email us to
receive a notification if we did not receive their email.  I apologize
that our spam filter is not configured in such a manner that reduces
traffic on the internet and I understand this is a result.  But, with
our business, clients are very demanding, and we cannot change the way
we do business and communicate with our clients or even potential
clients, at the risk of missing deadlines and so on and so forth.  It is
just the nature of our business."  And unfortunately, that's the nature
of the internet for the foreseeable future.  Hopefully, if more
administrators start using backscatter block lists, it will force those
backscatterers to change their ways if they ever intend on their emails
making it to their destinations.

Tom
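
The ordering described in the message above (DNS block list first, then the content filter, then every bounce into a review folder), sketched in Python as an added example that is not part of the original post or of Bogofilter. The function names, the `classify` callback standing in for bogofilter, and the choice to apply the block list only to bounces are assumptions of this example; the sample message is constructed.

```python
import email
import ipaddress
import socket

DNSBL_ZONE = "ips.backscatterer.org"  # block list zone named in the post
# Constructed sample bounce (null envelope sender, RFC 3464 report type).
SAMPLE_DSN = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\n"
              "Content-Type: multipart/report; report-type=delivery-status;"
              " boundary=b\n\n--b\nContent-Type: text/plain\n\n"
              "Delivery failed.\n--b--\n")


def dnsbl_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL query name: reversed IPv4 octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname):
    """Listed if the name resolves into 127.0.0.0/8; no answer = not listed."""
    try:
        answer = resolve(dnsbl_name(ip))
    except OSError:  # socket.gaierror (NXDOMAIN, timeout) is a subclass
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def is_bounce(msg):
    """Null envelope sender, or a multipart/report delivery-status message."""
    return_path = (msg.get("Return-Path") or "").strip()
    dsn = (msg.get_content_type() == "multipart/report"
           and msg.get_param("report-type") == "delivery-status")
    return return_path == "<>" or dsn


def route(raw, client_ip, classify, resolve=socket.gethostbyname):
    """Return 'reject', 'bounce-review', 'spam' or 'inbox' for one message."""
    bounce = is_bounce(email.message_from_string(raw))
    # Step 1: one cheap DNS query before any content filtering. Assumption of
    # this example: only bounces are refused, so ordinary mail from a listed
    # host still gets through.
    if bounce and is_listed(client_ip, resolve):
        return "reject"
    # Step 2: content filter (hypothetical callback in place of bogofilter).
    verdict = classify(raw)
    # Step 3: every surviving bounce goes to review, spam or not.
    if bounce:
        return "bounce-review"
    return "spam" if verdict == "spam" else "inbox"
```

The `resolve` parameter exists so the lookup can be replaced with a stub when testing offline; in production the default performs a real DNS query per connecting IP.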





