Backscatter and joe jobs

Tuesday, April 22nd, 2008 | linux

I guess every blogging sysadmin has to blog about spam at least once. I’ll try to keep my frustration with spammers in check, except to note that I’m absolutely dismayed with the amount of time and effort the world has to spend cleaning up after these miscreants (according to some sources, spam makes up 70-80% of all email sent around the net).

We’re running our own mail server – a Debian GNU/Linux based system using Postfix as the mailer and SpamAssassin for spam filtering. SpamAssassin has been doing a great job of filtering our spam, especially since we started using the Bayesian classifier. SpamAssassin successfully catches most of the hundreds of spams I receive every day.

Last Friday, we noticed a fairly dramatic increase in the number of spams that were getting through our filtering – up from 3 or 4 a day to 10 or 20 a day. Updating our SpamAssassin rules to the latest using sa-learn and retraining the Bayesian classifier seemed to do the trick.

This morning, I arrived to find over 1000 mails in my inbox, all of them bounces from servers that had been spammed with forged aplpi.com sender addresses, a type of spamming known as a Joe Job. I wasn’t particularly surprised to find our email addresses being used by spammers, but I was a bit frustrated at the outcome: the bounces, or backscatter, were making it pretty difficult to even see genuine emails in my inbox, never mind respond to them. One of the bloggers I regularly read noted a similar trend for their domain; it looks to me like one or more botnets have ramped up their activity significantly in recent times.

Regardless of the cause of all this, I needed a solution to the problem. A cry for help to the SAGE-IE mailing list pointed me at Justin Mason’s blog on dealing with backscatter using some modifications to Postfix and some enhancements to our SpamAssassin configuration. It took half an hour of reconfiguring to apply Justin’s suggested changes, which immediately resulted in a dramatic reduction in backscatter.

The Postfix changes alone seemed to catch 75% of the bounces. The SpamAssassin VBounce ruleset tagged the rest (note that you must add your mail relay(s) to whitelist_bounce_relays for this to work properly). For now, I’m going to filter the bounces into a separate folder with the following procmail recipe and review them periodically; so far they’re all junk from misconfigured mailservers:

# Anything SpamAssassin tagged with a VBounce rule goes to a separate folder
:0:
* ^X-Spam-Status:.*ANY_BOUNCE_MESSAGE.*
$HOME/mail/bounces
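
To show why whitelist_bounce_relays matters, here is a small Python script written for this post (it is not SpamAssassin's VBounce plugin code) that applies the same idea: a bounce is only trusted if the quoted original message passed through one of our own relays. The relay name mail.example.com, the addresses and both sample messages are constructed for the example.

```python
import email, re
from email import policy

# Assumption for this example: the relay(s) our outbound mail leaves through,
# i.e. what would be listed in whitelist_bounce_relays in SpamAssassin's local.cf.
OUR_RELAYS = {"mail.example.com"}
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

def is_bounce(msg):
    # A DSN comes from MAILER-DAEMON and/or is a multipart/report message.
    sender = str(msg.get("From", "")).lower()
    return "mailer-daemon" in sender or msg.get_content_type() == "multipart/report"

def quoted_original_relays(msg):
    # The DSN encloses the bounced original as a message/rfc822 part; its own
    # Received: headers record which hosts it really passed through.
    hosts = set()
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        for received in part.get_payload(0).get_all("Received", []):
            hosts.update(h.lower() for h in RECEIVED_BY.findall(str(received)))
    return hosts

def classify(raw_message):
    # 'genuine' only if the bounced original went through one of our own relays.
    msg = email.message_from_string(raw_message, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    return "genuine" if quoted_original_relays(msg) & OUR_RELAYS else "backscatter"

# Constructed sample: a joe-job bounce; the quoted original never touched our relay.
JOE_JOB_BOUNCE = """From: MAILER-DAEMON@relay.example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: message/rfc822

Received: from zombie.example.org (unknown [192.0.2.10])
 by relay.example.net (Postfix) with SMTP id 1234
From: ours@example.com
Subject: cheap watches

spam body
--B--
"""
# Constructed sample: the same bounce, but the original really was relayed by us.
GENUINE_BOUNCE = JOE_JOB_BOUNCE.replace("zombie.example.org (unknown [192.0.2.10])", "mail.example.com (mail.example.com [192.0.2.1])").replace(
    "id 1234\n", "id 1234\nReceived: from desktop.example.com ([192.0.2.5])\n by mail.example.com (Postfix) with ESMTP id 9\n")
```

A real deployment would also handle text/rfc822-headers parts and bounces that quote the original inline, which is part of why the VBounce rules are more involved than this.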

We’re running the latest stable version of Debian on our production servers (Debian 4.0 aka Etch). Unfortunately this doesn’t include the very latest SpamAssassin. In order to ensure we’re running with the absolute newest SpamAssassin rules, not only are we running sa-learn regularly, but I’ve reconfigured our servers to use debian-volatile (which is a repository of backported packages for the stable Debian distributions catering specifically for fast-moving targets such as spam filtering and virus scanning).

I’d like to thank Justin Mason for his excellent blog (and work on SpamAssassin) and the folks on the SAGE-IE list for their prompt responses. Here’s hoping this keeps the spammers at bay for a few more months!

1 Comment to Backscatter and joe jobs

Justin Mason
May 3, 2008

You’re welcome! 😉