[thelist] forged FROM: in emails

Liam Delahunty ldelahunty at britstream.com
Sun Feb 23 06:15:01 CST 2003


Erik Mattheis wrote:
>> A spammer has decided to use a non-existing mail box of a
>> domain I host as a forged FROM:

On Saturday, February 22, 2003, at 09:16 PM, Hugh Blair wrote:
> If the messages are always the same "xxxx at domain.com", then
> set up a forwarder on just that address to:
> anything at sparkingwire.com  - the perfect dead end.
>
> http://sparkingwire.com/

No, that _would_ be wasting bandwidth, as the emails are coming to Erik's
server and then being forwarded to sparkingwire. Also, sparkingwire wants to stop
spam to real addressees by sucking it up, by using their address in the first
place. They are not to be the conduit for accounts already receiving spam.

>Well, the situation is this: the spammer's (maybe spammers'?) list(s)
>contain a lot of invalid emails. And because the FROM: is forged as my
>client, the bounces come from the daemon of the host of the invalid
>email.

That sounds to me like they could be using a mailing form on your client's
web-site. Check your logs, as I have found that forged return addresses bounce
to a "real" address, whilst a form being abused will return to
httpd/nobody/postmaster/siteadmin depending on the server set-up. E.g. they
could have a simple PHP form that has the To: address in the form rather than
"hardwired" into the code, which the spammer could abuse in a similar way to
the FormMail exploit.

In any case, I would set up a procmail filter for the account getting the
bounces:

# bounce notices recognisable from the Subject: line
:0:
* ^Subject:.*(delivery failed|system error|user unknown)
/path/to/bounce/file

# bounce notices recognisable from the sender headers
:0:
* ^(Received|From|Re(ply|turn)).*(Mail Delivery System|Mailer-Daemon|postmaster)
/path/to/bounce/file

and then you can just delete it after a wee while... At least it won't
bother your client anymore.

HTH
Liam Delahunty
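The same two bounce tests as the procmail recipe above, plus the "did it land in a web-server account rather than the forged mailbox" check Liam suggests, as an added example that is not part of the original post; the header names, the account list and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Patterns from the procmail recipe, grouped so each keyword is tested as a
# whole rather than any line containing e.g. "system error" matching.
SUBJECT_RE = re.compile(r"delivery failed|system error|user unknown", re.I)
SENDER_RE = re.compile(r"Mail Delivery System|Mailer-Daemon|postmaster", re.I)
SENDER_HEADERS = ("Received", "From", "Reply-To", "Return-Path")

# Local parts an abused web form tends to bounce to (list taken from the post;
# constructed here as an assumption, adjust for the real server set-up).
FORM_ACCOUNTS = {"httpd", "nobody", "postmaster", "siteadmin"}


def classify_bounce(raw: str) -> dict:
    """Report which rule (if any) flags the message as a bounce and whether
    it landed in a web-server account instead of the forged address."""
    msg = message_from_string(raw)
    subject_hit = bool(SUBJECT_RE.search(msg.get("Subject", "")))
    sender_hit = any(
        SENDER_RE.search(str(value))
        for name in SENDER_HEADERS
        for value in msg.get_all(name, [])
    )
    # The bounce is delivered to the To: address; compare its local part.
    to_local = parseaddr(msg.get("To", ""))[1].split("@", 1)[0].lower()
    is_bounce = subject_hit or sender_hit
    return {
        "is_bounce": is_bounce,
        "rule": "subject" if subject_hit else ("sender" if sender_hit else None),
        "form_abuse_hint": is_bounce and to_local in FORM_ACCOUNTS,
    }


# Constructed sample messages standing in for real bounces.
BOUNCE_TO_FORGED = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: nosuchbox@client.example
Subject: Delivery failed: user unknown

The message could not be delivered.
"""
BOUNCE_TO_FORM_ACCOUNT = """From: postmaster@mx.example.net
To: <nobody@client.example>
Subject: Undeliverable mail

Unknown recipient.
"""
ORDINARY = """From: alice@example.org
To: erik@client.example
Subject: Re: site copy

Looks fine to me.
"""

if __name__ == "__main__":
    for raw in (BOUNCE_TO_FORGED, BOUNCE_TO_FORM_ACCOUNT, ORDINARY):
        print(classify_bounce(raw))
```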
