EmailDiscussions.com  

Old 6 Jul 2004, 02:33 AM   #1
Ann_jr
Senior Member
 
Join Date: Nov 2001
Location: CT, USA
Posts: 124
How to filter out "mail delivery failure" spam?

I have begun getting, a dozen or more per day, messages of the "couldn't deliver your mail" type. They are all to bogus prefixes affixed to my real "username.fastmail.fm" address. The content is 99% spam (drugs, mortgage, etc.).

I have not been using the anti-spam features because I found that they caught too much real stuff.

I can't filter on "*@username.fastmail.fm" because I have subscribed to a lot of lists, retailers, etc., using many different prefixes. It would be possible, but too time-consuming, to try to figure out all the ones I've used and whitelist them.

Has anyone else experienced this, and figured out a way to save the wheat and isolate the chaff?

Old 6 Jul 2004, 03:35 AM   #2
Daniel S
Guest
 
Posts: n/a
Are the prefixes random?

Is there anything common only to those messages' headers (use raw view to see the headers)?
Old 6 Jul 2004, 03:53 AM   #3
Ann_jr
Senior Member
 
Join Date: Nov 2001
Location: CT, USA
Posts: 124
Yes, the prefixes are random as far as I can see.

No, there's nothing consistent in the headers. Many have a content-type of "multipart/report; report-type=delivery-status", but not all.

I did set up a filter for "delivery" and "failure" and "returned" in the subject, so I hope that will catch many.
Old 6 Jul 2004, 04:19 AM   #4
Daniel S
Guest
 
Posts: n/a
This filter will catch more messages than you want, I think - not all of them automated messages

Set a rule by the Content-Type header if you want to match all delivery status notifications.

BTW, "something common in the headers" includes a common SpamAssassin spam hit.

Can you post one or two examples? I can't really think how to filter something I don't know how to match

By "random", do you mean "kxtrf@" or random first names (or something else)?
Old 6 Jul 2004, 06:23 AM   #5
Ann_jr
Senior Member
 
Join Date: Nov 2001
Location: CT, USA
Posts: 124
SpamAssassin: I'm not using it; too many false hits.

By random prefixes I mean "kxtrf@"; each time is different, of course.

Here's a sample message (the returned message is not quoted in full); XXXX represents my username.
=================
Return-Path: <>
Received: from frontend3.messagingengine.com (frontend3.internal [10.202.2.152])
by server2.fastmail.fm (Cyrus v2.3-prealpha) with LMTPA;
Mon, 05 Jul 2004 14:34:14 -0400
X-Sieve: CMU Sieve 2.2
X-Resolved-to: XXXX+7kn5h8@fastmail.fm
X-Delivered-to: 7kn5h8@XXXX.fastmail.fm
X-Mail-from:
Received: from mail26c.sbc-webhosting.com (unknown [216.173.237.166])
by smtp.us.messagingengine.com (Postfix) with SMTP id 3D58852EEF0
for <7kn5h8@XXXX.fastmail.fm>; Mon, 5 Jul 2004 14:34:11 -0400 (EDT)
Received: (qmail 62859 invoked for bounce); 5 Jul 2004 18:34:11 -0000
Date: 5 Jul 2004 18:34:11 -0000
From: MAILER-DAEMON@mail26c.sbc-webhosting.com
To: 7kn5h8@XXXX.fastmail.fm
Subject: failure notice
Message-Id: <20040705183411.3D58852EEF0@frontend2.messagingengine.com>


Hi. This is the qmail-send program at mail26c.sbc-webhosting.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<ZZZZZZZ@earthlink.net>:
207.217.125.22 does not like recipient.
Remote host said: 550 ZZZZZZZ@earthlink.net...User unknown
Giving up on 207.217.125.22.

--- Below this line is a copy of the message.

Return-Path: <7kn5h8@XXXX.fastmail.fm>
Received: from mail10b.sbc-webhosting.net (209.238.184.74)
by mail26c.sbc-webhosting.com (RS ver 1.0.94vs) with SMTP id 2-0627712448
for <YYYYYYYY@YYY.YYY>; Mon, 5 Jul 2004 14:34:08 -0400 (EDT)
Received: from 211.200.150.68 (211.200.150.68)
by mail10b.sbc-webhosting.net (RS ver 1.0.94vs) with SMTP id 1-0488142441
for <YYYYYYY@YYY.YYY>; Mon, 5 Jul 2004 14:34:04 -0400 (EDT)
Message-ID: <662701c462be$fc734ff6$8d48b4c0@FgZl>
From: "Paris Nock" <7kn5h8@XXXX.fastmail.fm>
To: YYYYYY@YYY.YYY
Subject: Real meds. Get it by tomorrow 2207
Date: Mon, 5 Jul 2004 13:33:35 -0500
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_609_4D79_76084D79.76084D79"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Loop-Detect:2

This is a multi-part message in MIME format.

Last edited by Ann_jr : 6 Jul 2004 at 09:31 AM.
Old 6 Jul 2004, 08:26 AM   #6
Daniel S
Guest
 
Posts: n/a
You can remove the message bodies (especially the link!). I do not need them, and I'm not sure you're even allowed to post them.

Not much info except for the random prefix, I think...

Try this Look In=Advanced rule: address :localpart :regex "X-Delivered-To" "[bcdfghjklmnpqrstvwxyz0123456789]{6,}".

Do you have some more examples of the random prefixes?
Old 6 Jul 2004, 09:39 AM   #7
Ann_jr
Senior Member
 
Join Date: Nov 2001
Location: CT, USA
Posts: 124
OK, I removed the body of the returned message, and changed the real addresses of the individual.

Some more of the random prefixes: l3s4, bnaq, dyyy, u4, jal, jf8, q9bz ... How many did you want?

I don't know enough to know what your suggested rule is intended to do.

In case I didn't make it clear before, I've made addresses for my own use with assorted prefixes, with varying numbers of characters. I don't think I've made any with digits, but not all of the spam ones use digits either.
Old 6 Jul 2004, 09:51 AM   #8
Guest
 
Posts: n/a
Quote:
Originally posted by Ann_jr
Some more of the random prefixes: l3s4, bnaq, dyyy, u4, jal, jf8, q9bz ... How many did you want?
As many as possible, thanks

Still need to improve...3 wouldn't be matched.

Quote:
Originally posted by Ann_jr
I don't know enough to know what your suggested rule is intended to do.
Match usernames which only contain the characters in brackets, uppercase or lowercase. It does not specify an action.

Quote:
Originally posted by Ann_jr
In case I didn't make it clear before, I've made addresses for my own use with assorted prefixes, with varying numbers of characters. I don't think I've made any with digits, but not all of the spam ones use digits either.
What is the shortest address you have used? (Most of the usernames are 4 letters or less).

If you don't use any with digits, delete the "bc...xy" substring from the rule in my previous post and.

This rule should match all prefixes...and hopefully not create false positives
address :localpart :regex "X-Delivered-To" text:
([bcdfghjklmnpqrstvwxyz0123456789]{6,}|[[:alnum:]]{0,4})

(I can't post the above as [font] or [code] tags without adding spaces and linebreaks inside the regex)

edit: If there is any space or linebreak in the regex, delete it.
Old 8 Jul 2004, 03:38 AM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
This sounds like a "Joe Job". I have had the same problem ... some spammers using my domain name for their return address, with random words for the username.

I started using FastMail in order to stop getting these messages. But I had to set up specific aliases to virtual domain email addresses I was using, so that the false usernames used by the spammers are rejected by the FastMail server. I can not use the *@mydomain.com catch-all method of retrieving my virtual domain emails. I have had no problems with my basic FastMail email address, so my comments here are only for virtual domains.

So I think the only easy way to ensure your sanity is for you to set up a specific virtual domain for each username you have used (such as SAM@mydomain.com, BOB@mydomain.com, etc.). Then the only Joe Job spam which will get through is if the spammer happens to accidentally choose one of your aliases (SAM or BOB in my example). In my experience, this is very rare.

Otherwise, you could try to ignore all delivery error messages. But this is dangerous, since you would never know when an email to a friend failed to be delivered.
n5bb is offline   Reply With Quote
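
Added example (not code from any poster or from FastMail): a sketch that combines the alias allowlist from post #9 with the random-prefix rule from post #8, so that bounces of mail the owner really sent are kept. The alias set, the returned labels, and anchoring the regex to the whole local part are assumptions; the sample message is constructed from the headers quoted in post #5.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers trimmed from the bounce quoted in post #5.
SAMPLE_BOUNCE = """\
Return-Path: <>
X-Delivered-to: 7kn5h8@XXXX.fastmail.fm
From: MAILER-DAEMON@mail26c.sbc-webhosting.com
To: 7kn5h8@XXXX.fastmail.fm
Subject: failure notice

Hi. This is the qmail-send program at mail26c.sbc-webhosting.com.
"""

# Hypothetical aliases the account owner really sends from.
KNOWN_ALIASES = {"lists", "shop", "bank"}

# The second rule from post #8, with [[:alnum:]] spelled out for Python and
# anchored to the whole local part (assumption: that is the intent).
RANDOM_PREFIX = re.compile(
    r"(?:[bcdfghjklmnpqrstvwxyz0123456789]{6,}|[a-z0-9]{0,4})", re.I)

def is_bounce(msg):
    """A null envelope sender or a DSN content type marks a bounce."""
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    dsn = (msg.get_content_type() == "multipart/report"
           and msg.get_param("report-type", "").lower() == "delivery-status")
    return null_sender or dsn

def classify(raw, known_aliases=KNOWN_ALIASES):
    """Return 'inbox', 'backscatter' or 'review' for one raw message."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("X-Delivered-To", ""))[1]
    local = addr.partition("@")[0].lower()
    if not is_bounce(msg):
        return "inbox"
    if local in known_aliases:
        return "inbox"          # bounce of mail we really sent: keep it
    if RANDOM_PREFIX.fullmatch(local):
        return "backscatter"    # bounce addressed to a random-looking prefix
    return "review"             # bounce to an unknown, non-random prefix

if __name__ == "__main__":
    print(classify(SAMPLE_BOUNCE))
```

Any alias of four characters or fewer that is missing from the allowlist is classified as backscatter, which is the false-positive risk behind the "shortest address" question in post #8.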