Joejob on my domain; anyone else?

LazyGun · 17 Oct 2006, 05:59 AM

My domain "greylines.net" is being forged as the sender of stock spams. The addresses are in the format
'3-5 random letters@domain name.tld' with names attached. The spams mostly contain a gif showing stock tips which is the real content and some unassociated text lifted from random sites. I think its one of the new polish spam gangs but Icbw.
Anyone else getting this?

JamesHenderson · 17 Oct 2006, 06:29 AM

LazyGun,

I think a lot of people have been getting these in the last few days - just look at the other threads.

I have a virtual domain also, but I've been getting exactly the same as you to my fastmail account.

I have now got a sieve script in place to junk everything coming to my fastmail account (except for some white listed sender addresses) from fastmail themselves.

J.

NumberSix · 17 Oct 2006, 08:46 AM

I've also been getting joe-jobbed recently, but not to any of my 3 private domains, rather to random letter sequences AT myusername.myfmdomain.tld. I've made extensive use of this "own-subdomain" feature, so it doesn't surprise me...

Dave

**Shelded** · 17 Oct 2006, 10:31 AM

It only takes a bit of sieve to fix this, using the x-backscatter header. This is why I like Fastmail. My mailshell.com account doesn't have anything I can hook and I'm also being joejobbed there. That service is just about useless to me now. I'm probably going to begin discarding the backscatter without any review but here's my script now.

PHP Code:


			
 if not header :contains ["X-Spam-known-sender"] "yes" {

 if allof(

   header :contains ["X-Backscatter"] "yes",

   not header :matches ["X-LinkName"] "*"  ) 

{   fileinto "INBOX.Junk Mail";   stop; }

 if  header :value "ge" :comparator "i;ascii-numeric" ["X-Spam-score"] ["12"]  

{   discard;   stop; }

 if  header :value "ge" :comparator "i;ascii-numeric" ["X-Spam-score"] ["6"]  

{   fileinto "INBOX.Junk Mail";   stop; }}

JamesHenderson · 17 Oct 2006, 03:01 PM

My spam is only to my fastmail address too. I've used sieve (via Kurian) to simply kill all emails to my fastmail address as I only use my virtual domain. The script whitelists some addresses that fastmail themselves use.

if allof(not header :regex "From" "(bounce|webmaster)@(fastmail.(fm|co.uk)|messagingengine.com)", header :regex "To" "<myaccountname>.fastmail") {
fileinto "INBOX.Junk Mail";
}

James.

IanO · 17 Oct 2006, 03:44 PM

I have also been getting Backscatter with 3-6 random letters before the @. I've noticed some of them do not have the X-Backscatter flag on them. Some of them claim to be 'an Out of Office Autoreply' others claim to mailing list errors. Seems like they should be caught as backscatter is there a place to report these?

I put in some sieve code to catch these:

Code:

if address :regex "X-Delivered-to" "^[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?@mydomain\\.tld"
		{
		fileinto "INBOX.Junk Mail";
		stop;
		}

Is there a better way to do this instead of all those '[a-z0-9]?' ? Also I noticed if I replace address: by header: it stops working!?

**Shelded** · 17 Oct 2006, 04:02 PM

The autoreplies are not backscatter since they are not bounces. They're replies. That is just spam generated by ignorant people. I can't filter those except by looking for headers like Auto Generated: Auto Reply. I get the same junk from Challenge Response systems

asking me to verify that I want to send them mail

IanO · 18 Oct 2006, 04:44 AM

Shelded, so it depends on your definition of backscatter

. Wikipedia for example defines it differently.

**Shelded** · 18 Oct 2006, 04:58 AM

You know, since writing it I have been having these guilt feelings. I don't even need to read your link to have some misgivings. Is that a retraction? I don't know, but when you read the mail headers it's clear that a bounce is different than an out of office reply. The message id is different so that's where I was coming from.

And I could fix that error on wikipedia couldn't I

IanO · 18 Oct 2006, 03:40 PM

And I could put it back, with truthiness on my side...

But seriously I understand trying to match all possible types would be a pain, with diminishing returns for each new type.

Perhaps email needs a new standard header flag for all "Auto-Reply" type messages

**Shelded** · 18 Oct 2006, 03:52 PM

I've been scouring my mailshell.com headers for days trying to see how they are different when bounced to me versus mailed to me... and today have figured it out. But there is no diff between mailed to me or auto replied to me, unless the sender courteously adds that header you mentioned, something like "Auto Replied" -- it would be handy, but the spammers would leave it out since it doesn't help them deliver.

17 Oct 2006, 05:59 AM	#1
LazyGun Senior Member Join Date: Jan 2002 Location: Dublin, Ireland Posts: 128	Joejob on my domain; anyone else? My domain "greylines.net" is being forged as the sender of stock spams. The addresses are in the format '3-5 random letters@domain name.tld' with names attached. The spams mostly contain a gif showing stock tips which is the real content and some unassociated text lifted from random sites. I think its one of the new polish spam gangs but Icbw. Anyone else getting this?

17 Oct 2006, 10:31 AM	#4
Shelded Moderator Join Date: Aug 2001 Location: USA Northwest Posts: 3,849	It only takes a bit of sieve to fix this, using the x-backscatter header. This is why I like Fastmail. My mailshell.com account doesn't have anything I can hook and I'm also being joejobbed there. That service is just about useless to me now. I'm probably going to begin discarding the backscatter without any review but here's my script now. PHP Code: `if not header :contains ["X-Spam-known-sender"] "yes" { if allof( header :contains ["X-Backscatter"] "yes", not header :matches ["X-LinkName"] "*" ) { fileinto "INBOX.Junk Mail"; stop; } if header :value "ge" :comparator "i;ascii-numeric" ["X-Spam-score"] ["12"] { discard; stop; } if header :value "ge" :comparator "i;ascii-numeric" ["X-Spam-score"] ["6"] { fileinto "INBOX.Junk Mail"; stop; }}`

17 Oct 2006, 03:44 PM	#6
IanO Senior Member Join Date: Oct 2003 Posts: 102	I have also been getting Backscatter with 3-6 random letters before the @. I've noticed some of them do not have the X-Backscatter flag on them. Some of them claim to be 'an Out of Office Autoreply' others claim to mailing list errors. Seems like they should be caught as backscatter is there a place to report these? I put in some sieve code to catch these: Code: if address :regex "X-Delivered-to" "^[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?[a-z0-9]?@mydomain\\.tld" { fileinto "INBOX.Junk Mail"; stop; } Is there a better way to do this instead of all those '[a-z0-9]?' ? Also I noticed if I replace address: by header: it stops working!?

17 Oct 2006, 06:29 AM	#2
JamesHenderson Cornerstone of the Community Join Date: Jan 2003 Location: Oxfordshire, UK Posts: 603	LazyGun, I think a lot of people have been getting these in the last few days - just look at the other threads. I have a virtual domain also, but I've been getting exactly the same as you to my fastmail account. I have now got a sieve script in place to junk everything coming to my fastmail account (except for some white listed sender addresses) from fastmail themselves. J.

17 Oct 2006, 08:46 AM	#3
NumberSix Cornerstone of the Community Join Date: Jan 2003 Location: The Village Posts: 616	I've also been getting joe-jobbed recently, but not to any of my 3 private domains, rather to random letter sequences AT myusername.myfmdomain.tld. I've made extensive use of this "own-subdomain" feature, so it doesn't surprise me... Dave

17 Oct 2006, 03:01 PM	#5
JamesHenderson Cornerstone of the Community Join Date: Jan 2003 Location: Oxfordshire, UK Posts: 603	My spam is only to my fastmail address too. I've used sieve (via Kurian) to simply kill all emails to my fastmail address as I only use my virtual domain. The script whitelists some addresses that fastmail themselves use. if allof(not header :regex "From" "(bounce\|webmaster)@(fastmail.(fm\|co.uk)\|messagingengine.com)", header :regex "To" "<myaccountname>.fastmail") { fileinto "INBOX.Junk Mail"; } James.

17 Oct 2006, 04:02 PM	#7
Shelded Moderator Join Date: Aug 2001 Location: USA Northwest Posts: 3,849	The autoreplies are not backscatter since they are not bounces. They're replies. That is just spam generated by ignorant people. I can't filter those except by looking for headers like Auto Generated: Auto Reply. I get the same junk from Challenge Response systems asking me to verify that I want to send them mail

18 Oct 2006, 04:44 AM	#8
IanO Senior Member Join Date: Oct 2003 Posts: 102	Shelded, so it depends on your definition of backscatter . Wikipedia for example defines it differently.

18 Oct 2006, 04:58 AM	#9
Shelded Moderator Join Date: Aug 2001 Location: USA Northwest Posts: 3,849	You know, since writing it I have been having these guilt feelings. I don't even need to read your link to have some misgivings. Is that a retraction? I don't know, but when you read the mail headers it's clear that a bounce is different than an out of office reply. The message id is different so that's where I was coming from. And I could fix that error on wikipedia couldn't I

18 Oct 2006, 03:40 PM	#10
IanO Senior Member Join Date: Oct 2003 Posts: 102	And I could put it back, with truthiness on my side... But seriously I understand trying to match all possible types would be a pain, with diminishing returns for each new type. Perhaps email needs a new standard header flag for all "Auto-Reply" type messages

18 Oct 2006, 03:52 PM	#11
Shelded Moderator Join Date: Aug 2001 Location: USA Northwest Posts: 3,849	I've been scouring my mailshell.com headers for days trying to see how they are different when bounced to me versus mailed to me... and today have figured it out. But there is no diff between mailed to me or auto replied to me, unless the sender courteously adds that header you mentioned, something like "Auto Replied" -- it would be handy, but the spammers would leave it out since it doesn't help them deliver.