Spam filters failing?

[Kocab]

Has anyone else noticed a significant increase in spam getting through FastMail's filters in the last 24 hours or so? I've gone from no spam at all to a ratio of about 1:1 ham/spam.

Most of it is bounce-back spam.

If you're not seeing it, perhaps it's just my turn to have my primary email address be used as a spammers return email.

[Sherry]

Quote:

Originally Posted by Kocab

Most of it is bounce-back spam.

Hi Kocab,

If you have a Full or Enhanced account then perhaps the "backscatter" detection is not active on your account. The following is a quote I got from somewhere however I couldn't find the exact one in the FAQ so maybe it's one of Robs post quotes? Anyway here it is.

Quote:

You can filter out 99% of backscatter just by going to Options -> Spam/virus protection, selecting Normal or Aggressive protection, and clicking Done. Even if your level is already set to Normal or Aggressive, you should click Done there again to ensure that the backscatter detection rules which were only added a few months back are incorporated into your rules.

Sherry

[Kocab]

Quote:

Originally Posted by Sherry

Hi Kocab,

If you have a Full or Enhanced account then perhaps the "backscatter" detection is not active on your account. The following is a quote I got from somewhere however I couldn't find the exact one in the FAQ so maybe it's one of Robs post quotes? Anyway here it is.


Sherry

Thanks Sherry. I do have an enhanced account, and it has been active until now. I just checked and it's still active. But I reset the setting - perhaps it was modified somehow.

[Sherry]

Hopefully that will help. If not just post back and perhaps someone will come up with another idea.

Sherry

[Bolman]

Quote:

Originally Posted by Kocab

Has anyone else noticed a significant increase in spam getting through FastMail's filters in the last 24 hours or so? I've gone from no spam at all to a ratio of about 1:1 ham/spam.

Most of it is bounce-back spam.

If you're not seeing it, perhaps it's just my turn to have my primary email address be used as a spammers return email.

Fwiw, I've been seeing less spam recently. I'm curious about why (I haven't changed anything lately), but as far as I can tell, it's a good thing.

[n5bb]

Quote:

Originally Posted by Kocab

Thanks Sherry. I do have an enhanced account, and it has been active until now. I just checked and it's still active. But I reset the setting - perhaps it was modified somehow.

The Fastmail backscatter filter is applied in your Sieve script. So after Fastmail added this feature, your script needs to be modified to add the backscatter filtering. So Sherry's suggestion is correct in the most common situation, where you are only using the Fastmail SMTP and not using a custom script.

If you are not using a custom script, then when you select Done in the Options>Spam/Virus Protection screen your backscatter choices are made in your Sieve script automatically. Since this was an added feature, I think the only way that the Backscatter filtering could get into your script is by performing this seemingly unneeded step.

Important note: If you are using your ISP's SMTP and don't use a custom Sieve script, then you need to use the Options>Spam/Virus Protection "Custom" spam protection setting, select Save, add your SMTP servers at the bottom of the screen, then select Done. Otherwise, emails you send through your ISP's SMTP which are properly bounced will be sent to Junk Mail.

But if you are using a custom Sieve script, then you must add the Backscatter filter yourself. Near the top of your Sieve script (after the require initial statement but before any rules with file or forward or keep messages), you would in this case need to add the following script:

Code:

if not header :contains ["X-Spam-known-sender"] "yes" {
if allof(
  header :contains ["X-Backscatter"] "yes",
  not header :matches ["X-LinkName"] "*" 
) {
fileinto "INBOX.Junk Mail";
stop;
} }

Important note: If you ever send email using an address which targets your Fastmail account (your main Fastmail address, an alias, or a virtual alias at your domain) from a non-Fastmail SMTP (such as your ISP's SMTP), then you must add an additional statement to check X-Backscatter-Hosts to the script, resulting in the following code for two SMTP server entries:

Code:

if not header :contains ["X-Spam-known-sender"] "yes" {
if allof(
  header :contains ["X-Backscatter"] "yes",
  not header :matches ["X-LinkName"] "*" ,
  not header :contains ["X-Backscatter-Hosts"] [ "smtp.yourISP.com", "smtp.YOURotherISP.net" ]
) {
fileinto "INBOX.Junk Mail";
stop;
} }

Bill

[DaveHanson]

I've had an EXPLOSION of backscatter spam in the last 8 hours, after having virtually all of it filtered out before today. So you're not alone, OP. It's as if the filtering failed for some reason.

I have an enhanced account. Will happily provide more details in order to help solve the problem.

[n5bb]

Quote:

Originally Posted by DaveHanson

I've had an EXPLOSION of backscatter spam in the last 8 hours, after having virtually all of it filtered out before today. So you're not alone, OP. It's as if the filtering failed for some reason.

I have an enhanced account. Will happily provide more details in order to help solve the problem.

Do you have code similar to what I posted above in your Sieve script? Even if you are not using a custom script, the link at the bottom of the Rules screen allows you to view your current Sieve script.

Also look at the full headers of the messages which are getting into your Inbox. Look for this header, which should be added to backscatter messages:
X-Backscatter: yes

Bill

[robmueller]

Just a note about the backscatter filter. When I implemented it, turning it on required changing peoples sieve rules. This left two main options.

1. Leave as is, and over time as people change anything that results in their sieve rules being rebuilt, they'd automatically get it turned on
2. Go through and rebuild everyones sieve rules immediately

I ended up going with 1, which is why I say:

Quote:

You can filter out 99% of backscatter just by going to Options -> Spam/virus protection, selecting Normal or Aggressive protection, and clicking Done. Even if your level is already set to Normal or Aggressive, you should click Done there again to ensure that the backscatter detection rules which were only added a few months back are incorporated into your rules.

So basically even if you just go to Options -> Spam/Virus protection and click Done, although you didn't make any changes, it may actually be making a change to your sieve script and activating the backscatter checks.

I really should have just done 2 shouldn't I... *sigh*

Rob

[DaveHanson]

Thanks Bill for the reply. I tried entering your script, but got a syntax error. I'm sure I'm missing some punctuation somewhere...here's how my rules start.

Any suggestions most appreciated.


require ["envelope", "imapflags", "fileinto", "reject", "notify", "vacation", "regex", "relational", "comparator-i;ascii-numeric", "body", "copy"];

if not header :contains ["to", "cc", "subject"] "xxxx" {
if anyof(
header :contains "subject" "Credit Watch Credit Profile Order",
address :all :is ["to", "cc", "resent-to"] "finances.freetrade@daveh.sent.com",

[theukrainian]

I've had the same thing happen recently. I was also looking for X-BackScatter: Yes header. All the bounces I got (all 60 of them within a day!!) had the backscatter of the form NotFound1. See here for more information:
http://www.emaildiscussions.com/show...nd1#post383057

I don't know if this has any implications for automatic filters, since I am using a custom script....

[n5bb]

Quote:

Originally Posted by DaveHanson

Thanks Bill for the reply. I tried entering your script, but got a syntax error. I'm sure I'm missing some punctuation somewhere...

Sorry, but I made an error when pasting those Sieve script fragments into my post, Dave. I have corrected them now (by adding a trailing curly brace). My curly braces weren't matched (which is a particularly geeky thing to say!).

You can insert my corrected Sieve script immediately after your initial require[...]; statement.

Bill

[n5bb]

Quote:

Originally Posted by theukrainian

I've had the same thing happen recently. I was also looking for X-BackScatter: Yes header. All the bounces I got (all 60 of them within a day!!) had the backscatter of the form NotFound1. See here for more information:
http://www.emaildiscussions.com/show...nd1#post383057

I think this just means that the original message wasn't found, so that it might not be a bounce message. Did you forward some of those to Rob, as he asked in the last paragraph of that post? If you don't send these to Rob, he won't be able to add that type of bounce message to his bounce code.

Bill

[theukrainian]

Quote:

Originally Posted by n5bb

I think this just means that the original message wasn't found, so that it might not be a bounce message. Did you forward some of those to Rob, as he asked in the last paragraph of that post? If you don't send these to Rob, he won't be able to add that type of bounce message to his bounce code

Yeah, that's what it means. However if the backscatter filters are only "looking" for "Yes", these messages will get through (that's what happened in my case anyway). I did not forward them to Rob since I did not see any delimiters there, so I thought it was pointless. At least that's what I understood his message to mean.

[robmueller]

Still forward a copy of the message to me. There might be a copy of the original as an attachment or in some other odd way that's not obvious at first glance. Remember to use the "Attach Orig" option...

Rob