November 1st, 2004 | Published in Uncategorized
Apologies to anyone sending mail I may not have replied to in the past few days.
At some point over the weekend, a spammer used an old work address as his forged From: header. Beginning some time Saturday morning and ending about two hours ago, I received 5,872 messages including failed challenge/responses, delivery errors, and commercial anti-spam gateway notifications (which are their own sort of spam, to the extent they’re careful to take the opportunity to pimp their miracle spam-fighting powers).
I was able to write some filters to catch the most likely patterns, but about 25% still made it through between the time I realized what was going on (I woke up to the first 1,200 or so) and the point where I stopped bothering to write filters against the odds and ends that represent individual mail server admins’ attempts at cleverness. (Favorite 550 subject of the weekend: “Fuck of [sic], spammer.”)
Upside: That old work address, which no one uses except spam harvesters visiting articles I wrote three or four years ago, was disabled without question. I need to send a box of chocolates to our support people for just turning the damn address off without a fuss.
Lesson: If your organization does a major namespace reorg of some kind, rather than simply aliasing the old addresses over to the new domain, consider adding an X-Header with a filterable bit of text in it like “X-Old-Address-We-Maintain-So-the-Spammers-Can-Find-You-and-Fuck-Up-Your-Weekend: True”. That way, your employees can write a filter or recipe in their mail client or procmail to file mail to the old addie in a special folder, figure out which contacts need the new address, notify them (or send an autoresponse notification), and then write filters sending the rest to /dev/null where it probably belongs.
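One way to act on that lesson in code, as an added example that is not from the post: a small Python router that files mail stamped with the proposed header into a holding folder until contacts have been notified, and sends backscatter aimed at the old address straight to /dev/null. The header name is the post's own; the bounce heuristics (multipart/report with delivery-status, a null Return-Path, or Auto-Submitted) and the sample messages are assumptions constructed for this example.

```python
import email

# Header the post proposes that an organization stamp on mail arriving via a
# legacy address after a namespace reorg; the name is the post's own example.
OLD_ADDRESS_HEADER = "X-Old-Address-We-Maintain-So-the-Spammers-Can-Find-You-and-Fuck-Up-Your-Weekend"

def is_bounce(msg):
    # Heuristics (assumed, not from the post) for delivery-status reports and
    # other auto-generated replies, i.e. the backscatter a forged From: attracts.
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    if msg.get("Return-Path", "").strip() == "<>":  # null reverse path: a bounce
        return True
    return msg.get("Auto-Submitted", "no").strip().lower() != "no"

def route(raw, contacts_notified=False):
    # Folder a message belongs in: stamped mail waits in a holding folder until
    # contacts have the new address; backscatter to the old address is dropped.
    msg = email.message_from_string(raw)
    if msg.get(OLD_ADDRESS_HEADER, "").strip().lower() != "true":
        return "INBOX"
    if is_bounce(msg):
        return "/dev/null"
    return "/dev/null" if contacts_notified else "old-address"

# Constructed sample messages (not real traffic).
BOUNCE = f"""Return-Path: <>
From: MAILER-DAEMON@mx.example
To: old-name@old.example
{OLD_ADDRESS_HEADER}: True
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.
--b1--
"""

REAL_MAIL = f"""From: colleague@partner.example
To: old-name@old.example
{OLD_ADDRESS_HEADER}: True
Subject: Lunch?

Still at this address?
"""
```

Calling `route(BOUNCE)` yields `/dev/null`, `route(REAL_MAIL)` yields `old-address`, and once `contacts_notified=True` the remaining stamped mail is dropped as well.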
Another Lesson: People who use challenge/response systems come off like dweebs no matter how hard they try to make the whole “Use the sekrit word” message sound polite or professional.
Anyhow. Dug out now. Back to work.