[HCoop-Discuss] Filtering out bogus bounce notification e-mails

Adam Chlipala adamc at hcoop.net
Thu Jan 25 06:46:51 EST 2007

I own a number of domains that years ago I set up so that I receive all 
e-mail sent to any of their e-mail addresses.  This is very handy for 
giving a different address to each online service that requests one, so 
that you can blacklist any address that ends up receiving spam.  
Unfortunately, spammers like to use made-up addresses in the From 
headers of their messages, and this includes random addresses at some of 
my domains.  Spammers also often send e-mail to nonexistent or full 
mailboxes.  The helpful mail servers at the other end send back bounce 
notifications to let the sender know that such messages couldn't be 
delivered.  When the fake From header points back to one of my e-mail 
addresses, I'm the one who receives the irrelevant bounce notification, 
not the spammer.

Recently, I've been receiving a lot more of this kind of bounce message, 
to the point where the usability of e-mail had been getting back to the 
low levels of pre-spam-filtering days.  I know some other members have 
the same problem.  Yesterday, I decided to try to do something about it, 
and I was pleasantly surprised to find that a trivial Exim filter can 
identify these dubious messages.  I have a feeling others would like to 
use my solution, too, so here it is:

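# Exim filter
# File bounces and bulk/junk auto-replies that are not addressed to the
# single address that mail is actually sent from.
if (error_message
        or $header_precedence: contains "bulk"
        or $header_precedence: contains "junk")
        and $h_to: is not "adamc@hcoop.net" then
    save $home/Maildir/.Bounces/
endif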

The idea is that all bogus bounces should be moved into a special folder 
(which you would need to create manually over IMAP before using this 
filter), to be checked once a day for any false positives and then 
emptied.  I only send e-mail with a single From address, even though I 
receive e-mail at many more addresses.  As a result, any bounce directed 
to any address but the one I'm using for this mailing list post doesn't 
result from something I sent.  Exim has this lovely "error_message" 
variable built in that apparently applies some clever heuristics to tell 
which messages are error notifications.  This doesn't quite catch all 
cases, as I also often get "I'm on vacation" auto-replies to messages 
sent by spammers in my name.  The two other conditions based on the 
Precedence header seem to handle these remaining cases so far.

In the one day I've been test-driving this, it's worked _almost_ 
perfectly.  The single exception so far is that e-mail notifications 
from Mailman with moderation requests end up in my Bounces folder.  Any 
suggestions for improvements from the combined font of wisdom that we 
have on this mailing list?
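
The following is an added example, not part of the original post: a Python re-implementation of the filter's condition, run over constructed messages to show which ones it files under Bounces, including the Mailman moderation case mentioned above and a To header that carries a display name. It assumes the delivered copy records an empty envelope sender as "Return-Path: <>" and that the moderation notice carries "Precedence: bulk" (the post does not say so); every address other than adamc@hcoop.net is made up.

```python
from email import message_from_string

MY_ADDRESS = "adamc@hcoop.net"  # sending address used in the post's filter

def goes_to_bounces(raw, my_address=MY_ADDRESS):
    """Mirror the post's condition:
    (error_message or Precedence contains bulk/junk) and To is not my address."""
    msg = message_from_string(raw)
    # Exim's error_message is true when the envelope sender is empty.
    # Assumption: the delivered copy records it as "Return-Path: <>".
    error_message = (msg.get("Return-Path") or "").strip() == "<>"
    precedence = (msg.get("Precedence") or "").lower()
    automated = "bulk" in precedence or "junk" in precedence
    # Lower-case "is" in an Exim filter compares the whole header text,
    # ignoring case, so a display name makes the comparison fail.
    to_header = (msg.get("To") or "").strip().lower()
    return (error_message or automated) and to_header != my_address.lower()

def make(return_path, to, precedence=None, subject="test"):
    """Build a minimal constructed message with the headers the filter reads."""
    lines = [f"Return-Path: {return_path}", f"To: {to}", f"Subject: {subject}"]
    if precedence:
        lines.append(f"Precedence: {precedence}")
    return "\n".join(lines) + "\n\nbody\n"

# Constructed sample messages; all addresses other than MY_ADDRESS are made up.
SAMPLES = {
    "backscatter": make("<>", "qx7@example.org"),
    "vacation reply": make("<bob@example.net>", "qx7@example.org", "bulk"),
    "real bounce": make("<>", "adamc@hcoop.net"),
    "personal mail": make("<alice@example.com>", "shop1@example.org"),
    # Assumption: the moderation notice is sent with Precedence: bulk.
    "moderation": make("<list-bounces@example.com>", "list-owner@example.com", "bulk"),
    "display name": make("<>", "Adam Chlipala <adamc@hcoop.net>"),
}

def classify_samples():
    """Return {sample name: True if the filter would save it to Bounces}."""
    return {name: goes_to_bounces(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, filed in classify_samples().items():
        print(f"{name:15} -> {'Bounces' if filed else 'inbox'}")
```

The "display name" case shows that a genuine bounce is still filed under Bounces when the To header holds more than the bare address, which is one reason the daily check of that folder matters.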
