Bounced mail - Backscatter/Forged sender addresses

#1 Thu, 04/17/2008 - 17:36
Blueforce

Bounced mail - Backscatter/Forged sender addresses

Hi Guys!

Is there anyone who has a solution to these backscatter mails, bounced mails with forged sender addresses??? If you know how these mails could be dropped by header and/or body checks, please let me know how this could be done.

I have read the Postfix manual and searched the web for some solution, and yes, I found a few guidelines on how this should be done. But I don't have the knowledge on how these checks should be written; I have tried a few times with NOT so good results... ;-)

We have been getting these MAILER-DAEMON bounces for about 3 weeks now. Sometimes 10-30 addresses get these each time, and I'm not talking just a few bounces. It varies from time to time; one time an account received about 300 to the inbox and about 2,500 to the spambox (in just an hour or so). Sometimes we can have up to 30 accounts "spammed" at the same time, and sometimes it's just a few or even just one account that is "spammed" each time. At the most we received about 15,000 MAILER-DAEMON bounces in one day.

So... if you have some ideas or solutions, please let me know how and what to do to stop this!!

We are using Fedora Core 6 and Virtualmin Pro. At the moment we only have about 300 mail accounts on the server.

Thanks!!! Regards, Leif

Header from one of these mails to my own account. SpamAssassin did catch this mail.

SpamAssassin Info:

Content analysis details: (6.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 NO_REAL_NAME           From: does not include a real name
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 1.4 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.5 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.2 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
-0.7 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.0594]
 3.8 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist

[URIs: ccav.org.ar]

Mail Header

Return-Path: <>
X-Original-To: MY-MAIL-ADDRESS
Delivered-To: MY-ACCOUNT@OUR-SERVER-TLD
Received: from pantheon.it (host120-148-static.15-79-b.business.telecomitalia.it [79.15.148.120]) by OUR-SERVER-TLD (Postfix) with SMTP id 85B055900CB for <MY-MAIL-ADDRESS>; Thu, 17 Apr 2008 21:04:18 +0200 (CEST)
Received: (qmail 21051 invoked for bounce); 17 Apr 2008 13:49:03 -0000
Date: 17 Apr 2008 13:49:03 -0000
From: MAILER-DAEMON@pantheon.it
To: MY-MAIL-ADDRESS
Subject: failure notice
Message-Id: <20080417190418.85B055900CB@OUR-SERVER-TLD>

Included bounce Header info in body

Hi. This is the qmail-send program at pantheon.it. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out.

<it.hobby.motociclismo@pantheon.it>: Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <MY-MAIL-ADDRESS>
Received: (qmail 20979 invoked from network); 17 Apr 2008 13:49:01 -0000
Received: from 61.17.176.142.static.vsnl.net.in (61.17.176.142) by pantheon.it with SMTP; 17 Apr 2008 13:49:01 -0000
Message-ID: <000901c8a091$05f9dd3d$bd11e6b7@wocsp>
From: "dougie bradley" <MY-MAIL-ADDRESS>
To: <it.hobby.motociclismo@pantheon.it>
Subject: we caught you naked it.hobby.motociclismo! check the video
Date: Thu, 17 Apr 2008 12:01:40 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0006_01C8A091.05F90F88"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

Sun, 04/20/2008 - 14:25
ronald

If I understand it correctly...
You receive a spam mail to a non-existing box and then it bounces.
The bounce doesn't land anywhere as the sender is forged.
Then you receive a mailer-daemon message saying it couldn't deliver.

If that is the case make sure your mailboxes do not bounce.
By default Virtualmin will make 4 mail aliases (postmaster, abuse etc) and a bounce for all other non-existent mail addresses.

This bounce must be deleted on all domains and Postfix will by default reject the incoming mail for non-existent addresses. (Virtualmin - choose a domain - go to "edit mail aliases" - delete the bounce and leave the postmaster, abuse etc intact).

Also remove this from your server template under "mail for domain": uncheck "Bounce email to invalid addresses".

Bouncing email is not a proper policy as it is abused by spammers, which nowadays can get you blacklisted.
Rejecting email is better as this process happens while the two mail servers are still communicating with each other.
While with bounce, the two mail servers are already disconnected from each other, hence the mailer daemon messages.

Hope this helps, else I'm sorry if I misunderstood.

Mon, 04/21/2008 - 07:19 (Reply to #2)
Blueforce

Hi Ronald,

Our problem is that the spammer sends his mail to an account that we don't host on our server, and actually I think the spammer prefers to send it to a non-existent account because the mail is supposed to bounce from the recipient's server to the sender address - OUR MAIL ADDRESS!!!

The spammer has entered mail addresses that we host on our server as the sender/answer address in his mails!
None of these mails are sent from our server or directly to our server; they always send the mail from different servers around the world to servers that will "bounce" the mail to the sender.

In my example below the return address is my own e-mail address:

Return-Path: <MY-MAIL-ADDRESS>
Received: (qmail 20979 invoked from network); 17 Apr 2008 13:49:01 -0000
Received: from 61.17.176.142.static.vsnl.net.in (61.17.176.142)
by pantheon.it with SMTP; 17 Apr 2008 13:49:01 -0000
Message-ID: <000901c8a091$05f9dd3d$bd11e6b7@wocsp>
From: "dougie bradley" <MY-MAIL-ADDRESS>
To: <it.hobby.motociclismo@pantheon.it>

The receiving server can't deliver the mail and bounces the mail:

Hi. This is the qmail-send program at pantheon.it.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<it.hobby.motociclismo@pantheon.it>:

Sorry, no mailbox here by that name. (#5.1.1)

To MY E-MAIL ADDRESS!!:

Return-Path: <>
X-Original-To: MY-MAIL-ADDRESS
Delivered-To: MY-ACCOUNT@OUR-SERVER-TLD
Received: from pantheon.it (host120-148-static.15-79-b.business.telecomitalia.it [79.15.148.120]) by OUR-SERVER-TLD (Postfix) with SMTP id 85B055900CB for <MY-MAIL-ADDRESS>; Thu, 17 Apr 2008 21:04:18 +0200 (CEST)
Received: (qmail 21051 invoked for bounce); 17 Apr 2008 13:49:03 -0000
Date: 17 Apr 2008 13:49:03 -0000
From: MAILER-DAEMON@pantheon.it
To: MY-MAIL-ADDRESS
Subject: failure notice
Message-Id: <20080417190418.85B055900CB@OUR-SERVER-TLD>

So, bottom line... I want to check that the mail was originally sent from our server; if so it will accept the bounce, else the incoming bounce will be rejected without a reject/bounce message.

I have searched the net for solutions to backscatter and forged mail addresses and found lots of info, but I can't get the header/body checks working. :-(

Regards,
Leif

Tue, 04/22/2008 - 17:12 (Reply to #3)
DanLong

Hi Leif,
I think what you want would be extremely tricky without causing a bounce loop. You'd have to modify the headers so that it would be bounced in an acceptable way to, say, SpamCop or a reporting repository. Just simply rejecting it again could cause an indefinite loop of bounces, with the problem being that the mail piece gets bigger with each bounce. I saw a server shut down due to a former employee having forwarded his mail to address X but then shutting down address X a couple months later. A piece of mail got forwarded, then bounced back, which in turn forwarded it, then it bounced......

I think you get the picture.

I believe you use fewer resources just trashing the root level mailer replies when they come through.

I had to laugh at your original post. Our abuse, billing, sales and support emails all got that same email ;-)

Dan

Wed, 04/23/2008 - 07:15 (Reply to #4)
Blueforce

Hi Dan,

I understand what you are saying.
What I want to do is to trash or send these mails to a blackhole; I DON'T want to bounce them! But if one of our customers sends a mail and, let's say, has misspelled the recipient's mail address, or for some other reason the mail can't be delivered to the recipient, this bounce message has to be able to pass and be delivered to our customer (the sender).

I also think that a mail originating from our server would have some header info showing that it was sent from our server, either in the mail header or in the inserted header info in the message body. If an incoming bounce mail DOESN'T have any info showing that it was originally sent by our server, then this mail should get trashed/blackholed. The only bounces that should be able to pass are those that originally came from our server.

And this can be done with header and body checks, see this info:
http://www.postfix.org/BACKSCATTER_README.html

I have tried to add these checks but I can't get them to work. :-(

I'm looking for a way to sort out those bounces that have a forged sender/return address, mails that weren't originally sent from our server. These should just get trashed.

Regards,
Leif

Wed, 04/23/2008 - 11:35 (Reply to #5)
Joe

Hey Leif,

Sounds to me like we just need to get your header and body checks working. That is the way to solve this particular problem...so that's what we need to do.

So, are you getting errors when you try to use them? What do your header/body checks look like? How exactly are they failing to work?


Thu, 04/24/2008 - 17:07 (Reply to #6)
Blueforce

Hi Joe,

I have tried several ways; all were based on examples that I found on the internet. I don't have the knowledge to write them on my own, so I have been trying to use and modify the examples that I found.

I don't have the body/header checks saved... I did throw them away!! After many tries, lots of googling and reading and more tries... I finally gave up and deleted my test files!! ;-)

It's difficult for me to test these things on our production server; I don't want to mess up the server or in other ways disturb our customers with my "tests". So I've been hoping to find someone that knows how this should be done, and hopefully would be kind enough to help me out.

Regards,
Leif

Thu, 05/22/2008 - 07:50 (Reply to #7)
Blueforce

Hi Eric,

Thanks for the advice!

I guess these checks could be done like you describe, but I also know that it could be done directly on our mail server.
I don't think it's so hard to accomplish this directly on the mail server, because the incoming mailer daemon bounce mail should have some header info showing that it originated from our server; if so the bounce should be able to pass, and if not the mail could just be dropped or sent to a blackhole.

Here is a link to postfix.org about backscatter.
http://www.postfix.org/BACKSCATTER_README.html

Unfortunately I don't have the knowledge to get these header and body checks working :-(

For the time being I have added some filter rules to SpamAssassin to get rid of these mails; unfortunately ALL bounce mails get flushed. But it's better to flush one or two "real" bounce mails than have irritated customers calling and complaining about hundreds and sometimes over thousands of mailer daemon mails, and these are the ones that did pass through SpamAssassin... the spam folder sometimes has picked up 5 to 10 times the amount that passed.

Regards,
Leif
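Leif's posts above (#3, #5 and #8) all describe the same test: accept a null-sender bounce only when the copy of the original message it carries shows a Received: line stamped by our own Postfix, and discard it otherwise. The following Python script is an added illustration of that test, not code from the thread or from Virtualmin/Postfix; it scans the message body the way a Postfix body_checks rule would, and OUR_HOST, the hostnames and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string

# Assumption: OUR_HOST is the name our Postfix writes into its own Received:
# lines.  "OUR-SERVER-TLD" is the placeholder the thread uses, not a real host.
OUR_HOST = "OUR-SERVER-TLD"

# Only our MTA stamps "by <our host> (Postfix) with (E)SMTP id <queue id>" on a
# message it relayed; Postfix queue IDs are 8 to 12 upper-case hex characters.
OUR_RECEIVED = re.compile(
    r"^Received:.*\bby " + re.escape(OUR_HOST)
    + r" \(Postfix\) with E?SMTPS?A? id [0-9A-F]{8,12}\b",
    re.MULTILINE | re.IGNORECASE,
)

def classify_bounce(raw: str) -> str:
    """Return 'not-a-bounce', 'deliver' or 'discard' for one raw message."""
    # Split off the outer headers: they always carry our own Received: line
    # (stamped when the bounce arrived), so header_checks alone cannot decide.
    head, _, body = raw.partition("\n\n")
    if message_from_string(head).get("Return-Path", "").strip() != "<>":
        return "not-a-bounce"        # ordinary mail: the check does not apply
    body = re.sub(r"\r?\n[ \t]+", " ", body)   # unfold wrapped header lines
    if OUR_RECEIVED.search(body):
        return "deliver"             # the quoted original really left our server
    return "discard"                 # null sender, no trace of us: backscatter

# Constructed samples modelled on the headers quoted in the thread.
BACKSCATTER = """Return-Path: <>
Received: from pantheon.it (host120-148-static.15-79-b.business.telecomitalia.it [79.15.148.120]) by OUR-SERVER-TLD (Postfix) with SMTP id 85B055900CB for <MY-MAIL-ADDRESS>; Thu, 17 Apr 2008 21:04:18 +0200 (CEST)
From: MAILER-DAEMON@pantheon.it

Hi. This is the qmail-send program at pantheon.it.
--- Below this line is a copy of the message.

Return-Path: <MY-MAIL-ADDRESS>
Received: from 61.17.176.142.static.vsnl.net.in (61.17.176.142) by pantheon.it with SMTP; 17 Apr 2008 13:49:01 -0000
From: "dougie bradley" <MY-MAIL-ADDRESS>
"""

REAL_BOUNCE = """Return-Path: <>
Received: from mx.example.net (mx.example.net [192.0.2.20]) by OUR-SERVER-TLD (Postfix) with ESMTP id 1A2B3C4D5E for <customer@OUR-SERVER-TLD>; Thu, 24 Apr 2008 10:00:00 +0200 (CEST)
From: MAILER-DAEMON@example.net

This is the mail system at host mx.example.net.

Received: from customer-pc (unknown [192.0.2.10])
\tby OUR-SERVER-TLD (Postfix) with ESMTP id 3F2A1B4C9D
\tfor <typo@example.net>; Thu, 24 Apr 2008 09:59:00 +0200 (CEST)
"""
```

A spammer who knows your hostname and queue-ID format can forge that Received: line too, so this is a heuristic in the spirit of BACKSCATTER_README, not proof of origin; it removes the bulk of the bounces Leif describes, which carry no trace of the server at all.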

Wed, 05/21/2008 - 08:56
andreychek

Howdy,

We've been looking into a way to deal with this at my workplace, as the backscatter spam problem has gotten a bit worse for us there.

It's apparently tricky to solve correctly :-)

One direction some people have gone with this is to use an RBL which lists hosts generating backscatter spam -- but only comparing emails from mailer-daemon or postmaster against it, not every email coming in (there'd be way too many false positives).

This still runs the risk of having a bounce message not get back to you, if that host happens to be listed in the RBL, but some feel the benefits outweigh the drawbacks.

It's pretty easy to set up; details on how to configure it on Postfix are here:

http://www.backscatterer.org/?target=usage

There are also some threads on the Postfix mailing list regarding this, including:

http://archives.neohapsis.com/archives/postfix/2008-05/0359.html

Good luck, and let us know what works!
-Eric

Wed, 05/21/2008 - 19:10 (Reply to #9)
velvetpixel

A proper SPF record will cut down on some of this.

Can the SpamAssassin Header and Body Tests allow you to filter what you need in a way that doesn't block acceptable user name mismatch?
