Re: Bounce notification

2007-12-29 Thread Joseph Brennan


dvesely [EMAIL PROTECTED] wrote:

> I have set up bounce notification for my SpamAssassin mail server but my
> server manager has recommended that I do not use it. He wrote:
>
> We can't configure Bouncing the SPAM message at Server level, but we can
> do this at domain level.
>
> If we configured to bounce at Domain level, it will affect the server's
> performance, because the Server DS109 is blocking around 12,500 SPAM
> messages per day. If you want to bounce those entire messages then your
> mail server will come to a halt.
>
> Most of the SPAM messages will have a forged FROM address, so the server
> has to deal with returned bounce messages also. This is a processor and
> Memory hungry task.



I don't know what level means.  Mail for webprecision.com goes to
smtp-in.webprecision.com.  That host should either refuse spam during
the SMTP transaction (like 550 This looks like spam), or accept and
keep.  It should never accept and then mail back a bounce.  Most of
the senders are not deliverable, and most of the rest are deliverable
to innocent people whose addresses were faked by the spammer.

I agree with your desire to notify senders because of false positives.
This is accomplished by having smtp-in.webprecision.com refuse.  Legit
servers that get a 550 will notify the sender.

If you mean that smtp-in.webprecision.com accepts everything, and
re-sends to another host that runs Spamassassin, then all you can do
is score and tag, and the recipient will have to notice the fp's.

Joseph Brennan
Columbia University Information Technology




Re: Bounce notification

2007-12-21 Thread Bob Proulx
dvesely wrote:
> My server manager tells me that my Windows version of SpamAssassin cannot
> reject email at the SMTP level. This is only possible in the Unix version.
> True or False?

False but for a different reason.  False because the Unix version of
SpamAssassin can't reject at the SMTP level either.  SpamAssassin is
not an MTA and does not transfer mail with SMTP.  An MTA (mail
transfer agent) such as the classic old Sendmail or the newer Postfix
and Exim programs use SMTP to transfer mail from host to host.  These
could be MS-Windows but are usually Unix or GNU server machines.
Usually on MS-Windows the MS-Exchange program is used.  Only those
programs can reject at the SMTP level.

If the address is to an invalid address then the MTA has the
capability to know immediately if the message should be rejected.  It
can't deliver it and therefore it should not accept the message.  This
has nothing to do with spam.  This only has to do with valid addresses
and being able to successfully deliver the message.  If the message
can't be delivered then it needs to be rejected.

In the old days (and sadly today on some large organization site)
border machines would receive the message and route the mail through
multiple hops to a final destination machine.  At the final
destination it might be undeliverable.  In that case a bounce message
is generated and returned to the specified from address.  This has
been used by spammers in the past to bounce their spam to their
victims.  They create a known invalid address as the recipient at a
site known to create bounce messages after having accepted them.  They
forge a victim address as the from address.  The message can't be
delivered and the bounce message then carries the spam payload message
as a bounce reply to the forged victim from address as backscatter.
Also known as a joe-job.

As an additional (newish) capability people want to be able to reject
spam immediately at SMTP time too.  In order to do that many people
have added plugins to the MTA (aka milters [mail filter]) to examine
the message at the time of transfer and make an immediate decision
before the SMTP accept as to whether the message is to be accepted or
rejected.  If the message is classified as spam by the plugin then the
MTA can reject the message at that time.  Using virus scanners and
SpamAssassin as a plugin to the MTA to do this is quite popular.

But SpamAssassin itself is not doing any of the bouncing.  It is
solely the responsibility of the MTA, perhaps based upon input from
these plugins.  If you don't have control over your MTA then you do
not have the option of doing this.  In which case you should only
silently quarantine or silently discard messages classified as spam.

Bob


Re: Bounce notification

2007-12-21 Thread Rick Mallett


On Fri, 21 Dec 2007, Bob Proulx wrote:

> dvesely wrote:
>> My server manager tells me that my Windows version of SpamAssassin cannot
>> reject email at the SMTP level. This is only possible in the Unix version.
>> True or False?
>
> False but for a different reason.  False because the Unix version of
> SpamAssassin can't reject at the SMTP level either.  SpamAssassin is

[deleted]

> In the old days (and sadly today on some large organization site)
> border machines would receive the message and route the mail through
> multiple hops to a final destination machine.  At the final
> destination it might be undeliverable.  In that case a bounce message
> is generated and returned to the specified from address.  This has
> been used by spammers in the past to bounce their spam to their
> victims.  They create a known invalid address as the recipient at a
> site known to create bounce messages after having accepted them.  They
> forge a victim address as the from address.  The message can't be
> delivered and the bounce message then carries the spam payload message
> as a bounce reply to the forged victim from address as backscatter.
> Also known as a joe-job.



This is a bit off topic, but I've noticed that a lot of backscatter
arriving at my site has email addresses that are obviously forged to
be incorrect, as in [EMAIL PROTECTED], where the same address
without the _qq is a valid email address.

It's not a dictionary attack because the addresses are all different,
but each is a slight modification of a valid address, and I've always
assumed that the spammers using this technique don't want the bounced
messages delivered in order to cover their tracks.

However, that doesn't make much sense since any messages that did get
delivered (i.e. didn't get bounced) would have the same routing info
so why not use a valid bounce address to improve the odds that the
spam will get delivered somewhere?

Has anyone else encountered forged from addresses that are obviously
meant to be incorrect, and does anyone have any idea why a spammer might
choose to do that, rather than forge a correct address and double the odds
that the spam will get through?

- rick




Re: Bounce notification

2007-12-21 Thread dvesely

I am running a windows server with Smartermail and SpamAssassin. While I
understand what you are telling me below I would really appreciate a
suggestion or recommendation on how to set up a system that will control spam
and notify users whose email is blocked in error.
 
Any suggestions or examples you can give would be appreciated.
 
Dan


Bob Proulx wrote:
>
> dvesely wrote:
>> My server manager tells me that my Windows version of SpamAssassin cannot
>> reject email at the SMTP level. This is only possible in the Unix
>> version.
>> True or False?
>
> False but for a different reason.  False because the Unix version of
> SpamAssassin can't reject at the SMTP level either.  SpamAssassin is
> not an MTA and does not transfer mail with SMTP.  An MTA (mail
> transfer agent) such as the classic old Sendmail or the newer Postfix
> and Exim programs use SMTP to transfer mail from host to host.  These
> could be MS-Windows but are usually Unix or GNU server machines.
> Usually on MS-Windows the MS-Exchange program is used.  Only those
> programs can reject at the SMTP level.
>
> If the address is to an invalid address then the MTA has the
> capability to know immediately if the message should be rejected.  It
> can't deliver it and therefore it should not accept the message.  This
> has nothing to do with spam.  This only has to do with valid addresses
> and being able to successfully deliver the message.  If the message
> can't be delivered then it needs to be rejected.
>
> In the old days (and sadly today on some large organization site)
> border machines would receive the message and route the mail through
> multiple hops to a final destination machine.  At the final
> destination it might be undeliverable.  In that case a bounce message
> is generated and returned to the specified from address.  This has
> been used by spammers in the past to bounce their spam to their
> victims.  They create a known invalid address as the recipient at a
> site known to create bounce messages after having accepted them.  They
> forge a victim address as the from address.  The message can't be
> delivered and the bounce message then carries the spam payload message
> as a bounce reply to the forged victim from address as backscatter.
> Also known as a joe-job.
>
> As an additional (newish) capability people want to be able to reject
> spam immediately at SMTP time too.  In order to do that many people
> have added plugins to the MTA (aka milters [mail filter]) to examine
> the message at the time of transfer and make an immediate decision
> before the SMTP accept as to whether the message is to be accepted or
> rejected.  If the message is classified as spam by the plugin then the
> MTA can reject the message at that time.  Using virus scanners and
> SpamAssassin as a plugin to the MTA to do this is quite popular.
>
> But SpamAssassin itself is not doing any of the bouncing.  It is
> solely the responsibility of the MTA, perhaps based upon input from
> these plugins.  If you don't have control over your MTA then you do
> not have the option of doing this.  In which case you should only
> silently quarantine or silently discard messages classified as spam.
>
> Bob
 
 

-- 
View this message in context: 
http://www.nabble.com/Bounce-notification-tp14432035p14462333.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Bounce notification

2007-12-21 Thread Matus UHLAR - fantomas
On 21.12.07 13:01, dvesely wrote:
> I am running a windows server with Smartermail and SpamAssassin. While I
> understand what you are telling me below I would really appreciate a
> suggestion or recommendation on how to set up a system that will control spam
> and notify users whose email is blocked in error.

Notify who about what? If you reject at SMTP level, notifications to senders
are up to the sending SMTP servers. You don't even want to notify receivers
- if your users don't want to be abused by the spam, they surely don't want to
be abused by the notifications about each spam blocked.

Just configure rejection with score high enough (I use 10) and you won't
have to take care about notifications.

(scores above 7 may appear in some hams, sent by lame mailer from users
who don't know about that)

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: Bounce notification

2007-12-20 Thread Graham Murray
dvesely [EMAIL PROTECTED] writes:

> What's the best way to set up bounce notification?

The best way is to not bounce at all but reject with a 5xx code during
the SMTP conversation. Though be careful to only do this at 'border'
MTAs (those listed in the MX records for the destination domain) not on
internal servers.


Re: Bounce notification

2007-12-20 Thread Bob Proulx
dvesely wrote:
> I have set up bounce notification for my SpamAssassin mail server but my server
> manager has recommended that I do not use it. He wrote:

Right.  Best not to generate bounces to spam after you have received
it because if you do you become a source of spam yourself.

> Most of the SPAM messages will have a forged FROM address, so the server
> has to deal with returned bounce messages also. This is a processor and
> Memory hungry task.

The problem isn't that your server would become overloaded.  The
problem is that your server would become a source of backscatter spam
because of the bounced messages to forged from addresses.  *I* for one
would blacklist your server because of this.

Search the web for backscatter spam and read about the problems that
it causes before attempting to set up a server that bounces spam
messages.  Rejecting at the SMTP level is the better way to go.

Bob


Re: Bounce notification

2007-12-20 Thread Bob Proulx
Dan Vesely wrote:
> If you reject at the SMTP level how are users notified?
>
> There has to be a way to notify users if they are rejected so that they can
> contact the sender to be put on the white list.

The user would get a normal bounce return.  As far as the person
receiving the bounce message is concerned, there is no difference between
bouncing messages at SMTP time and bouncing them later after having
received them.  They see the same message.  The critical difference is
that rejecting at SMTP time avoids many of the problems with forged
addresses.

Example of a valid bounce case:

Alice sends Bob an email message.  The MTA on Alice's server contacts
the MTA on Bob's server using SMTP.  But unfortunately the address is
mistyped and can't be delivered.  At SMTP time the MTA on Bob's
machine rejects the message with the reason being no such user.  The
MTA on Alice's machine gets the rejection at SMTP time.  The MTA
delivers the bounce message to Alice.

Example of Backscatter:

Mallory sends Bob a spam email message.  Mallory wants to fool Bob
into thinking the message came from Alice.  Mallory forges Alice's
address on the message.  The MTA on Mallory's server contacts the MTA
on Bob's server.  Bob has misconfigured his server to accept all
messages and bounce undeliverable messages later.  The MTA on Bob's
server accepts the message.  After accepting the message, possibly
after forwarding to other internal servers such as is common on many
large networks, the system determines that the message is spam.  Bob
has misconfigured the system to send a reject message.  The MTA on
Bob's server sends a bounce message to Alice.  Alice gets a message
from Bob's server.  The payload of the message is the spam body from
Mallory.  Mallory repeats this with thousands of other servers.  Alice
is overloaded with joe-job backscatter spam.

Specifically in the case of spam it is now best practice to silently
discard messages without generating a rejection message to avoid being
a source of backscatter spam.

The same result of backscatter is possible if the message is not spam
but is undeliverable due to an invalid address.

Example of a Potential Backscatter Avoided:

Mallory sends Bob a spam email message.  Mallory wants to fool Bob
into thinking the message came from Alice.  Mallory forges Alice's
address on the message.  The MTA on Mallory's server contacts the MTA
on Bob's server.  Bob has properly configured his server to reject
undeliverable messages as early as possible at SMTP time.  The MTA on
Mallory's server finds the message rejected during the SMTP handshake.
Bob's server does not send a rejection notice to Alice and Alice
avoids any backscatter from Bob's system.

Bob


Dan Vesely wrote:
> If you reject at the SMTP level how are users notified?
>
> There has to be a way to notify users if they are rejected so that they can
> contact the sender to be put on the white list.
>
> Your help is appreciated.
>
> Thanks,
>
> Dan
>
> -Original Message-
> From: Bob Proulx [mailto:[EMAIL PROTECTED]
> Sent: Thursday, December 20, 2007 9:27 AM
> To: dvesely
> Cc: users@spamassassin.apache.org
> Subject: Re: Bounce notification
>
> dvesely wrote:
>> I have set up bounce notification for my SpamAssassin mail server but my server
>> manager has recommended that I do not use it. He wrote:
>
> Right.  Best not to generate bounces to spam after you have received
> it because if you do you become a source of spam yourself.
>
>> Most of the SPAM messages will have a forged FROM address, so the server
>> has to deal with returned bounce messages also. This is a processor and
>> Memory hungry task.
>
> The problem isn't that your server would become overloaded.  The
> problem is that your server would become a source of backscatter spam
> because of the bounced messages to forged from addresses.  *I* for one
> would blacklist your server because of this.
>
> Search the web for backscatter spam and read about the problems that
> it causes before attempting to set up a server that bounces spam
> messages.  Rejecting at the SMTP level is the better way to go.
>
> Bob
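
Added example (not part of the thread and not code from any poster): a small Python model of the Alice / Bob / Mallory cases above, combined with the reject-at-SMTP-time decision and score threshold discussed elsewhere in the thread. The host names, mailbox list, scores, and the rule that a notice counts as backscatter when the envelope sender's domain differs from the connecting host are assumptions made for illustration.

```python
from dataclasses import dataclass

VALID_RCPTS = {"bob@bob.example"}   # constructed: mailboxes that exist at Bob's site
REJECT_SCORE = 10.0                 # threshold mentioned in the thread ("I use 10")

@dataclass
class Mail:
    client: str       # host that actually opened the SMTP connection
    env_from: str     # envelope sender; the client can claim anything here
    rcpt: str
    score: float      # stand-in for the score a SpamAssassin plugin returns

def refusal(mail):
    """Return a 550 reason if the mail should not be delivered, else None."""
    if mail.rcpt not in VALID_RCPTS:
        return "550 no such user"
    if mail.score >= REJECT_SCORE:
        return "550 this looks like spam"
    return None

def reject_at_smtp(mail):
    """Decide before the final 250. Returns (reply to client, DSNs we send)."""
    reason = refusal(mail)
    # On a 550 the message never leaves the client's queue, so any notice
    # to the sender is the client's job. This server writes to nobody.
    return (reason or "250 ok", [])

def accept_then_bounce(mail):
    """Misconfigured: always 250, filter later, mail a bounce to env_from."""
    reason = refusal(mail)
    dsns = [mail.env_from] if reason else []
    return ("250 ok", dsns)

def backscatter(policy, traffic):
    """Addresses that get a DSN from us although their host never connected."""
    hits = []
    for mail in traffic:
        _, dsns = policy(mail)
        hits += [a for a in dsns if a.split("@")[1] != mail.client]
    return hits

# Constructed traffic following the Alice / Bob / Mallory cases in the thread.
TRAFFIC = [
    Mail("alice.example", "alice@alice.example", "bbo@bob.example", 0.5),      # typo
    Mail("mallory.example", "alice@alice.example", "bob@bob.example", 22.0),   # forged spam
    Mail("mallory.example", "alice@alice.example", "nobody@bob.example", 22.0),
    Mail("alice.example", "alice@alice.example", "bob@bob.example", 7.5),      # odd ham
]

if __name__ == "__main__":
    for name, policy in [("reject", reject_at_smtp), ("bounce", accept_then_bounce)]:
        print(name, [policy(m)[0] for m in TRAFFIC], backscatter(policy, TRAFFIC))
```

With the same four messages, the rejecting policy sends no notices of its own, while the accept-then-bounce policy mails Alice twice for messages her host never sent.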


Re: Bounce notification

2007-12-20 Thread dvesely

My server manager tells me that my Windows version of SpamAssassin cannot
reject email at the SMTP level. This is only possible in the Unix version.
True or False?

If false, can you give me a link to instructions on enabling this feature or
any known workaround please?

Thanks,
 
Dan


Bob Proulx wrote:
>
> dvesely wrote:
>> I have set up bounce notification for my SpamAssassin mail server but my server
>> manager has recommended that I do not use it. He wrote:
>
> Right.  Best not to generate bounces to spam after you have received
> it because if you do you become a source of spam yourself.
>
>> Most of the SPAM messages will have a forged FROM address, so the server
>> has to deal with returned bounce messages also. This is a processor and
>> Memory hungry task.
>
> The problem isn't that your server would become overloaded.  The
> problem is that your server would become a source of backscatter spam
> because of the bounced messages to forged from addresses.  *I* for one
> would blacklist your server because of this.
>
> Search the web for backscatter spam and read about the problems that
> it causes before attempting to set up a server that bounces spam
> messages.  Rejecting at the SMTP level is the better way to go.
>
> Bob
 
 




Re: Bounce notification

2007-12-20 Thread AxisInternet
dvesely wrote:
> My server manager tells me that my Windows version of SpamAssassin cannot
> reject email at the SMTP level. This is only possible in the Unix version.
> True or False?
>
> If false, can you give me a link to instructions on enabling this feature or
> any known workaround please?

SpamAssassin, in and of itself, cannot reject messages at any level. You can
'wrap' it with other scripts or applications that can reject messages based
on their SA scores though - such as with MailScanner - www.mailscanner.info



Chris



Bounce notification

2007-12-19 Thread dvesely

I have set up bounce notification for my SpamAssassin mail server but my server
manager has recommended that I do not use it. He wrote:

We can't configure Bouncing the SPAM message at Server level, but we can do
this at domain level.

If we configured to bounce at Domain level, it will affect the server's
performance, because the Server DS109 is blocking around 12,500 SPAM
messages per day. If you want to bounce those entire messages then your mail
server will come to a halt.

Most of the SPAM messages will have a forged FROM address, so the server
has to deal with returned bounce messages also. This is a processor and
Memory hungry task.

===

This is not acceptable to me because people have to be notified because
there are always false positives.
 
Is he correct? Will this kill my server?
 
What's the best way to set up bounce notification?

Thanks to anyone who can help!
 
Dan