RE: Spam bounceback attack

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, J. wrote:

> Thanks. Ok, I did some looking around and decided that
> http://qmail.jms1.net has the patch for me
> (netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
> that when people have tried to patch the Gentoo version of netqmail
> they get errors. Has anyone here gotten this working under Gentoo?

I'd respectfully suggest that the Gentoo forums is the place to pursue
this going forward, and that you might want to open a feature-request
Gentoo bugzilla entry for adding that patch to the qmail package with
a USE option so that others may benefit from it.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Phobias should not be the basis for laws.
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Spam bounceback attack

2007-04-10 Thread Rick Macdougall

J. wrote:

> Thanks. Ok, I did some looking around and decided that
> http://qmail.jms1.net has the patch for me
> (netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
> that when people have tried to patch the Gentoo version of netqmail
> they get errors. Has anyone here gotten this working under Gentoo?
> Thanks.


The Gentoo emerge build of qmail is not recommended.  You'll be much 
better off building from source.  I don't use it myself but I've heard 
horror stories from people on the list.


Another option, that we use, is http://www.shupp.org and the toaster 
patch.  That way clients can login and add users and all invalid users 
are rejected (users don't have to actually be local, you can remove the 
domains from virtualdomains, the user check will still work but the 
smtproutes will be followed).


More info off list if you want.

Regards,

Rick



RE: Spam bounceback attack

2007-04-10 Thread J.

--- R Lists06 <[EMAIL PROTECTED]> wrote:

> > Jason wrote:
> > Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
> > by default because otherwise my setup would be to blame. :) I'm using
> > qmail to handle incoming and outgoing mail for my domain but using a
> > very old lan based mail server to actually deliver mail to our users so
> > the qmail machine doesn't have any idea who's a valid user and who
> > isn't, all non-junk goes into a single mailbox which our lan server
> > then retrieves via pop. Outbound works similarly where our lan server
> > relays through the qmail machine (no it's not an open relay).
> > 
> > I'm looking at this patch at the moment:
> > 
> > http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
> > 
> > ...but will also look at the ones Jim suggested. Thanks again.
> > 
> > -Jason
> > 
> 
> We highly recommend John Simpson's http://qmail.jms1.net and the validrcptto
> patch as well.
> 
> There is actually a group of patches that John Simpson rolled into one
> 
> Many goodies there that can be utilized...
> 
> He started that as an addon in regards to and with http://www.qmailrocks.org
> and there is still good info although the site hasn't been as well kept as
> it could have been the last 6 to 12 months.
> 
> There are many other items and links to check out on http://qmail.jms1.net
> as well...
> 
> If you know and understand everything on that site and a coupla others
> related to it, you will do extremely well with your mail server overall.
> 
> Of course, the tie in is that at some point I had to better learn about
> Spamassassin and joined here for that.
> 
> Kind regards,
> 
>  - rh

Thanks. Ok, I did some looking around and decided that
http://qmail.jms1.net has the patch for me
(netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
that when people have tried to patch the Gentoo version of netqmail
they get errors. Has anyone here gotten this working under Gentoo?
Thanks.

-Jason



   



RE: Spam bounceback attack

2007-04-10 Thread R Lists06
> Jason wrote:
> Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
> by default because otherwise my setup would be to blame. :) I'm using
> qmail to handle incoming and outgoing mail for my domain but using a
> very old lan based mail server to actually deliver mail to our users so
> the qmail machine doesn't have any idea who's a valid user and who
> isn't, all non-junk goes into a single mailbox which our lan server
> then retrieves via pop. Outbound works similarly where our lan server
> relays through the qmail machine (no it's not an open relay).
> 
> I'm looking at this patch at the moment:
> 
> http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
> 
> ...but will also look at the ones Jim suggested. Thanks again.
> 
> -Jason
> 

We highly recommend John Simpson's http://qmail.jms1.net and the validrcptto
patch as well.

There is actually a group of patches that John Simpson rolled into one

Many goodies there that can be utilized...

He started that as an addon in regards to and with http://www.qmailrocks.org
and there is still good info although the site hasn't been as well kept as
it could have been the last 6 to 12 months.

There are many other items and links to check out on http://qmail.jms1.net
as well...

If you know and understand everything on that site and a coupla others
related to it, you will do extremely well with your mail server overall.

Of course, the tie in is that at some point I had to better learn about
Spamassassin and joined here for that.

Kind regards,

 - rh

--
Abba Communications Internet 
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




Re: Spam bounceback attack

2007-04-10 Thread J.

--- Jim Maul <[EMAIL PROTECTED]> wrote:

> John D. Hardin wrote:
> > On Tue, 10 Apr 2007, J. wrote:
> > 
> >> I didn't realize that most people are denying smtp connections for
> >> bad addresses. That's great that this is possible. So most of the
> >> people on this list reject connections that are for bad addresses?
> >> That's great. I think that would cut down the spam we get by 90%.
> >> I had no idea this was possible.
> > 
> > That's not *quite* what we're talking about. Sorry if this is a rehash
> > of what you already know:
> > 
> > Proper behavior is to check addresses *during* the SMTP conversation
> > with the submitting MTA/MUA, and reject invalid/nonexistent addresses as
> > the other guy submits them. If any valid addresses are submitted, the
> > mail goes through. If no valid addresses are submitted, it is up to
> > the *other guy* to take some action, such as notifying the sender the
> > mail couldn't be delivered. The connection itself is not blocked or
> > rejected, though you could set up a log watcher to detect IPs that
> > continually submit bad addresses and firewall/tarpit them.
> > 
> > A bulk spam mail tool will likely just ignore the "no such address"
> > rejections, leading to no additional impact on innocent third parties.
> > 
> > Contrast this with having your MTA accept the message for delivery,
> > pass the message on down the chain, and then have some later step
> > realize the address is invalid and generate a notice to the sender
> > address that the message was undeliverable.
> > 
> > You're now generating outbound mail based on a spam you received. This
> > is bad.
> > 
> > If the address was forged and nonexistent, your bounce will be
> > rejected by the supposed sender's MTA; that's not as bad as actually
> > delivering a bounce to a real user, but you're still generating
> > pointless traffic to some innocent third party.
> > 
> > Multiply that by the millions of messages in a typical spam run and
> > you can get a DDoS against whatever address or domain was forged on
> > the spams as the sender address.
> > 
> > Rejecting the addresses during the SMTP conversation doesn't generate
> > this extra traffic.
> > 
> > Configuring your MTA to refuse to accept nonexistent addresses is
> > typically a boolean option in its basic configuration settings, not
> > something esoteric requiring complex addons. Any MTA that doesn't
> > support this basic capability is badly broken by current standards.
> > 
> > Some MTAs will also allow you to slow down the SMTP conversation (e.g.
> > pause a few seconds before sending responses) if more than a few bad
> > addresses are submitted, to mitigate against dictionary attacks.
> > 
> 
> qmail, which I believe the OP was using, is one of these "badly broken by
> current standards" MTAs as you put it.  By default, it accepts ALL mail
> regardless of the validity of the recipient.  It will then generate a
> bounce to the (most likely) forged address when it figures out the
> recipient does not exist.  There are many addons/patches to correct this
> behavior.  I would check (using something other than IE)
> http://qmail.jms1.net for general information and useful patches.  And
> more specifically, http://qmail.jms1.net/patches/validrcptto.cdb.shtml
> which gives you the ability to reject invalid recipients at SMTP time.

Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
by default because otherwise my setup would be to blame. :) I'm using
qmail to handle incoming and outgoing mail for my domain but using a
very old lan based mail server to actually deliver mail to our users so
the qmail machine doesn't have any idea who's a valid user and who
isn't, all non-junk goes into a single mailbox which our lan server
then retrieves via pop. Outbound works similarly where our lan server
relays through the qmail machine (no it's not an open relay).

I'm looking at this patch at the moment:

http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch

...but will also look at the ones Jim suggested. Thanks again.

-Jason


   



Re: Spam bounceback attack

2007-04-10 Thread Jim Maul

John D. Hardin wrote:
> On Tue, 10 Apr 2007, J. wrote:
> 
>> I didn't realize that most people are denying smtp connections for
>> bad addresses. That's great that this is possible. So most of the
>> people on this list reject connections that are for bad addresses?
>> That's great. I think that would cut down the spam we get by 90%.
>> I had no idea this was possible.
> 
> That's not *quite* what we're talking about. Sorry if this is a rehash
> of what you already know:
> 
> Proper behavior is to check addresses *during* the SMTP conversation
> with the submitting MTA/MUA, and reject invalid/nonexistent addresses as
> the other guy submits them. If any valid addresses are submitted, the
> mail goes through. If no valid addresses are submitted, it is up to
> the *other guy* to take some action, such as notifying the sender the
> mail couldn't be delivered. The connection itself is not blocked or
> rejected, though you could set up a log watcher to detect IPs that
> continually submit bad addresses and firewall/tarpit them.
> 
> A bulk spam mail tool will likely just ignore the "no such address"
> rejections, leading to no additional impact on innocent third parties.
> 
> Contrast this with having your MTA accept the message for delivery,
> pass the message on down the chain, and then have some later step
> realize the address is invalid and generate a notice to the sender
> address that the message was undeliverable.
> 
> You're now generating outbound mail based on a spam you received. This
> is bad.
> 
> If the address was forged and nonexistent, your bounce will be
> rejected by the supposed sender's MTA; that's not as bad as actually
> delivering a bounce to a real user, but you're still generating
> pointless traffic to some innocent third party.
> 
> Multiply that by the millions of messages in a typical spam run and
> you can get a DDoS against whatever address or domain was forged on
> the spams as the sender address.
> 
> Rejecting the addresses during the SMTP conversation doesn't generate
> this extra traffic.
> 
> Configuring your MTA to refuse to accept nonexistent addresses is
> typically a boolean option in its basic configuration settings, not
> something esoteric requiring complex addons. Any MTA that doesn't
> support this basic capability is badly broken by current standards.
> 
> Some MTAs will also allow you to slow down the SMTP conversation (e.g.
> pause a few seconds before sending responses) if more than a few bad
> addresses are submitted, to mitigate against dictionary attacks.

qmail, which I believe the OP was using, is one of these "badly broken by 
current standards" MTAs as you put it.  By default, it accepts ALL mail 
regardless of the validity of the recipient.  It will then generate a 
bounce to the (most likely) forged address when it figures out the 
recipient does not exist.  There are many addons/patches to correct this 
behavior.  I would check (using something other than IE) 
http://qmail.jms1.net for general information and useful patches.  And 
more specifically, http://qmail.jms1.net/patches/validrcptto.cdb.shtml 
which gives you the ability to reject invalid recipients at SMTP time.


-Jim


Re: Spam bounceback attack

2007-04-10 Thread J.

--- ram <[EMAIL PROTECTED]> wrote:

> On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
> > --- ram <[EMAIL PROTECTED]> wrote:
> > 
> > > On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> > > > Not sure if this is connected to my aggressive smtp connection rejection
> > > > campaign over the past week, but we've been hit for the first time in
> > > > many months with a backscatter spam attack. Spammer(s) use random
> > > > addresses with our domain for their spamming so we get the flood
> > > > (13000+ since midnight) of bounces.
> > > > 
> > > > Is there a good way to deal with this? 70-80% are getting caught by
> > > > spamassassin, but there are still thousands that get through and I have
> > > > to filter manually (maildrop). Also, I hate the servers that just keep
> > > > the subject line intact when they bounce a message because I can't
> > > > figure out how to filter those. As it is I'm already filtering over 30
> > > > different subject line types to catch different types of bounces. And
> > > > how do I find the legitimate bounces in that haystack? It's a lot of
> > > > fun!
> > > > 
> > > > Thanks.
> > > 
> > > 1) Verify recipient addresses
> > > 2) Add SPF records for your domain. And blacklist those servers who
> > > accept forged mails from your domain and bounce them 
> > > 3) If you are suddenly facing a flush of Mailer-"Demons" give a TEMPFAIL
> > > for <>  , not a great idea but sometimes you have to do this to save
> > > your mail server :-) 
> > 
> > Thanks Ram.  Not sure how to implement recipient verification with my
> > setup, but I'll look into it. I have an SPF record for my domain
> > installed afaik and I'm using the plugin for spamassassin that scores
> > non-spf emails. When these types of attacks happen we get about 15,000
> > bounces per day so I don't know how to blacklist every server that
> > sends bounces without looking at the ip address of every email.
> 
> 
> No, your bounces will not be non-SPF mails. They will be from <>, which you
> must accept. Adding SPF checks allows servers not to accept forged
> messages from your domain; if they still do and then plan to send you
> NDRs, IMHO you have every right to blacklist them ( YMMV ) 
> 
> 
> Blacklisting usually is best done at the firewall; a 10-liner perl script
> will give you all IPs. Simply drop packets at your firewall for such
> IPs and keep refreshing the lists.
> 
> Recipient address verification is an *Absolute must*. If you don't do
> that you will get your own server into trouble and get it listed in
> all RBLs. Just like you are cursing mailservers that are flooding you
> with backscatter, your server too may be generating backscatter for
> others. Don't be a part of the problem please.

We're using the version of qmail smtp that does rbl checking so
hopefully one of those recipient checking patches will work. I didn't
realize that most people are denying smtp connections for bad
addresses. That's great that this is possible. So most of the people on
this list reject connections that are for bad addresses? That's great.
I think that would cut down the spam we get by 90%. I had no idea this
was possible.



   



Re: Spam bounceback attack

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, J. wrote:

> I didn't realize that most people are denying smtp connections for
> bad addresses. That's great that this is possible. So most of the
> people on this list reject connections that are for bad addresses?
> That's great. I think that would cut down the spam we get by 90%.
> I had no idea this was possible.

That's not *quite* what we're talking about. Sorry if this is a rehash
of what you already know:

Proper behavior is to check addresses *during* the SMTP conversation
with the submitting MTA/MUA, and reject invalid/nonexistent addresses as
the other guy submits them. If any valid addresses are submitted, the
mail goes through. If no valid addresses are submitted, it is up to
the *other guy* to take some action, such as notifying the sender the
mail couldn't be delivered. The connection itself is not blocked or
rejected, though you could set up a log watcher to detect IPs that
continually submit bad addresses and firewall/tarpit them.

A bulk spam mail tool will likely just ignore the "no such address"  
rejections, leading to no additional impact on innocent third parties.

Contrast this with having your MTA accept the message for delivery, 
pass the message on down the chain, and then have some later step 
realize the address is invalid and generate a notice to the sender 
address that the message was undeliverable.

You're now generating outbound mail based on a spam you received. This 
is bad.

If the address was forged and nonexistent, your bounce will be 
rejected by the supposed sender's MTA; that's not as bad as actually 
delivering a bounce to a real user, but you're still generating 
pointless traffic to some innocent third party.

Multiply that by the millions of messages in a typical spam run and 
you can get a DDoS against whatever address or domain was forged on 
the spams as the sender address.

Rejecting the addresses during the SMTP conversation doesn't generate 
this extra traffic.

Configuring your MTA to refuse to accept nonexistent addresses is
typically a boolean option in its basic configuration settings, not
something esoteric requiring complex addons. Any MTA that doesn't
support this basic capability is badly broken by current standards.

Some MTAs will also allow you to slow down the SMTP conversation (e.g.  
pause a few seconds before sending responses) if more than a few bad
addresses are submitted, to mitigate against dictionary attacks.

HTH.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."-- Cringely, 4/8/2004
---
 3 days until Thomas Jefferson's 264th Birthday
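The two behaviours John contrasts above (a 550 at RCPT TO time versus accept-everything-and-bounce-later), walked through as a toy SMTP transaction. This is an added example, not code from this thread, from qmail or from the validrcptto patch; the recipient table, the example.org domain and the spam run are constructed.

```python
"""Toy model of the two behaviours contrasted in the post above: rejecting an
unknown recipient with a 5xx reply at RCPT TO time, versus accepting everything
(catch-all) and bouncing later.  Added example: not code from the thread, from
qmail or from the validrcptto patch.  The recipient table, the domain and the
spam run below are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed stand-in for whatever the MTA consults at RCPT TO time
# (a validrcptto-style lookup table, a local passwd file, an LDAP query, ...).
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org", "postmaster@example.org"}


@dataclass
class Outcome:
    replies: list = field(default_factory=list)   # what the submitting MTA saw
    accepted: list = field(default_factory=list)  # recipients we took responsibility for
    bounces: list = field(default_factory=list)   # (to, about) DSNs we would have to send


def rcpt_reply(address, valid):
    """Reply to a single RCPT TO.  550 5.1.1 is the permanent 'no such user'
    reply; the submitting MTA, not us, then decides what to tell its sender."""
    if address.lower() in valid:
        return "250 2.1.5 ok"
    return "550 5.1.1 no such user"


def run_session(mail_from, rcpts, valid, reject_at_rcpt):
    """Walk one SMTP transaction.  reject_at_rcpt=True is the behaviour the
    post calls proper; False is the catch-all behaviour (accept now, discover
    the bad address downstream, bounce to MAIL FROM)."""
    out = Outcome()
    out.replies.append(f"MAIL FROM:<{mail_from}> -> 250 2.1.0 ok")
    for r in rcpts:
        reply = rcpt_reply(r, valid) if reject_at_rcpt else "250 2.1.5 ok"
        out.replies.append(f"RCPT TO:<{r}> -> {reply}")
        if reply.startswith("250"):
            out.accepted.append(r)
    if not out.accepted:
        # Every recipient was refused: refuse the message too.  No mail leaves
        # our side, so a forged sender address costs nobody anything.
        out.replies.append("DATA -> 554 5.5.1 no valid recipients")
        return out
    out.replies.append("DATA -> 250 2.0.0 queued")
    # Downstream delivery.  Anything accepted for an unknown user is now our
    # problem; the only thing left to do is a non-delivery report to MAIL FROM,
    # which for spam is almost always a forged third party.
    for r in out.accepted:
        if r.lower() not in valid and mail_from:
            out.bounces.append((mail_from, r))
        # mail_from == "" is the null sender <>: a bounce of a bounce is never
        # sent, which is why backscatter stops after one hop.
    return out


# Constructed spam run: forged senders, mostly dictionary-style recipients.
SPAM_RUN = [
    ("victim1@forged.example", ["qwerty@example.org", "alice@example.org"]),
    ("victim2@forged.example", ["asdf@example.org", "zxcv@example.org"]),
    ("", ["ghjk@example.org"]),   # someone else's backscatter hitting us
]


def backscatter_count(spam_run, valid, reject_at_rcpt):
    """Number of DSNs we would emit to third parties for the whole run."""
    return sum(len(run_session(f, r, valid, reject_at_rcpt).bounces)
               for f, r in spam_run)


if __name__ == "__main__":
    for mode in (True, False):
        print(f"reject_at_rcpt={mode}: "
              f"{backscatter_count(SPAM_RUN, VALID_RECIPIENTS, mode)} bounces generated")
    for line in run_session("victim1@forged.example", ["qwerty@example.org"],
                            VALID_RECIPIENTS, True).replies:
        print(line)
```

With rejection at RCPT TO the run produces no outbound mail at all; in catch-all mode every accepted-but-invalid recipient turns into a DSN aimed at the forged sender, which is the traffic the post calls a DDoS when multiplied by a spam run.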



Re: Spam bounceback attack

2007-04-10 Thread David Morton



On Apr 10, 2007, at 12:13 PM, J. wrote:

>> Recipient address verification is an *Absolute must*. If you don't do
>> that you will get your own server into trouble and get it listed in
>> all RBLs. Just like you are cursing mailservers that are flooding you
>> with backscatter, your server too may be generating backscatter for
>> others. Don't be a part of the problem please.
>
> We're using the version of qmail smtp that does rbl checking so
> hopefully one of those recipient checking patches will work. I didn't
> realize that most people are denying smtp connections for bad
> addresses. That's great that this is possible. So most of the people on
> this list reject connections that are for bad addresses? That's great.
> I think that would cut down the spam we get by 90%. I had no idea this
> was possible.

???

There are all sorts of ways to reject bad addresses.  Mail servers  
*must* reject unknown recipients; it's not just common practice, it's  
the only sane thing to do.  Why waste resources for nonexistent  
addresses?


Here's a link that has links for many MTA's.

http://spamlinks.net/prevent-secure-backscatter.htm


David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]





Re: Spam bounceback attack

2007-04-10 Thread ram
On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
> --- ram <[EMAIL PROTECTED]> wrote:
> 
> > On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> > > Not sure if this is connected to my aggressive smtp connection rejection
> > > campaign over the past week, but we've been hit for the first time in
> > > many months with a backscatter spam attack. Spammer(s) use random
> > > addresses with our domain for their spamming so we get the flood
> > > (13000+ since midnight) of bounces.
> > > 
> > > Is there a good way to deal with this? 70-80% are getting caught by
> > > spamassassin, but there are still thousands that get through and I have
> > > to filter manually (maildrop). Also, I hate the servers that just keep
> > > the subject line intact when they bounce a message because I can't
> > > figure out how to filter those. As it is I'm already filtering over 30
> > > different subject line types to catch different types of bounces. And
> > > how do I find the legitimate bounces in that haystack? It's a lot of
> > > fun!
> > > 
> > > Thanks.
> > 
> > 1) Verify recipient addresses
> > 2) Add SPF records for your domain. And blacklist those servers who
> > accept forged mails from your domain and bounce them 
> > 3) If you are suddenly facing a flush of Mailer-"Demons" give a TEMPFAIL
> > for <>  , not a great idea but sometimes you have to do this to save
> > your mail server :-) 
> 
> Thanks Ram.  Not sure how to implement recipient verification with my
> setup, but I'll look into it. I have an SPF record for my domain
> installed afaik and I'm using the plugin for spamassassin that scores
> non-spf emails. When these types of attacks happen we get about 15,000
> bounces per day so I don't know how to blacklist every server that
> sends bounces without looking at the ip address of every email.


No, your bounces will not be non-SPF mails. They will be from <>, which you
must accept. Adding SPF checks allows servers not to accept forged
messages from your domain; if they still do and then plan to send you
NDRs, IMHO you have every right to blacklist them ( YMMV ) 


Blacklisting usually is best done at the firewall; a 10-liner perl script
will give you all IPs. Simply drop packets at your firewall for such
IPs and keep refreshing the lists.

Recipient address verification is an *Absolute must*. If you don't do
that you will get your own server into trouble and get it listed in
all RBLs. Just like you are cursing mailservers that are flooding you
with backscatter, your server too may be generating backscatter for
others. Don't be a part of the problem please.



Thanks
Ram
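The per-IP counting behind both the firewall list ram describes and the log watcher John Hardin mentions in his post above, as an added example that is not code from this thread. The one-record-per-line log format, the addresses and the thresholds are constructed; a real qmail or rblsmtpd log has its own layout, so the regex is an assumption to be adapted.

```python
"""Per-IP counting for the two drop lists discussed above: sources that keep
submitting bad RCPT TO addresses (dictionary attacks) and sources that keep
delivering null-sender bounces to addresses we never had (backscatter).
Added example, not code from the thread.  The "ts ip mail_from rcpt_to code"
line format, the addresses and the thresholds are constructed; a real qmail
or rblsmtpd log needs its own regex (assumption)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records: one RCPT TO per line with the reply code we gave.
SAMPLE_LOG = """\
2007-04-10T09:00:01 192.0.2.10 spam@bad.example asdf@example.org 550
2007-04-10T09:00:02 192.0.2.10 spam@bad.example qwer@example.org 550
2007-04-10T09:00:03 192.0.2.10 spam@bad.example zxcv@example.org 550
2007-04-10T09:00:04 192.0.2.10 spam@bad.example alice@example.org 250
2007-04-10T09:00:05 192.0.2.10 spam@bad.example hjkl@example.org 550
2007-04-10T09:00:06 192.0.2.10 spam@bad.example uiop@example.org 550
2007-04-10T09:01:00 203.0.113.5 friend@partner.example alice@example.org 250
2007-04-10T09:01:30 203.0.113.5 friend@partner.example bobb@example.org 550
2007-04-10T09:02:00 198.51.100.7 <> rnd1@example.org 550
2007-04-10T09:02:01 198.51.100.7 <> rnd2@example.org 550
2007-04-10T09:02:02 198.51.100.7 <> rnd3@example.org 550
2007-04-10T09:02:03 198.51.100.7 <> bob@example.org 250
2007-04-10T09:03:00 198.51.100.9 <> alice@example.org 250
2007-04-10T11:00:00 192.0.2.11 x@bad.example a1@example.org 550
2007-04-10T11:20:00 192.0.2.11 x@bad.example a2@example.org 550
2007-04-10T11:40:00 192.0.2.11 x@bad.example a3@example.org 550
2007-04-10T12:00:00 192.0.2.11 x@bad.example a4@example.org 550
2007-04-10T12:20:00 192.0.2.11 x@bad.example a5@example.org 550
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}  # constructed


@dataclass
class RcptEvent:
    ts: datetime
    ip: str
    mail_from: str
    rcpt: str
    code: str


def parse_log(text):
    """One RcptEvent per well-formed line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, mail_from, rcpt, code = m.groups()
            events.append(RcptEvent(datetime.fromisoformat(ts), ip, mail_from, rcpt, code))
    return events


def dictionary_attackers(events, threshold=5, window=timedelta(minutes=10)):
    """IPs that collected >= threshold 'no such user' replies inside any window.
    The burst is the signal; the same five rejects spread over hours are not."""
    rejects = defaultdict(list)
    for e in events:
        if e.code == "550":
            rejects[e.ip].append(e.ts)
    flagged = []
    for ip, times in rejects.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def backscatter_sources(events, valid, threshold=3):
    """IPs sending >= threshold null-sender messages to addresses we never had.
    A bounce to a real user may be legitimate; a bounce to rnd1@ cannot be."""
    counts = Counter(e.ip for e in events
                     if e.mail_from == "<>" and e.rcpt.lower() not in valid)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def firewall_candidates(text, valid):
    """Both lists from one pass over the log.  Rebuild the drop list on every
    run rather than appending, so entries expire ("keep refreshing the lists")."""
    events = parse_log(text)
    return {"dictionary": dictionary_attackers(events),
            "backscatter": backscatter_sources(events, valid)}


if __name__ == "__main__":
    for kind, ips in firewall_candidates(SAMPLE_LOG, VALID_RECIPIENTS).items():
        print(kind, ips)
```

Note that once recipient verification is in place, backscatter to random local addresses also shows up as 550 replies, so the same reject counter catches both kinds of source; the separate null-sender check only matters while a catch-all is still accepting them.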







Re: Spam bounceback attack

2007-04-09 Thread J.

--- "Rob McEwen (PowerView Systems)" <[EMAIL PROTECTED]> wrote:

> "J." said:
> >Thanks Ram.  Not sure how to implement recipient verification with
> my
> >setup, but I'll look into it. I have an SPF record for my domain
> 
> I'm confused. Are you all saying that J's mail server was processing
> all incoming e-mails, even if there wasn't an alias set up on that
> domain? in other words, "catch-all" accounts? I thought that just
> about everyone has moved away from "catch-all" accounts due to
> dictionary attacks.
> 
> I was thinking, isn't recipient verification a "given"??!!
> 
> Surely, I must be confused! Please clarify. 
> 
> Rob McEwen

Hi Rob,

Yes, I am using a catch-all account for the domain with our qmail
machine. Once spam has been filtered we pass all ham along to a lan
based email server which will bounce mails sent to bad recipients.
Qmail puts all the ham into a single mail account and the lan mail
server uses pop to get it all and then redistributes it to the local
users. The problem is that not all spam bounces were being caught by
spamassassin, so we'd end up generating some bounces. I could just
ignore that issue, but I'd rather just ignore/delete bounces that
aren't from mail we sent.


 



Re: Spam bounceback attack

2007-04-09 Thread Rob McEwen (PowerView Systems)
"J." said:
>Thanks Ram.  Not sure how to implement recipient verification with my
>setup, but I'll look into it. I have an SPF record for my domain

I'm confused. Are you all saying that J's mail server was processing all 
incoming e-mails, even if there wasn't an alias set up on that domain? in other 
words, "catch-all" accounts? I thought that just about everyone has moved away 
from "catch-all" accounts due to dictionary attacks.

I was thinking, isn't recipient verification a "given"??!!

Surely, I must be confused! Please clarify. 

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: Spam bounceback attack

2007-04-09 Thread Jamie L. Penman-Smithson


On 9 Apr 2007, at 15:18, J. wrote:

> --- ram <[EMAIL PROTECTED]> wrote:
>
>> 1) Verify recipient addresses
>> 2) Add SPF records for your domain. And blacklist those servers who
>> accept forged mails from your domain and bounce them
>> 3) If you are suddenly facing a flush of Mailer-"Demons" give a TEMPFAIL
>> for <>  , not a great idea but sometimes you have to do this to save
>> your mail server :-)
>
> Thanks Ram.  Not sure how to implement recipient verification with my
> setup, but I'll look into it. I have an SPF record for my domain
> installed afaik and I'm using the plugin for spamassassin that scores
> non-spf emails. When these types of attacks happen we get about 15,000
> bounces per day so I don't know how to blacklist every server that
> sends bounces without looking at the ip address of every email.


Recipient verification with qmail:


-j




Re: Spam bounceback attack

2007-04-09 Thread J.

--- ram <[EMAIL PROTECTED]> wrote:

> On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> > Not sure if this is connected to my aggressive smtp connection rejection
> > campaign over the past week, but we've been hit for the first time in
> > many months with a backscatter spam attack. Spammer(s) use random
> > addresses with our domain for their spamming so we get the flood
> > (13000+ since midnight) of bounces.
> > 
> > Is there a good way to deal with this? 70-80% are getting caught by
> > spamassassin, but there are still thousands that get through and I have
> > to filter manually (maildrop). Also, I hate the servers that just keep
> > the subject line intact when they bounce a message because I can't
> > figure out how to filter those. As it is I'm already filtering over 30
> > different subject line types to catch different types of bounces. And
> > how do I find the legitimate bounces in that haystack? It's a lot of
> > fun!
> > 
> > Thanks.
> 
> 1) Verify recipient addresses
> 2) Add SPF records for your domain. And blacklist those servers who
> accept forged mails from your domain and bounce them 
> 3) If you are suddenly facing a flush of Mailer-"Demons" give a TEMPFAIL
> for <>  , not a great idea but sometimes you have to do this to save
> your mail server :-) 

Thanks Ram.  Not sure how to implement recipient verification with my
setup, but I'll look into it. I have an SPF record for my domain
installed afaik and I'm using the plugin for spamassassin that scores
non-spf emails. When these types of attacks happen we get about 15,000
bounces per day so I don't know how to blacklist every server that
sends bounces without looking at the ip address of every email.



 



Re: Spam bounceback attack

2007-04-09 Thread ram
On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> Not sure if this is connected to my aggressive smtp connection rejection
> campaign over the past week, but we've been hit for the first time in
> many months with a backscatter spam attack. Spammer(s) use random
> addresses with our domain for their spamming so we get the flood
> (13000+ since midnight) of bounces.
> 
> Is there a good way to deal with this? 70-80% are getting caught by
> spamassassin, but there are still thousands that get through and I have
> to filter manually (maildrop). Also, I hate the servers that just keep
> the subject line intact when they bounce a message because I can't
> figure out how to filter those. As it is I'm already filtering over 30
> different subject line types to catch different types of bounces. And
> how do I find the legitimate bounces in that haystack? It's a lot of
> fun!
> 
> Thanks.

1) Verify recipient addresses
2) Add SPF records for your domain. And blacklist those servers who
accept forged mails from your domain and bounce them 
3) If you are suddenly facing a flush of Mailer-"Demons" give a TEMPFAIL
for <>  , not a great idea but sometimes you have to do this to save
your mail server :-) 

Thanks
Ram





Re: Spam bounceback attack

2007-04-08 Thread Loren Wilton

> One issue is that I have fast_spamassassin turned on so I don't get to
> filter on specific rules that a mail hits. Do you use this and if so,
> do you know if you have to filter based on the rule getting hit?


This is the Qmail thing that throws away the SA markup, isn't it?

I'm not running vbounce here, but I'd expect that they add score like any 
rules, so you should be able to filter on a high score from SA, which is 
probably what you are doing now.  You might want to tweak some of the scores 
in the ruleset, and for that you might want to enable the SA markup for a 
while to see what it is showing.


   Loren




Re: Spam bounceback attack

2007-04-08 Thread Bill Landry
J. wrote the following on 4/8/2007 4:11 PM -0800:
> --- Bill Landry <[EMAIL PROTECTED]> wrote:
>
>> Also, have you taken a look at the SA "vbounce" ruleset?  See:
>>
>> http://wiki.apache.org/spamassassin/VBounceRuleset
>
> One issue is that I have fast_spamassassin turned on so I don't get to
> filter on specific rules that a mail hits. Do you use this and if so,
> do you know if you have to filter based on the rule getting hit?
>
Sorry, I don't have a clue what fast_spamassassin is.  I block
backscatter via Postfix, so I don't use the vbounce plugin.

Bill


Re: Spam bounceback attack

2007-04-08 Thread J.

--- Bill Landry <[EMAIL PROTECTED]> wrote:

> Also, have you taken a look at the SA "vbounce" ruleset?  See:
> 
> http://wiki.apache.org/spamassassin/VBounceRuleset

One issue is that I have fast_spamassassin turned on so I don't get to
filter on specific rules that a mail hits. Do you use this and if so,
do you know if you have to filter based on the rule getting hit?




Re: Spam bounceback attack

2007-04-08 Thread J.

--- Bill Landry <[EMAIL PROTECTED]> wrote:

> J. wrote the following on 4/8/2007 11:14 AM -0800:
> > Not sure if this is connected to my aggressive smtp connection rejection
> > campaign over the past week, but we've been hit for the first time in
> > many months with a backscatter spam attack. Spammer(s) use random
> > addresses with our domain for their spamming so we get the flood
> > (13000+ since midnight) of bounces.
> >
> > Is there a good way to deal with this? 70-80% are getting caught by
> > spamassassin, but there are still thousands that get through and I have
> > to filter manually (maildrop). Also, I hate the servers that just keep
> > the subject line intact when they bounce a message because I can't
> > figure out how to filter those. As it is I'm already filtering over 30
> > different subject line types to catch different types of bounces. And
> > how do I find the legitimate bounces in that haystack? It's a lot of
> > fun!
> >
> > Thanks
> What MTA are you using?  If Postfix, take a look at:
> http://www.postfix.org/BACKSCATTER_README.html
> 
> Also, have you taken a look at the SA "vbounce" ruleset?  See:
> 
> http://wiki.apache.org/spamassassin/VBounceRuleset

Thanks. That's great that there's a rule and plugin. I'm using qmail.




Re: Spam bounceback attack

2007-04-08 Thread Matt Kettler
J. wrote:
> Not sure if this is connected to my aggressive smtp connection rejection
> campaign over the past week, but we've been hit for the first time in
> many months with a backscatter spam attack. Spammer(s) use random
> addresses with our domain for their spamming so we get the flood
> (13000+ since midnight) of bounces.
>
> Is there a good way to deal with this?
If the addresses are random, then most of them shouldn't match local
accounts.. So you shouldn't be accepting them at the MTA layer.

Only accepting mail for proper recipients is your first line of defense
here.
>  70-80% are getting caught by
> spamassassin, but there are still thousands that get through and I have
> to filter manually (maildrop). Also, I hate the servers that just keep
> the subject line intact when they bounce a message because I can't
> figure out how to filter those. As it is I'm already filtering over 30
> different subject line types to catch different types of bounces. And
> how do I find the legitimate bounces in that haystack? It's a lot of
> fun!
>   
Backscatter's a PITA. Personally, I strongly suggest blacklisting all
the servers that originate it. There's no excuse to do mass-volume
post-delivery bouncing anymore, and anyone doing so should be regarded
as a form of "smurf amplifier" or open relay. Sure, the occasional
post-delivery bounce will happen, but it should be the exception (i.e.
mail delivery while you're in the middle of deleting a terminated
account), not the rule (accept everything, then bounce later).

Spamcop lists sites generating backscatter, so you could use that, or
just hard blacklist them manually.

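Matt's "only accept mail for proper recipients at the MTA layer" and Ram's three steps (verify recipients, publish SPF, temp-fail <> during a flood) are all decisions taken at RCPT TO time, before the message body is ever accepted. The following is an added example, not code from anyone in this thread and not from qmail, Postfix or SpamAssassin: a Python policy function that applies those rules, with a small SPF evaluator for the ip4/ip6/all mechanisms so it runs without DNS. The domain, the list of valid users and the SPF records are constructed; rejecting any SPF hard fail (not only forged mail claiming to be from our own domain) is an assumption of the example.

```python
"""RCPT-time policy against backscatter (added example, constructed data).

Rejecting an unknown recipient at RCPT TO means the *sending* MTA has to
deal with the refusal; nothing is accepted and then bounced by us, so we
generate no backscatter.  Temp-failing the null sender (<>) under a flood
makes real bounces retry later while the junk is not queued now.
"""
import ipaddress

# Constructed: our domain, the mailboxes we really host, and the SPF TXT
# records a resolver would return (hypothetical, so no DNS is needed).
OUR_DOMAIN = "example.org"
VALID_RCPTS = {"alice@example.org", "bob@example.org", "postmaster@example.org"}
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:198.51.100.0/28 ip6:2001:db8::/48 -all",
    "example.net": "v=spf1 ip4:203.0.113.9 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(client_ip, sender_domain, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against client_ip.

    Simplified on purpose: mechanisms that need DNS (a, mx, include, ptr,
    exists) and the redirect= modifier are reported as "permerror" instead of
    being silently skipped, so a record we cannot fully evaluate never
    produces a bogus pass or fail.
    """
    record = records.get(sender_domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        if "=" in term:                       # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                return "permerror"
            continue                          # exp= is informational only
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP => /32 or /128
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
            continue
        return "permerror"
    return "neutral"                          # nothing matched, no 'all' term


def rcpt_policy(client_ip, mail_from, rcpt_to, flood=False):
    """Return the SMTP reply (code, text) for one RCPT TO."""
    rcpt = rcpt_to.strip("<>").lower()
    if not rcpt.endswith("@" + OUR_DOMAIN):
        return 554, "5.7.1 relay access denied"
    if rcpt not in VALID_RCPTS:
        # Random addresses in our domain die here, at the remote MTA's expense.
        return 550, "5.1.1 no such user"
    sender = mail_from.strip("<>").lower()
    if sender == "":
        # Null sender: a bounce.  Under a flood, defer instead of accepting.
        if flood:
            return 451, "4.7.1 too many bounces right now, try again later"
        return 250, "2.1.5 ok"
    domain = sender.rpartition("@")[2]
    if spf_check(client_ip, domain) == "fail":
        # The sender's own published policy says this host may not use it.
        return 550, "5.7.1 sender forged: SPF fail for " + domain
    return 250, "2.1.5 ok"


if __name__ == "__main__":
    for args in [("203.0.113.9", "<spam@example.net>", "<zq8k1@example.org>"),
                 ("192.0.2.44", "<alice@example.org>", "<bob@example.org>"),
                 ("203.0.113.9", "<>", "<alice@example.org>", True)]:
        print(args, "->", rcpt_policy(*args))
```

The order of the checks matters: the recipient test comes first because it is cheap and needs no lookups, and because a random-recipient backscatter message carries the null sender, so the <> branch would otherwise accept it for a user who does not exist.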





Re: Spam bounceback attack

2007-04-08 Thread Bill Landry
J. wrote the following on 4/8/2007 11:14 AM -0800:
> Not sure if this is connected to my aggressive smtp connection rejection
> campaign over the past week, but we've been hit for the first time in
> many months with a backscatter spam attack. Spammer(s) use random
> addresses with our domain for their spamming so we get the flood
> (13000+ since midnight) of bounces.
>
> Is there a good way to deal with this? 70-80% are getting caught by
> spamassassin, but there are still thousands that get through and I have
> to filter manually (maildrop). Also, I hate the servers that just keep
> the subject line intact when they bounce a message because I can't
> figure out how to filter those. As it is I'm already filtering over 30
> different subject line types to catch different types of bounces. And
> how do I find the legitimate bounces in that haystack? It's a lot of
> fun!
>
> Thanks
What MTA are you using?  If Postfix, take a look at:
http://www.postfix.org/BACKSCATTER_README.html

Also, have you taken a look at the SA "vbounce" ruleset?  See:

http://wiki.apache.org/spamassassin/VBounceRuleset

Good luck!

Bill

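The VBounce ruleset Bill points to (and that J. and Loren discuss in the replies above) separates real bounces from backscatter by one check: a genuine bounce of mail we sent contains a copy of our message, and that copy's Received: headers name one of our own outbound relays (the plugin's whitelist_bounce_relays setting). The following is an added example in Python, not code from the thread and not the SpamAssassin plugin itself: it detects a DSN, scans only the returned copy (the enclosed message/rfc822 part, a text/rfc822-headers part, or header lines quoted in the body, which is what the "subject line intact" bouncers send) for "by <host>" clauses, and compares them against our relay names. The relay hostnames and all four sample messages are constructed for the example.

```python
"""Legitimate bounce or backscatter?  Added example built on the idea behind
SpamAssassin's VBounce plugin; hostnames and messages are constructed."""
import email
import re
from email import policy

# Hypothetical hostnames of our outbound MTAs (cf. whitelist_bounce_relays).
OUR_RELAYS = {"mx1.example.org", "smtp-out.example.org"}
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9][A-Za-z0-9.\-]*)", re.I)


def is_bounce(msg):
    """Does this message present itself as a delivery status notification?"""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    if str(msg.get("Return-Path", "")).strip() == "<>":
        return True
    sender = str(msg.get("From", "")).lower()
    return "mailer-daemon" in sender or sender.startswith("postmaster")


def relays_in_returned_copy(msg):
    """Hosts named in 'by' clauses of Received: lines of the *returned copy*.

    The DSN's own top-level Received: headers are never consulted: the bounce
    was delivered to us, so they always name our MX and would make every
    piece of backscatter look legitimate.  Only bodies and enclosed messages
    are scanned.
    """
    hosts = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":                 # full enclosed original
            inner = part.get_payload(0)
            for hdr in inner.get_all("Received", []):
                hosts.update(h.lower() for h in BY_HOST.findall(str(hdr)))
        elif part.get_content_maintype() == "text":   # text/plain, text/rfc822-headers
            body = part.get_payload(decode=True) or b""
            text = body.decode(part.get_content_charset() or "ascii", "replace")
            for line in text.splitlines():
                if line.lower().startswith("received:"):
                    hosts.update(h.lower() for h in BY_HOST.findall(line))
    return hosts


def returned_relays(raw):
    return relays_in_returned_copy(email.message_from_string(raw, policy=policy.default))


def classify(raw):
    """'not-a-bounce', 'legitimate-bounce' or 'backscatter' for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-a-bounce"
    if relays_in_returned_copy(msg) & OUR_RELAYS:
        return "legitimate-bounce"
    return "backscatter"


# Constructed samples.  Both DSNs arrived via our MX (top-level "by mx1"),
# which must not count; only the second one encloses a copy that passed
# through our relay.
DSN_HEAD = """Return-Path: <>
Received: from mail.example.net (mail.example.net [203.0.113.9]) by mx1.example.org with ESMTP; Sun, 8 Apr 2007 12:00:00 -0800
From: Mail Delivery System <MAILER-DAEMON@mail.example.net>
To: alice@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: text/plain

The address bob@example.net does not exist.

--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net
Final-Recipient: rfc822; bob@example.net
Action: failed
Status: 5.1.1

--dsn
Content-Type: message/rfc822

"""
BACKSCATTER = DSN_HEAD + """Received: from unknown (HELO example.org) (198.51.100.77) by mail.example.net with SMTP; Sun, 8 Apr 2007 11:59:00 -0800
From: zq8k1@example.org
To: bob@example.net
Subject: Cheap watches

buy now
--dsn--
"""
LEGIT = DSN_HEAD + """Received: from mx1.example.org (mx1.example.org [198.51.100.2]) by mail.example.net with ESMTP; Sun, 8 Apr 2007 11:59:00 -0800
Received: from alice-pc (localhost [127.0.0.1]) by mx1.example.org with ESMTP; Sun, 8 Apr 2007 11:58:00 -0800
From: alice@example.org
To: bob@example.net
Subject: lunch?

Are you free at noon?
--dsn--
"""
# A qmail-style plain-text bounce that only quotes the original's headers.
TEXT_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@mail.example.net
To: alice@example.org
Subject: failure notice

Hi. This is the qmail-send program at mail.example.net.
I wasn't able to deliver your message to the following addresses.

--- Below this line is a copy of the message.

Received: from smtp-out.example.org (198.51.100.3) by mail.example.net with SMTP; Sun, 8 Apr 2007 11:59:00 -0800
Received: from [192.0.2.10] by smtp-out.example.org with ESMTP; Sun, 8 Apr 2007 11:58:00 -0800
From: alice@example.org
Subject: lunch?
"""
NORMAL = """Return-Path: <carol@example.net>
From: carol@example.net
To: alice@example.org
Subject: Re: lunch?
Content-Type: text/plain

Received: this is body text, not a header, and is scanned but harmless.
"""

if __name__ == "__main__":
    for name, raw in [("LEGIT", LEGIT), ("BACKSCATTER", BACKSCATTER),
                      ("TEXT_BOUNCE", TEXT_BOUNCE), ("NORMAL", NORMAL)]:
        print(name, "->", classify(raw))
```

The obvious caveat carries over from the plugin: relay names in a quoted copy are attacker-controlled text, so a spammer who knows your relay hostnames can forge a Received: line and pass this check. It removes the haystack J. describes, it does not replace rejecting unknown recipients at RCPT time.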

Spam bounceback attack

2007-04-08 Thread J.
Not sure if this is connected to my aggressive smtp connection rejection
campaign over the past week, but we've been hit for the first time in
many months with a backscatter spam attack. Spammer(s) use random
addresses with our domain for their spamming so we get the flood
(13000+ since midnight) of bounces.

Is there a good way to deal with this? 70-80% are getting caught by
spamassassin, but there are still thousands that get through and I have
to filter manually (maildrop). Also, I hate the servers that just keep
the subject line intact when they bounce a message because I can't
figure out how to filter those. As it is I'm already filtering over 30
different subject line types to catch different types of bounces. And
how do I find the legitimate bounces in that haystack? It's a lot of
fun!

Thanks.

