Backscatter spam not getting filtered by SA

modem

Hello all,

About 10pm on Sept 14 I started receiving upwards of 150 backscatter emails per hour. Prior to 10pm I had maybe 5 total spams in 6 hours. Anyway, I noticed some of the backscatter email was getting flagged and tagged by SA and the other half was not. When I checked the email headers I noticed that for the spam that was NOT being tagged by SA, it was showing its score as -2.6 (negative).

I immediately checked my SpamAssassin configuration to make sure that no certain domains were being intentionally allowed through. None were.

The next thing I checked was the SpamAssassin headers. For email being tagged, it was checking the email against the BAYES_00, URIBL_BLACK, URIBL_OB_SURBL, URIBL_RHS_DOB, URIBL_SBL and URIBL_WS_SURBL lists. However, for the spam being allowed through with the negative -2.6 rating, only BAYES_00 was being used.

Is this something I can fix? How do I go about it? Here is a sample of the headers from a tagged and a non-tagged spam email:

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
stargatesg1.modemnet.net
X-Spam-Level: ****
X-Spam-Status: Yes, score=4.9 required=3.0 tests=BAYES_00,URIBL_BLACK,
URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_WS_SURBL autolearn=no
version=3.2.5

********************

X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
stargatesg1.modemnet.net
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=3.0 tests=BAYES_00 autolearn=ham
version=3.2.5
 
I emailed John (DA Support) the following, wondering if these have anything to do with the recent surge in backscatter email in the last 12 hours. If anyone can offer any thoughts or suggestions on this problem, it would be greatly appreciated!

Bradley

*****************
John,

Yesterday around 10pm I started getting a ton of 'backscatter/blowback' emails that were being sent back from email servers all around the world. This was a major spam attack with upwards of 5 emails per minute bouncing back. Upon closer inspection and research on the DA forums and on SA mailing list archives, this shouldn't be happening. Jlasman indicated in one of the forums that the Exim.conf file will not accept email back on the server that didn't originate from the server. I'm wondering why so much 'return' email is coming at me.

Am I correct in believing that Jlasman means that if someone sends email through another SMTP gateway using my email address as the 'return to' address that when other servers reject the email that my server with Exim and the exim.conf file that Jlasman created should ignore those emails with me never seeing them?

Also, this leads me to a question: recently I've seen in the Exim mail queue frozen emails from legitimate email addresses of customers of mine, destined for odd email addresses. Upon inspection of the body of those emails it's clearly porn/drug/stock emails. But the mail queue says they are originating from my server. Does that mean my server is *NOT* secure as an SMTP gateway? Has something been compromised? Or is a client PC in those accounts compromised/infected and thus sending out spam?

Thanks!

Bradley
 
The problem with this backscatter is some bot/person is mass-mailing to [email protected] (hosted at your server) with [email protected] in the reply-to header. Your server doesn't accept the mail because the mail account doesn't exist. So it sends an NDR. But what Exim _really_ has to do is deny relay to non-existent accounts before queuing the mail for processing. Sending NDRs is oldskool and should only be done for local mail accounts.
With the default config I got with DA this isn't fixed at all.
 
modem, please post the (non-munged) headers from at least one of those emails.

Jeff
 
Return-path: <>
Envelope-to: <<REMOVED MY EMAIL ADDRESS>>
Delivery-date: Fri, 19 Sep 2008 18:41:53 -0400
Received: from mail by <<REMOVED>>.modemnet.net with spam-scanned (Exim 4.69)
id 1Kgofg-0004zW-JW
for <<REMOVED MY EMAIL ADDRESS>>; Fri, 19 Sep 2008 18:41:53 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
<<REMOVED>>.modemnet.net
X-Spam-Level:
X-Spam-Status: No, score=-2.4 required=3.0 tests=ANY_BOUNCE_MESSAGE,BAYES_00,
BOUNCE_MESSAGE,HTML_MESSAGE autolearn=no version=3.2.5
Received: from <<REMOVED>>.everyone.net ([216.200.145.37] helo=omta0101.mta.everyone.net)
by <<REMOVED>>.modemnet.net with esmtp (Exim 4.69)
id 1Kgofg-0004zQ-FS
for <<REMOVED MY EMAIL ADDRESS>>; Fri, 19 Sep 2008 18:41:52 -0400
Received: from dm36.mta.everyone.net (sj1-slb03-gw2 [172.16.1.96])
by omta0101.mta.everyone.net (Postfix) with ESMTP id 258C57C3B6B
for <<REMOVED MY EMAIL ADDRESS>>; Fri, 19 Sep 2008 15:42:01 -0700 (PDT)
X-Eon-Delivered-To: <<REMOVED MY EMAIL ADDRESS>>
X-Eon-Dm: dm36
Received: from blackhole2.hknet.com (202.67.240.245 [202.67.240.245])
by dm36.mta.everyone.net (EON-INBOUND) with ESMTP id dm36.48d2823c.520a55
for <<REMOVED MY EMAIL ADDRESS>>; Fri, 19 Sep 2008 15:42:00 -0700
Received: from hknpx5.hknet.com (hknpx5.hknet.com [202.67.240.147])
by blackhole2.hknet.com (Postfix) with ESMTP id 1464515545D
for <<REMOVED MY EMAIL ADDRESS>>; Mon, 15 Sep 2008 12:57:33 +0800 (HKT)
Received: by hknpx5.hknet.com (Postfix)
id 0BAFF1A7310; Mon, 15 Sep 2008 12:57:33 +0800 (HKT)
Date: Mon, 15 Sep 2008 12:57:33 +0800 (HKT)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: <<REMOVED MY EMAIL ADDRESS>>
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="98B461A7338.1221454653/hknpx5.hknet.com"
Message-Id: <[email protected]>
 
What part of non-munged don't you understand ;) ?

I understand that you probably don't want to show any information you believe to be private. I don't blame you.

But this sort of tracking is hard enough for me to do even if all the information is there; I don't even attempt to do it if anything is munged ... because I can't look up anything to see if the DNS is correct or where any spoofing might be happening.

So perhaps someone else can help you with the information in your post.

Note that you shouldn't send me the information privately unless you want to pay me for support; we're happy to offer support to the community as time and resources allow, but since our main business is third-party support for DirectAdmin users we cannot afford to offer private support at no charge. I can only hope you'll understand.

Jeff
 
Hi Jeff, check this:

2008-09-21 19:18:00 1KhSZM-0003yn-FW <= [email protected] H=(host-79-164-131-28.qwerty.ru) [79.164.131.28] P=esmtp S=1571 id=89830.tania@alain T="fast and great results" from <[email protected]> for *@*.nl
2008-09-21 19:18:03 H=localhost [127.0.0.1] F=<[email protected]> rejected RCPT <*@*.nl>:
2008-09-21 19:18:03 H=localhost [127.0.0.1] incomplete transaction (QUIT) from <[email protected]>
2008-09-21 19:18:03 1KhSZM-0003yn-FW ** *@*.nl F=<[email protected]> R=amavis T=amavis: SMTP error from remote mail server after end of data: host localhost [127.0.0.1]: 550 5.1.0 Failed, id=31068-17, from MTA([127.0.0.1]:10025): 550 "Unknown User"
2008-09-21 19:18:03 1KhSZP-0003yw-Bd <= <> R=1KhSZM-0003yn-FW U=mail P=local S=870 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2008-09-21 19:18:03 1KhSZM-0003yn-FW Completed
2008-09-21 19:18:04 1KhSZP-0003yw-Bd ** [email protected] F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<[email protected]>: host mail.mx5.compuserve.com [149.174.40.183]: 550 5.1.1 <[email protected]>... Mailbox not found
2008-09-21 19:18:04 1KhSZP-0003yw-Bd Frozen (delivery error message)

My Exim queue is over 90% filled with this kind of frozen message where it couldn't return an NDR.
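As an added example (not code from this thread), a small Python parser that walks an Exim mainlog like the excerpt above and ties each locally generated bounce (a `<= <>` arrival carrying an `R=` reference) back to the rejected inbound message, so frozen backscatter can be counted and attributed in bulk instead of being read one frozen message at a time. The log excerpt is constructed, with placeholder addresses and hosts.

```python
import re

# Constructed Exim mainlog excerpt modelled on the lines quoted above in this thread;
# addresses, hosts and IPs are replaced with documentation placeholders.
SAMPLE_LOG = """\
2008-09-21 19:18:00 1KhSZM-0003yn-FW <= forged@example.com H=(host.example.ru) [192.0.2.10] P=esmtp S=1571 T="fast and great results" for nobody@example.nl
2008-09-21 19:18:03 1KhSZM-0003yn-FW ** nobody@example.nl F=<forged@example.com> R=amavis T=amavis: SMTP error from remote mail server after end of data: 550 5.1.0 Failed: 550 "Unknown User"
2008-09-21 19:18:03 1KhSZP-0003yw-Bd <= <> R=1KhSZM-0003yn-FW U=mail P=local S=870 T="Mail delivery failed: returning message to sender" from <> for forged@example.com
2008-09-21 19:18:03 1KhSZM-0003yn-FW Completed
2008-09-21 19:18:04 1KhSZP-0003yw-Bd ** forged@example.com F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<forged@example.com>: host mail.example.com [198.51.100.5]: 550 5.1.1 Mailbox not found
2008-09-21 19:18:04 1KhSZP-0003yw-Bd Frozen (delivery error message)
2008-09-21 19:20:00 1KhSbX-0003zz-AA <= alice@example.org H=mail.example.org [203.0.113.7] P=esmtp S=2048 T="hello" for bob@example.nl
2008-09-21 19:20:01 1KhSbX-0003zz-AA => bob@example.nl R=localuser T=local_delivery
2008-09-21 19:20:01 1KhSbX-0003zz-AA Completed
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\w{6}-\w{6}-\w{2}) (<=|=>|\*\*|Completed|Frozen)(.*)$")

def parse_mainlog(text):
    """Index mainlog lines by Exim message id: sender, parent id, failed recipients, frozen state."""
    msgs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, mid, flag, rest = m.groups()
        rec = msgs.setdefault(mid, {"sender": None, "parent": None, "rcpt": None,
                                     "failed": [], "frozen": False})
        if flag == "<=":                       # message arrival; "<>" means a bounce
            rec["sender"] = rest.split()[0]
            parent = re.search(r" R=(\w{6}-\w{6}-\w{2})", rest)  # id of the message that caused the bounce
            rec["parent"] = parent.group(1) if parent else None
            to = re.search(r" for (\S+)$", rest)
            rec["rcpt"] = to.group(1) if to else None
        elif flag == "**":                     # delivery permanently failed
            rec["failed"].append(rest.split()[0])
        elif flag == "Frozen":
            rec["frozen"] = True
    return msgs

def find_backscatter(msgs):
    """Locally generated bounces whose original came from outside and could not be returned."""
    hits = []
    for mid, rec in msgs.items():
        if rec["sender"] != "<>" or rec["parent"] not in msgs:
            continue
        orig = msgs[rec["parent"]]
        hits.append({"bounce": mid, "original": rec["parent"], "bounced_to": rec["rcpt"],
                     "original_sender": orig["sender"], "unknown_user": bool(orig["failed"]),
                     "undeliverable": bool(rec["failed"]), "frozen": rec["frozen"]})
    return hits
```

Counting `bounced_to` domains across a real mainlog shows which forged sender domain a run of backscatter is aimed at; the normal delivery to bob@example.nl is ignored because it never produced a bounce.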
 
Someone has spoofed your machine's hostname or IP# in the return-path of the spam. So the spam goes back to you. You get the spam because RFCs require you accept email from the Mailer-Daemon. But you can't deliver it because the user isn't on your box, and you can't relay it because the From address doesn't exist.

You can delete frozen messages this way:
Code:
# exiqgrep -z -i | xargs exim -Mrm

Note that exiqgrep is NOT the same as exigrep.

Most DirectAdmin systems have exigrep installed, but NOT exiqgrep.

If your system doesn't have exiqgrep you can get it here. Be sure to rename it to take off the .txt extension. When I install it I chown it root:root, chmod it 700, and put it in the same directory where exigrep is found.

(Why am I giving away all my secrets ;) )?

Jeff
 

Yeah, I do understand that, but why does my server have to send an NDR? This way we're just looping around with spam. This mail is not sent from my server and the recipient does not exist, so drop this mail and return the bounce to the sending server directly over the same connection. Hmm, maybe smtp is more stupid than I thought ;-)
 
Andy was referring to your statement:
Hmm maybe smtp is more stupid than I thought
He included some good information on backscatter because obviously you're not the only one who reads replies; it's important that we all be as helpful as possible, even to those who find our pages through a google search; that's how DirectAdmin becomes better known and better used. And the more of that ... well, then the more we all benefit.

Jeff
 
Actually I had never HEARD of the word munged before so I just thought it was smart to protect the email/server names.

Regardless of that, the backscatter email has virtually stopped. However, in the same regard I'm still getting tons of regular spam that SpamAssassin isn't catching. As with the headers I posted above, it was rating the spam with a NEGATIVE rating. None of these addresses or domains are in my whitelist, so I know it's not that. Here is a sample header with data untouched for evaluation. Any help is appreciated:

*****************************

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 26 Sep 2008 06:04:29 -0400
Received: from mail by stargatesg1.modemnet.net with spam-scanned (Exim 4.69)
(envelope-from <[email protected]>)
id 1KjABX-0007Pj-J8
for [email protected]; Fri, 26 Sep 2008 06:04:29 -0400
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
stargatesg1.modemnet.net
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=3.0 tests=BAYES_00 autolearn=ham
version=3.2.5
Received: from sitemail3.everyone.net ([216.200.145.37] helo=omta0103.mta.everyone.net)
by stargatesg1.modemnet.net with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1KjABX-0007Pg-GY
for [email protected]; Fri, 26 Sep 2008 06:04:27 -0400
Received: from dm46.mta.everyone.net (sj1-slb03-gw2 [172.16.1.96])
by omta0103.mta.everyone.net (Postfix) with ESMTP id ED3083C7348
for <[email protected]>; Fri, 26 Sep 2008 03:04:29 -0700 (PDT)
X-Eon-Delivered-To: <[email protected]>
X-Eon-Dm: dm46
Received: from stargatesg1.modemnet.net (69.64.171.88 [69.64.171.88])
by dm46.mta.everyone.net (EON-INBOUND) with ESMTP id dm46.48d28291.1ce3a81
for <[email protected]>; Fri, 26 Sep 2008 03:04:29 -0700
Received: from mail by stargatesg1.modemnet.net with spam-scanned (Exim 4.69)
(envelope-from <[email protected]>)
id 1KjABS-0007PQ-Gx; Fri, 26 Sep 2008 06:04:25 -0400
Received: from [117.4.125.124] (helo=dxmfazvpw)
by stargatesg1.modemnet.net with esmtp (Exim 4.69)
(envelope-from <[email protected]>)
id 1KjABR-0007PM-Ox; Fri, 26 Sep 2008 06:04:22 -0400
In-Reply-To: <308e01c91c72$fd1a8e66$b52cd97e@9wvzqs3>
Date: Fri, 26 Sep 2008 02:42:10 -0700
To: <[email protected]>
Subject: University Degree based on Work Experience, No exam/test flepcm uld
Reply-To: "Aileen Anabel" <[email protected]>
X-Sender: <[email protected]>
From: "Aileen Anabel" <[email protected]>
Sender: <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: quoted-printable
 
Actually I had never HEARD of the word munged before so I just thought it was smart to protect the email/server names.
It often is, but it makes it impossible to do the necessary research.

Now that things have settled down a bit (backscatter usually eventually stops until the next time it happens) you might want to edit your posts in this thread and anonymize them (do you like that word better :)?; my spellcheck likes munged but it doesn't like anonymize), so spammers who scrape these forums don't pick them up.

Jeff
 
Actually, before I go through and remove any necessary parts... can you review those headers above and see why I'm getting a -2.0 score? I notice that the spam that *IS* getting flagged by SA is getting high scores like 9.0+ and has a series of tests run on it. However, like the spam header above, it gets a negative score and only the BAYES test is run. I'm not sure why that is happening.

Brad
 
The score doesn't come from the headers or the return address; it comes from your SpamAssassin rules on your server. Someone would have to log into your server and do an analysis. They'd have to have the entire original email.

I'm not the guy to do that; I wrote SpamBlocker because I really don't like the SpamAssassin approach.

Jeff
 
Are you saying that the score being reported is coming from SpamBlocker (exim.conf) and NOT SpamAssassin? Then why is it that when I kill the spamassassin process the scores stop being entered into the email headers?

I seem to have noticed a pattern with these emails. It stems from me having two domains. Domain #1 (mydomain.net) has the MX records pointed to the everyone.net email hosting service, so all email is first sent there. There is a long story behind this setup, but simply put, I have a forwarder in place so that [email protected] forwards to [email protected].

Mydomain.org is Domain #2 on my own Linux server, which holds the POP3 account.

When spam is sent to [email protected] it seems to be more accurately flagged as spam the vast majority of the time, compared to spam that is sent to [email protected], where the majority of the spam comes back with a -x.x score.

I have checked the SpamAssassin rules and I do NOT have a whitelist rule setup that would interfere or cause this. I can NOT confirm that these suspicions are correct, however this seems to be a continuing pattern.

I just simply can't explain why these spam emails which are clearly spam, are getting flagged as negative points...??
 
Are you saying that the score being reported is coming from SpamBlocker (exim.conf) and NOT SpamAssassin?

No; that was simply an error on my part when I posted. I've fixed it to say SpamAssassin.
I seem to have noticed a pattern with these emails. It stems from me having two domains. Domain #1 (mydomain.net) has the MX records pointed to the everyone.net email hosting service, so all email is first sent there. There is a long story behind this setup, but simply put, I have a forwarder in place so that [email protected] forwards to [email protected].

Mydomain.org is Domain #2 on my own Linux server, which holds the POP3 account.

When spam is sent to [email protected] it seems to be more accurately flagged as spam the vast majority of the time, compared to spam that is sent to [email protected], where the majority of the spam comes back with a -x.x score.
Then the problem is with the mail that comes from everyone.net. If it's working correctly when spam comes directly to your server but not when it comes from everyone.net, then your job is to figure out what everyone.net is adding. It may be that everyone.net is actually flagging the spam total, and it's not even running on your system, or something about everyone.net is lowering the score.
I have checked the SpamAssassin rules and I do NOT have a whitelist rule setup that would interfere or cause this. I can NOT confirm that these suspicions are correct, however this seems to be a continuing pattern.
Configure everyone.net to save the email as well as forward it back to you, and compare headers from the two servers.

Jeff
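One way to act on the advice above to compare the headers of the two copies, as an added example that is not part of this thread: unfold the folded SpamAssassin headers, parse X-Spam-Status, diff the rules that fired on the tagged direct copy against the forwarded copy, and flag what a defender would want to know about the untagged one. The two header samples are constructed from the X-Spam-Status blocks quoted earlier in the thread.

```python
import re

# Constructed header samples modelled on the two X-Spam-Status blocks quoted in this
# thread (the tagged direct copy and the untagged copy forwarded through everyone.net).
TAGGED = """\
X-Spam-Status: Yes, score=4.9 required=3.0 tests=BAYES_00,URIBL_BLACK,
    URIBL_OB_SURBL,URIBL_RHS_DOB,URIBL_SBL,URIBL_WS_SURBL autolearn=no
    version=3.2.5
"""
UNTAGGED = """\
X-Spam-Status: No, score=-2.6 required=3.0 tests=BAYES_00 autolearn=ham
    version=3.2.5
"""
STATUS_RE = re.compile(r"(Yes|No), score=(-?[\d.]+) required=([\d.]+) tests=(.*?) autolearn=(\S+)")

def unfold(raw):
    """Split raw RFC 5322 headers into [name, value] pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return fields

def parse_spam_status(raw):
    """Verdict, score and the set of rules that fired, or None if the copy was never scanned."""
    m = STATUS_RE.match(dict(unfold(raw)).get("X-Spam-Status", ""))
    if not m:
        return None
    return {"spam": m.group(1) == "Yes", "score": float(m.group(2)),
            "required": float(m.group(3)), "autolearn": m.group(5),
            "tests": {t for t in re.split(r"[,\s]+", m.group(4)) if t}}

def rules_lost(reference_raw, suspect_raw):
    """Rules that fired on the reference copy but not on the suspect copy of the same spam."""
    return parse_spam_status(reference_raw)["tests"] - parse_spam_status(suspect_raw)["tests"]

def diagnose(raw):
    """Findings a defender wants when an obvious spam scores below the threshold."""
    st, notes = parse_spam_status(raw), []
    if st is None:
        return ["no X-Spam-Status header: this copy was never scanned"]
    if not any(t.startswith(("URIBL_", "RCVD_IN_")) for t in st["tests"]):
        notes.append("no URIBL/RBL rule fired: network tests may not have run on this copy")
    if st["tests"] == {"BAYES_00"} and st["autolearn"] == "ham":
        notes.append("Bayes-only verdict auto-learned as ham: each miss now trains Bayes toward ham")
    return notes
```

Running `rules_lost(TAGGED, UNTAGGED)` on the two samples returns exactly the five URIBL rules, which is the difference the thread is trying to explain.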
 