Can one block wrong return-path mails?

Richard G (Verified User, joined Jul 6, 2008, Maastricht)
Let's say you have a strict SPF record and you also have DKIM and DMARC in place.

Now some spammer sends mail around from his own server, but uses an existing e-mail address of your domain in his return-path, like this (and I won't mask the spamming system):

Code:
Return-path: <[email protected]>
Received: from [77.40.62.178] (port=24600 helo=bqyel)
    by server.straighthost.ro with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)
    (envelope-from <[email protected]>)
    id 1l1pdP-0004yS-5I; Tue, 19 Jan 2021 13:57:19 +0200
MessageID: [email protected]
Subject: Poste meine Fotos auf der Site
To: "[email protected]" <[email protected]>
From: "Olesya" <[email protected]>

This was sent via Mailchimp; this system never contacted our servers, but the customer got the mail back in his inbox, because his e-mail address was specified as the From and Return-path address.

However, I'm wondering if there is no method to refuse those mails somehow, since the return-path is not correct.
 
Today I also saw these e-mails; it's a first for me like this, I think. The annoying thing about it is that it makes you investigate whether it's coming from your server. If someone knows a quick fix, I'm all ears as well.
The mails seem to have a Mailchimp abuse link with a unique ID in it, but if you visit it, you still need to copy all headers into the page, or you could forward the mail to them, it says. But I don't really feel up to that task. It's not massive amounts of mails, so if it stays like this I'll just ignore it.
 
Yeah, the problem with Mailchimp and such kinds of mail services is that they all have a kind of HIGH NO-SPAM SCORE and TRUST, paying a lot to be on the expensive professional/commercial "no spam" "REPUTATION" mail filters and services.

Better to have all those ... also freemails like Gmail and Outlook/Hotmail abandoned, while they block mails from smaller non-spammers too often, but want to be nr. 1 in the market, even though those mail services are abused very often at the same time. HAHA ;)

With Mailchimp and other such systems, users could easily abuse your domain name's mails; such should be forbidden by LAW with high FEES for Mailchimp and co if..
YOU can read how they avoid spam filters here: https://mailchimp.com/resources/avoid-spam-filters/
 
Don't know whether this also blocks the returned mails if it was really from Mailchimp originally?

King specifically laid out instructions on how to handle MailChimp emails. He contacted the company's abuse team and gave his email address, asking to be added to MailChimp's "blocklist." When you do, you'll no longer be able to get emails from anyone using MailChimp (even people you want to hear from) unless you ask to be removed from the master block list in the future. For this reason, it's not a move to undertake if there are marketing emails you might want or need to be getting, say, for work-related reasons.

That said, if you’re routinely getting a lot of marketing emails, then blocking them at the source could mean huge things for your inbox.
 
I am good at just sending you URLs.. LOL
I don't mind as long as they contain solutions. ;)
And they do for a certain type. I already used such an option for .xyz domains, for example. Unfortunately today I got various of these mails, and I'm still getting them, from various IPs, so blocking will be a ball. I think I will just ignore them.
Only to Mailchimp did I send an abuse notice, because their system was in the original header, so it was sent via their system. As for the rest, I'm sure some of them were hacked accounts. So blocking them definitely, like with spamd or a blacklist, is not the best idea in that case.
But thank you for looking things up for me!

Annoying thing about it it makes you investigate whether it's coming from your server.
Exactly. I did not encounter this for the first time; I've known about this abuse option and had some in the past, but very few, not as much as today, coming from so many systems.
I was just wondering if there was no option for Exim to check the headers, see the return-path, verify it with SPF and say "this was not originally sent from here, refusing" or something like that. But maybe that is technically impossible.

I'm already pleased it was indeed not sent from any of our systems, but still... work and time investigating what happened again. And then I was just lying nicely on the couch at 19.30 and the telephone rang, then again such an idiot from Collectief MKB, wanting to sell electricity or other crap. I just hung up almost instantly again.

I could have Mailchimp blocked, but I don't want to do that yet and decide this for my customers, who might want to receive those mails. I only got 2 of them via Mailchimp. The rest were all from different other providers.

However, since the customer's return-path was in the mails, I've seen several mails coming in now stating that the sending systems (several of them in Romania and Hungary) were blacklisted for spam. Not my IP.

I'm only worried my customer's domain name gets a bad reputation now, because that was in the return-to and from path. Spoofed, but still....
 
However, since the customer's return-path was in the mails, I've seen several mails coming in now stating that the sending systems (several of them in Romania and Hungary) were blacklisted for spam. Not my IP.

I'm only worried my customer's domain name gets a bad reputation now, because that was in the return-to and from path. Spoofed, but still....
That would be very bad, as SPF is strict and DKIM and that stuff are correct for those domains; then the other side should check for domain mail spam spoofers and block. No return should be sent, only block, if such a check failed for domains having strict settings.

As the reputation would therefore become bad for the real domains, it is way too easy to get some others (competitors) blacklisted, so if someone else knows better, then please? ;)
 
I don't think reputation should suffer, since it's only the reply-to address. I think, if anything, the mail servers should not send these bounce mails to the reply-to addresses if that reply-to domain differs from the sending host. Not sure why it doesn't work like this; it could be a new way of spamming, if this has not been covered by the regular DKIM/SPF setups.
 
What about adding your own header if the mail is sent from your own system?
Something like:
Code:
# DATA-time ACL: the warn verb only adds the header, it never rejects.
# Without a condition this tags every message passing through this ACL;
# restrict it to your own outgoing mail with e.g. "authenticated = *".
acl_check_message:
  warn
    add_header = X-MyOutGoingHeader: <some value>

When receiving a new mail, and if the reply-to is used, the mail will contain an 'In-Reply-To' header.

Just thinking out loud now, but you might handle mails with an In-Reply-To header but no 'X-MyOutGoingHeader' by adding spam points to them... or something like that.
 
Exim configuration @ DA

Then also the SpamBlocker parts ...?

Is custom possible?
Code:
#EDIT#13:
acl_not_smtp = acl_script
acl_smtp_auth = acl_check_auth
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_mail = ${if ={$interface_port}{587} {accept} {${if ={$interface_port}{10025} {acl_smtp_mail_proxy}{acl_check_mail}}}}
acl_smtp_mailauth = smtp_mailauth
acl_smtp_rcpt = acl_check_recipient
acl_smtp_dkim = ${if ={$interface_port}{587} {accept}{acl_check_dkim}}
acl_smtp_data = acl_check_message
acl_smtp_mime = acl_check_mime
And under this?
Code:
##################################################################################
# Access Control Lists
##################################################################################
begin acl
 
I think if anything, the mailservers should not send these bounce mails to the reply-to addresses if that reply-to domain differs from the sending host.
Agree, but it seems a lot do. Including big companies like yahoo.it and vodafone.de and hotmail.de. At least from the last one I would have expected that they would do SPF checking at the least.
Even stronger, this customer's domain does not only have SPF, DKIM and DMARC but also DNSSEC enabled. So it seems loads of companies, even big ones like hotmail.de, don't even bother to do some simple checks.

Today I got loads of mails on the customer's account which all contained the "non-deliverable" mail messages and the "refused due to spam" messages, unbelievable.

@sysdev Might be an option. Not sure. It's not spam the customer gets; it's bounced messages and undeliverable mail messages.

@ikkeben I've been running the latest SpamBlocker exim.conf etc. already for years. But I'm not into customizing that, too little knowledge. And probably it will stop after a while. At this point only 1 domain is getting these kinds of mails.

By the way... it seems the spammer can spoof Mailchimp stuff into the header.
Code:
X-Mailer: Atomic Mail Sender
List-Unsubscribe: xxxxxxxxxxxxxxxxxx
X-AntiAbuse: Do you want to report abuse? Please send this message as an attachment to  or report abuse here: https://mailchimp.com/contact/abuse/?u=8250e8d3xxxxxxxxxxxx=14c958axxxx=3955xxxxx

I sent this to the Mailchimp abuse address, and got this answer.
However, after a thorough review, our delivery team has confirmed these emails did not originate from Mailchimp's servers.
So if that is true, it seems the spammers can spoof X-AntiAbuse headers too.
 
The Mailchimp header is indeed inside the e-mail body itself, not in the actual headers of the mail we receive. If we believe that the Mail Delivery System mail is giving us the original headers of the mail, then it indeed means the spammers are just including a Mailchimp header in there. If I look at the headers the MTA is giving us, they're indeed not Mailchimp IPs. It may be that they include these headers hoping that the spam filters will take the presence of the header as a minus in the spam score.
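The check the thread keeps doing by hand (is this bounce for mail one of our own MTAs really relayed, or for mail that merely spoofed our domain in its Return-Path?) as an added example, not code from the thread, Exim or DirectAdmin: it pulls the original out of the DSN's message/rfc822 part and looks for our MTAs in its Received chain. OUR_DOMAINS, OUR_MTAS and the sample bounce are constructed assumptions.

```python
import re
from email import message_from_bytes, policy

OUR_DOMAINS = {"example.net"}                          # assumed: the customer's domain
OUR_MTAS = {"mail.example.net", "mail2.example.net"}   # assumed: hostnames of our own MTAs
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample DSN; the relay that accepted the spoofed original is a parameter.
BOUNCE_TEMPLATE = """\
From: Mail Delivery System <MAILER-DAEMON@{relay}>
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/rfc822

Return-Path: <user@example.net>
Received: from [203.0.113.5] (helo=bqyel)
    by {relay} with esmtpsa (Exim 4.93); Tue, 19 Jan 2021 13:57:19 +0200
From: "Olesya" <user@example.net>
To: victim@example.org
Subject: Poste meine Fotos auf der Site

spam body
--B1--
"""

def sample_bounce(relay: str) -> bytes:
    return BOUNCE_TEMPLATE.format(relay=relay).encode()

def embedded_original(raw_bounce: bytes):
    """Return the original message attached to a DSN as message/rfc822, or None."""
    msg = message_from_bytes(raw_bounce, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def triage_bounce(raw_bounce: bytes) -> str:
    """'backscatter' if our domain was only spoofed, 'legit-bounce' if our MTA relayed it."""
    orig = embedded_original(raw_bounce)
    if orig is None:
        return "no-original"   # not a DSN we can judge
    sender = orig.get("Return-Path") or orig.get("From", "")
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    if domain not in OUR_DOMAINS:
        return "not-our-domain"
    # Hosts that accepted the original along the way ("by <host>" in each Received:).
    relays = {m.group(1).lower() for h in orig.get_all("Received", [])
              for m in [RECEIVED_BY.search(str(h))] if m}
    return "legit-bounce" if relays & OUR_MTAS else "backscatter"
```

Feed it the raw bytes of a real bounce from the customer's mailbox; "backscatter" means the only worry is reputation, not a compromised account on your own server.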
 