Can one protect forwards against spammers?

Richard G

It seems that spammers have found a new way to spam. Or at least it's only now starting on our servers.
Some customers make various forwards to their home ISP email address.

Like [email protected] -> [email protected].
[email protected] -> [email protected].
[email protected] -> [email protected].

Now it seems that spammers are sending mail to the domain.com addresses. The server sees it's only a forward and just forwards it to the @homeisp.com address.
Now there they see spam coming from our server and they block our server IP.

Is there anything we can do against these kinds of practices? We still want to run our own mail servers, and we haven't been on any blacklists for years.
 
This has been an issue with email forwarders since the beginning. It's just recently started to come to a head and people started realizing that it's a problem.

The long and short answer is - don't use email forwarders to forward mail off of the server. If someone is only interested in checking their [email protected] then they probably need to advertise their [email protected] email address however they are giving out their email address. When they try to mask this by using an @hosteddomain.com email address, that's when problems start.

That's not really a direct answer to your question. But sometimes the best solution is educating users and informing them as to why doing something like this is a bad decision.
 
Thank you for your answer.
I know that it has been an issue since the beginning; it just seems that this method hadn't been abused for some time, maybe because there aren't that many forwarders.
We would like to disable forwarders, but that's not an option, as customers just need forwarders: to their home ISP, to another office department on another domain, and other things.

Luckily we just found out that they did not block our server IP because of the spam via our server. I was already wondering about this, because normally you would block the spammer, so the originating mail server, and not the forwarding server.
It seemed the notice was that our IP was blocked, but it was in fact a complete netblock, because some other server on the same netblock was or is running a spambot.
We got lucky that they even wanted to help us by giving a piece of log and talking about the netblock, so we could send a mail to the abuse section of the datacenter so they can take appropriate action.

However, it would still be nice if, just like at an airport, pass-through traffic would also be scanned, maybe by RBLs.
 
Mail checkers try to get them used to such things.

Another thing that could be handy: a script / program that sends an email notice when mail is in the mailbox.

Then Roundcube and co after that.

For important mails that are from an email address they know, you can handle AUTOMATED FORWARDS FOR ONLY THOSE MAYBE. ;)
 
I don't know what's going on; since 3/4 days ago my logs have been getting filled with this.
It happens almost every second.
(I replaced my domain with mydomainname.nl.)

Code:
2020-08-28 18:20:15 H=37.30.50.39.nat.umts.dynamic.t-mobile.pl [37.30.50.39] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:20 H=([31.177.96.21]) [31.177.96.88] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:21 H=([190.183.192.232]) [190.183.192.232] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:22 H=([94.73.34.163]) [94.73.34.163] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:24 H=77.255.62.94.rev.vodafone.pt [94.62.255.77] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:25 H=([95.76.66.105]) [95.76.66.105] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:25 H=(host-176-221-123-235.dynamic.mm.pl) [176.221.123.235] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:25 H=([190.14.129.197]) [190.14.129.197] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:27 H=(101-198-28-181.fibertel.com.ar) [181.28.198.101] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:28 H=r186-50-118-35.dialup.adsl.anteldata.net.uy [186.50.118.35] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:29 H=adsl190-28-132-115.epm.net.co [190.28.132.115] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:30 H=([94.73.34.163]) [94.73.34.163] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:34 H=188.147.119.53.nat.umts.dynamic.t-mobile.pl [188.147.119.53] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:36 H=(SCZ-177-222-62-00120.tigo.bo) [177.222.62.120] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:37 H=([179.0.235.64]) [179.0.235.64] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:37 H=([94.73.34.163]) [94.73.34.163] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:38 H=37.30.50.39.nat.umts.dynamic.t-mobile.pl [37.30.50.39] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:39 H=(cmodem-200-114.108-200.cescom.net.ar) [200.114.108.200] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:42 H=([161.18.8.236]) [161.18.8.236] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:43 H=87.red-79-152-21.dynamicip.rima-tde.net [79.152.21.87] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:44 H=([94.73.34.163]) [94.73.34.163] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:44 H=(101-198-28-181.fibertel.com.ar) [181.28.198.101] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:46 H=r186-50-118-35.dialup.adsl.anteldata.net.uy [186.50.118.35] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:52 H=([223.25.62.157]) [223.25.62.157] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:55 H=([95.76.66.105]) [95.76.66.105] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:55 H=bband-dyn182.178-40-27.t-com.sk [178.40.27.182] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:20:56 H=([41.60.67.100]) [41.60.67.100] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:21:00 H=(cmodem-200-114.108-200.cescom.net.ar) [200.114.108.200] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:21:01 H=188.147.119.53.nat.umts.dynamic.t-mobile.pl [188.147.119.53] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:21:06 H=([103.143.0.131]) [103.143.0.131] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:21:06 H=([179.0.235.64]) [179.0.235.64] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:21:08 H=([84.238.218.218]) [84.238.218.218] F=<[email protected]> rejected RCPT <[email protected]>:
2020-08-28 18:21:10 H=([203.189.116.205]) [203.189.116.205] F=<[email protected]> rejected RCPT <[email protected]>:
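An added example, not part of the post above: a small Python analysis of Exim "rejected RCPT" log lines in the shape quoted above. It counts how many distinct source IPs hit each recipient, flags recipients that are forwarders and are being hit from many sources (the "once they find a forward, they keep spamming it" pattern), and lists source IPs that send both normal envelope senders and null-sender bounces (`F=<>`) from the same address. The log lines, addresses and IPs are constructed placeholders (documentation ranges), and the `FORWARDERS` set is an assumption; on a real server it would come from the domain's forwarder configuration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the Exim main-log lines quoted above.
# Addresses and IPs are placeholders (documentation ranges), not real data.
# The last line is a non-reject line, included to show the parser skips it.
SAMPLE_LOG = """\
2020-08-28 18:20:15 H=host-1.example.pl [192.0.2.10] F=<spammer@example.com> rejected RCPT <info@mydomainname.nl>:
2020-08-28 18:20:20 H=([198.51.100.7]) [198.51.100.7] F=<spammer@example.com> rejected RCPT <info@mydomainname.nl>:
2020-08-28 18:20:21 H=([203.0.113.5]) [203.0.113.5] F=<other@example.org> rejected RCPT <Info@mydomainname.nl>:
2020-08-28 18:20:22 H=(dyn-22.example.ar) [192.0.2.22] F=<other@example.org> rejected RCPT <sales@mydomainname.nl>:
2020-08-28 18:20:24 H=host-1.example.pl [192.0.2.10] F=<> rejected RCPT <sales@mydomainname.nl>:
2020-08-28 18:20:25 H=([198.51.100.7]) [198.51.100.7] F=<> rejected RCPT <info@mydomainname.nl>:
2020-08-28 18:20:27 H=([203.0.113.5]) [203.0.113.5] F=<x@example.com> rejected RCPT <webmaster@mydomainname.nl>:
2020-08-28 18:20:30 H=([192.0.2.33]) [192.0.2.33] F=<y@example.com> rejected RCPT <info@mydomainname.nl>:
2020-08-28 18:21:00 1kBxyz-000123-AB <= user@mydomainname.nl H=localhost [127.0.0.1] P=esmtpa S=1234
"""

# Assumed list of addresses that are forwarders on this server (hypothetical;
# a real script would read the domain's forwarder configuration instead).
FORWARDERS = {"info@mydomainname.nl", "sales@mydomainname.nl"}

# Exim format: timestamp, H=<helo or (helo)> [ip], F=<envelope sender>, rejected RCPT <rcpt>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<helo>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]+)>"
)


def parse_line(line):
    """Return a dict for a 'rejected RCPT' line, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rcpt"] = d["rcpt"].lower()      # normalise so Info@ and info@ count as one target
    d["sender"] = d["sender"].lower()  # empty string is the null sender, i.e. a bounce
    return d


def parse_log(text):
    """Parse all matching lines of a log text, skipping non-reject lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def analyze(entries, forwarders, min_sources=3):
    """Aggregate rejects per recipient and per source IP.

    A recipient is reported as a targeted forwarder when it is in `forwarders`
    and has been hit from at least `min_sources` distinct source IPs.
    An IP is reported as abusing bounces when it sends both null-sender
    messages (F=<>) and messages with a normal envelope sender.
    """
    sources_per_rcpt = defaultdict(set)
    rejects_per_ip = Counter()
    bounce_ips, normal_ips = set(), set()
    for e in entries:
        sources_per_rcpt[e["rcpt"]].add(e["ip"])
        rejects_per_ip[e["ip"]] += 1
        (bounce_ips if e["sender"] == "" else normal_ips).add(e["ip"])
    targeted = {
        r for r, ips in sources_per_rcpt.items()
        if r in forwarders and len(ips) >= min_sources
    }
    return {
        "sources_per_rcpt": {r: len(ips) for r, ips in sources_per_rcpt.items()},
        "targeted_forwarders": targeted,
        "top_sources": rejects_per_ip.most_common(5),
        "spoofed_bounce_ips": bounce_ips & normal_ips,
    }


def report(result):
    """Render the analysis as plain text suitable for a cron mail."""
    lines = ["Forwarders hit from many distinct sources:"]
    lines += [f"  {r}" for r in sorted(result["targeted_forwarders"])] or ["  (none)"]
    lines.append("Top source IPs by rejected RCPT count:")
    lines += [f"  {ip}  {n}" for ip, n in result["top_sources"]]
    lines.append("IPs sending both real senders and spoofed bounces:")
    lines += [f"  {ip}" for ip in sorted(result["spoofed_bounce_ips"])] or ["  (none)"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(parse_log(SAMPLE_LOG), FORWARDERS)))
```

On a live server the same functions can be pointed at `/var/log/exim/mainlog` (path varies per distribution) with a larger `min_sources`; the output only identifies which forwarders and which source IPs deserve attention, it does not block anything by itself.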
 
Yep... I'm also in NL, and it seems that since last week they have been retrying this way of spamming.
Once they find a forward, they keep spamming it.

Also, they are now using "mailbox full" return messages and bounce messages. They just spoof the return path. But it's coming from the same IPs.
 
What is leading you to believe that this has anything to do with email forwarders?

What is distinguishing this from just someone trying to spam as many email addresses as they can - as sort of brute force as you might say, for spamming?
 
What is leading you to believe that this has anything to do with email forwarders?
Log files, of course. I can see it happening. I even had a short period in which specifically these couple of forwarders of this specific domain were targeted by several spammers, while other addresses were not, or only a few.

What is distinguishing this from just someone trying to spam
That's a different question.
Probably there is no difference from somebody just trying to spam, from the spammer's point of view, like, say, target-wise. I'm not sure if they specifically target forwarders, although sometimes it seems like it.

But from my (hoster's) point of view, there is a difference between normal spam and spamming to forwarders.
Because spam to normal email addresses goes through our spam filters and lots of it gets rejected. Spam to forwarders is just forwarded to the forwarded destination without a check.

I have already got some complaints about this, in spite of the fact that normally one would complain to the originating systems and not to the forwarding systems.
That's why it might be nice if forwarded mails could be filtered through our anti-spam stuff like SpamAssassin and SpamBlocker etc. before being forwarded. It would at least also reduce some spam in the world, IMHO. Or am I missing something?
 