Exim backscatter spam with BOUNCE messages.

[floyd]

I already don't remember was it the only what you need to change but now I have next options:

bounce_return_message = false
bounce_return_body = false

check_recipient:

# stop bounce from us, lets do it by sender's server
    accept domains = +local_domains
    endpass
    message = unknown user
    verify = recipient

# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
    accept  hosts = :

# if somebody send something like T="Mail delivery failed: returning message to sender" from <> or other with empty "from"

    deny    senders = :
    message = A valid sender header is required for bounces
##    !verify  = header_sender

and don't have problems with spam (bounces).

So, try it. If you still have problems, than it can be related with something else. For ex., sending spam through the sockets. It's also looks like bounce. I have professional solution for that

Still could not get it to work. I used this on my server. I sent an email using my server to a definite unknown user email address. That end server rejected the email. My server then sent the rejection to the from address I specified which is my yahoo address. I did not use yahoo to send the email. I used my mail client connecting to my server. Yahoo had nothing to with the initial delivery but yet it got the bounce.

 

[floyd]

The last post here works http://www.linuxquestions.org/quest...to-stop-bounce-back-emails-with-exim.-503934/

However no bounces get returned, to local users or otherwise.

 

[floyd]

Jeff does this make any sense to you:
http://tldp.org/HOWTO/Spam-Filtering-for-MX/exim-bounces.html

 

[diradmin]

Still could not get it to work. I used this on my server. I sent an email using my server to a definite unknown user email address. That end server rejected the email. My server then sent the rejection to the from address I specified which is my yahoo address. I did not use yahoo to send the email. I used my mail client connecting to my server. Yahoo had nothing to with the initial delivery but yet it got the bounce.

Of course! If you are using your own server as outgoing server than it will sent bounce to you (or to the victim). The problem you describe is not solved in this way. But actually it is not a problem. You talk about sending spam through bounces from your local server. It means that only your users can do it. But the bounce-spam problem is that unauthorized users spaming by bounces. If you are user on the local server, then you are not going to use such bounce-method, because you can use the most productive methods. And the defence against spam by local users - it is another matter. Read my second post in this thread. There is more explanation about bounce-problem. Did you get it now?

 

[floyd]

If you are using your own server as outgoing server than it will sent bounce to you (or to the victim).

Same thing will happen if I use my isp server.

That means anybody who uses my server to forward their email to another address can send backscatter spam.

A spammer signs up and set up a domain on my server. Forwards that domain to a fake address. Then proceeds to send email to the domain hosted on my server with fake from addresses. All the bounces go to the fake from email addresses.

The only way to detect that this is happening is that they would all be coming from the same ip address. But even then how would you know that is was the user who signed up who is responsible for this.

I want my server to stop sending bounces, which I have by the way. But bow it does not send any bounces. I would like bounces to go to local users only. I do not want bounces to go to external addresses.

Remember a bounce is completely different than a rejection at SMTP time.

 

[diradmin]

Wait, wait, wait...
If I understood you right, you are talking again about case, when someone has domain on your server and set up forwarding that domain to a fake address... so he is your customer anyway if he can do it.

... Ok, lets ask that way

If I will try now to send email to sldksldksdk@normal_domain_on_your_server.com with From: "existing_email@gmail_com" than will it be bounced to exist_email@gmail_com?

 

[floyd]

so he is your customer anyway if he can do it.

That is correct. I said:

A spammer signs up and set up a domain on my server.

If I will try now to send email to sldksldksdk@normal_domain_on_your_server.com with From: "existing_email@gmail_com" than will it be bounced to exist_email@gmail_com?

No. But the spammer sets up a real domain and sets up a real email address and then forwards it to a fake address. Then he can send to the real email address hosted by my server from his own server with a bunch of different from addresses and then the end of the line server rejects it and then my server will bounce it to the fake from addresses.

I am not saying that this is an efficient way to send spam and it may not be practical but it can be done. But I know even I can write a script to take advantage of this to send out several thousand spam emails.

 

[nobaloney]

I like the idea of serverwide postmaster and abuse addresses sent to the main admin address, and I'm going to implement it for me instead of per-client addresses. If my client is getting abuse and postmaster email, I think I want to know about it.

Will everyone accept that?

Jeff

 

[nobaloney]

Jeff does this make any sense to you:
http://tldp.org/HOWTO/Spam-Filtering-for-MX/exim-bounces.html

It's interesting.

But... many of us DO send email from a postmaster address.

And ...

since we use multiple styles of mailboxes, I'm not sure how to check if it exists, or if we even have to; there's got to be a better way.

I'll look at it further as soon as I'm caught up on some other issues.

Note that I've added the word backscatter to the thread name so it's something I'll find when I'm looking for backscatter discussions.

Jeff

 

[diradmin]

That is correct. I said:
No. But the spammer sets up a real domain and sets up a real email address and then forwards it to a fake address. Then he can send to the real email address hosted by my server from his own server with a bunch of different from addresses and then the end of the line server rejects it and then my server will bounce it to the fake from addresses.

I am not saying that this is an efficient way to send spam and it may not be practical but it can be done. But I know even I can write a script to take advantage of this to send out several thousand spam emails.

Ok, now everything clear. I didn't say that my "patch" solve that. It solve lets say "classical bounce problem" from unauthorized users. Yes, you are right that "it can be done". But more that 10 years I never see it. So I can say for sure that it is not the problem for me that I want to solve, at least now. If somebody will do that way spam I'll easy find problematic account. So for me it will be normal spam-problem from local user, who ordered my subscription.

I like the idea of serverwide postmaster and abuse addresses sent to the main admin address, and I'm going to implement it for me instead of per-client addresses. If my client is getting abuse and postmaster email, I think I want to know about it.

Will everyone accept that?

Jeff

I don't want to know about it. I have enough spam, so I don't want to read more "spam" from my users abuses. Serverwide postmaster and abuse are set in another place - /etc/mail/aliases
Moreover, for abuse people usually use emails that presented in RIPE for network. Spamcop and other DB always do so. ...Also, some customers want to have (and already have) postmaster and abuse boxes on their accounts, so we can't take it from them.

 

[calimero1505]

What we have done (thanks to Wunk) is setup an sendmail server on a different IP address.

All email for a pattern is send to this bounce server and is returned to the "sender". So we keep our own IP clean. It is no problem if the other IP gets listed. It is not a real mailserver

The rules in exim.conf (first beneath the routers config):

bouncer:
driver = manualroute
domains = !+local_domains
senders = ^postmaster@.*:^mailer-daemon@.*:^hostmaster: :
transport = remote_smtp
route_list = * bouncer.whereveritis.com

 

[LawsHosting]

Can anyone tell me if this modification you guys are conversing about actually works?


I found this on here:

If you run a mail server you have a responsibility not to send backscatter. Bounces should ideally only be generated by a mail server to a local recipient. Mail servers should not generate bounces to non-local recipients, but should instead reject the mail during the SMTP session, and leave the remote sending server to handle the bounce: if a rejected mail is a legitimate message, the bounce gets generated by the remote sending machine, as expected; if a rejected mail is not a legitimate message, the remote end will probably not generate a bounce, and all is still well.

So, is this a requirement of all mail servers? I read the link for Exim, but it goes on about quotas, doesn't make sense to me!

I also would like to know how to implement this check cleanly, as I suffer from backscatter a lot (personal sites) i.e the from and to mail fields are the same are forged externally.....

Maybe the Return-Paths could be checked to see if its from a domain hosted on the server, as most of this backscatter I receive have different addresses - or is this a flawed theory? I know the return paths can be forged too

 

[floyd]

But... many of us DO send email from a postmaster address.

And those addresses would continue to receive email without the default accepting of postmaster addresses.

 

[nobaloney]

So, reading what user Peter Laws wrote above, do we now know that this works and can be installed into the new default exim.conf file?

Jeff

 

[Chrysalis]

This is back to the problem we discussed many months ago.

The fundamental issue is that the DA exim config rejects mail too late, it rejects after it has accepted the mail.

Also the accept all mail to postmaster/hostmaster is a weakness as the other guys stated.

I did pass on a config to Jeff that filters out all bounces from postmaster@ etc. which reduces the problem greatly.

The fact is the vast majority of users do not utilise a postmaster@ address and this as a result has become an easy target for backscatter spam. Since DA exim will accept the email always and then bounce it back to the forged address when it see's that postmaster is either full or doesnt exist.

I disagree with your idea Jeff on routing all postmaster@ to the sysadmin, the amount of mail to look through would just be too immense. The better solution is simply just not accept it by default anymore and let each user decide if they want to create a postmaster account or not.

The problem reported by the OP if I understand correctly is as follows?

Send a email to a DA exim server with the from/to address matching, the email address must not exist on the server. Exim will then send out a bounce to that address?

 

[floyd]

I thought a solution was already found. I do not understand your update.

 

[nobaloney]

His problem is he's complaining to me .

@Chrysalis please feel free to send me again whatever you sent me previously, to make sure I have it.

However I must say I won't either throw away or refuse postmaster email in any MTA configuration I write; doing the former may eventually get you blocklisted. Doing the latter will definitely get you eventually onto The RFC ignorant list.

I don't know what you mean by mail is accepted before it's rejected. Please show me an example. It's not supposed to do that, and I don't believe it does it for me.

The latest version shouldn't even do that for postmaster email.

And I don't have any idea wha tyou mean by your last paragraph:

Send a email to a DA exim server with the from/to address matching, the email address must not exist on the server. Exim will then send out a bounce to that address?
Edit/Delete Message

Note that I'm no longer adding features to Version 3, and that I'm bringing out the last RC this weekend and hopefully the final next weekend.

Jeff

 

[soulshepard]

okok,
after this post i got confused in all the misunderstandings..
so for my humble debubbing brains, that is trying to grasp the problem:

so what changes would i need to make ro my default exim.conf?
i understand it will eliminate the change to get me listed at backscatter.org
and i want to try it.

my current section of the exim.conf is

# ACL that is used after the RCPT command
check_recipient:

# to block certain wellknown exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]

# to restrict port 587 to authenticated users only
# see also daemon_smtp_ports above
accept hosts = +auth_relay_hosts
condition = ${if eq {$interface_port}{587} {yes}{no}}
endpass
message = relay not permitted, authentication required
authenticated = *

# allow local users to send outgoing messages using slashes
# and vertical bars in their local parts.
# Block outgoing local parts that begin with a dot, slash, or vertical
# bar but allows them within the local part.
# The sequence \..\ is barred. The usage of @ % and ! is barred as
# before. The motivation is to prevent your users (or their virii)
# from mounting certain kinds of attacks on remote sites.
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

# local source whitelist
# accept if the source is local SMTP (i.e. not over TCP/IP).
# Test for this by testing for an empty sending host field.
accept hosts = :

...
many lines in between
...

# deny using email address in blacklist_senders
deny message = Email blocked by BSAL - to unblock see http://www.example.com/
domains = use_rbl_domains
deny senders = +blacklist_senders

and i need to repace it with.... ?

bounce_return_message = false
bounce_return_body = false

check_recipient:

# stop bounce from us, lets do it by sender's server
accept domains = +local_domains
endpass
message = unknown user
verify = recipient

# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

# if somebody send something like T="Mail delivery failed: returning message to sender" from <> or other with empty "from"

deny senders = :
message = A valid sender header is required for bounces
## !verify = header_sender

 

[floyd]

okok,
after this post i got confused in all the misunderstandings..
so for my humble debubbing brains, that is trying to grasp the problem:

so what changes would i need to make ro my default exim.conf?
i understand it will eliminate the change to get me listed at backscatter.org
and i want to try it.

my current section of the exim.conf is



and i need to repace it with.... ?

The problem is that backscatter can be cause in different ways. What worked for me was commenting out this portion:

# accept mail to postmaster in any local domain, regardless of source 
#  accept  local_parts = postmaster
#          domains     = +local_domains

# accept mail to abuse in any local domain, regardless of source
#  accept  local_parts = abuse
#          domains     = +local_domains

# accept mail to hostmaster in any local domain, regardless of source
#  accept  local_parts = hostmaster
#          domains     =+local_domains

Any autoresponders and mailling lists can also cause backscatter.

 

[Chrysalis]

I have just reread this thread, and tested this (using a modded spamblocker v4 config) and the backscatter didnt occur.

I sent an email from a external mail server to a non existant address on my server, I set the from and reply-to address to my hotmail address. Hotmail never got an email.