mail gurus: stopping spoofed delivery failures..

scoob8000

Our company has been getting a lot of spam in the form of spoofed delivery failure notices.

The reason I say they are spoofed is they look as if they actually originated from our server, from one of our users. They have not.

Has anyone else been running into this? What have you done to help block them?

Attached is part of the header from one such message. We are forcomm.net, and carlj is a valid mail address. The 66.187.175.107 address is our mail server.

Date: Tue, 2 Nov 2004 12:06:46 -0500
From: Mail Delivery Subsystem <[email protected]>
To: <[email protected]>
Subject: Returned mail: User unknown
Auto-Submitted: auto-generated (failure)

The original message was received at Tue, 2 Nov 2004 12:06:46 -0500
from mail.forcomm.net [66.187.175.107]

----- The following addresses had permanent fatal errors -----
<[email protected]>
(expanded from: <[email protected]>)

----- Transcript of session follows -----
mail.local: unknown name: attila
550 <[email protected]>... User unknown
Reporting-MTA: dns; mx1.comcast.net
Received-From-MTA: DNS; mail.forcomm.net
Arrival-Date: Tue, 2 Nov 2004 12:06:46 -0500

Final-Recipient: RFC822; <[email protected]>
X-Actual-Recipient: RFC822; [email protected]
Action: failed
Status: 5.1.1
Last-Attempt-Date: Tue, 2 Nov 2004 12:06:46 -0500
Received: from 201-13-178-76.dial-up.telesp.net.br
([201.13.178.76](misconfigured sender))
by sccrmxc15.comcast.net (sccrmxc15) with SMTP
id <20041102163145s1500m8htse>; Tue, 2 Nov 2004 16:31:52 +0000
X-Originating-IP: [201.13.178.76]
Received: from forcomm.net (mail.forcomm.net [66.187.175.107])
by 201-13-178-76.dial-up.telesp.net.br (Postfix) with ESMTP id
B2D46FB616
for <[email protected]>; Tue, 02 Nov 2004 10:31:10 -0600
Message-ID: <[email protected]>
From: "Guffaws O. Dossiers" <[email protected]>
To: Attila <[email protected]>
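To see from the headers above why this message was not actually sent through mail.forcomm.net, here is an added example (not code from the thread) that walks the two Received lines newest to oldest and treats a hop as verified only while the host that stamped it is one you trust. The Received text is re-typed from the post onto one line each, and the trusted-host set is an assumption made from the recipient side (Comcast's MX).

```python
import re

# Constructed sample: the two Received lines from the bounce quoted above, newest
# first (the order an MTA prepends them), joined onto one line each.
SAMPLE_RECEIVED = [
    "from 201-13-178-76.dial-up.telesp.net.br ([201.13.178.76](misconfigured sender))"
    " by sccrmxc15.comcast.net (sccrmxc15) with SMTP"
    " id <20041102163145s1500m8htse>; Tue, 2 Nov 2004 16:31:52 +0000",
    "from forcomm.net (mail.forcomm.net [66.187.175.107])"
    " by 201-13-178-76.dial-up.telesp.net.br (Postfix) with ESMTP id B2D46FB616;"
    " Tue, 02 Nov 2004 10:31:10 -0600",
]

# HELO name, the connecting IP in [brackets], and the host that wrote the line.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)",
    re.S,
)


def parse_hops(received):
    """Return one dict per Received line: HELO name, connecting IP, stamping host."""
    hops = []
    for line in received:
        m = RECEIVED_RE.search(line)
        if m:
            hops.append(m.groupdict())
    return hops


def trace_origin(received, trusted_by, our_ip):
    """Walk newest->oldest. A hop is verified only while every line so far was
    stamped 'by' a host we trust; the first untrusted stamper ends the chain, and
    anything it claims about earlier hops (here, 'from mail.forcomm.net') is
    unverifiable because the untrusted client wrote that line itself."""
    verified, unverified = [], []
    trusted = True
    for hop in parse_hops(received):
        if trusted and hop["by"].lower() in trusted_by:
            verified.append(hop)
        else:
            trusted = False
            unverified.append(hop)
    our_ip_verified = any(h["ip"] == our_ip for h in verified)
    our_ip_claimed = any(h["ip"] == our_ip for h in unverified)
    return {
        "origin_ip": verified[-1]["ip"] if verified else None,
        "origin_stamper": verified[-1]["by"] if verified else None,
        "our_ip_verified": our_ip_verified,
        "our_ip_only_in_unverified_hop": our_ip_claimed and not our_ip_verified,
    }


if __name__ == "__main__":
    # Assumed trusted set: the recipient's own MX. Our server: 66.187.175.107.
    print(trace_origin(SAMPLE_RECEIVED, {"sccrmxc15.comcast.net"}, "66.187.175.107"))
```

The result names 201.13.178.76 as the real origin and flags that our server's address appears only in a hop the dial-up host claimed, which is the spoof indicator.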
 
Spoofed? Yes.

From your own server? No.

Most likely they are fishing for valid email addresses. There isn't really a way to block these kinds of messages. Only filter them out if necessary. Something that I do on my email server is to deny outbound Non Delivery Receipts (NDRs) so that these a**holes don't get a taste of what's a real address and what isn't.

Ultimately what this is...it's an NDR BACK to your user indicating that the user "attila" doesn't exist. Chances are here that they were spamming for users on Comcast's email server and spoofing your own user's address as a return address.
 
Hrm.. My server software has a feature called tarpitting, where if someone tries to email X non-existent addresses in XX minutes it temporarily blacklists the sending IP.

Am I right in thinking this would help cut down on the amount of "fishing" going on?

-scoob8000
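The tarpit rule described above (X unknown recipients from one IP within XX minutes, then a temporary block), as an added example that is not the thread's own code or any particular mail server's implementation. The thresholds, the log line format and the sample addresses (RFC 5737 documentation ranges) are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per 550 "User unknown" the MTA returned, in time order.
SAMPLE_LOG = """\
2004-11-02 12:01:10 reject ip=203.0.113.7 rcpt=attila 550 User unknown
2004-11-02 12:01:12 reject ip=203.0.113.7 rcpt=bob 550 User unknown
2004-11-02 12:01:15 reject ip=203.0.113.7 rcpt=carol 550 User unknown
2004-11-02 12:01:40 reject ip=203.0.113.7 rcpt=dave 550 User unknown
2004-11-02 12:02:00 reject ip=198.51.100.9 rcpt=typo 550 User unknown
2004-11-02 12:40:00 reject ip=198.51.100.9 rcpt=typo2 550 User unknown
"""
LOG_RE = re.compile(r"^(\S+ \S+) reject ip=(\S+) rcpt=\S+ 550")


class Tarpit:
    """Sliding-window counter of unknown-recipient rejections per sending IP."""

    def __init__(self, max_unknown, window, block_for):
        self.max_unknown, self.window, self.block_for = max_unknown, window, block_for
        self.events = defaultdict(deque)   # ip -> timestamps of recent 550s
        self.blocked_until = {}            # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_unknown(self, ip, now):
        """Log one 550; return True if this pushes the IP over the threshold."""
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.max_unknown:
            self.blocked_until[ip] = now + self.block_for
            q.clear()
            return True
        return False


def replay(log, max_unknown=3, window=timedelta(minutes=10), block_for=timedelta(minutes=30)):
    """Replay rejection lines; return the tarpit state and per-line decisions."""
    tp, decisions = Tarpit(max_unknown, window, block_for), []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if tp.is_blocked(ip, ts):
            decisions.append((ip, ts, "dropped-blocked"))   # would be refused at connect
            continue
        decisions.append((ip, ts, "blocked" if tp.record_unknown(ip, ts) else "rejected"))
    return tp, decisions
```

With these thresholds the harvesting host is blocked after its third unknown recipient, while the host that merely mistyped two addresses 38 minutes apart never is.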
 
That would definitely cut things down; however, what you posted is a rejection notice from Comcast.net's email servers. You would not be able to get rid of these I'm sure as it's 'responding' to a valid address. Even though originally that valid address was used to spoof a reply address.
 
I'd actually check to see if they are coming from you. The way it looks to me, they may be using your box as a relay, in which case, those messages really are coming from you. Check to make sure your security is locked down so you can't be used as a relay. Being a relay will get you on SRL's real quick. Try a piece of software called XWall, it'll help out a ton with SPAM filtering as well. I believe the price to be very reasonable at 350. I use it and dropped from over 14,000 SPAM messages a day to about 1,000.
 
Hrm.. I've done a few different relay tests, but everything looks fine.. I've done the abuse.net tests, as well as the ordb.org tests.

I looked around the xwall site briefly, but failed to see if it supports any mail server.

From the diagram though it looks as if it can reside on its own machine and act as a smtp proxy of sorts..

[EDIT]
Interesting, we just turned on reverse DNS lookups on incoming messages and a boatload are getting filtered.. :)

-scoob8000
 
Those are virus bounces. When a virus replicates it grabs a name from the victim's email client to use as the fake source. When the virus mail bounces YOU get the notification. Not much you can do.
 
LittleMe said:
I'd actually check to see if they are coming from you. The way it looks to me, they may be using your box as a relay, in which case, those messages really are coming from you. Check to make sure your security is locked down so you can't be used as a relay. Being a relay will get you on SRL's real quick. Try a piece of software called XWall, it'll help out a ton with SPAM filtering as well. I believe the price to be very reasonable at 350. I use it and dropped from over 14,000 SPAM messages a day to about 1,000.

No they are definitely not coming from his own server. They are NDRs sent to him in response to bullshit like SPAM, viruses, etc...
 
Wolf-R1 said:
No they are definitely not coming from his own server. They are NDRs sent to him in response to bullshit like SPAM, viruses, etc...

I know, but from what he posted above, the IP of the delivery server is that of his email server. And unless it's spoofed, which odds are it's not since most spammers/virus authors don't go to the extent, it was from him.
 