The topic is the main point. Our firewall is the address that gets listed. It is listed every few weeks, and the gets automatically removed. The last few times it has happened, it was removed before we had any complaints so I don't even know why Spam Cop is listing us. There are more than 20 Exchange servers behind our firewall (Sidewinder G2). The firewall only allows 4 machines to send mail outbound. 3 of them are SuSE10.0 Hardened DNS and Mail servers. The 4th is an Exchange server. The 4th is my primary suspect, but I have no idea how to prove it. It is setup as a bridgehead (I'm the Unix/Linux guy, so I've never really understood the bridgehead and have threatened to turn it off on numerous occasions because of problems it has caused.) The rest of the exchange servers in the network pass mail first to Symantec Virus Scanners (Also set to do heuristics for SPAM) that relay to the 3 Linux DNS & Mail servers. The biggest problem is that all of those exchange servers are administered by different people.
Any help on figuring out were this is originating, or ideas on how to find the culprit would be appeciated.

Thank you,

Server Info: 138.180.190.67

The only two old reports that I (as a paying user) can see are two post-facto 'bounces' with 'undelverable' in the subject line. It seems that one of your receiving servers is sending 'undeliverable' messages to the spoofed 'From' envelope in spam AFTER the SMTP transaction. If you must bounce please do it with a 5xx error DURING the SMTP process. There is faq here about 'backscatter' and why it such a bad idea.

Hi Scott,

it seems like your bridgehead server is accepting any mail that comes his way:


Hmm, I don't believe you have a user named derimdwicmewocnwod_rismwujcs.wufnmewop18950302[at]navy.mil ;-)

So this mail gets relayed to other mail servers until finally one server has the guts to say: "Hey, there is no such user!" Depending on the config of this machine this might result in a non-delivery message being sent back to the alleged sender. However, since spammers regularly fake the from-address, it's more likely the bounce will end up at some innocent bystander.

More about bounces (aka blow-back, aka backscatter) here:
http://www.spamcop.net/fom-serve/cache/329.html

There are three ways to solve this problem:
1. The Good Way
Your bridgehead server should know what addresses exist on the other servers. This way you can directly reject any message to a non-existing recipient without generating a bounce. However, this would imply you have access to a complete directory of all users, either via AD or LDAP. If this is not feasible, you can try...
2. The Not-So-Good-But-Acceptable Way
Ask all administrators to disable NDRs on their mail servers. For E2K3, you launch the Exchange System Manager, then go to Global Settings -> Internet Message Format. Select the Advanced tab. Uncheck Allow non-delivery reports. For E2K, you need to download a patch from Microsoft. If your colleagues won't cooperate, you still have...
3. The Hard-But-Hey-It-Works Way
Discard outgoing NDRs on your bridgehead server. This isn't very nice, I know, but it should solve the problem.

There might be other solutions, but that's all I can come up with on short term...

Good luck,

A. Friend