comcarind

Misdirected Bounces


I am attempting to stop my email server from sending misdirected bounces, which has caused me to be put on the spamcop blacklist three times in the last two weeks.

I am using GroupWise 5.5 and I cannot find any settings that would prevent the email from being sent to the potentially forged From address. One suggestion from my ISP was to change it so that it sent to the IP address of the mail server/network as opposed to the From address; however, I cannot find any way to do that in GroupWise 5.5.


Yes, I have searched on Novell's support site, and also posted there. I have located a few settings that could help cut down on this, but so far can't find any information that relates specifically to having the mail server bounce to the IP instead of the From address. On a side note, GroupWise 6.5 seems to do this by default.


If there is an option to return unknown mail to the sender then turn it off and it will reject it properly.


GroupWise 5.5's GWIA appears to use the now-deprecated accept-then-bounce-to-envelope-sender paradigm, and appears never to have more than a passing relationship with certain Internet Standards. I've tried talking an admin through turning off bounces altogether for one installed instance over the phone, but that doesn't seem to have worked, so I'm going to try in person, perhaps tomorrow.

EDIT: The article referred to by the previous post appears so old as to be nearly useless. Although not the exact original intent, http://support.novell.com/cgi-bin/search/s...i?/10008142.htm should help guide you in changing the Outbound Status Level to "none", turning off bounces altogether.

Edited by Jeff G.


There does not seem to be a way to stop it from sending bounces at all; I am just trying to get it to not send to the From address that is potentially forged.

At this point, I would gladly set it up to send all undeliverable or bounceworthy messages to another user or folder. But no settings I have changed are accomplishing this.

GroupWise 6.5 doesn't seem to have any settings to turn off bounces either; however, it does send bounces back to the IP address or email server of the message as opposed to the From address.

I am an email newbie so not sure if I am saying this correctly.


I have documented cases of GWIA sending a bounce to the envelope sender, because the destination is not the original from address. Spammers appear to be causing this behavior to happen all the time, although sometimes the envelope sender is the same as the from address. Do you have a documented case of GWIA sending a bounce to the from address, rather than the envelope sender?


I am an email newbie, so excuse the dumb question, but what is the difference between the envelope sender and the From address? Should I copy into here the report I received from SpamCop?


The SMTP Envelope Sender is the address used by the spammer's system when connecting to an SMTP mail server on port 25, and is preceded by "MAIL FROM:" without quotes. The From Address is in the Header, is preceded by "From:" without quotes, and is sent along with the data as a part of the message. Some systems record the SMTP Envelope Sender in a "Return-Path:" Header Line; they are all supposed to before delivering the message to the intended recipient.

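The distinction in the post above, worked through as an added example that is not part of the thread and not GroupWise or Novell code: a toy SMTP receiver reads a constructed client transcript, records where the envelope sender (MAIL FROM) and the header From: each come from, writes the envelope sender into Return-Path:, and contrasts rejecting an unknown recipient with a 550 during the session against the accept-then-bounce behaviour the thread attributes to GWIA. The domain, user list, addresses and transcript are all constructed for the example.

```python
"""Added example: envelope sender vs header From, and reject-in-session vs
accept-then-bounce. Not code from the thread or from GroupWise/Novell.
All domains, mailboxes and the transcript below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.org"            # assumption: the domain this server accepts mail for
LOCAL_USERS = {"alice", "postmaster"}   # assumption: the mailboxes that actually exist

# Constructed transcript: one real recipient, one that does not exist, an
# envelope sender belonging to an uninvolved third party, and a different
# address in the From: header of the message body.
TRANSCRIPT = [
    "HELO relay.forged.example",
    "MAIL FROM:<innocent@third-party.example>",
    "RCPT TO:<alice@example.org>",
    "RCPT TO:<nosuchuser@example.org>",
    "DATA",
    "From: Someone Forged <forged-from@header.example>",
    "To: nosuchuser@example.org",
    "Subject: constructed test message",
    "",
    "body text",
    ".",
    "QUIT",
]

ADDR = re.compile(r"<([^>]*)>")


def run_session(transcript=TRANSCRIPT, mode="reject"):
    """Drive the toy server through one client transcript and return what it saw.

    mode="reject": an unknown recipient gets 550 at RCPT TO, so this server
        never has to generate a bounce for it.
    mode="accept-then-bounce": every recipient is accepted and a non-delivery
        report is later addressed to the envelope sender; when that address is
        forged the bounce lands on an innocent third party (backscatter).
    """
    state = {"envelope_sender": None, "header_from_addr": None, "return_path": None,
             "accepted": [], "rejected": [], "responses": [], "bounce_to": None}
    in_data, data_lines = False, []
    for line in transcript:
        if in_data:
            if line == ".":
                in_data = False
                msg = message_from_string("\n".join(data_lines))
                # The From: header is just message data supplied by the client.
                state["header_from_addr"] = parseaddr(msg["From"])[1]
                # RFC 5321: the receiving MTA records the envelope sender as Return-Path:.
                state["return_path"] = "<%s>" % state["envelope_sender"]
                state["responses"].append("250 OK: queued")
            else:
                data_lines.append(line)
            continue
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb == "MAIL":
            state["envelope_sender"] = ADDR.search(line).group(1)
            state["responses"].append("250 OK")
        elif verb == "RCPT":
            rcpt = ADDR.search(line).group(1)
            local, _, domain = rcpt.partition("@")
            exists = domain == LOCAL_DOMAIN and local in LOCAL_USERS
            if exists or mode == "accept-then-bounce":
                state["accepted"].append(rcpt)
                state["responses"].append("250 OK")
            else:
                state["rejected"].append(rcpt)
                state["responses"].append("550 5.1.1 No such user")
        elif verb == "DATA":
            if state["accepted"]:
                in_data = True
                state["responses"].append("354 End data with <CR><LF>.<CR><LF>")
            else:
                state["responses"].append("554 5.5.1 No valid recipients")
        elif verb == "QUIT":
            state["responses"].append("221 Bye")
        else:
            state["responses"].append("250 OK")
    # Post-acceptance delivery attempt: only the accept-then-bounce server
    # discovers the missing mailbox now, and sends its report to MAIL FROM.
    if mode == "accept-then-bounce":
        undeliverable = [r for r in state["accepted"] if r.partition("@")[0] not in LOCAL_USERS]
        if undeliverable:
            state["bounce_to"] = state["envelope_sender"]
    return state


if __name__ == "__main__":
    for mode in ("reject", "accept-then-bounce"):
        s = run_session(mode=mode)
        print(mode, "envelope:", s["envelope_sender"], "header From:", s["header_from_addr"],
              "rejected:", s["rejected"], "bounce goes to:", s["bounce_to"])
```

In both modes the envelope sender and the header From: address differ, and the bounce (when one is generated) goes to the envelope sender, never to the From: header; the only way to avoid addressing a bounce to a forged party is not to generate one, which the 550 at RCPT TO achieves.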

Yes, you should copy into here the report you received from SpamCop, munging what you feel you need to munge and removing the body of any actual spam.


Ok, so the spammer used the open proxy at usen-221x117x246x108.ap-US01.usen.ad.jp [221.117.246.108], pretending that:

  • he was sending from a mailserver named "gadgetscope.com"
  • his message was mailed from (MAIL FROM, SMTP Envelope Sender) an address in a domain served by astro.phpwebhosting.com
  • he was mailing 'From: "Muireadhach Nash" <x>' (obscured by the SpamCop Parsing and Reporting Service)

GWIA failed to record the SMTP Envelope Sender, but tried to bounce there anyway. If you still have the "BAD" message in your problem directory or your postmaster's mailbox, you can find the unobscured "From" address.

That bounce is one of two incidents I can see for your IP Address, the other being:

Submitted: Wednesday, February 09, 2005 6:10:06 AM -0500:

Message status - undeliverable

  • 1356228889 ( 12.108.61.66 ) To: spamcop<at>imaphost.com
  • 1356228886 ( 12.108.61.66 ) To: abuse<at>att.net

Reading between the lines, there must have been at least one misdirected bounce to a SpamCop spamtrap (on top of the reported bounce this morning) that elevated your IP Address to listable status.


Unobscured From address is donovan<at>gadgetscope.com

Where do you find the information:

Submitted: Wednesday, February 09, 2005 6:10:06 AM -0500:

Message status - undeliverable

1356228889 ( 12.108.61.66 ) To: spamcop<at>imaphost.com

1356228886 ( 12.108.61.66 ) To: abuse<at>att.net

?

Also, I cannot thank you folks enough for taking the time to help a newb like me!

<Moderator: munged donovan email address to prevent scraping>

Edited by StevenUnderwood

Where do you find the information:

That is one of the advantages to a paid reporting account. When you submit an IP address, it gives you minimal report history as shown.

Also, I cannot thank you folks enough for taking the time to help a newb like me!

That is the reason I started hanging out here, first to learn, then to pass on that knowledge. We were all newbs at one point or another.


Little update.

I set my delivery status to none, and it now does not send bounce emails from my 5.5 server.

However, also on this network, set up as an external system, is a 5.2 GroupWise server running ADA; that system is still bouncing. ARGH!! heh, I can see why people get frustrated with all this.


Just to make sure that your aggravation is pointed in the right direction .... it's the spammers that have turned a system written from a "trusted user" perspective into the exploited mess that you are fighting now. The non-delivery notification thing was there for all the right reasons ... exploiting this function to spew spam was not something obvious to have to worry about way back when.


5.5 is painful enough, 5.2 is downright ancient (by today's warped software version inflation standards).

The spammer probably used the same gadgetscope.com address for both "From" and "MAIL FROM". Mail for gadgetscope.com is in fact served by astro.phpwebhosting.com [66.33.60.221] in its guise as mail.gadgetscope.com.


On a side note, you will probably find that if you siphon off the circling double-bounces by establishing (for example) a Mailer-Daemon<at>gwmail.comcar.com account or alias, your system will run faster. We had to do that (at another domain, of course) in order to bring a system back from its comatose state (from the outside - the inside was too busy processing double-bounces to do anything productive). A few thousand siphoned double-bounces later, it was happy again. :)

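The siphon described in the post above, as an added example that is not from the thread and not GroupWise code: it recognises an inbound message as a delivery status notification by the null envelope sender (RFC 5321), a multipart/report body with report-type=delivery-status (RFC 3464/6522) or an Auto-Submitted header (RFC 3834), routes bounces addressed to the Mailer-Daemon or postmaster alias into a dedicated siphon mailbox, and never generates a further bounce for a message that arrived with a null sender, which is what stops double-bounces from circling. The domain, mailbox names, alias set and the two sample messages are constructed; matching the alias case-insensitively is this example's own choice, not a statement about how GroupWise matches account names.

```python
"""Added example: recognise bounces and siphon double-bounces instead of
re-bouncing them. Not code from the thread or from GroupWise/Novell.
Mailboxes, domain and messages are constructed."""
from email import message_from_string

SIPHON_MAILBOX = "bounce-siphon"                    # assumption: local mailbox that absorbs double-bounces
DAEMON_ALIASES = {"mailer-daemon", "postmaster"}   # assumption: aliases our own NDRs are sent from
LOCAL_USERS = {"alice", "bob"}                      # assumption: the mailboxes that exist

# Constructed inbound bounce, addressed to our daemon alias with a null sender.
BOUNCE = """Return-Path: <>
Auto-Submitted: auto-replied
From: Mail Delivery System <mailer-daemon@remote.example>
To: mailer-daemon@gwmail.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; remote.example
Final-Recipient: rfc822; innocent@remote.example
Action: failed
Status: 5.1.1
--b1--
"""

# Constructed ordinary message from a real correspondent.
NORMAL = """From: Alice <alice@partner.example>
To: bob@gwmail.example
Subject: hello

hi
"""


def is_dsn(envelope_sender, raw_message):
    """True if the message looks like a bounce: a delivery-status report body,
    or a null reverse path combined with an Auto-Submitted header."""
    msg = message_from_string(raw_message)
    report = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    auto = msg.get("Auto-Submitted", "no").lower().startswith("auto-")
    return report or (envelope_sender == "" and auto)


def route(envelope_sender, rcpt, raw_message):
    """Decide what happens to one inbound message.

    Returns ("siphon", mailbox), ("deliver", mailbox), ("discard", None) or
    ("reject", smtp_reply). A reject is only ever produced for a message that
    has a real envelope sender, so no bounce is sent in reply to a bounce.
    """
    local = rcpt.partition("@")[0].lower()
    bounce = is_dsn(envelope_sender, raw_message)
    if bounce and local in DAEMON_ALIASES:
        # A bounce addressed to our own daemon alias is a double-bounce:
        # park it where a human can look, out of the delivery loop.
        return ("siphon", SIPHON_MAILBOX)
    if local in LOCAL_USERS:
        return ("deliver", local)
    if envelope_sender == "" or bounce:
        # RFC 5321 section 4.5.5: a message with a null reverse path must not
        # cause a notification to be sent; dropping it ends the loop.
        return ("discard", None)
    return ("reject", "550 5.1.1 No such user")


if __name__ == "__main__":
    print(route("", "Mailer-Daemon@gwmail.example", BOUNCE))
    print(route("alice@partner.example", "bob@gwmail.example", NORMAL))
    print(route("", "ghost@gwmail.example", BOUNCE))
    print(route("alice@partner.example", "ghost@gwmail.example", NORMAL))
```

The unknown-recipient reject belongs at RCPT TO time in a real MTA rather than after the message has been read; the function is written over a complete message only so that the bounce-recognition and the loop rule can be shown side by side.
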
Just to make sure that your aggravation is pointed in the right direction ....

Agree, I am not aggravated at spamcop, or the people who operate it or browse these forums. I am aggravated at having an ancient email system, running on a platform I know nothing about.

SpamCop provides a very valuable service, and I use its RBL as one of two RBLs for my spam filtering solution. Sorry if that came out wrong!

Edited by comcarind

On a side note, you will probably find that if you siphon off the circling double-bounces by establishing (for example) a Mailer-Daemon<at>gwmail.comcar.com account or alias, your system will run faster.  We had to do that (at another domain, of course) in order to bring a system back from its comatose state (from the outside - the inside was too busy processing double-bounces to do anything productive).  A few thousand siphoned double-bounces later, it was happy again. :)

Good tip. I already have created a mailer-deamon account today; of course, that was in an effort to create a rule of some type to prevent messages with that account name from leaving my network heh.


Of course, it doesn't work unless it's spelled "Mailer-Daemon" exactly. :)


heh, that would explain why it wasn't working.

Another strange note. Now that I have blocked bounce messages, I am still getting one from the 5.2 system as I said. However, the message I received is not "user not found", it is "access denied".
