Misdirected Bounces


comcarind

I am attempting to stop my email server from sending misdirected bounces, which has caused me to be put on the spamcop blacklist three times in the last two weeks.

I am using groupwise 5.5 and I cannot find any settings that would prevent the email from being sent to the potentially forged from address. One suggestion from my ISP was to change it so that it sent to the IP address of the mail server/network as opposed to the from address; however, I cannot find any way to do that in groupwise 5.5.


Yes, I have searched on novell's support site, and also posted there. I have located a few settings that could help cut down on this, but so far can't find any information that relates specifically to having the mail server bounce to the IP instead of the from address. On a side note, groupwise 6.5 seems to do this by default.


GroupWise 5.5's GWIA appears to use the now-deprecated accept-then-bounce-to-envelope-sender paradigm, and appears never to have more than a passing relationship with certain Internet Standards. I've tried talking an admin through turning off bounces altogether for one installed instance over the phone, but that doesn't seem to have worked, so I'm going to try in person, perhaps tomorrow.

EDIT: The article referred to by the previous post appears so old as to be nearly useless. Although not the exact original intent, http://support.novell.com/cgi-bin/search/s...i?/10008142.htm should help guide you in changing the Outbound Status Level to "none", turning off bounces altogether.


There does not seem to be a way to stop it from sending bounces at all, I am just trying to get it to not send to the from address that is potentially forged.

At this point, I would gladly set it up to send all undeliverable or bounceworthy messages to another user or folder. But no settings I have changed are accomplishing this.

Groupwise 6.5 doesn't seem to have any settings to turn off bounces either; however, it does send bounces back to the IP address or email server of the message as opposed to the from address.

I am an email newbie so not sure if I am saying this correctly.


I have documented cases of GWIA sending a bounce to the envelope sender, because the destination is not the original from address. Spammers appear to be causing this behavior to happen all the time, although sometimes the envelope sender is the same as the from address. Do you have a documented case of GWIA sending a bounce to the from address, rather than the envelope sender?


The SMTP Envelope Sender is the address used by the spammer's system when connecting to an SMTP mail server on port 25, and is preceded by "MAIL FROM:" without quotes. The From Address is in the Header, is preceded by "From:" without quotes, and is sent along with the data as a part of the message. Some systems record the SMTP Envelope Sender in a "Return-Path:" Header Line; they are all supposed to before delivering the message to the intended recipient.


Yes, you should copy into here the report you received from SpamCop, munging what you feel you need to munge and removing the body of any actual spam.


Ok, so the spammer used the open proxy at usen-221x117x246x108.ap-US01.usen.ad.jp [221.117.246.108], pretending that:

  • he was sending from a mailserver named "gadgetscope.com"
  • his message was mailed from (MAIL FROM, SMTP Envelope Sender) an address in a domain served by astro.phpwebhosting.com
  • he was mailing 'From: "Muireadhach Nash" <x>' (obscured by the SpamCop Parsing and Reporting Service)

GWIA failed to record the SMTP Envelope Sender, but tried to bounce there anyway. If you still have the "BAD" message in your problem directory or your postmaster's mailbox, you can find the unobscured "From" address.

That bounce is one of two incidents I can see for your IP Address, the other being:

Submitted: Wednesday, February 09, 2005 6:10:06 AM -0500:

Message status - undeliverable

  • 1356228889 ( 12.108.61.66 ) To: spamcop<at>imaphost.com
  • 1356228886 ( 12.108.61.66 ) To: abuse<at>att.net

Reading between the lines, there must have been at least one misdirected bounce to a SpamCop spamtrap (on top of the reported bounce this morning) that elevated your IP Address to listable status.
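The two posts above (the one explaining MAIL FROM versus the From: header, and the one reading the SpamCop report) can be illustrated with a small script. This is an added example, not code from the thread or from GroupWise: it parses a constructed message modelled on the incident (HELO of gadgetscope.com via the open proxy, an envelope sender in a hosted domain, a different From: name), shows which address is the envelope sender and which is the forgeable header, and compares the legacy accept-then-bounce behaviour with refusing an unknown recipient at RCPT TO time, where no bounce is ever generated. Mailbox addresses, the hostname `gwmail.example` and the function names are assumptions.

```python
"""Envelope sender vs. header From, and where a non-delivery report may go.

Added example (not from the thread or from GroupWise). MAIL FROM is the
envelope sender, recorded as Return-Path; the header From: is only data
and is the part a spammer forges.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample, modelled on the incident analysed above. The
# Return-Path and mailbox addresses are placeholders.
SAMPLE = """\
Return-Path: <bounce-placeholder@hosting.example>
Received: from gadgetscope.com (usen-221x117x246x108.ap-US01.usen.ad.jp [221.117.246.108])
    by gwmail.example with SMTP; Wed, 09 Feb 2005 06:10:06 -0500
From: "Muireadhach Nash" <x@forged.example>
To: someone@gwmail.example
Subject: constructed sample

body text
"""


def parse(raw: str) -> Message:
    """Parse a raw RFC 822 message."""
    return message_from_string(raw)


def envelope_sender(msg: Message) -> str:
    """Envelope sender as recorded in Return-Path; "" for <> or when absent.

    GWIA in the thread did not record it at all, which is the 'absent' case:
    without a record there is nobody a later bounce can safely go to.
    """
    value = msg.get("Return-Path")
    return "" if value is None else parseaddr(value)[1]


def header_from(msg: Message) -> str:
    """The From: header address, i.e. the forgeable one."""
    return parseaddr(msg.get("From", ""))[1]


def dsn_recipient(msg: Message):
    """Where a post-acceptance non-delivery report may be sent.

    Only the envelope sender qualifies; None means 'send nothing' (null
    sender <> or no record). The header From: is never considered.
    """
    return envelope_sender(msg) or None


def rcpt_reply(local_users, rcpt_to: str) -> str:
    """Reply to RCPT TO. Refusing unknown recipients here means the message
    is never accepted, so no bounce to anyone is ever generated."""
    if rcpt_to.lower() in local_users:
        return "250 2.1.5 Recipient OK"
    return "550 5.1.1 User unknown"


def simulate(local_users, mail_from: str, rcpt_to: str, accept_then_bounce: bool):
    """Compare the two paradigms for one envelope.

    Returns (reply to RCPT TO, address a bounce would go to or None).
    accept_then_bounce=True is the legacy behaviour described above;
    False is reject-at-SMTP-time.
    """
    if accept_then_bounce:
        known = rcpt_to.lower() in local_users
        return "250 2.1.5 Recipient OK", (None if known else (mail_from or None))
    return rcpt_reply(local_users, rcpt_to), None


if __name__ == "__main__":
    m = parse(SAMPLE)
    print("envelope sender:", envelope_sender(m))
    print("header From:   ", header_from(m))
    print("DSN may go to: ", dsn_recipient(m))
    users = {"someone@gwmail.example"}
    for legacy in (True, False):
        print(simulate(users, "bounce-placeholder@hosting.example",
                       "nobody@gwmail.example", legacy))
```

Run as-is it prints the two addresses side by side and then the two outcomes for an unknown recipient: the legacy path accepts and later bounces to whatever MAIL FROM said, the reject-at-RCPT path returns 550 and bounces to nobody, which is the only setting in which a forged sender cannot be used to aim a bounce at a third party.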


unobscured from address is donovan<at>gadgetscope.com

Where do you find the information:

Submitted: Wednesday, February 09, 2005 6:10:06 AM -0500:

Message status - undeliverable

1356228889 ( 12.108.61.66 ) To: spamcop<at>imaphost.com

1356228886 ( 12.108.61.66 ) To: abuse<at>att.net

?

Also, I cannot thank you folks enough for taking the time to help a newb like me!

<Moderator: munged donovan email address to prevent scraping>


Where do you find the information:

That is one of the advantages to a paid reporting account. When you submit an IP address, it gives you minimal report history as shown.

Also, I cannot thank you folks enough for taking the time to help a newb like me!

That is the reason I started hanging out here, first to learn, then to pass on that knowledge. We were all newbs at one point or another.


Little update.

I set my delivery status to none, and it now does not send bounce emails from my 5.5 server.

However, also on this network, set up as an external system, is a 5.2 groupwise server running ADA; that system is still bouncing. ARGH!! heh, I can see why people get frustrated with all this.


Just to make sure that your aggravation is pointed in the right direction .... it's the spammers that have turned a system written from a "trusted user" perspective into the exploited mess that you are fighting now. The non-delivery notification thing was there for all the right reasons ... exploiting this function to spew spam was not something obvious to have to worry about way back when.


5.5 is painful enough, 5.2 is downright ancient (by today's warped software version inflation standards).

The spammer probably used the same gadgetscope.com address for both "From" and "MAIL FROM". Mail for gadgetscope.com is in fact served by astro.phpwebhosting.com [66.33.60.221] in its guise as mail.gadgetscope.com.


On a side note, you will probably find that if you siphon off the circling double-bounces by establishing (for example) a Mailer-Daemon<at>gwmail.comcar.com account or alias, your system will run faster. We had to do that (at another domain, of course) in order to bring a system back from its comatose state (from the outside - the inside was too busy processing double-bounces to do anything productive). A few thousand siphoned double-bounces later, it was happy again. :)
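The siphon idea in the post above can be written down as an inbound routing rule. This is an added example, not code from the thread or from GroupWise: it recognises delivery reports (null envelope sender, or a multipart/report of type delivery-status), stores anything addressed to the Mailer-Daemon account without answering it, and, for an unknown recipient, drops a delivery report silently instead of bouncing it again, which is the double-bounce loop described. The domain gwmail.comcar.com is from the thread; the sample messages, user names and function names are constructed.

```python
"""Recognise bounces on the way in and siphon them instead of bouncing them.

Added example (not from the thread or from GroupWise). Domain from the
thread; messages and user names constructed.
"""
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "gwmail.comcar.com"
SIPHON_ACCOUNT = "mailer-daemon"   # the account/alias proposed above


def parse(raw: str):
    return message_from_string(raw)


def is_delivery_report(msg) -> bool:
    """Null envelope sender, or a multipart/report of type delivery-status."""
    null_sender = parseaddr(msg.get("Return-Path", "<>"))[1] == ""
    ctype = msg.get_content_type()
    rtype = (msg.get_param("report-type", "", header="Content-Type") or "").lower()
    return null_sender or (ctype == "multipart/report" and rtype == "delivery-status")


def route(rcpt_to: str, raw: str, local_users) -> str:
    """Decide what happens to one inbound message for one recipient.

    local_users holds local parts of mailboxes that exist.
    """
    msg = parse(raw)
    local, _, domain = rcpt_to.lower().rpartition("@")
    if domain != LOCAL_DOMAIN:
        return "relay-denied"       # not our domain: refuse at RCPT TO
    if local == SIPHON_ACCOUNT:
        return "siphon"             # store in the siphon mailbox, answer nothing
    if local in local_users:
        return "deliver"
    if is_delivery_report(msg):
        return "drop-silently"      # never bounce a bounce
    return "reject-550"             # unknown user: refuse before DATA, no bounce


def summarize(items, local_users) -> dict:
    """Count routing outcomes for a batch of (rcpt_to, raw_message) pairs."""
    counts = {}
    for rcpt_to, raw in items:
        outcome = route(rcpt_to, raw, local_users)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed samples.
DSN_TO_DAEMON = """\
Return-Path: <>
From: Mail Delivery System <mailer-daemon@other.example>
To: mailer-daemon@gwmail.comcar.com
Subject: Undeliverable mail
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; other.example
--b1--
"""

DSN_TO_UNKNOWN = """\
Return-Path: <>
From: postmaster@other.example
To: gone@gwmail.comcar.com
Subject: Undeliverable mail

The original recipient did not exist.
"""

NORMAL_MAIL = """\
Return-Path: <alice@partner.example>
From: alice@partner.example
To: bob@gwmail.comcar.com
Subject: hello

plain message
"""

SAMPLES = [
    ("mailer-daemon@gwmail.comcar.com", DSN_TO_DAEMON),
    ("gone@gwmail.comcar.com", DSN_TO_UNKNOWN),
    ("bob@gwmail.comcar.com", NORMAL_MAIL),
    ("gone@gwmail.comcar.com", NORMAL_MAIL),
    ("someone@elsewhere.example", NORMAL_MAIL),
]
LOCAL_USERS = {"bob", "comcarind"}

if __name__ == "__main__":
    print(summarize(SAMPLES, LOCAL_USERS))
```

The point of the "siphon" and "drop-silently" outcomes is that neither one produces a message of its own: a system that answers a bounce with another bounce is the one that ends up spending all its time talking to itself, as the post describes.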


Just to make sure that your aggravation is pointed in the right direction ....

Agree, I am not aggravated at spamcop, or the people who operate it or browse these forums. I am aggravated at having an ancient email system, running on a platform I know nothing about.

SpamCop provides a very valuable service, and I use its RBL as one of two RBLs for my spam filtering solution. Sorry if that came out wrong!


On a side note, you will probably find that if you siphon off the circling double-bounces by establishing (for example) a Mailer-Daemon<at>gwmail.comcar.com account or alias, your system will run faster.  We had to do that (at another domain, of course) in order to bring a system back from its comatose state (from the outside - the inside was too busy processing double-bounces to do anything productive).  A few thousand siphoned double-bounces later, it was happy again. :)

Good tip. I already have created a mailer-daemon account today; of course, that was in an effort to create a rule of some type to prevent messages with that account name from leaving my network heh.


heh, that would explain why it wasn't working.

Another strange note. Now that I have blocked bounce messages, I am still getting one from the 5.2 system as I said. However, the message I received is not user not found, it is access denied.
