Jump to content
Sign in to follow this  
yokel

Misdirected Bounces

Recommended Posts

Hi All

We have been listed in the SpamCop Black lists for (as I understand it) sending misdirected bounce emails.

http://www.spamcop.net/w3m?action=checkblock&ip=202.14.101.7

I have read the FAQ'a and Guidelines on what to do to stop these bounce emails occuring in the future and I "think" I have rectified the problem. However I am not confident that I have completely prevented the relisting of our MX record.

Our current setup uses an Interscan box to do AV filtering and spam flitering, this Interscan box then relays (internally of course) mail to our exchange servers.

As interscan seems to be incapable of checking the validity of the destination address before accepting the email, I have set exchange to not NDR. Additionally I have also removed a notifications to people who's mail has been classified as spam by interscan. Which should stop any NDR's and automated replies (for spam emails). Is this the correct approach?

Also I am confused about one aspect of the misdirected bounced email concept.

We still have virus notifications and automatic replies( for 2 email addresses only. These auto replies are only generated if a mail is sent to a specific email address.

However I can see that the virus notifications and the above auto replies could still have the reply to address, spoofed, and subsequently the response is sent. Would this still contravene SpamCop's guidelines? If so could you please suggest what action I could take to modify the above setup.

Thanks

Share this post


Link to post
Share on other sites
We have been listed in the SpamCop Black lists for (as I understand it) sending misdirected bounce emails.

39254[/snapback]

Hi yokel!

I trust you're not offended to be called yokel since you chose the username - but where I come from it isn't a term of endearment :)

Looking at your report history I can see that most reports are going to spam traps but the one I can see (cos I'm a user not admin) has the subject: Mail could not be delivered

So it would appear that your mail system is accepting mail for delivery, then recognising that the address doesn't exist then bouncing back the reject reply. This approach is pretty much guaranteed to get your server listed as soon as you reply to messages with forged headers. That some of the forged addresses are spam traps means you've been listed even more quickly.

To avoid this situation you need to reject incoming messages during the SMTP transactions. If you have set your system to refuse the messages and provide a 5xx rejection during the SMTP handshake then that should do the trick for you.

I think you're saying that you use Exchange mail server and there are plenty of folk around here who could point you to the correct settings if are unsure. However, if you're using an Interscan box prior to Exchange I'm not sure whether the rejection should happen prior to Exchange receiving the message. Others will hopefully be able to assist you.

Because you (or someone on your behalf) has already used the quick de-list option without the problem being properly addressed, this option isn't available to you any longer. It seems like you'll be de-listed in 11 hours. At that time recipients of Email from your system who block using the SCBL will start accepting mail again.

Thanks for your positive and willing attempts to tighten up your handling of UCE.

Andrew

Share this post


Link to post
Share on other sites
Also I am confused about one aspect of the misdirected bounced email concept.

We still have virus notifications and automatic replies( for 2 email addresses only. These auto replies are only generated if a mail is sent to a specific email address.

However I can see that the virus notifications and the above auto replies could still have the reply to address, spoofed, and subsequently the response is sent. Would this still contravene SpamCop's guidelines? If so could you please suggest what action I could take to modify the above setup.

I am not a server admin, but I think that any sort of auto reply is likely to send email to forged addresses.

IMHO virus notifications are a total waste of time since almost all viruses do have forged return addresses.

There was a discussion just recently on how to set up auto replies so that they don't go to indiscriminate email addresses. If I understood it correctly, basically you have a whitelist of addresses and auto replies only go to that list.

This is only a matter of semantics. I suppose you could say that SpamCop's blocklist does have 'guidelines' I think it is more accurate to say the scbl is based on reports of unsolicited email. The guidelines are for what kinds of unsolicited email can be reported. And basically the guidelines say that any kind of unsolicited email that is unwanted is reportable unless one had a prior relationship with the sender. That includes all viruses and all undeliverable email messages to email that you didn't send as well as advertisements and newsletters that were not requested and confirmed and also scam email. If one has requested email, then one must use the 'remove' function to stop it. Spamcop allows people to report mailing lists that refuse to honor removes, but it is generally a waste of time since one reporter cannot list an IP address.

Other blocklists have other criteria. Basically, however the general 'guidelines' are based on being a good netizen: preventing unsolicited email from leaving your network and being sure that what you do is RFC compliant. At one time, accepting email and then sending non-deliverable email was acceptable, but the spammers spoiled that function of email as well as autoreplies. At one time open relays were considered 'friendly' and the spammers spoiled that also. So one has to keep up with what the spammers have spoiled for use and also on what other server admins are doing to prevent spam from entering their networks (I am not sure I can give a good example, but I think the way that MXs are configured is an example. It used to be that people would accept misconfigured ones, but now many admins won't. However, that may not be accurate and it is not a guideline for the scbl.)

As someone else said, thank you for being interested in being a responsible admin.

Miss Betsy

Share this post


Link to post
Share on other sites
Our current setup uses an Interscan box to do AV filtering and spam flitering, this Interscan box then relays (internally of course) mail to our exchange servers.

As interscan seems to be incapable of checking the validity of the destination address before accepting the email, I have set exchange to not NDR. Additionally I have also removed a notifications to people who's mail has been classified as spam by interscan. Which should stop any NDR's and automated replies (for spam emails). Is this the correct approach?

It's an approach - requires least work, effective, but with the potential to dump legitimate mail without notifying the sender.

For me the correct approach would be to scan for viruses/spam/invalid_recipients at the edge server during the SMTP transaction and 5XX reject unwanted mails with an appropriate reason for rejection. Why don't you ask Interscan about that, or install Linux/BSD on the box and configure your mail system to do that with open source software. This has the advantage that legitimate senders will still get notification that you've rejected their mail along with a reason for rejection via a bounce from their local MTA while not sending any bounces or notifications yourself. If you have a secondary MX, you'll need to configure it in a similar way to avoid junk getting in 'through the back door'.

Also I am confused about one aspect of the misdirected bounced email concept.

We still have virus notifications and automatic replies( for 2 email addresses only. These auto replies are only generated if a mail is sent to a specific email address.

However I can see that the virus notifications and the above auto replies could still have the reply to address, spoofed, and subsequently the response is sent. Would this still contravene SpamCop's guidelines? If so could you please suggest what action I could take to modify the above setup.

Such mail has the potential to hit spamtrap addresses and SpamCop users and is reportable. Why don't you send virus notifications and autoreply messages as SMTP 5XX reason for rejection messages instead?

Share this post


Link to post
Share on other sites

Thanks for the replies. It appears ( for the time being at least) that we have been automatically removed from the blacklist. In the mean time I looked into getting Interscan to do the checking against AD for legitimate usernames etc. However it requires Interscan to be upgraded and for us that is a $40k proposition....not nice!

So we are pushing the politics bandwagon to get approval to use open source solutions such as spamassin that do support such functionality....and its free.

Share this post


Link to post
Share on other sites
Thanks for the replies. It appears ( for the time being at least) that we have been automatically removed from the blacklist. In the mean time I looked into getting Interscan to do the checking against AD for legitimate usernames etc. However it requires Interscan to be upgraded and for us that is a $40k proposition....not nice!

So we are pushing the politics bandwagon to get approval to use open source solutions such as spamassin that do support such functionality....and its free.

39347[/snapback]

I am not an admin but couldn't you put a linux box between the 'net and interscan, just to weed out the non-deliverables at the SMTP stage? an old Pentuim II box with free software is a lot less than $40K!

Share this post


Link to post
Share on other sites

In the mean time I looked into getting Interscan to do the checking against AD for legitimate usernames etc. However it requires Interscan to be upgraded and for us that is a $40k proposition....not nice! 

So we are pushing the politics bandwagon to get approval to use open source solutions such as spamassin that do support such functionality....and its free.

39347[/snapback]

If I've read your posts correctly, you are using Trendmicro Interscan Messaging Security Suite and Exchange 2k/2k3?

I'm using almost the same outfit and am currently trying to get the same accomplished, namely rejecting messages to unknown users at the SMTP dialogue instead of bouncing them at the Exchange server (and then filtering the bounces on their way out with Trendmicro).

Currently I'm trying to get this working with nothing but some shell- and scri_pt-fu (and let me tell you, my fu's aren't very strong ;-). If you're interested in how it's going, let me know...

Share this post


Link to post
Share on other sites

Hi All - I am back again. It seems that removing NDR's and stopping virus notifications has not prevented us from being listed on the BL again.

What else can I do to find out why we are being listed. I know that spamcop like to keep the honeypot email addresses secret - but it would be a bit easier for trouble shooting if they posted a copy of the body of the message (minus headers so the addresses remain secret) that way you could see the exact cause of the problem. Anyway Could someone please suggest alternatives to fixing our mail system so we dont get listed on the BL again.

Currently I'm trying to get this working with nothing but some shell- and scri_pt-fu (and let me tell you, my fu's aren't very strong ;-). If you're interested in how it's going, let me know...

39395[/snapback]

A_Friend - Yes I am interested in how you are going with this.

Share this post


Link to post
Share on other sites
What else can I do to find out why we are being listed. I know that spamcop like to keep the honeypot email addresses secret - but it would be a bit easier for trouble shooting if they posted a copy of the body of the message (minus headers so the addresses remain secret) that way you could see the exact cause of the problem.

39578[/snapback]

That information is ONLY available by contacting the deputies[at]spamcop.net address.

I just did a quick test to see if you still send misdirected bounces. I will let you know if I receive any.

220 202.14.101.7 Trend Micro InterScan Messaging Security Suite, ready at Mon, 23 Jan 2006 10:51:18 +0800

helo underwood[at]spamcop.net

250 202.14.101.7 Hello [66.168.115.246]

mail from: <underwood+test[at]spamcop.net>

250 <underwood+test[at]spamcop.net>: Sender Ok

rcpt to: <tester1234567890[at]dcd.wa.gov.au>

250 <tester1234567890[at]dcd.wa.gov.au>: Recipient Ok

data

354 202.14.101.7: Send data now.  Terminate with "."

This is a test for misdirected bounces.  If this is sent to my spamcop account,

it is misdirected.

.

250 202.14.101.7: Message accepted for delivery

quit

221 202.14.101.7 closing connection. Goodbye!

Connection to host lost.

Share this post


Link to post
Share on other sites
That information is ONLY available by contacting the deputies[at]spamcop.net address.

I just did a quick test to see if you still send misdirected bounces. I will let you know if I receive any.

39580[/snapback]

Thanks Steve, I have also done similar tests and have not received any responses because NDR's have been turned off. If you get a response I will be very surprised. Let me know what the outcome is.

Share this post


Link to post
Share on other sites
It seems that removing NDR's and stopping virus notifications has not prevented us from being listed on the BL again.

39578[/snapback]

As Steve has noted you need to contact the deputies for more detail on the messages that are reaching the spam traps. They are generally a helpful bunch - especially when the person concerned is trying hard to diagnose a problem so it can be fixed.

Looking at the telnet transaction Steve has posted it would seem that your system still accepts messages for delivery even though the address does not exist. It would be better to drop messages right at the beginning of the transaction with a 550 error message. Unless, by chance, Steve chose a real address in 'test1234567890' <_<

Andrew

Share this post


Link to post
Share on other sites
Thanks Steve, I have also done similar tests and have not received any responses because NDR's have been turned off. If you get a response I will be very surprised. Let me know what the outcome is.

39581[/snapback]

I have not seen an NDR. Have you also turned off out of office messages, anti-virus messages or possibly anti-spam messages? Any message sent to the header addresses is likely to cause this problem.

Share this post


Link to post
Share on other sites
I have not seen an NDR.  Have you also turned off out of office messages, anti-virus messages or possibly anti-spam messages?  Any message sent to the header addresses is likely to cause this problem.

39616[/snapback]

Steve Out of Office is turned off, As is AV and antispam notifications.

Unfortunately I cant get the mail system to check for valid email addresses because the interscan version that I have is not capable of checking against the Directory of email addresses, so I have to accept the email messages and stop the NDR's being sent back to the internet.

I have noticed that it is the same email address that keeps listing us.

http://www.spamcop.net/sc?track=202.14.101.7

ianc[at]lima.dialix.oz.au

I will send an email to the spamcop guys and see what they say.

Share this post


Link to post
Share on other sites

Sent this to the deputies. I have seen posts in other forums about not getting a response at all so hopefully they are not too busy.

Sent: Tuesday, 24 January 2006 9:18 AM

To: 'deputies[at]spamcop.net'

Subject: Blacklisting of 202.14.101.7

Hi

I am writing this email because we keep getting listed in the spamcop blacklist. I have reconfigured our email system so that NDR’s, AV notifications, Anti-spam notificatione etc etc. have all been disabled. I have also followed the FAQ’a and the advice of other forum members. The link to the forum posts is below.

http://forum.spamcop.net/forums/index.php?showtopic=5779

In light of the fact that I still cannot prevent us from getting on the black list I was hoping you could provide me with more information so that I can determine if there is a problem with my mail configuration, or if there is something else causing us to get listed.

Additionally it appears that the same email address keeps listing us ianc[at]lima.dialix.oz.au . As we do not have the ability to terminate mail at the mail gateway with 5xx messages, we accept all email. I have searched through all of the log files and we have not sent any NDR/automated responses to this email address. Is it possible that you could assist us to resolve the problem.

Thanks

DCD Mail Administrator

Share this post


Link to post
Share on other sites

I hope, also, that they will be able to assist you!

One of the characteristics of a good spam fighter is persistence! And you certainly qualify!

Miss Betsy

Share this post


Link to post
Share on other sites
I have reconfigured our email system so that NDR’s, AV notifications, Anti-spam notificatione etc etc. have all been disabled.

39623[/snapback]

Does that etc. etc. include out-of-office / vacation notices? These can easily get you listed.

Share this post


Link to post
Share on other sites

DerekT - Yes Out of office notifications are turned off to the internet. Although I would actually say that the out of office autoresponse is quite selective in how it responds.

The default behaviour is to only respond once to each different sender during the entire period that it is enabled.

eg: if the out of office is enabled for 1 week and somebody sends 5 emails to the account with out of office enabled, then out of office will only respond on the first email and it wont respond to that same person again.

Regardless - it has been turned off. As have automatic replies, automatic forwards, delivery reports and non-delivery reports

Share this post


Link to post
Share on other sites
The default behaviour is to only respond once to each different sender during the entire period that it is enabled.

39660[/snapback]

Just for completeness sake, what happens if the same spam is sent to 2 or 3 different addresses which all have the out of office turned on.

I know in the Lotus Domino I administer, that agent is a per user, and we get lots of the same spam to multiple addresses here (though greatly reduced since incorporating Postini). That means that one message sent to 10-20 people at my company could easily hit 2-3 OOO responses during a company shutdown or during the summer, causing a listing if the sender address were forged to be a spamtrap address.

Share this post


Link to post
Share on other sites
Just for completeness sake, what happens if the same spam is sent to 2 or 3 different addresses which all have the out of office turned on. 

39684[/snapback]

Steve - In that case the out of office (OOO) for each user would respond once to the email. So one email sent in would generate 3 out of office responses. However if the same spoofed/spam address was used to send to the any of the same 3 users again while they still had their out of office, then the OOO would not respond again to that senders address.

Incedentally it is now Friday and I have had no response from the Deputies. I figure that they are busy and havent had a chance to respond. Though I noticed that they "reserve the right to ignore frivolous requests to delist the address"

Also my address has now been removed from the BL. So I am not sure if I am not getting a response because I am no longer listed or because I am being ignored or because they are busy.

Share this post


Link to post
Share on other sites
Though I noticed that they "reserve the right to ignore frivolous requests to delist the address"

39737[/snapback]

That depends...was your request to delist the address or for more information about what was hitting the spamtraps?

Share this post


Link to post
Share on other sites
That depends...was your request to delist the address or for more information about what was hitting the spamtraps?

39747[/snapback]

If this request was the same as what he posted, he asked for information on what was causing the listing.

He might try brevity. "I am trying to avoid getting xxx.xxx.xxx.xx listed. Can you tell me what more I can do besides turning off NDRs, etc."

He also mentions "Additionally it appears that the same email address keeps listing us ianc[at]lima.dialix.oz.au"

That can't be spamtraps, though I don't know how he has figured out an email address as listing him since reports have special addressses.

Miss Betsy

Share this post


Link to post
Share on other sites
If this request was the same as what he posted, he asked for information on what was causing the listing.

He might try brevity.  "I am trying to avoid getting xxx.xxx.xxx.xx listed. Can you tell me what more I can do besides turning off NDRs, etc."

He also mentions "Additionally it appears that the same email address keeps listing us ianc[at]lima.dialix.oz.au"

That can't be spamtraps, though I don't know how he has figured out an email address as listing him since reports have special addressses. 

Miss Betsy

39766[/snapback]

I actually posted the email that I sent to the deputies for all to see in the forums. I have sent off another email to the same address with the original attached. Hopefully this time I get a response.

Miss Betsy - I know they are busy, but I figured brevity would result in the email being more likely ignored.

As mentioned about the dialix.oz.au email address, I found that information by searching my Ip address in the blacklist.

http://www.spamcop.net/w3m?action=blcheck&ip=202.14.101.7

Which incedentally isnt listed anymore. I then clicked on the "trace IP" link which took me to

http://www.spamcop.net/sc?track=202.14.101.7

Unless I misunderstood what this link was for....I though that it was telling me what email address had reported us.

Share this post


Link to post
Share on other sites
Which incedentally isnt listed anymore. I then clicked on the "trace IP" link which took me to

http://www.spamcop.net/sc?track=202.14.101.7

Unless I misunderstood what this link was for....I though that it was telling me what email address had reported us.

39824[/snapback]

No, that's showing the "reporting" address for that IP address ... specifically, where complaints would "go" on submitted items seen coming "from" that IP address.

Share this post


Link to post
Share on other sites
No, that's showing the "reporting" address for that IP address ... specifically, where complaints would "go" on submitted items seen coming "from" that IP address.

39825[/snapback]

Sorry I am showing my ignorance here but do you mean like a Postmaster[at] address?? where people can send complaints about issues they have encountered with emails from the domain, for example.

Share this post


Link to post
Share on other sites
Sorry I am showing my ignorance here but do you mean like a Postmaster[at] address?? where people can send complaints about issues they have encountered with emails from the domain, for example.

39826[/snapback]

In general yes, but to prevent any confusion, let's start with pointing to an existing FAQ .. please see http://forum.spamcop.net/forums/index.php?act=faq&article=1 , a basic overview on How it works

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×