Stuck with "Misdirected Bounces"

[sweetwaters]

Hello,

I manage a Qmail mail server for a virtual hosting business, and over the last month, I have been blacklisted a number of times. The message is the following:

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.

Since I first got blacklisted, I have done a number on things to help prevent this. I have:

1) Disabled ALL autoresponders on our mail server.

2) Confirmed chkuser is running correctly (this is suggested in the FAQ for Qmail servers).

3) Confirmed that the spamcontrol patch is up and running correctly (also suggested in the FAQ).

4) Went through our mail logs with a fine-toothed comb to confirm no spammers had slipped on past my notice. Nothing unusual was found.

However, I still keep getting blacklisted for the above reasons. Is there anything else I can do? I'm simply out of ideas, as I've followed the SpamCop FAQ and nothing seems to be getting me off.

Thanks!

Francis

[StevenUnderwood]

However, I still keep getting blacklisted for the above reasons. Is there anything else I can do? I'm simply out of ideas, as I've followed the SpamCop FAQ and nothing seems to be getting me off.

First, thanks for trying and coming in here with a plan and telling us what you have already tried. So far you seem to be headed in the right direction.

If you provide the IP address of the server that is blocked, we may be able to provide at least the subject line and report time of recent bounces.

[sweetwaters]

Steven,

Thank you for your response. The IP in question is 209.183.220.8.

Francis

[StevenUnderwood]

Thank you for your response. The IP in question is 209.183.220.8.

Strange: 80.77.113.30 not listed in bl.spamcop.net AND I see no reports at all (UUBE or not). What we can not see any longer is the listing history. If you are sure that is the IP address that was listed, you are going to need to contact the deputies.

Something else strange here as I do a senderbase lookup on that IP address. There is a thread in the lounge talking about your domain not currently accepting reports about spamvertized websites. Those reports are completely different. They are complaining that a spam (possibly sent by some other machine) has a link to a website you control. In this case, porn related sites (http ://www.2.livejasmin.com/allperformers.php?st=beautifulbarbi). Are those reports related to your questions here today?

[sweetwaters]

Steven,

I said:

The IP in question is 209.183.220.8.

Then you said:

Strange: 80.77.113.30 not listed in bl.spamcop.net AND I see no reports at all

I'm not sure where the "80.77.113.30" IP came from, but it is not on our network. My mail server IP is 209.183.220.8. Could you tell me anything about that one?

Thank you again for your help.

[StevenUnderwood]

Steven,

I said:

Then you said:

I'm not sure where the "80.77.113.30" IP came from, but it is not on our network. My mail server IP is 209.183.220.8. Could you tell me anything about that one?

Thank you again for your help.

Ooops.... it must have come from that other thread.... you can ignore all of that post and I'll try again. Looking at the new data, I think I had the correct lookup info for previous reports as that other IP address DOES have previous reports.

209.183.220.8 listed in bl.spamcop.net (127.0.0.2)

Parsing input: 209.183.220.8

host 209.183.220.8 = mail.thisismyserver.net (cached)

host 209.183.220.8 = mail.thisismyserver.net (cached)

[report history]

Routing details for 209.183.220.8

[refresh/show] Cached whois for 209.183.220.8 : noc[at]atlantech.net

Using abuse net on noc[at]atlantech.net

abuse net atlantech.net = abuse[at]atlantech.net

Using best contacts abuse[at]atlantech.net

Statistics:

209.183.220.8 listed in bl.spamcop.net (127.0.0.2)

More Information..

209.183.220.8 not listed in dnsbl.njabl.org

209.183.220.8 not listed in dnsbl.njabl.org

209.183.220.8 not listed in cbl.abuseat.org

209.183.220.8 not listed in dnsbl.sorbs.net

209.183.220.8 not listed in relays.ordb.org.

Reporting addresses:

abuse[at]atlantech.net

Following the [report history] link, I still see no reports at all (UUBE or not). What we can not see any longer is the listing history. You are going to need to contact the deputies for more information. You will need to prove you are responsible for the server at that IP address, the easiest way would be to use the abuse address listed above(abuse[at]atlantech.net).

[turetzsr]

I manage a Qmail mail server for a virtual hosting business, and over the last month, I have been blacklisted a number of times. The message is the following:

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.

Since I first got blacklisted, I have done a number on things to help prevent this. I have:

Hi, Francis,

...As StevenUnderwood wrote, I also wish to thank you for your efforts so far and your explanation of what you have done to try to resolve the problem.

...Since the SpamCop check block message (which you included in your post) mentions only spam traps, I believe you will have to contact the SpamCop Deputies at deputies[at]admin.spamcop.net. Please include as much relevant information as you can, including evidence that you have administrative responsibility for the server in question (209.183.220.8). The Deputies receive a great deal of e-mail and an inquiry that does not include all the information they need may result in it being "back-burnered."

...Good luck!

[Miss Betsy]

Went through our mail logs with a fine-toothed comb to confirm no spammers had slipped on past my notice. Nothing unusual was found.

Since I am not a server admin, I am timid about offering advice when others have commended your efforts to stop the spam.

However, I have noticed that sometimes, when all else fails, an admin will find the answer in the /firewall/ logs.

With all your efforts, we certainly want you to be successful!!!

Miss Betsy

[sweetwaters]

Hello,

I contacted the deputies, and here was their response:

This is what we were seeing:

Received: from mail.thisismyserver.net ([209.183.220.8])

[trap servername] with SMTP; 06 Sep 2006 10:xx:xx -0700

Subject: Bounced Message

Hi. This is the qmail-send program at thisismyserver.net.

I'm afraid I wasn't able to deliver your message to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

However, I'm confused as to what I can do at this point. Here is how I understand what is happening:

This is the standard bounce message that Qmail sends when a sent email can't be received. So it looks to me that a SpamCop trap address is being used somewhere and then the mail bounces to it. My assumption is that someone (on my server?) is faking that address and thus the bounce is going to SC.

Is this correct? If so, I really want to correct that problem, but I'm unsure how to proceed. Is it just a matter of finding who is faking the address (an almost impossible task, it seems), or can Qmail be configured to know that the address is faked, and thus don't bounce back to the faked address?

Like I said earlier, I've reviewed the FAQ, specifically about Qmail, to see what I can do to patch and correct the problem, but I didn't see anything that can prevent the above from happening. Am I missing something?

I will continue to investigate on my own, but any direction would be appreciated.

[Jank1887]

here's a page in the original Spamcop FAQ addressing misdirected bounces, corrections, and a specific entry on Qmail:

http://www.spamcop.net/fom-serve/cache/329.html

(to save Wazoo the time of posting the obligatory "you could have just searched the FAQ..." statement, this page didn't come up in a first attempt search using the "spamcop forum and spamcop FaQ" search option. I had to switch it to "Spamcop.net and original FAQ". the first attempt (search terms: qmail bounce) was just a wash of people who had qmail messages somewhere in their posts. I.e., qmail 8481 invoked from network, etc., etc.

Would adding a 'spamcop faq only' search option be helpful? or just one other thing commonly ignored by people looking for help?

Another thought (and likely an implementation headache unless someone's got a better idea), instead of a dropdown box for the search options, maybe some sort of radio button select, that way all options are visible, and a searcher is more likely to select an appropriate one? Not that this would have helped in the above case, but it's a thought.

[sweetwaters]

here's a page in the original Spamcop FAQ addressing misdirected bounces, corrections, and a specific entry on Qmail:

http://www.spamcop.net/fom-serve/cache/329.html

(to save Wazoo the time of posting the obligatory "you could have just searched the FAQ..." statement, this page didn't come up in a first attempt search using the "spamcop forum and spamcop FaQ" search option. I had to switch it to "Spamcop.net and original FAQ". the first attempt (search terms: qmail bounce) was just a wash of people who had qmail messages somewhere in their posts. I.e., qmail 8481 invoked from network, etc., etc.

Would adding a 'spamcop faq only' search option be helpful? or just one other thing commonly ignored by people looking for help?

Thank you, but I did look at that. The FAQ specifically says:

If you use qmail, please apply a patch: spamcontrol or qmail-ldap.

I have applied spamcontrol.

It also says:

PZInternet.com reports chkuser is a very good qmail patch to avoid misdirected bounces - very easy to install too! http://www.interazioni.it/opensource/chkuser/

I have applied the chkuser patch (it is a very useful patch).

As I read the FAQ, this should take care of the problem, but obviously doesn't in my case. If I'm missing something obvious, I'm happy to claim stupidity and fix it, but I just don't see anything else I can do.

[Jank1887]

well, I'm already going to claim stupidity at this point then, and wait for someone a little more clued in on Qmail to respond. I'm not familiar with what those patches attempt to do, and why they wouldn't be working for you.

[StevenUnderwood]

So it looks to me that a SpamCop trap address is being used somewhere and then the mail bounces to it. My assumption is that someone (on my server?) is faking that address and thus the bounce is going to SC.

Is this correct?

Yes, that is correct, though they may not be on your server. Someone has forged an address (that happens to be a spamtrap address) as the sender of a message going to an invalid address on your server.

Unfortunately, I am not a qmail authority either. It does seem those patches were designed to fix this problem. Perhaps one is disabling the other or they simply need to be configured differently?

chkuser patch SPECIFICALLY seems to do what you want, reject unknown users during the SMTP process.

qmail-smtpd patched with chkuser may check the existence of e-mail recipients immediately in the SMTP acceptance phase of a message and rejects instantly all messages not directed to existing users, avoiding additional traffic, work and messages bounced more times.

[Miss Betsy]

Another possibility is that you have a user who has Mailwasher or some other program that fakes bounce messages?

Miss Betsy

[Paranoid2000]

Another possibility is that your server is bouncing email for other reasons which could include:

• a valid account that is over-quota (chkuser requires customisation to handle this);
  
• a valid account that is not accepting email for other reasons;
  
• other software (e.g. anti-virus email scanners) bouncing email.
  

The best way to investigate this would be to check the qmail bounce queue (copy the files there for further review) to identify the cause - which could also be user-initiated as Miss Betsy has pointed out.

[sweetwaters]

I appreciate everyone's help here.

I think I might have figured out the issue. From the email that SpamCop received in their spam Trap, it appears that it is just a standard bounce. Here is what I suspect is happening:

(1) A valid user on our server is sending an email with a "from" address that is a SpamCop trap.

(2) Some of the emails being sent are bounced, and Qmail sends the bounce to the SpamCop trap (because it was the "from" address).

Thus, the problem is allowing (1) to occur; i.e. allowing a user to set a "from" address that is different than their actual account with us (yes, we do require SMTPAuth, but that doesn't force the "from" address). So I have reconfigured Qmail to only allow emails to be sent that have a "from" domain that is valid for our server. Since I have done this, we have not been blacklisted for over 30 hours, which is the longest we have gone for a while.

I am hoping that this is the solution.

[turetzsr]

<snip>

I think I might have figured out the issue. From the email that SpamCop received in their spam Trap, it appears that it is just a standard bounce. Here is what I suspect is happening:

(1) A valid user on our server is sending an email with a "from" address that is a SpamCop trap.

<snip>

...Wow! If this is, in fact, what is happening, you would be well advised to find this user and have a serious discussion with her or him about how she or he found this spam trap address. From what I understand, the only way to find such spam trap addresses is to harvest them. Anyone found doing that should, IMHO, be banned from sending e-mails; possibly banned from being able to use any internet service at all.

...Good luck!

[sweetwaters]

turetzsr,

Trust me, I'll ban anyone I find doing something like that.

However, I was just blacklisted again, so my suspicions were not correct. Back to the drawing board...

[Telarin]

Anyone found doing that should, IMHO, be banned from sending e-mails; possibly banned from being able to use any internet service at all.

Banned from breathing might not be a bad next step either...

[Paranoid2000]

From the email that SpamCop received in their spam Trap, it appears that it is just a standard bounce.

What was the reason for the bounce? As mentioned above, some cases require extra configuration of chkuser.

[sweetwaters]

What was the reason for the bounce? As mentioned above, some cases require extra configuration of chkuser.

I don't know, as the SpamCop deputies gave me a truncated message - the part that explains the reason for the bounce wasn't included.

However, I have configured uquotachk, which checks for the over-quota limit.

What I still can't figure out is why a bounce message from my server would EVER go to a SpamCop trap. The only thing I could think of what what I mentioned earlier, which is clearly incorrect.

[Paranoid2000]

What I still can't figure out is why a bounce message from my server would EVER go to a SpamCop trap. The only thing I could think of what what I mentioned earlier, which is clearly incorrect.

Perhaps the key question is, what sort of emails would your server now accept which could trigger a bounce? Valid but disabled accounts ("This address no longer accepts mail.") would seem the most likely cause left.

[sweetwaters]

Perhaps the key question is, what sort of emails would your server now accept which could trigger a bounce? Valid but disabled accounts ("This address no longer accepts mail.") would seem the most likely cause left.

If an email is sent to our mail server and the email address is:

invalid: it will not bounce, but cause an SMTP connection error (as it should)

over quota: it will not bounce, but cause an SMTP connection error (as it should)

We don't have a "disabled" setting on our server - it either exists or it doesn't.

The ONLY time I know of our mail server creating a bounce message like the one SpamCop sent me is when someone on OUR server sends OUT a message from our server to an invalid email account on another server (like an invalid yahoo account). But since the only mail sent from our server MUST have a return address that is also on our server, I don't see how a SpamCop trap could ever receive it. Obviously I'm missing something - having the extra information on the bounce email would be helpful as well.

[Miss Betsy]

he ONLY time I know of our mail server creating a bounce message like the one SpamCop sent me is when someone on OUR server sends OUT a message from our server to an invalid email account on another server (like an invalid yahoo account). But since the only mail sent from our server MUST have a return address that is also on our server, I don't see how a SpamCop trap could ever receive it. Obviously I'm missing something - having the extra information on the bounce email would be helpful as well.

Perhaps being technically non-fluent and asking questions might help in this situation - I have found that explaining something to someone often helps in finding where I have overlooked something.

So, when you say 'someone on OUR server sends OUT a message' that means that a message one of your end users has sent has been returned by the receiving server because it is an invalid email account and then your email server creates a message to your end user (the address in the return path) telling them that the message cannot be delivered. That's the way it is supposed to work. And what you are saying is that only if your end user forged the return path would it go to the spam trap and that's not possible because you don't allow email that doesn't have your domain in the return path to leave your server. Is that correct?

Received: from mail.thisismyserver.net ([209.183.220.8])

[trap servername] with SMTP; 06 Sep 2006 10:xx:xx -0700

Subject: Bounced Message

Hi. This is the qmail-send program at thisismyserver.net.

I'm afraid I wasn't able to deliver your message to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

Does qmail say in the subject "Bounced Message"? I thought that the subject was usually 'Undeliverable Mail'?

Could you alter what your STMP rejects say, if it does use 'Bounced Message'? Then you can look at your outgoing logs and see if the old subject line is still being used. Or is that not feasible?

And why is it not feasible to check all qmail rejects to your end users to see whether they all conform?

Usually real undeliverable messages have no return path. Could you filter outgoing messages for those with no return path? Possibly filter for the subject line and return path so that if there was not a null return path with the subject, you would find the message.

I don't know how authentic 'bounce' messages composed by mailwasher or other programs are. They might use the same message body as qmail.

Just some thoughts and while you are explaining why they can't be done, maybe you will see something that might shine some light on your problem.

Miss Betsy

[GraemeL]

Usually real undeliverable messages have no return path. Could you filter outgoing messages for those with no return path? Possibly filter for the subject line and return path so that if there was not a null return path with the subject, you would find the message.

From memory, bounces usually have a return path of MAILER-DAEMON at the domain doing the bounce. Double bounces have a null return path to avoid loops.