ScottKnauss

Firewall listed


The topic is the main point. Our firewall is the address that gets listed. It is listed every few weeks, and then gets automatically removed. The last few times it has happened, it was removed before we had any complaints, so I don't even know why SpamCop is listing us. There are more than 20 Exchange servers behind our firewall (Sidewinder G2). The firewall only allows 4 machines to send mail outbound. 3 of them are SuSE 10.0 hardened DNS and mail servers. The 4th is an Exchange server. The 4th is my primary suspect, but I have no idea how to prove it. It is set up as a bridgehead (I'm the Unix/Linux guy, so I've never really understood the bridgehead and have threatened to turn it off on numerous occasions because of problems it has caused.) The rest of the Exchange servers in the network pass mail first to Symantec virus scanners (also set to do heuristics for spam) that relay to the 3 Linux DNS & mail servers. The biggest problem is that all of those Exchange servers are administered by different people.

Any help on figuring out where this is originating, or ideas on how to find the culprit, would be appreciated.

Thank you,

Server Info: 138.180.190.67


The only two old reports that I (as a paying user) can see are two post-facto 'bounces' with 'undeliverable' in the subject line. It seems that one of your receiving servers is sending 'undeliverable' messages to the spoofed 'From' envelope in spam AFTER the SMTP transaction. If you must bounce, please do it with a 5xx error DURING the SMTP process. There is a FAQ here about 'backscatter' and why it is such a bad idea.

Edited by Derek T

Any help on figuring out where this is originating, or ideas on how to find the culprit, would be appreciated. Server Info: 138.180.190.67

Hi Scott,

it seems like your bridgehead server is accepting any mail that comes its way:

telnet 138.180.190.67 25
Trying 138.180.190.67...
Connected to g2ha.naples.navy.mil (138.180.190.67).
Escape character is '^]'.
220 g2a.naples.navy.mil ESMTP Wed, 22 Nov 2006 11:29:28 +0100 (CET)
helo my_domain.xxx
250 g2a.naples.navy.mil Hello mi1.al-systems.com [195.243.162.146], pleased to meet you
mail from:me[at]my_domain.xxx
250 2.1.0 me[at]my_domain.xxx... Sender ok
rcpt to:derimdwicmewocnwod_rismwujcs.wufnmewop18950302[at]navy.mil
250 2.1.5 derimdwicmewocnwod_rismwujcs.wufnmewop18950302[at]navy.mil... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Test
.
250 2.0.0 kAMATSWD024658 Message accepted for delivery
quit
221 2.0.0 g2a.naples.navy.mil closing connection
Connection closed by foreign host.

Hmm, I don't believe you have a user named derimdwicmewocnwod_rismwujcs.wufnmewop18950302[at]navy.mil ;-)

So this mail gets relayed to other mail servers until finally one server has the guts to say: "Hey, there is no such user!" Depending on the config of this machine this might result in a non-delivery message being sent back to the alleged sender. However, since spammers regularly fake the from-address, it's more likely the bounce will end up at some innocent bystander.

More about bounces (aka blow-back, aka backscatter) here:

http://www.spamcop.net/fom-serve/cache/329.html

There are three ways to solve this problem:

1. The Good Way

Your bridgehead server should know what addresses exist on the other servers. This way you can directly reject any message to a non-existing recipient without generating a bounce. However, this would imply you have access to a complete directory of all users, either via AD or LDAP. If this is not feasible, you can try...

2. The Not-So-Good-But-Acceptable Way

Ask all administrators to disable NDRs on their mail servers. For E2K3, you launch the Exchange System Manager, then go to Global Settings -> Internet Message Format. Select the Advanced tab. Uncheck Allow non-delivery reports. For E2K, you need to download a patch from Microsoft. If your colleagues won't cooperate, you still have...

3. The Hard-But-Hey-It-Works Way

Discard outgoing NDRs on your bridgehead server. This isn't very nice, I know, but it should solve the problem.

There might be other solutions, but that's all I can come up with at short notice...

Good luck,

A. Friend
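As an added example (not code from this thread or from any of its participants), here is a small Python script covering both halves of the reply above: a probe that repeats the telnet test with a random recipient over smtplib, and the RCPT TO policy of "The Good Way", which rejects unknown or non-local recipients with a 5xx inside the SMTP transaction so no NDR is ever generated. The directory of valid addresses is a constructed stand-in for the AD/LDAP lookup the reply mentions, the navy.mil domain is taken from the transcript, and the example.invalid HELO and sender names are hypothetical.

```python
"""Recipient-verification probe and the reject-at-RCPT policy it tests for.

Added example; not part of the original thread.
"""
import random
import smtplib
import string

# Constructed sample directory standing in for an AD/LDAP query of all mailboxes
# behind the gateway. In a real deployment this set is looked up, not hard-coded.
LOCAL_DOMAINS = {"navy.mil"}
DIRECTORY = {"alice@navy.mil", "bob@navy.mil", "postmaster@navy.mil"}


def random_probe_address(domain: str, length: int = 24) -> str:
    """Build a recipient that almost certainly does not exist, like the one in the
    telnet session above. A 250 to it at RCPT TO means the gateway accepts blindly
    and will bounce later, to whatever address the spammer forged."""
    rng = random.SystemRandom()
    alphabet = string.ascii_lowercase + string.digits
    local = "".join(rng.choice(alphabet) for _ in range(length))
    return f"probe_{local}@{domain}"


def rcpt_decision(address: str, directory=DIRECTORY, local_domains=LOCAL_DOMAINS):
    """Reply the gateway should give at RCPT TO ("The Good Way").

    Rejecting here, during the SMTP transaction, leaves the failure with the
    sending server and creates no bounce message of our own."""
    addr = address.strip().strip("<>").lower()
    if addr.count("@") != 1 or not addr.split("@")[0]:
        return 501, "5.1.3 Bad recipient address syntax"
    domain = addr.split("@", 1)[1]
    if domain not in local_domains:
        return 550, "5.7.1 Relaying denied"     # never accept mail for other domains
    if addr not in directory:
        return 550, "5.1.1 User unknown"        # unknown mailbox: reject, do not queue
    return 250, "2.1.5 Recipient ok"


def is_null_sender(mail_from: str) -> bool:
    """True for MAIL FROM:<>, the envelope sender used by NDRs and other bounces.
    A gateway implementing "The Hard Way" would drop outbound messages with it."""
    return mail_from.strip().strip("<>") == ""


def probe(host: str, domain: str, port: int = 25,
          helo: str = "probe.example.invalid",          # hypothetical names
          sender: str = "probe@example.invalid",
          timeout: float = 15.0):
    """Send MAIL FROM / RCPT TO for a random recipient and return (accepted, code, reply).

    Uses the network and is not exercised by the offline demo. RSET is sent after
    RCPT so nothing is queued on the target."""
    target = random_probe_address(domain)
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        s.mail(sender)
        code, reply = s.rcpt(target)
        s.rset()
    return code == 250, code, reply.decode(errors="replace")


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        # usage: python probe.py <host> <recipient-domain>
        accepted, code, reply = probe(sys.argv[1], sys.argv[2])
        verdict = "ACCEPTS UNKNOWN RECIPIENTS" if accepted else "rejects at RCPT"
        print(f"{sys.argv[1]}: {code} {reply} -> {verdict}")
    else:
        # offline demo of the policy against the constructed directory
        for a in ("alice@navy.mil", random_probe_address("navy.mil"), "x@example.org"):
            print(a, rcpt_decision(a))
```

Run without arguments to see the policy decisions; run with a host and domain to probe a live gateway. A 250 from the probe reproduces the transcript above and means recipient validation is missing somewhere in front of the Exchange servers; the fix is to answer 550 at that point rather than to suppress the NDR later.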

