comcarind, March 15, 2005:

I am attempting to stop my email server from sending misdirected bounces, which has caused me to be put on the SpamCop blacklist three times in the last two weeks. I am using groupwise 5.5 and I cannot find any settings that would prevent the email from being sent to the potentially forged from address. One suggestion from my ISP was to change it so that it sent to the IP address of the mail server/network as opposed to the from address; however, I cannot find any way to do that in groupwise 5.5.
Merlyn, March 15, 2005:

Have you tried http://support.novell.com ?
comcarind (author), March 15, 2005:

Yes, I have searched on Novell's support site, and also posted there. I have located a few settings that could help cut down on this, but so far can't find any information that relates specifically to having the mail server bounce to the IP instead of the from address. On a side note, groupwise 6.5 seems to do this by default.
Merlyn, March 15, 2005:

If there is an option to return unknown mail to the sender then turn it off and it will reject it properly.
comcarind (author), March 15, 2005:

I cannot thank you enough. I did a search on that exact phrase (return unknown mail to the sender) and it found an article with a setting to change. Thank you very much! http://support.novell.com/cgi-bin/search/s...gi?/2922717.htm
Jeff G., March 15, 2005:

GroupWise 5.5's GWIA appears to use the now-deprecated accept-then-bounce-to-envelope-sender paradigm, and appears never to have more than a passing relationship with certain Internet Standards. I've tried talking an admin through turning off bounces altogether for one installed instance over the phone, but that doesn't seem to have worked, so I'm going to try in person, perhaps tomorrow.

EDIT: The article referred to by the previous post appears so old as to be nearly useless. Although not the exact original intent, http://support.novell.com/cgi-bin/search/s...i?/10008142.htm should help guide you in changing the Outbound Status Level to "none", turning off bounces altogether.
comcarind (author), March 15, 2005:

There does not seem to be a way to stop it from sending bounces at all; I am just trying to get it to not send to the from address that is potentially forged. At this point, I would gladly set it up to send all undeliverable or bounceworthy messages to another user or folder. But no settings I have changed are accomplishing this. Groupwise 6.5 doesn't seem to have any settings to turn off bounces either; however, it does send bounces back to the IP address or email server of the message as opposed to the from address. I am an email newbie so not sure if I am saying this correctly.
Jeff G., March 15, 2005:

I have documented cases of GWIA sending a bounce to the envelope sender, because the destination is not the original from address. Spammers appear to be causing this behavior to happen all the time, although sometimes the envelope sender is the same as the from address. Do you have a documented case of GWIA sending a bounce to the from address, rather than the envelope sender?
comcarind (author), March 15, 2005:

I am an email newbie, so excuse the dumb question, but what is the difference between the envelope sender and the from address? Should I copy into here the report I received from SpamCop?
Jeff G., March 15, 2005:

The SMTP Envelope Sender is the address used by the spammer's system when connecting to an SMTP mail server on port 25, and is preceded by "MAIL FROM:" without quotes. The From Address is in the Header, is preceded by "From:" without quotes, and is sent along with the data as a part of the message. Some systems record the SMTP Envelope Sender in a "Return-Path:" Header Line; they are all supposed to before delivering the message to the intended recipient.
Jeff G., March 15, 2005:

Yes, you should copy into here the report you received from SpamCop, munging what you feel you need to munge and removing the body of any actual spam.
comcarind (author), March 15, 2005:

Here is the link that my ISP sent to me. http://www.spamcop.net/w3m?i=z1381519257zc...049af3a4e51114z
Jeff G., March 15, 2005:

Ok, so the spammer used the open proxy at usen-221x117x246x108.ap-US01.usen.ad.jp [221.117.246.108], pretending that:

- he was sending from a mailserver named "gadgetscope.com"
- his message was mailed from (MAIL FROM, SMTP Envelope Sender) an address in a domain served by astro.phpwebhosting.com
- he was mailing 'From: "Muireadhach Nash" <x>' (obscured by the SpamCop Parsing and Reporting Service)

GWIA failed to record the SMTP Envelope Sender, but tried to bounce there anyway. If you still have the "BAD" message in your problem directory or your postmaster's mailbox, you can find the unobscured "From" address.

That bounce is one of two incidents I can see for your IP Address, the other being:

Submitted: Wednesday, February 09, 2005 6:10:06 AM -0500: Message status - undeliverable
1356228889 ( 12.108.61.66 ) To: spamcop<at>imaphost.com
1356228886 ( 12.108.61.66 ) To: abuse<at>att.net

Reading between the lines, there must have been at least one misdirected bounce to a SpamCop spamtrap (on top of the reported bounce this morning) that elevated your IP Address to listable status.
comcarind (author), March 15, 2005:

Unobscured from address is donovan<at>gadgetscope.com

Where do you find the information:

Submitted: Wednesday, February 09, 2005 6:10:06 AM -0500: Message status - undeliverable
1356228889 ( 12.108.61.66 ) To: spamcop<at>imaphost.com
1356228886 ( 12.108.61.66 ) To: abuse<at>att.net

?

Also, I cannot thank you folks enough for taking the time to help a newb like me!

<Moderator: munged donovan email address to prevent scraping>
StevenUnderwood, March 15, 2005:

> Where do you find the information:

That is one of the advantages to a paid reporting account. When you submit an IP address, it gives you minimal report history as shown.

> Also, I cannot thank you folks enough for taking the time to help a newb like me!

That is the reason I started hanging out here, first to learn, then to pass on that knowledge. We were all newbs at one point or another.
comcarind (author), March 15, 2005:

Little update. I set my delivery status to none, and it now does not send bounce emails from my 5.5 server. However, also on this network, set up as an external system, is a 5.2 groupwise server running ADA; that system is still bouncing. ARGH!! heh, I can see why people get frustrated with all this.
Wazoo, March 15, 2005:

Just to make sure that your aggravation is pointed in the right direction .... it's the spammers that have turned a system written from a "trusted user" perspective into the exploited mess that you are fighting now. The non-delivery notification thing was there for all the right reasons ... exploiting this function to spew spam was not something obvious to have to worry about way back when.
Jeff G., March 15, 2005:

5.5 is painful enough, 5.2 is downright ancient (by today's warped software version inflation standards). The spammer probably used the same gadgetscope.com address for both "From" and "MAIL FROM". Mail for gadgetscope.com is in fact served by astro.phpwebhosting.com [66.33.60.221] in its guise as mail.gadgetscope.com.
Jeff G., March 15, 2005:

On a side note, you will probably find that if you siphon off the circling double-bounces by establishing (for example) a Mailer-Daemon<at>gwmail.comcar.com account or alias, your system will run faster. We had to do that (at another domain, of course) in order to bring a system back from its comatose state (from the outside - the inside was too busy processing double-bounces to do anything productive). A few thousand siphoned double-bounces later, it was happy again.
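As an added example (not from this thread, and not GroupWise or Novell code), the following Python models the three points the replies above make: the MAIL FROM envelope sender is what gets recorded as Return-Path and is where any post-acceptance bounce goes, not the header From; refusing an unknown recipient with a 550 at RCPT TO means no bounce is ever created; and a message from the null sender <> must never be bounced, which is what feeds the circling double-bounces. The local domain gwmail.example, the mailbox list and every address and message are constructed.

```python
# Added example: a minimal model of the SMTP-time decisions discussed in this thread.
# Not GroupWise/GWIA code. All domains, users and messages below are constructed.
from email import message_from_string
from typing import Optional

LOCAL_DOMAIN = "gwmail.example"                          # constructed local domain
LOCAL_USERS = {"alice", "postmaster", "mailer-daemon"}   # constructed mailbox list


class InboundSession:
    """Tracks one inbound SMTP conversation: the envelope sender and accepted recipients."""

    def __init__(self) -> None:
        self.envelope_sender: Optional[str] = None
        self.recipients: list = []

    def mail_from(self, addr: str) -> str:
        # "" models the null sender (MAIL FROM:<>) that delivery status notifications use.
        self.envelope_sender = addr
        return "250 OK"

    def rcpt_to(self, addr: str) -> str:
        user, _, domain = addr.lower().partition("@")
        if domain != LOCAL_DOMAIN or user not in LOCAL_USERS:
            # Refuse at RCPT TO: the error goes back to the connecting client over the
            # open connection, so no bounce message is ever created. This is the
            # "reject it properly" path instead of accept-then-bounce.
            return "550 5.1.1 No such user here"
        self.recipients.append(addr)
        return "250 OK"

    def data(self, raw_message: str) -> dict:
        # Record the envelope sender as Return-Path before delivery, as RFC 5321 requires.
        # The header From: is message content and may be forged independently of it.
        headers = message_from_string(raw_message)
        return {
            "Return-Path": f"<{self.envelope_sender}>",
            "From": headers["From"],
            "recipients": list(self.recipients),
        }


def bounce_target(accepted: dict) -> Optional[str]:
    """Where a post-acceptance failure notice would be addressed: the Return-Path
    (envelope sender), never the header From. Returns None for the null sender <>,
    because bouncing a bounce is what produces the circling double-bounces."""
    addr = accepted["Return-Path"].strip("<>")
    return addr or None
```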
comcarind (author), March 15, 2005:

> Just to make sure that your aggravation is pointed in the right direction ....

Agree, I am not aggravated at SpamCop, or the people who operate it or browse these forums. I am aggravated at having an ancient email system, running on a platform I know nothing about. SpamCop provides a very valuable service, and I use its RBL as one of two RBLs for my spam filtering solution. Sorry if that came out wrong!
comcarind (author), March 15, 2005:

> On a side note, you will probably find that if you siphon off the circling double-bounces by establishing (for example) a Mailer-Daemon<at>gwmail.comcar.com account or alias, your system will run faster. We had to do that (at another domain, of course) in order to bring a system back from its comatose state (from the outside - the inside was too busy processing double-bounces to do anything productive). A few thousand siphoned double-bounces later, it was happy again.

Good tip. I already have created a mailer-deamon account today; of course, that was in an effort to create a rule of some type to prevent messages with that account name from leaving my network heh.
Jeff G., March 15, 2005:

Of course, it doesn't work unless it's spelled "Mailer-Daemon" exactly.
comcarind (author), March 15, 2005:

heh, that would explain why it wasn't working. Another strange note: now that I have blocked bounce messages, I am still getting one from the 5.2 system as I said. However, the message I received is not "user not found", it is "access denied".