ScottKnauss - Posted November 20, 2006

The topic is the main point. Our firewall is the address that gets listed. It is listed every few weeks, and then gets automatically removed. The last few times it has happened, it was removed before we had any complaints, so I don't even know why SpamCop is listing us.

There are more than 20 Exchange servers behind our firewall (Sidewinder G2). The firewall only allows 4 machines to send mail outbound. 3 of them are SuSE 10.0 hardened DNS and mail servers. The 4th is an Exchange server. The 4th is my primary suspect, but I have no idea how to prove it. It is set up as a bridgehead (I'm the Unix/Linux guy, so I've never really understood the bridgehead and have threatened to turn it off on numerous occasions because of problems it has caused.) The rest of the Exchange servers in the network pass mail first to Symantec virus scanners (also set to do heuristics for spam) that relay to the 3 Linux DNS & mail servers. The biggest problem is that all of those Exchange servers are administered by different people.

Any help on figuring out where this is originating, or ideas on how to find the culprit, would be appreciated.

Thank you,

Server Info: 138.180.190.67
Derek T - Posted November 20, 2006

The only two old reports that I (as a paying user) can see are two post-facto 'bounces' with 'undeliverable' in the subject line. It seems that one of your receiving servers is sending 'undeliverable' messages to the spoofed 'From' envelope in spam AFTER the SMTP transaction. If you must bounce, please do it with a 5xx error DURING the SMTP process. There is a FAQ here about 'backscatter' and why it is such a bad idea.
A_Friend - Posted November 22, 2006

Quoting ScottKnauss: "Any help on figuring out where this is originating, or ideas on how to find the culprit, would be appreciated. Server Info: 138.180.190.67"

Hi Scott,

it seems like your bridgehead server is accepting any mail that comes its way:

    telnet 138.180.190.67 25
    Trying 138.180.190.67...
    Connected to g2ha.naples.navy.mil (138.180.190.67).
    Escape character is '^]'.
    220 g2a.naples.navy.mil ESMTP Wed, 22 Nov 2006 11:29:28 +0100 (CET)
    helo my_domain.xxx
    250 g2a.naples.navy.mil Hello mi1.al-systems.com [195.243.162.146], pleased to meet you
    mail from:me[at]my_domain.xxx
    250 2.1.0 me[at]my_domain.xxx... Sender ok
    rcpt to:derimdwicmewocnwod_rismwujcs.wufnmewop18950302[at]navy.mil
    250 2.1.5 derimdwicmewocnwod_rismwujcs.wufnmewop18950302[at]navy.mil... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    Test
    .
    250 2.0.0 kAMATSWD024658 Message accepted for delivery
    quit
    221 2.0.0 g2a.naples.navy.mil closing connection
    Connection closed by foreign host.

Hmm, I don't believe you have a user named derimdwicmewocnwod_rismwujcs.wufnmewop18950302[at]navy.mil ;-)

So this mail gets relayed to other mail servers until finally one server has the guts to say: "Hey, there is no such user!" Depending on the config of this machine, this might result in a non-delivery message being sent back to the alleged sender. However, since spammers regularly fake the from-address, it's more likely the bounce will end up at some innocent bystander. More about bounces (aka blow-back, aka backscatter) here: http://www.spamcop.net/fom-serve/cache/329.html

There are three ways to solve this problem:

1. The Good Way
Your bridgehead server should know what addresses exist on the other servers. This way you can directly reject any message to a non-existing recipient without generating a bounce. However, this would imply you have access to a complete directory of all users, either via AD or LDAP. If this is not feasible, you can try...

2. The Not-So-Good-But-Acceptable Way
Ask all administrators to disable NDRs on their mail servers. For E2K3, you launch the Exchange System Manager, then go to Global Settings -> Internet Message Format. Select the Advanced tab. Uncheck "Allow non-delivery reports". For E2K, you need to download a patch from Microsoft. If your colleagues won't cooperate, you still have...

3. The Hard-But-Hey-It-Works Way
Discard outgoing NDRs on your bridgehead server. This isn't very nice, I know, but it should solve the problem.

There might be other solutions, but that's all I can come up with in the short term...

Good luck,
A. Friend
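The two behaviours Derek T and A_Friend describe (accept every RCPT TO and bounce later, versus answering 550 during the SMTP transaction when the recipient is unknown) and Scott's question of how to find which host is emitting the bounces, modelled as an added example. This is not code from the thread or from any of the products mentioned: the SMTP dialogue is simulated in-process, the recipient directory standing in for the AD/LDAP lookup is a constructed set, and the mail log lines and host names are constructed samples.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for the directory (AD/LDAP) of real mailboxes.
KNOWN_RECIPIENTS = {"alice@example.mil", "bob@example.mil"}


@dataclass
class Relay:
    """Minimal model of an inbound relay; validate_recipients selects the behaviour."""
    validate_recipients: bool
    ndrs_sent: list = field(default_factory=list)  # backscatter this relay would emit

    def smtp_session(self, mail_from: str, rcpt_to: str) -> list:
        """Return the server replies for one envelope; simulated, no network I/O."""
        replies = ["220 relay.example ESMTP", "250 relay.example Hello"]
        replies.append(f"250 2.1.0 {mail_from}... Sender ok")
        if self.validate_recipients and rcpt_to not in KNOWN_RECIPIENTS:
            # Rejected inside the transaction: the sending side owns the failure,
            # so no bounce to a possibly forged sender is ever generated.
            replies.append(f"550 5.1.1 {rcpt_to}... User unknown")
            return replies
        replies.append(f"250 2.1.5 {rcpt_to}... Recipient ok")
        replies.append('354 Enter mail, end with "." on a line by itself')
        replies.append("250 2.0.0 Message accepted for delivery")
        if rcpt_to not in KNOWN_RECIPIENTS:
            # Downstream server discovers the missing user after the session
            # has closed; the only remaining option is an NDR to MAIL FROM.
            self.ndrs_sent.append({"to": mail_from, "about": rcpt_to})
        return replies


def backscatter_count(validate_recipients: bool) -> int:
    """Run a constructed spam batch (forged senders, bogus recipients) through a relay."""
    spam_batch = [
        ("victim1@other.example", "zzqx.1234@example.mil"),
        ("victim2@another.example", "qwerty.9876@example.mil"),
        ("victim3@third.example", "nobody.here@example.mil"),
        ("bob@example.mil", "alice@example.mil"),  # legitimate, always delivered
    ]
    relay = Relay(validate_recipients)
    for mail_from, rcpt_to in spam_batch:
        relay.smtp_session(mail_from, rcpt_to)
    return len(relay.ndrs_sent)


# Constructed outbound-log sample in a generic key=value form. A bounce is
# recognised by its null envelope sender (from=<>).
SAMPLE_LOG = """\
Nov 20 10:01:02 mx1 mail: host=exch-bridge.example.mil from=<> to=<victim1@other.example> subject=Undeliverable
Nov 20 10:01:05 mx1 mail: host=exch-bridge.example.mil from=<> to=<victim2@another.example> subject=Undeliverable
Nov 20 10:01:09 mx1 mail: host=exch-bridge.example.mil from=<> to=<alice@example.mil> subject=Undeliverable
Nov 20 10:02:00 mx1 mail: host=linux-mx2.example.mil from=<bob@example.mil> to=<peer@other.example> subject=Report
""".splitlines()

LOG_RE = re.compile(r"host=(?P<host>\S+) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]+)>")


def ndr_sources(lines, local_domains) -> Counter:
    """Count null-sender messages leaving for external domains, per originating host."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["from"] != "":
            continue  # not parseable, or not a bounce
        domain = m["to"].rsplit("@", 1)[-1].lower()
        if domain in local_domains:
            continue  # internal NDRs are not backscatter
        counts[m["host"]] += 1
    return counts


if __name__ == "__main__":
    print("NDRs, accept-then-bounce:", backscatter_count(False))
    print("NDRs, reject at RCPT TO: ", backscatter_count(True))
    print("external NDRs per host:", dict(ndr_sources(SAMPLE_LOG, {"example.mil"})))
```

The `ndr_sources` pass is the quickest way to answer "which of the four permitted senders is the culprit": filter the outbound log for null-sender messages addressed outside your own domains and group by originating host. In the constructed sample only the bridgehead shows up, matching Scott's suspicion; on a real firewall log the same filter applied to whatever fields its format exposes gives the same answer.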