  1. #1
    Member
    Join Date
    Apr 2009
    Posts
    8

    Default Disable Backscatter & Sender Callouts

    Hey, was recently added to the backscatterer.org spam list for one of my IPs, allegedly for backscatter and/or sender callouts. Anyone have any idea how I can fix this? I read somewhere to require "validate sender" or something like that, but do not see any idea how to get this done in the cPanel WHM server manager.

    And I have no idea what sender callouts are or how to stop those as well. Any help would be GREATLY appreciated.

  2. #2
    Member
    Join Date
    Aug 2003
    Posts
    15

    Default

    Did you ever get a response for this? I'm interested in the answer as well. I am listed in backscatter.org too.

  3. #3
    Member cpanelchrish's Avatar
    Join Date
    Jun 2009
    Posts
    24

    Default

    You can enable/disable this under
    Main >> Service Configuration >> Exim Configuration Editor

    The option is under the "Mail" heading, and is labeled "Sender Verification Callouts"

    Essentially the way it works is as such:

    -external host connects to exim
    -external host sends HELO, MAIL, RCPT
    -before acknowledging the RCPT command, exim connects to the MX record for the domain sent in the MAIL command, sends a HELO, a MAIL command (using a null reverse path), and then for the address in RCPT, exim uses whatever the external connecting host originally sent in its MAIL command
    -if exim gets a 5xx in response to the RCPT command it sends to that MX, then it will respond to the original connecting external host with a 5xx
    -if exim gets a 2xx in response to the RCPT command it sends to that MX, then it will respond to the original connecting host with a 2xx, indicating the RCPT command was accepted.

    A typical session would look as such; for our purposes here, "RX:" designates something Exim receives from a connecting host, and "TX:" represents a reply Exim sends to the connecting host

    ==remote host connecting to Exim==
    Code:
    RX: EHLO mail.external.tld.
    TX: 250 Howdy mail.external.tld, I am ready
    RX: MAIL FROM:<someuser@external.tld>
    TX: 250 Ok
    RX: RCPT TO:<localuser@yourdomain.tld>

    Before responding to the RCPT command issued by the remote host, Exim will attempt to confirm the address used in MAIL is valid by looking up the MX record.

    Exim puts its response to the RCPT command on hold until it has a chance to do the following:

    ==your Exim connecting to the MX for 'external.tld'==
    Code:
    TX: EHLO mail.yourdomain.tld
    RX: 250 Hello noble cPanel server, I am ready
    TX: MAIL FROM:<>
    RX: 250 Ok
    TX: RCPT TO:<someuser@external.tld>
    RX: $foo
    TX: QUIT
    RX: 221 Service closing transmission channel

    -if $foo is a 2xx response

    ==remote host still connected inbound to Exim==
    Code:
    TX: 250 Ok
    RX: DATA
    TX: 354 Go Ahead, end in <CRLF>.<CRLF>
    RX: Subject: blah\r\nTo: you\r\nFrom: me\r\n\r\n
    RX: And now this is the body, next line is the data termination sequence
    RX: \r\n.\r\n
    TX: 250 Message Accepted

    -if $foo is a 5xx response

    ==remote host still connected inbound to Exim==
    Code:
    TX: 550 Sender Verify Failed
    RX: QUIT
    TX: 221 Adieu mon ami


    With regards to why this is a BAD thing, the fella here makes a number of very valid points:

    Backscatterer.org powered by UCEPROTECT

    We allow you to do it because Exim allows you to do it. Opinions on it are varied, and though I haven't a clue what the official stance is, having seen it from another perspective, I'm of the opinion it's a greedy method of filtering forged spam.

    I've advised people against its use in the past, and as of yet have seen no convincing argument that shows the positives outweighing the negatives. Indeed I remember a few years back a huge debacle with a fairly large Australian ISP landing themselves blacklisted on SpamCop for doing this, and frankly I can't say I disagree with the listing.

    Now, it does work as advertised. It *does* have its merits, and it will likely reduce the amount of spam you accept from forged addresses - it's just too greedy and easily abused to make it feasible from where I sit.

    At any rate, cutting off my pontification on the topic here - if you encounter issues with it, you can access the configuration portion of it using the menu described at the beginning of this post. Disable this, then request delisting with whichever providers have you blacklisted, and you should be good to go.

    Hope that helps and is at least a somewhat clear explanation.
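The callout exchange described in the post above, as an added Python simulation that is not part of the original thread or of Exim. The `SimulatedMX` class, the function names and the `bogus<N>@thisdomain.net` senders are constructed for illustration, "C:"/"S:" mark the calling server and the contacted MX, and no callout result caching is modelled. It shows that every forged sender at a domain produces one connection to that domain's MX, which took no part in the original message.

```python
class SimulatedMX:
    """Stand-in for the MX of the domain named in MAIL FROM (no network)."""

    def __init__(self, mailboxes):
        self.mailboxes = set(mailboxes)
        self.sessions = []  # one transcript per callout connection received

    def callout(self, address):
        """Play the callout session from the post; return the RCPT reply code."""
        code = 250 if address in self.mailboxes else 550
        self.sessions.append([
            "C: EHLO mail.yourdomain.tld", "S: 250 ready",
            "C: MAIL FROM:<>", "S: 250 Ok",          # null reverse path
            f"C: RCPT TO:<{address}>", f"S: {code}",  # address under test
            "C: QUIT", "S: 221 closing",
        ])
        return code


def reply_to_inbound_rcpt(mail_from, mx_by_domain, callouts_enabled):
    """Return the reply the receiving server gives to the inbound RCPT."""
    if not callouts_enabled:
        return "250 Ok"
    domain = mail_from.rsplit("@", 1)[-1]
    mx = mx_by_domain.get(domain)
    if mx is None:
        # Assumption: a sender domain with no reachable MX is rejected.
        return "550 Sender Verify Failed"
    code = mx.callout(mail_from)
    return "250 Ok" if 200 <= code < 300 else "550 Sender Verify Failed"


def forged_run(count, callouts_enabled):
    """Feed `count` messages with forged senders at one uninvolved domain.

    Returns (rejected_inbound, connections_made_to_uninvolved_mx).
    """
    bystander = SimulatedMX(mailboxes={"realuser@thisdomain.net"})
    mx_by_domain = {"thisdomain.net": bystander}
    rejected = 0
    for i in range(count):
        forged = f"bogus{i}@thisdomain.net"  # constructed forged sender
        reply = reply_to_inbound_rcpt(forged, mx_by_domain, callouts_enabled)
        rejected += reply.startswith("550")
    return rejected, len(bystander.sessions)


if __name__ == "__main__":
    print("callouts on :", forged_run(300, True))
    print("callouts off:", forged_run(300, False))
```
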

  4. #4
    Member
    Join Date
    Apr 2005
    Posts
    246

    Default

    Thanks for a very clear explanation.

    My recommendation is to just disable that feature in WHM. (Uncheck it). Otherwise backscatter will add your IP at some point.

  5. #5
    Member
    Join Date
    Nov 2008
    Posts
    5

    Default

    Great response cpanelchrish, thanks.

    I've found one of our IPs is listed now, however the "** Sender Verification Callouts " was already off when I went to check it, so this may not be the only cause?

  6. #6
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    378
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by webmatrixau
    Great response cpanelchrish, thanks.

    I've found one of our IPs is listed now, however the "** Sender Verification Callouts " was already off when I went to check it, so this may not be the only cause?

    Backscatter will blacklist even for something as simple as a user setting up a vacation responder so it is quite possible to still be listed.

  7. #7
    Member
    Join Date
    Dec 2008
    Posts
    16

    Default

    So maybe I don't understand here.

    If a spammer is able to send me 300,000 emails from bogus@thisdomain.net and my sender callouts are trying to verify the existence and validity of this email address, if the server at thisdomain.net is properly configured this bogus email should not get out in the first place? Isn't that what the SPF records are for? So if this email is getting out and we are being blacklisted by backscatter for sender callouts why are we being punished for protecting ourselves?

    Again, perhaps I don't understand but how could someone use a domain to send out a spam if they are set up properly? I would think the liability is with the domain that is permitting the original email that is causing the callout to begin with, and if this is the case is backscatter protecting the spammers? It sure looks that way to me. If my domain gets used to send out 300,000 bogus emails, and I get that many callouts, you can bet after the pseudo DoS attack I'm going to be looking at my email settings and putting a stop to the abuse on my end.

  8. #8
    Member
    Join Date
    Dec 2008
    Posts
    16

    Default

    Quote Originally Posted by cpanelchrish
    With regards to why this is a BAD thing, the fella here makes a number of very valid points:

    Backscatterer.org powered by UCEPROTECT

    Well I just read this page, and this is without a doubt the most unprofessional bunch of high ramble I have ever read. I am to assume that I am selfish for wanting to protect my users? The whole tone of this is bizarre to say the least,

    This is like saying that if a murderer breaks into my house in the middle of the night and I grab a gun I'm being selfish, but again perhaps I don't understand but I am going to have a major problem with the domain that permits someone to fake an email and send me 30 million spoofed emails.

    I hope someone sees my point here, there is a reason Exim put the send callouts in there in the first place, but as usual the spammers will use poorly set up servers to get their garbage out there and we pay the price.

    Again, maybe I don't fully understand the issue here but I personally would like the ability to verify mail coming in without having to worry about some blacklist out of Florida putting me on the list, or, maybe being on this blacklist could be a badge of honor, you know, Yeah we're blacklisted too, we verify senders!

  9. #9
    Member
    Join Date
    Aug 2002
    Posts
    1,120

    Default

    Quote Originally Posted by Jtellup
    Again, maybe I don't fully understand the issue here but I personally would like the ability to verify mail coming in without having to worry about some blacklist out of Florida putting me on the list, or, maybe being on this blacklist could be a badge of honor, you know, Yeah we're blacklisted too, we verify senders!

    One thing to keep in mind here is that if you use sender callouts, you may be blocking some legitimate mails.

    We had sender callouts enabled for a period of time on our servers. I don't remember who it was, Visa or American Express, a major credit card company nonetheless, was sending an e-mail to one of our users (a legitimate message, not a spam message) using an envelope-sender address of something like noreply@visa.com. Granted they didn't want you to reply to the message, they wanted you to use their contact method from their website. However, the visa.com mail server would not accept messages to noreply@visa.com thus the sender callout would fail, thus our user never received the message from Visa.

    We tried to contact Visa to let them know that their e-mailing practice was not correct. If they are sending messages out from an address, then their mail server needs to at least accept messages to that same address. It can immediately delete those messages if it so desires, but it needs to accept the messages. We never heard back from them.

    This was just one example of this type of activity, and I'm sure there are other companies out there that use the same practice.

    So if you are using sender callouts, you may be missing some legitimate mail. Even though the fault for this is pointing back to the sender.

  10. #10
    Member
    Join Date
    Dec 2008
    Posts
    16

    Default

    Quote Originally Posted by sparek-3
    One thing to keep in mind here is that if you use sender callouts, you may be blocking some legitimate mails.

    I hear ya, and that's a concern of mine too, so I have gone in and disabled them, I don't want to be a problem, but I have to be honest when I went to that link and read that guy's rant on backscatter the first thought that went through my mind was he was a spammer, then I did a whois on him and was really convinced, I still am, he wants to punish those of us who try to protect ourselves by protecting those who don't care enough to.

    But I understand what you're saying about not getting the legitimate, wait, what do we call it when a company sends out 45 million offers for a service and uses a bogus email address? I thought that was spam? Do we understand then, that it is only spam if it offends us? But if the same practice is used and we like it, it is not spam? Help me out here.

  11. #11
    Member
    Join Date
    Nov 2008
    Posts
    5

    Exclamation Relisted

    Quote Originally Posted by DomineauX
    Backscatter will blacklist even for something as simple as a user setting up a vacation responder so it is quite possible to still be listed.

    If that's the case, BACKSCATTER will be blacklisting every SMTP server on the planet?

    I've just been re-listed...

    cPanel staff: how do I get off this list?

  12. #12
    Registered User
    Join Date
    Dec 2005
    Posts
    2

    Default

    Old but some more info for anyone needing it...

    About backscatterer.org:
    Not really the best of lists, they set up spam traps trying to catch both spammers and servers who could 'possibly' be used for DDOS attacks. DDOS attacks are basically overloading a server so it can't function correctly or optimally. In this case, if your server were to accept mail, then later send a bounce message like "unknown user", you could potentially send a bounce message to an address that was initially faked.

    Let's say I send an e-mail and spoof the address bill@microsoft.com (probably in history the most used). I send this e-mail to hgeruhg@yoursite.tld and your server first accepts it, later rejecting it because "hgeruhg not found" but sends a bounce message to bill@microsoft.com

    Let's say this spammer does this to a few 1000 servers always using bill@microsoft.com as the sender, getting to a total of a few million e-mails and all done quickly with the help of a script. Now poor bill will get EVERY one of those bounce messages from servers that handle mail in this fashion which bogs the server possibly killing real email delivery until this attack is finished.

    Now what backscatterer is saying is to reject at the time the mail is sent. Even a spammer has to use SOME type of mail server on their end and when they send it, it first hits their mail server and that server communicates with the TO: mail server. If the mail is first accepted and then rejected, it is possibly rejected to the wrong destination (the fake e-mail) in a form of a bounced message. If your server rejects DURING the SMTP transfer (before accepting the message), it would be immediately returned to the attacker's machine with an error as an SMTP message NOT an e-mail.

    I feel backscatterer.org has some good points, but most spammers are making a ton of money and can easily afford the 50 euros to remove themselves. In fact, I don't think of backscatterer.org as a legitimate blacklist as it seldom lists spammers, it lists hosts that aren't set up the way they feel you should (even gmail refuses to use backscatterer as it usually just hurts email delivery from small hosts).

    So in essence backscatterer.org is a type of blackmail to get small hosts to pay 50 euros or wait out the blacklist (4 weeks).

    How to fix this so the blackscatterer bully will stop this abuse? (yes I feel they abuse the blacklist system) It's hard to be perfect but this is what I've done.

    In WHM (if you only have cpanel access, ask your host):
    under the section "Mail"
    uncheck
    "Sender Verification Callouts"
    IF you have multiple IPs you can also check
    "Send outgoing mail from the ip that matches the domain name in /etc/mailips"*

    *This would basically limit the domains/IPs that get blacklisted since blacklists work on IPs so if one user (who has his/her own IP) was identified as a spammer, only their IP would be listed and the others on your server are still clean. Also helps as backscatterer.org just hits random people (I've been listed twice in the last 4 years) so if one IP was randomly caught, the others, again, are still clean. (Just note sometimes backscatterer will list IP ranges in an attempt to get more money.)

    Remember, this isn't a full solution as you can still send bounce messages, I'm trying to fix this now and will post when I find the easiest way with cpanel.


    The biggest issue with all of this is that spammers are getting unknowing hosts blacklisted for the spammers' abuse, not the hosts'.

    backscatterer.org needs to pull their head out and make temporary listed sites only last a week as 99% of them are not spammers just people who don't know any better and are using the industry standard mail settings (as we would all expect when we haven't hit this issue).

    In essence, backscatterer has figured out a way to make money off of servers that spammers are abusing with e-mail spoofing (probably the worst blacklist available).

    On top of that blackscatterer doesn't give you enough info to really check logs, they tell you the last instance +/- a minute which for some SMTP servers would be impossible to track down unless they tell you where the bounce was sent. This makes me feel that backscatterer is sending out spoofed e-mails with an address they know is their spam trap hoping to get a response as most spammers would use a real domain they know isn't a spam trap. (This would be a new way to profit from spam.)

    If you find a domain that uses backscatterer.org, you should contact them and tell them that the list is going against a FREQUENTLY used part of the SMTP protocol and while there is some merit, SMTP would need a rewrite itself to really fix the problem. Backscatterer is profiting off of this because they "say" it's helpful when it really isn't, I don't have the money, plenty do and this is what they are hoping for. I would almost guarantee if you paid and didn't fix the issue they'd try you out the next day to relist you as they warn you all over the site, would be their perfect defense.
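One way to find the accept-then-bounce traffic described in the post above is to pair locally generated bounces with their remote deliveries in the Exim main log. This is an added Python example, not part of the original thread; the sample lines are constructed to follow the Exim main log layout, and the function and field names are illustrative.

```python
import re

# Constructed sample lines (not real log data).
SAMPLE_LOG = """\
2009-09-09 09:10:01 1MlAAA-0001aa-01 <= bill@victim.example H=(spam.example) [203.0.113.9] P=esmtp S=1500 for hgeruhg@yoursite.example
2009-09-09 09:10:02 1MlAAA-0001aa-01 ** hgeruhg@yoursite.example: Unrouteable address
2009-09-09 09:10:02 1MlAAB-0001ab-02 <= <> R=1MlAAA-0001aa-01 U=mailnull P=local S=2600 T="Mail delivery failed: returning message to sender" for bill@victim.example
2009-09-09 09:10:03 1MlAAB-0001ab-02 => bill@victim.example R=lookuphost T=remote_smtp H=mx.victim.example [192.0.2.25]
2009-09-09 09:10:03 1MlAAB-0001ab-02 Completed
2009-09-09 09:11:00 1MlAAC-0001ac-03 <= alice@partner.example H=mail.partner.example [198.51.100.4] P=esmtp S=900 for bob@yoursite.example
2009-09-09 09:11:01 1MlAAC-0001ac-03 => bob <bob@yoursite.example> R=virtual_user T=virtual_userdelivery
2009-09-09 09:11:01 1MlAAC-0001ac-03 Completed
"""

# "<=" marks a message arrival; a bounce arrives with the null sender "<>".
ARRIVAL = re.compile(r'^\S+ \S+ (\S+) <= (\S+) (.*)$')
# "=>" / "->" mark deliveries; only deliveries over remote SMTP leave the server.
REMOTE_DELIVERY = re.compile(
    r'^\S+ \S+ (\S+) [=-]> (\S+) .*\bT=remote_smtp\b.*\bH=(\S+) \[([^\]]+)\]')


def find_backscatter(log_text):
    """Return one record per bounce that was delivered to a remote host."""
    arrivals = {}   # message id -> connecting IP of that arrival (or None)
    bounce_of = {}  # bounce message id -> id of the message that failed
    findings = []
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            msg_id, sender, rest = m.groups()
            ip = re.search(r'\[([0-9a-fA-F.:]+)\]', rest)
            arrivals[msg_id] = ip.group(1) if ip else None
            parent = re.search(r'\bR=(\S+)', rest)
            if sender == '<>' and parent:
                bounce_of[msg_id] = parent.group(1)
            continue
        m = REMOTE_DELIVERY.match(line)
        if m and m.group(1) in bounce_of:
            original = bounce_of[m.group(1)]
            findings.append({
                "bounce_id": m.group(1),
                "original_id": original,
                "bounced_to": m.group(2),
                "remote_mx": m.group(3),
                "remote_ip": m.group(4),
                "injected_from": arrivals.get(original),
            })
    return findings


if __name__ == "__main__":
    for record in find_backscatter(SAMPLE_LOG):
        print(record)
```

Each record ties a bounce to the message that caused it and to the IP that injected that message, which is the detail needed to see which accepted-then-failed recipients are generating bounces.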

  13. #13
    Member
    Join Date
    Apr 2004
    Posts
    320

    Default Re: Disable Backscatter & Sender Callouts

    None of our servers have the "Sender Verification Callouts" option enabled but most of the servers still got listed on that list.

    In WHM's Exim Configuration Editor all items under "Mail" are set to cPanel's default.

    The amount of mail sent within a minute's timespan is also too large to figure out the exact reason a server was blacklisted at all.

    Any advice would be appreciated.

  14. #14
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Default Re: Disable Backscatter & Sender Callouts

    What is the exact message you have for the listing with backscatterer.org site?
    -- Tristan, Forums Technical Analyst, cPanel Tech Support


  15. #15
    Member
    Join Date
    Apr 2004
    Posts
    320

    Default Re: Disable Backscatter & Sender Callouts

    Hi cPanelTristan,
    Thanks for responding.
    I'm not sure what you mean though. Can you please elaborate?
