Today I got 3000 joe-job bounce emails which were sent with one of my email addresses as the return-path but with a different from: and reply-to: address.
I can see no legitimate reason for my mailserver to accept bounces or any email where the return-path is different than the from address. Further, no one on the server uses a separate reply-to header, so I can see no legitimate reason to accept email where the reply-to header is different than the from header.
Unfortunately, when you are the victim of such a joe-job, the mailer-daemon returns are all in different formats -- there doesn't seem to be much of a standard there. When they often include the original message, the headers clearly show the insanity of bouncing to the return-path when it doesn't match the from or reply-to address, so possibly I could scan based on this...
Enabling domain keys and SPF helps prevent some of the spammers' email from getting through, but it seems you still get the bounces from these mail servers that still bounce instead of fail.
Any ideas for an easy solution?
Code:
Return-Path: <[email protected]>
Received: from Mailrelay15.libero.it (172.31.0.167) by smtp-in2.libero.it (7.3.120)
id 4628E49E18DB4454; Sun, 20 Apr 2008 19:41:00 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av//AM4cC0i+QZAyPGdsb2JhbACRGB4YAQEBFBw
X-cp3a: YES
X-IronPort-AV: E=Sophos;i="4.25,686,1199660400";
d="scan'208";a="304107310"
Received: from unknown (HELO 212.52.84.83) ([190.65.144.50])
by Mailrelay15.libero.it with SMTP; 20 Apr 2008 19:40:48 +0200
X-Originating-IP: 252.188.245.5 by smtp.190.65.144.50; Sun, 20 Apr 2008 13:40:47 -0500
Message-ID: <[email protected]>
From: "Somebody Shelton" <[email protected]>
Reply-To: "Somebody Shelton" <[email protected]>
To: [email protected]
Subject: Inexpensive Louis Vuitton bags
Date: Sun, 20 Apr 2008 13:40:47 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit

Return-path: <[email protected]>
Received: from adsl190-28-162-133.epm.net.co ([190.28.162.133])
by server5.cts-gmbh.net with smtp (Exim 4.63)
(envelope-from <[email protected]>)
id 1Jnd3s-0006Gl-SS
for [email protected]; Sun, 20 Apr 2008 19:10:45 +0200
X-Originating-IP: 252.10.206.208 by smtp.190.28.162.133; Sun, 20 Apr 2008 13:19:20 -0500
Message-ID: <[email protected]>
From: "somebodyelse Beard" <[email protected]>
Reply-To: "somebodyelse Beard" <[email protected]>
To: [email protected]
Subject: Inexpensive Louis Vuitton bags
Date: Sun, 20 Apr 2008 13:19:20 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit

Return-Path: <[email protected]>
Received: (qmail 44112 invoked by uid 3179); 19 Apr 2008 05:31:08 -0000
Delivered-To: chrismd-westminsterspeed:[email protected]
Received: (qmail 44109 invoked from network); 19 Apr 2008 05:31:08 -0000
Received: from mailwash40.pair.com (66.39.2.40)
by ulawun.pair.com with SMTP; 19 Apr 2008 05:31:08 -0000
Received: from localhost (localhost [127.0.0.1])
by mailwash40.pair.com (Postfix) with SMTP id E8F542BD3A;
Sat, 19 Apr 2008 01:31:07 -0400 (EDT)
Received: from host-201-151-139-226.block.alestra.net.mx (unknown [201.151.139.226])
by mailwash40.pair.com (Postfix) with SMTP id 21B342BCF0;
Sat, 19 Apr 2008 01:30:53 -0400 (EDT)
X-Originating-IP: 76.48.166.153 by smtp.201.151.139.226; Sat, 19 Apr 2008 01:30:47 -0500
Message-ID: <[email protected]>
From: "somebodyelse Ricks" <[email protected]>
Reply-To: "somebodyelse Ricks" <[email protected]>
To: [email protected]
Subject: Replica watch is a perfect gift
Date: Sat, 19 Apr 2008 01:30:47 -0500
Content-Type: text/plain;
Content-Transfer-Encoding: 7Bit
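The scan the post proposes, as an added example that is not part of the original post: pull the original message's headers out of a bounce, whether it is a structured multipart report or free-form text, and flag it when the embedded Return-Path is one of your addresses but From and Reply-To name someone else. The addresses, the sample bounce and the function names are constructed for illustration, and the rule assumes, as the post states for this server, that local users never send with a From or Reply-To different from the envelope sender.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample bounce; every address here is a placeholder.
SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
To: me@mydomain.example
Subject: Undelivered Mail Returned to Sender

Your message could not be delivered. Original headers follow.

Return-Path: <me@mydomain.example>
Received: from unknown (HELO 192.0.2.10) by mx.example.net with SMTP
From: "Somebody Shelton" <shelton@spam.example>
Reply-To: "Somebody Shelton" <shelton@spam.example>
To: victim@example.net
Subject: Inexpensive bags
"""

def original_headers(bounce_text):
    """Return the message embedded in a bounce as a Message, or None."""
    msg = email.message_from_string(bounce_text)
    for part in msg.walk():  # structured bounces (multipart/report)
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    for part in msg.walk():  # free-form bounces: headers quoted in the text
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            found = re.search(r"^Return-Path:.*", body, re.I | re.M | re.S)
            if found:
                return email.message_from_string(found.group(0))
    return None

def is_joe_job(bounce_text, my_addresses):
    """True when the bounced original used one of our addresses as
    Return-Path while From and Reply-To name someone else."""
    orig = original_headers(bounce_text)
    if orig is None:
        return False  # no embedded headers: leave it to other filters
    rpath = parseaddr(orig.get("Return-Path", ""))[1].lower()
    claimed = {parseaddr(orig.get(h, ""))[1].lower() for h in ("From", "Reply-To")}
    claimed.discard("")
    return rpath in my_addresses and bool(claimed) and rpath not in claimed
```

Bounces that carry no recognizable copy of the original headers return False here, so they still need whatever other filtering the server applies.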