
reject joe job email where Return-Path does not = from:

Discussion in 'E-mail Discussions' started by boatdesign, Apr 24, 2008.

  1. boatdesign

    Today I got 3000 joe-job bounce emails which were sent with one of my email addresses as the return-path but with a different from: and reply-to: address.

    Code:
    Return-Path: <me@mydomain.com>
    Received: from Mailrelay15.libero.it (172.31.0.167) by smtp-in2.libero.it (7.3.120)
    id 4628E49E18DB4454; Sun, 20 Apr 2008 19:41:00 +0200
    X-IronPort-Anti-Spam-Filtered: true
    X-IronPort-Anti-Spam-Result: Av//AM4cC0i+QZAyPGdsb2JhbACRGB4YAQEBFBw
    X-cp3a: YES
    X-IronPort-AV: E=Sophos;i="4.25,686,1199660400";
    d="scan'208";a="304107310"
    Received: from unknown (HELO 212.52.84.83) ([190.65.144.50])
    by Mailrelay15.libero.it with SMTP; 20 Apr 2008 19:40:48 +0200
    X-Originating-IP: 252.188.245.5 by smtp.190.65.144.50; Sun, 20 Apr 2008 13:40:47 -0500
    Message-ID: <upzpnzWFJXSRdoel68@libero.it>
    From: "Somebody Shelton" <somebody@libero.it>
    Reply-To: "Somebody Shelton" <somebody@libero.it>
    To: somebody@libero.it
    Subject: Inexpensive Louis Vuitton bags
    Date: Sun, 20 Apr 2008 13:40:47 -0500
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7Bit
    
    Return-path: <me@mydomain.com>
    Received: from adsl190-28-162-133.epm.net.co ([190.28.162.133])
    by server5.cts-gmbh.net with smtp (Exim 4.63)
    (envelope-from <me@mydomain.com>)
    id 1Jnd3s-0006Gl-SS
    for gastro@club-zero.tv; Sun, 20 Apr 2008 19:10:45 +0200
    X-Originating-IP: 252.10.206.208 by smtp.190.28.162.133; Sun, 20 Apr 2008 13:19:20 -0500
    Message-ID: <vopptcrDNZILSgastro@club-zero.tv>
    From: "somebodyelse Beard" <somebodyelse@club-zero.tv>
    Reply-To: "somebodyelse Beard" <somebodyelse@club-zero.tv>
    To: somebodyelse@club-zero.tv
    Subject: Inexpensive Louis Vuitton bags
    Date: Sun, 20 Apr 2008 13:19:20 -0500
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7Bit
    
    Return-Path: <me@mydomain.com>
    Received: (qmail 44112 invoked by uid 3179); 19 Apr 2008 05:31:08 -0000
    Delivered-To: chrismd-westminsterspeed:com-fred@westminsterspeed.com
    Received: (qmail 44109 invoked from network); 19 Apr 2008 05:31:08 -0000
    Received: from mailwash40.pair.com (66.39.2.40)
    by ulawun.pair.com with SMTP; 19 Apr 2008 05:31:08 -0000
    Received: from localhost (localhost [127.0.0.1])
    by mailwash40.pair.com (Postfix) with SMTP id E8F542BD3A;
    Sat, 19 Apr 2008 01:31:07 -0400 (EDT)
    Received: from host-201-151-139-226.block.alestra.net.mx (unknown [201.151.139.226])
    by mailwash40.pair.com (Postfix) with SMTP id 21B342BCF0;
    Sat, 19 Apr 2008 01:30:53 -0400 (EDT)
    X-Originating-IP: 76.48.166.153 by smtp.201.151.139.226; Sat, 19 Apr 2008 01:30:47 -0500
    Message-ID: <rjdfhlJCJQXdunn@westminsterspeed.com>
    From: "somebodyelse Ricks" <somebodyelse@westminsterspeed.com>
    Reply-To: "somebodyelse Ricks" <somebodyelse@westminsterspeed.com>
    To: somebodyelse@westminsterspeed.com
    Subject: Replica watch is a perfect gift
    Date: Sat, 19 Apr 2008 01:30:47 -0500
    Content-Type: text/plain;
    Content-Transfer-Encoding: 7Bit

    I can see no legitimate reason for my mailserver to accept bounces or any email where the return-path is different than the from address. Further, no one on the server uses a separate reply-to header, so I can see no legitimate reason to accept email where the reply-to header is different than the from header.

    Unfortunately, when you are the victim of such a joe-job, the mailer daemon returns are all different formats -- doesn't seem there is much of a standard there. When they often include the original message, the headers clearly show the insanity of bouncing to the return-path when it doesn't match the from or reply-to address, so possibly I could scan based on this...

    Enabling domain keys and SPF helps prevent some of the spammers' email from getting through, but you still get the bounces it seems from these mail servers that still bounce instead of fail :(

    Any ideas for an easy solution?
     
    #1 boatdesign, Apr 24, 2008
    Last edited: Apr 24, 2008
  2. nickp666

    MailScanner watermarks all outgoing messages, and when bounces come through, if they don't contain a watermark it spams them out. Works well for us.
     
  3. kemis

    The problem I've found with MailScanner's watermarking is that other legit e-mails (like out of office replies) will get spammed for some strange reason, too.

    I've had to disable watermarking until there's a way to enable/disable it per-domain. Right now it's an all or nothing approach, unfortunately.

    If I'm wrong, then PLEASE correct me!

    Matt

    UPDATE: I was wrong! You CAN specify a ruleset for several different watermarking settings. Therefore, you can enable or disable watermarking behavior per domain. Sorry for any confusion - Go get MailScanner from ConfigServer!
     
    #3 kemis, May 10, 2008
    Last edited: May 10, 2008
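
The watermark check described in the replies above, sketched as an added example (it is not MailScanner's code and not from the thread): outgoing mail is stamped with a keyed header, and a null-sender message counts as a genuine bounce only if it quotes an unexpired stamp issued for the recipient. The header name, secret, lifetime, clock value and sample messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import time

SECRET = b"constructed-demo-secret"   # assumption: a per-site secret key
HEADER = "X-Example-Watermark"        # hypothetical header name
LIFETIME = 7 * 86400                  # assumption: stamp is valid for 7 days
NOW = 1208700000                      # constructed clock value for the samples

def _mac(expiry, sender):
    data = f"{expiry}:{sender.lower()}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()

def make_watermark(sender, now=None):
    """Header value to stamp on outgoing mail with this envelope sender."""
    expiry = int(time.time() if now is None else now) + LIFETIME
    return f"{expiry}@{_mac(expiry, sender)}"

def watermark_valid(value, sender, now=None):
    """True if value is an unexpired stamp that we issued for sender."""
    expiry, _, mac = value.partition("@")
    try:
        expiry = int(expiry)
    except ValueError:
        return False
    now = time.time() if now is None else now
    good = hmac.compare_digest(mac.encode("utf-8", "replace"),
                               _mac(expiry, sender).encode())
    return good and expiry >= now

WM_RE = re.compile(rf"^[ \t>]*{re.escape(HEADER)}:[ \t]*(\S+)", re.M | re.I)

def classify(envelope_from, rcpt, raw, now=None):
    """Classify an inbound message addressed to the local address rcpt."""
    if envelope_from:                 # bounces arrive with the null sender <>
        return "normal"
    # Bounce layouts differ between mail servers, so scan the whole text for
    # the stamp line (plain or ">"-quoted) rather than expect one structure.
    for value in WM_RE.findall(raw):
        if watermark_valid(value, rcpt, now):
            return "genuine-bounce"
    return "unverified-bounce"

# Constructed sample bounces: one quotes our stamped mail, one is backscatter.
GENUINE = ("Subject: Mail delivery failed\n\nUser unknown. Original headers:\n"
           f"> {HEADER}: {make_watermark('me@mydomain.com', NOW)}\n")
BACKSCATTER = ("Subject: failure notice\n\nReturn-Path: <me@mydomain.com>\n"
               "From: \"Somebody Shelton\" <somebody@libero.it>\n")
```

In this sketch, a null-sender auto-reply that does not quote the original headers carries no stamp, so it is classified the same way as backscatter.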