spam bounce back prevention

[wzd]

Hi All,

I'm seeing a TON of email in the mail watch log which shows what i call a bounce back attack. Basically someone is emailing from [email protected] to other people, this is then bouncing back to us.

some of the emails are even showing FROM mailboxes at our clients domain that don't even exist (eg. [email protected])

I'm interested in preventing this (besides:fail - Would a sender policy framework help and/or could someone point me to a url to understand SPF better?
**EDIT** I understand that this is a common issue referred to as Dictionary Attacks but does implementing a sender policy framework do anything to decrease this?

Additionally Mailscanner is recently tagging all mail that does not have a FROM header automatically as low scoring spam. The problem with this is READ receipts or delivery failures all come without headers so none of our domains are receiving read receipts for email.

Any advice / flaming / urls on the above appreciated.
Wzd

 

[brianoz]

Actually this is not a dictionary attack at all; it's in fact called backscatter (or, a "joe-job"). Unfortunate that it's not a Dictionary Attack as they're relatively easy to defend against - see www.configserver.com.

I've heard that cPanel support the inclusion of a signature in outgoing email so backscatter can be rejected if it is not genuine; I'm not sure what the status of that is at this point.

SPF helps a little, but not a lot. The real solution is the signature.

 

[sawbuck]

Regarding MS and Read receipts.

http://www.configserver.com/blog/index.php?itemid=231

 

[grindlay]

Spf

SPF would mitigate the attack for the recipient mail systems that pay attention to it.
You can have WHM add SPF records automatically to all new accounts using the DNS template.

http://www.openspf.org/

 

[CaMer0n]

Does anyone have additional information on preventing this kind of spam?
I already have SPF, but it doesn't help much.

Thanks

 

[rgpayne]

SPF would mitigate the attack for the recipient mail systems that pay attention to it.
You can have WHM add SPF records automatically to all new accounts using the DNS template.

http://www.openspf.org/

ok How would you do that if you host say 100 domains and want SPF on all of them
say my helo statemnet is rg.rgpayne.com

 

[mtindor]

ok How would you do that if you host say 100 domains and want SPF on all of them
say my helo statemnet is rg.rgpayne.com

I'll let somebody else address how you should easily add an SPF record to 100 existing domains.

Also, check your PM for specific SPF (with your server info).

On a Cpanel machine, exim by default is going to send all email out using the main IP address of the machine. So for a better resultant SPF record you'll want to know that IP address as well.

http://spf.pobox.com - You should check it out thoroughly.

In domain.com DNS zone file:

domain.com. IN TXT "v=spf1 ip4:###.###.###.### a mx ?all"

where ###.###.###.### = the main IP address of the server.

or

domain.com. IN TXT "v=spf1 a mx a:server.domain.com ?all"

where 'server.domain.com' = the main server hostname (which will be sending the mail).


You can substitute ?all with ~all if you wish
?all - says that the SPF record does NOT include ALL hosts that can legitimately send your mail
~all - says that the SPF record contains ALL hosts that can legitimately send your mail but that you are basically still determining your SPF values (in transition)
-all - says that the SPF record contains ALL hosts that can legitimately send mail

If, for instance, you host mail for a domain that predominantly sends mail from mail.domain.com BUT sometimes the person sends mail from random SMTP servers (such as when they travel and somehow dont have access to mail.domain.com for SMTP sending), then you don't want to use a -all. It's better to use ~all, or even better ?all.

If you know that the ONLY time mail is sent out is when it is sent out through one of the servers listed in the SPF record, then set -all.

I'm sure others will have different opinions.

Mike


Mike

 

[grindlay]

Adding SPF records retrospectively

ok How would you do that if you host say 100 domains and want SPF on all of them

There must be a script out there somewhere that will go through all files in:
/var/named/*.db looking for an SPF record and adding one if not present.
G.

 

[mtindor]

Also, so that new accounts automatically have an SPF record included, do the following:

1. Log into WHM
2. Select Edit Zone Templates (under DNS Functions)
3. Select the 'standard' template
4. add a line similar to this:

%domain%. IN TXT "v=spf1 ip4:###.###.###.### a mx ?all"

where ###.###.###.### = the main IP address of the server

OR

%domain%. IN TXT "v=spf1 a mx a:xxxxx.xxxxxx.xxx ?all"

where xxxxxx.xxxxxx.xxx = the main hostname of the server

5. Save

Again, check out http://spf.pobox.com and determine for yourself what values are good for you.

Somebody better with PERL scripting could easily tell you how to check for the existence of a TXT record in each of the 100 domains and add one for each domain that doesn't have one - but I'm not that person. For now you might just want to add them manually. Yes, a little tedious. But realistically I could probably do this via SSH at a rate of 6 per minute. If you're a fast typer and used to working from a shell prompt, then you may be able to do the same.

Mike