spam bounce back prevention

Discussion in 'General Discussion' started by wzd, Sep 20, 2007.

  1. wzd

    Hi All,

    I'm seeing a TON of email in the mail watch log which shows what I call a bounce back attack. Basically someone is emailing from xxxxxx@clientsdomain.com to other people, and this is then bouncing back to us.

    Some of the emails are even showing FROM mailboxes at our client's domain that don't even exist (e.g. postmaster@clientsdomain.com).

    I'm interested in preventing this (besides :fail:) - Would a sender policy framework help and/or could someone point me to a URL to understand SPF better?
    **EDIT** I understand that this is a common issue referred to as Dictionary Attacks but does implementing a sender policy framework do anything to decrease this?

    Additionally Mailscanner is recently tagging all mail that does not have a FROM header automatically as low scoring spam. The problem with this is READ receipts or delivery failures all come without headers so none of our domains are receiving read receipts for email.

    Any advice / flaming / urls on the above appreciated.
    Wzd
     
    #1 wzd, Sep 20, 2007
    Last edited: Sep 20, 2007
  2. brianoz

    Actually this is not a dictionary attack at all; it's in fact called backscatter (or, a "joe-job"). Unfortunate that it's not a Dictionary Attack as they're relatively easy to defend against - see www.configserver.com.

    I've heard that cPanel support the inclusion of a signature in outgoing email so backscatter can be rejected if it is not genuine; I'm not sure what the status of that is at this point.

    SPF helps a little, but not a lot. The real solution is the signature.
     
  3. sawbuck

  4. grindlay

    SPF

    SPF would mitigate the attack for the recipient mail systems that pay attention to it.
    You can have WHM add SPF records automatically to all new accounts using the DNS template.

    http://www.openspf.org/
     
    #4 grindlay, Sep 21, 2007
    Last edited: Sep 21, 2007
  5. CaMer0n

    Does anyone have additional information on preventing this kind of spam?
    I already have SPF, but it doesn't help much.

    Thanks
     
  6. rgpayne

    OK, how would you do that if you host, say, 100 domains and want SPF on all of them?
    Say my HELO statement is rg.rgpayne.com.
     
  7. mtindor

    I'll let somebody else address how you should easily add an SPF record to 100 existing domains.

    Also, check your PM for specific SPF (with your server info).

    On a cPanel machine, Exim by default is going to send all email out using the main IP address of the machine. So for a better resultant SPF record you'll want to know that IP address as well.

    http://spf.pobox.com - You should check it out thoroughly.

    In domain.com DNS zone file:

    domain.com. IN TXT "v=spf1 ip4:###.###.###.### a mx ?all"

    where ###.###.###.### = the main IP address of the server.

    or

    domain.com. IN TXT "v=spf1 a mx a:server.domain.com ?all"

    where 'server.domain.com' = the main server hostname (which will be sending the mail).


    You can substitute ?all with ~all if you wish
    ?all - says that the SPF record does NOT include ALL hosts that can legitimately send your mail
    ~all - says that the SPF record contains ALL hosts that can legitimately send your mail but that you are basically still determining your SPF values (in transition)
    -all - says that the SPF record contains ALL hosts that can legitimately send mail

    If, for instance, you host mail for a domain that predominantly sends mail from mail.domain.com BUT sometimes the person sends mail from random SMTP servers (such as when they travel and somehow don't have access to mail.domain.com for SMTP sending), then you don't want to use a -all. It's better to use ~all, or even better ?all.

    If you know that the ONLY time mail is sent out is when it is sent out through one of the servers listed in the SPF record, then set -all.

    I'm sure others will have different opinions.

    Mike
     
  8. grindlay

    Adding SPF records retrospectively

    There must be a script out there somewhere that will go through all files in:
    /var/named/*.db looking for an SPF record and adding one if not present.
    G.
     
  9. mtindor

    Also, so that new accounts automatically have an SPF record included, do the following:

    1. Log into WHM
    2. Select Edit Zone Templates (under DNS Functions)
    3. Select the 'standard' template
    4. add a line similar to this:

    %domain%. IN TXT "v=spf1 ip4:###.###.###.### a mx ?all"

    where ###.###.###.### = the main IP address of the server

    OR

    %domain%. IN TXT "v=spf1 a mx a:xxxxx.xxxxxx.xxx ?all"

    where xxxxxx.xxxxxx.xxx = the main hostname of the server

    5. Save

    Again, check out http://spf.pobox.com and determine for yourself what values are good for you.

    Somebody better with PERL scripting could easily tell you how to check for the existence of a TXT record in each of the 100 domains and add one for each domain that doesn't have one - but I'm not that person. For now you might just want to add them manually. Yes, a little tedious. But realistically I could probably do this via SSH at a rate of 6 per minute. If you're a fast typer and used to working from a shell prompt, then you may be able to do the same.

    Mike
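
The script asked for in posts 8 and 9 (scan `/var/named/*.db`, add an SPF record where none exists) could look like the following. This is an added example, not code from any poster or from cPanel. It assumes zone files are named `<domain>.db`, that the SOA record uses the usual parenthesised layout with the serial first, and it uses the `ip4:... a mx ?all` record form from post 7. The function names, the sample zone and the address 192.0.2.10 are constructed for illustration.

```python
import re
from pathlib import Path

SPF_RE = re.compile(r'\bTXT\b.*v=spf1', re.IGNORECASE)
SERIAL_RE = re.compile(r'(\bSOA\b[^()]*\(\s*)(\d+)')

# Constructed sample zone (not from the thread); 192.0.2.10 is a documentation address.
SAMPLE_ZONE = """$TTL 14400
example.com. 86400 IN SOA ns1.example.com. admin.example.com. (
        2007092001 ; serial
        86400 ; refresh
        7200 ; retry
        3600000 ; expire
        86400 ) ; minimum
example.com. IN NS ns1.example.com.
example.com. IN A 192.0.2.10
example.com. IN MX 0 example.com.
"""

def has_spf(zone_text):
    """True if any non-comment line is a TXT record carrying an SPF policy."""
    return any(SPF_RE.search(line) for line in zone_text.splitlines()
               if not line.lstrip().startswith(';'))

def bump_serial(zone_text):
    """Increment the SOA serial so secondary name servers pick up the change."""
    return SERIAL_RE.sub(lambda m: m.group(1) + str(int(m.group(2)) + 1),
                         zone_text, count=1)

def add_spf(zone_text, domain, server_ip):
    """Return the zone with an SPF record appended, or unchanged if one exists."""
    if has_spf(zone_text):
        return zone_text  # a second SPF record would make SPF evaluation fail
    record = f'{domain}. IN TXT "v=spf1 ip4:{server_ip} a mx ?all"\n'
    return bump_serial(zone_text).rstrip('\n') + '\n' + record

def process_dir(zone_dir, server_ip, dry_run=True):
    """Scan <zone_dir>/*.db and return the domains that lacked an SPF record."""
    changed = []
    for path in sorted(Path(zone_dir).glob('*.db')):
        old = path.read_text()
        new = add_spf(old, path.stem, server_ip)
        if new != old:
            changed.append(path.stem)
            if not dry_run:
                path.with_name(path.name + '.bak').write_text(old)  # keep a backup
                path.write_text(new)
    return changed
```

Call `process_dir('/var/named', '<main server IP>')` first with `dry_run` left on to list the affected domains. After a real run, check each changed zone with `named-checkzone` before reloading the name server.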
     