spam bounce back prevention

wzd

Well-Known Member
Dec 16, 2005
120
1
168
South Africa
cPanel Access Level
Root Administrator
Hi All,

I'm seeing a TON of email in the mail watch log which shows what i call a bounce back attack. Basically someone is emailing from [email protected] to other people, this is then bouncing back to us.

some of the emails are even showing FROM mailboxes at our clients domain that don't even exist (eg. [email protected])

I'm interested in preventing this (besides:fail:) - Would a sender policy framework help and/or could someone point me to a url to understand SPF better?
**EDIT** I understand that this is a common issue referred to as Dictionary Attacks but does implementing a sender policy framework do anything to decrease this?

Additionally Mailscanner is recently tagging all mail that does not have a FROM header automatically as low scoring spam. The problem with this is READ receipts or delivery failures all come without headers so none of our domains are receiving read receipts for email.

Any advice / flaming / urls on the above appreciated.
Wzd
 
Last edited:

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Actually this is not a dictionary attack at all; it's in fact called backscatter (or, a "joe-job"). Unfortunate that it's not a Dictionary Attack as they're relatively easy to defend against - see www.configserver.com.

I've heard that cPanel support the inclusion of a signature in outgoing email so backscatter can be rejected if it is not genuine; I'm not sure what the status of that is at this point.

SPF helps a little, but not a lot. The real solution is the signature.
 

mtindor

Well-Known Member
Sep 14, 2004
1,363
65
178
inside a catfish
cPanel Access Level
Root Administrator
ok How would you do that if you host say 100 domains and want SPF on all of them
say my helo statemnet is rg.rgpayne.com
I'll let somebody else address how you should easily add an SPF record to 100 existing domains.

Also, check your PM for specific SPF (with your server info).

On a Cpanel machine, exim by default is going to send all email out using the main IP address of the machine. So for a better resultant SPF record you'll want to know that IP address as well.

http://spf.pobox.com - You should check it out thoroughly.

In domain.com DNS zone file:

domain.com. IN TXT "v=spf1 ip4:###.###.###.### a mx ?all"

where ###.###.###.### = the main IP address of the server.

or

domain.com. IN TXT "v=spf1 a mx a:server.domain.com ?all"

where 'server.domain.com' = the main server hostname (which will be sending the mail).


You can substitute ?all with ~all if you wish
?all - says that the SPF record does NOT include ALL hosts that can legitimately send your mail
~all - says that the SPF record contains ALL hosts that can legitimately send your mail but that you are basically still determining your SPF values (in transition)
-all - says that the SPF record contains ALL hosts that can legitimately send mail

If, for instance, you host mail for a domain that predominantly sends mail from mail.domain.com BUT sometimes the person sends mail from random SMTP servers (such as when they travel and somehow dont have access to mail.domain.com for SMTP sending), then you don't want to use a -all. It's better to use ~all, or even better ?all.

If you know that the ONLY time mail is sent out is when it is sent out through one of the servers listed in the SPF record, then set -all.

I'm sure others will have different opinions.

Mike


Mike
 

grindlay

Active Member
Dec 8, 2004
39
0
156
Edinburgh, Scotland
cPanel Access Level
Root Administrator
Adding SPF records retrospectively

ok How would you do that if you host say 100 domains and want SPF on all of them
There must be a script out there somewhere that will go through all files in:
/var/named/*.db looking for an SPF record and adding one if not present.
G.
 

mtindor

Well-Known Member
Sep 14, 2004
1,363
65
178
inside a catfish
cPanel Access Level
Root Administrator
Also, so that new accounts automatically have an SPF record included, do the following:

1. Log into WHM
2. Select Edit Zone Templates (under DNS Functions)
3. Select the 'standard' template
4. add a line similar to this:

%domain%. IN TXT "v=spf1 ip4:###.###.###.### a mx ?all"

where ###.###.###.### = the main IP address of the server

OR

%domain%. IN TXT "v=spf1 a mx a:xxxxx.xxxxxx.xxx ?all"

where xxxxxx.xxxxxx.xxx = the main hostname of the server

5. Save

Again, check out http://spf.pobox.com and determine for yourself what values are good for you.

Somebody better with PERL scripting could easily tell you how to check for the existence of a TXT record in each of the 100 domains and add one for each domain that doesn't have one - but I'm not that person. For now you might just want to add them manually. Yes, a little tedious. But realistically I could probably do this via SSH at a rate of 6 per minute. If you're a fast typer and used to working from a shell prompt, then you may be able to do the same.

Mike