kris1351

Well-Known Member
Apr 18, 2003
Lewisville, Tx
We have some smartass spammer out there that thought it would be cute to spoof [email protected] as the sender of emails. Though these don't actually touch our system, the bounce-backs are coming to our sales address. Is there anything that can be done about this? Please please make it legal to track spammers down and beat them with a stick.

 

ciphervendor

Well-Known Member
Aug 26, 2002
Set up a filter to discard the bounced emails.

 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
cPanel Access Level
DataCenter Provider
I know this is an old discussion but there doesn't seem to be much discussion about spoofing on the forums, and I have a site that is getting hammered with bounce-backs because someone is spoofing all sorts of non-existent email usernames at one of my domains.

I've set up over 100 filters to try and deal with it, but the problem is I'm getting hit with over 20,000 bounces a day.

I dropped the MX record of the domain to 0.0.0.0 for 2 weeks hoping that this would dry things up, but alas that has failed.

Is there anything else I can do to prevent this sort of thing happening?

All the bounces are coming through to my catchall account, however I can't :blackhole: this account as I have a Hivemail service set up on it.

I'm also concerned by the load it's been putting on Exim as well.

Is there a way to filter out these bounces before they hit the mail queue?

Any advice would be greatly appreciated.

TIA
 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
cPanel Access Level
DataCenter Provider
I should also mention the emails appear to be coming from China :(

Here's the source from one of my bounces:

Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Sun, 30 May 2004 02:52:05 -0500
Received: from snowzone by perisher.myserverdns.net with local-bsmtp (Exim 4.34)
id 1BUL6x-00048R-OK
for [email protected]; Sun, 30 May 2004 02:52:04 -0500
Received: from [212.97.32.23] (helo=smtp02.kpnqwest.it)
by perisher.myserverdns.net with esmtp (Exim 4.34)
id 1BUL6w-00048E-25
for [email protected]; Sun, 30 May 2004 02:52:03 -0500
Received: by smtp02.kpnqwest.it (Postfix)
id 9CA0010E2B6; Tue, 25 May 2004 18:39:05 +0200 (CEST)
Date: Tue, 25 May 2004 18:39:05 +0200 (CEST)
From: [email protected] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [email protected]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="BCC5010CFBE.1085503145/smtp02.kpnqwest.it"
Message-Id: <[email protected]>
X-MailScanner: Found to be clean, Found to be clean
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
perisher.myserverdns.net
X-Spam-Level: **
X-Spam-Status: No, hits=2.0 required=5.0 tests=BIZ_TLD,DATE_IN_PAST_96_XX
autolearn=no version=2.63
X-MailScanner-Information: Please contact the ISP for more information


This is a MIME-encapsulated message.

--BCC5010CFBE.1085503145/smtp02.kpnqwest.it
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host smtp02.kpnqwest.it.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<[email protected]>: host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

<[email protected]>: host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

<[email protected]>: host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

<[email protected]>: host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

<[email protected]>: host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

<[email protected]>: host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

--BCC5010CFBE.1085503145/smtp02.kpnqwest.it
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; smtp02.kpnqwest.it
Arrival-Date: Tue, 25 May 2004 18:36:27 +0200 (CEST)

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

Final-Recipient: rfc822; [email protected]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host 212.97.32.9[212.97.32.9] said: 550 5.1.1
<[email protected]>... User unknown (in reply to RCPT TO command)

--BCC5010CFBE.1085503145/smtp02.kpnqwest.it
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from localhost (localhost [127.0.0.1])
by smtp02.kpnqwest.it (Postfix) with ESMTP
id BCC5010CFBE; Tue, 25 May 2004 18:36:27 +0200 (CEST)
Received: from smtp02.kpnqwest.it ([127.0.0.1])
by localhost (smtp02.kpnqwest.it [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 29927-21; Tue, 25 May 2004 18:36:27 +0200 (CEST)
Received: from snowzone.net.au (unknown [220.170.44.74])
by smtp02.kpnqwest.it (Postfix) with SMTP
id 59C13107B87; Tue, 25 May 2004 18:36:09 +0200 (CEST)
Message-ID: <[email protected]>
Date: Tue, 25 May 2004 13:01:04 -0600
From: "spencer delacuesta" <[email protected]>
User-Agent: Genesis Email Client 5.50.4233.2400
X-Accept-Language: en-us
MIME-Version: 1.0
To: "lincoln wieckowski" <[email protected]>
Cc: "numbers malit" <[email protected]>,
"quentin salcido" <[email protected]>,
"eliseo lashmet" <[email protected]>,
"royal beverly" <[email protected]>,
"dudley lucero" <[email protected]>
Subject: Vk Stop the pain, here's how
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit

gutenberg-tm com-inc po-box


Our online shop is your source for locating many prescription drugs without
a prior prescription in comp1iance with FDA regulations.

Order these pills: ; ^ So+m+a > P/n/termin < V/a/lium . [email protected] & V1C0`DIN

Will ship worldwide.

V C http://b.info.infocounty.biz/abc/ok/


di`scon ava1iable at our we^bpage

One day a boy came to his teacher and said:" Teacher, pa wants to know if
you like roast pig.""I certainly do," said the teacher, "and you tell your
father he is very kind to think of me."Days passed, and nothing more was
said about the roast pig.Finally the teacher said to the boy:"I thought your
father was going to send me over some roast pig.""Yes," said the boy, "he
did intend to, but the pig sot well."
In Newcastle, England, recently a cat called Ziggy was found to have stolen
things worth more than 1,000 pounds from houses in the neighborhood of its
owner. At first, people reported to the police that they had many things
stolen and Helen Lucarelli, Ziggy's owner, kept finding new things in her
kitchen,. The things were not hers and they included jewelry, underwear,
toys, napkins from a restaurant, watches, rubber gloves, soap, and a hat,.
Ziggy even got back police tape that had been important in a case. Helen had
no idea where these things had come from, so she gave them to local charity
shops. When the whole thing was fond out, Helen said to her friends. "It was
awfully embarrassing when I found so much strange underwear in my kitchen."
gekitsui3motocyou02ouzyu,ikikake ranposho.


--BCC5010CFBE.1085503145/smtp02.kpnqwest.it--
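The message/rfc822 part of the bounce above carries the spam's own Received: trail, which shows it entered smtp02.kpnqwest.it from 220.170.44.74 rather than from the poster's server. The following is an added example (not code from this thread, cPanel or Exim) that parses a DSN of that shape and classifies it as backscatter when none of those hops is one of our relays, a test that Subject-string filters cannot make; OUR_RELAYS and SAMPLE_DSN are constructed placeholders.

```python
"""Classify a bounce (DSN) as genuine or backscatter.

The remote MTA writes the Received: trail of the message it returns, so if no hop
names one of our relays we never sent it. Headers are forgeable: treat as a signal."""
import email
import re
from email import policy

# Our outbound relays by host name or IP (constructed placeholders, RFC 5737 space).
OUR_RELAYS = {"mx.example.com", "203.0.113.10"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"\b(?:from|by)\s+([\w.\-]+)", re.I)


def is_dsn(msg):
    """RFC 3464 shape: null return path, or multipart/report of type delivery-status."""
    rp = msg.get("Return-Path")
    null_sender = rp is not None and rp.strip() == "<>"
    report = (msg.get_content_type() == "multipart/report"
              and str(msg.get_param("report-type", "")).lower() == "delivery-status")
    return null_sender or report


def returned_message(dsn):
    """The copy of the original message inside the DSN (full or headers only), or None."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def relay_hosts(msg):
    """Every host name or bracketed IP named in the message's Received: trail."""
    text = " ".join(str(h) for h in msg.get_all("Received") or [])
    return {h.lower() for h in HOP_RE.findall(text)} | set(IP_RE.findall(text))


def classify(raw):
    """'not-a-bounce', 'unknown' (no returned copy), 'genuine-bounce' or 'backscatter'."""
    dsn = email.message_from_string(raw, policy=policy.default)
    if not is_dsn(dsn):
        return "not-a-bounce"
    orig = returned_message(dsn)
    if orig is None:
        return "unknown"
    return "genuine-bounce" if relay_hosts(orig) & OUR_RELAYS else "backscatter"


# Constructed DSN modelled on the Postfix bounce quoted above: the returned spam entered
# smtp02.example.net from 198.51.100.74, which is not one of OUR_RELAYS.
SAMPLE_DSN = """\
Return-Path: <>
From: MAILER-DAEMON@smtp02.example.net (Mail Delivery System)
To: sales@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/rfc822

Received: from localhost (localhost [127.0.0.1]) by smtp02.example.net (Postfix)
Received: from example.com (unknown [198.51.100.74]) by smtp02.example.net (Postfix)
From: "spencer delacuesta" <sales@example.com>
To: user@example.net
Subject: Stop the pain

Order these pills
--b1--
"""
```

Running `classify()` over a saved bounce before writing an Exim rule shows whether the bounce even carries a returned copy; DSNs that drop it come back as "unknown" and still need a Subject- or sender-based rule.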
 

casey

Well-Known Member
Jan 17, 2003
Originally posted by Snowman30
I should also mention the emails appear to be coming from China :(

Here's the source from one of my bounces:
If you don't have any Chinese customers and don't plan on selling hosting to anyone who does, just ban all Chinese IPs.
 

matt621

Well-Known Member
Jun 25, 2003
I too have been battling with this same problem. It's totally out of control.

You can't just ban all Chinese IPs because the bounces don't come from Chinese IPs. The original spam does, but what happens is the spam bounces to the original recipient, and then the spammer forges a bogus return address which happens to be on his (or my or your) servers. That's the problem.

I have the same problem with SpamAssassin. SA detects spam and then bounces the email, which either bounces back or comes from another server using SpamAssassin, in which case it bounces to the admin of the site, which is me.

I can't figure out why more people are not up in arms about this problem, in that it's totally out of control.
 

casey

Well-Known Member
Jan 17, 2003
Originally posted by matt621
You can't just ban all Chinese IPs because the bounces don't come from Chinese IPs.
You're right. I wasn't thinking. In that case the only thing I can think of is what ciphervendor mentioned, i.e. to create a filter to discard the e-mails.

I believe the only way to truly defend yourself is to delete all accounts that have been registered by spammers and set your default account to :fail:. That is what I have had to do.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I agree with casey - there is very little indeed that you can do. You should disable catchall accounts wherever you can. The only other solution is what you've already done, which is to use filters to ditch bounces.

It's a particularly nasty part of the whole spam issue, and one that is usually forgotten about.
 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
cPanel Access Level
DataCenter Provider
The unfortunate thing about bounces is that when you get over 20,000 an hour to all sorts of random obscure email addresses @yourdomain.com it becomes very hard to filter them...

especially in my case when I'm running a Hivemail system on the catchall I've been affected on the most :(
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
I know from personal experience what an issue that can be with web-based email products (we produce our own) that use the catchall alias.

At what point are you filtering out the emails? Are you matching on the header/body content and just quietly ignoring those emails?

I wonder if there is a more efficient way to filter them out using ACLs in Exim. I'll pop over to their site to see, though posting on the Exim list might be a good idea.
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
It would appear that the best way to filter the mail would be to look into system filters:
http://www.exim.org/exim-html-4.30/doc/html/spec_40.html#CHAP40

I believe that this is what /etc/antivirus.exim is, so modifying that file with anti-bounce filters to just quietly drop the files could be more efficient than doing it outside of Exim.
 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
cPanel Access Level
DataCenter Provider
Thanks for the advice

Exim filters are all gibberish to me.

I don't suppose someone could post an example of a filter to block bounces, so that I can work on creating more for each thing I want to block...
 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
cPanel Access Level
DataCenter Provider
I need to block the following from hitting the server for this particular domain:


Here's what my vfilters file for the particular domain has in it:
if error_message then finish endif

if
$header_subject: contains "Delivery Status Notification (Failure)"
or $header_subject: contains "Delivery Status Notification"
or $header_subject: contains "Delivery failure"
or $header_subject: contains "Mail Delivery Failure"
or $header_subject: contains "Mail System Error - Returned Mail"
or $header_subject: contains "Mail delivery failed: returning message to sender"
or $header_subject: contains "Message status - undeliverable"
or $header_subject: contains "Returned mail: User unknown"
or $header_subject: contains "Undeliverable Mail"
or $header_subject: contains "Undelivered Mail Returned to Sender"
or $header_subject: contains "Undelivered mail"
or $header_subject: contains "failure notice"
then
save "/dev/null" 660
endif
Unfortunately it loads up Exim and doesn't seem to /dev/null the emails.

Can anyone suggest how I can stop these before they get to Exim?

Or, as an alternative, is there any way of stopping the F^$(&)#r who is sending out thousands of spam emails with my domain as the return address???

I also have the following type of filter in cPanel set up as well:

[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: :blackhole:
[email protected]: [email protected]
[email protected]: :blackhole:
My guess is the email addresses are being created randomly and I can't keep up with blocking them.
 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
cPanel Access Level
DataCenter Provider
Can anyone offer any further advice on how to stop this?

I can't take the domain down and can't afford the downtime for my mail account users...

Currently I have all mail to this domain going to 0.0.0.0.

Maybe I should bounce all mail for the domain back at these ^%#$%^#^%$ in China???

My big issue is that it's flaring my Exim loads up and down like a yo-yo and CPU usage is often jumping to 99%, which in turn is spiking the loads on the server way over 20 on occasions.

Surely there must be a way to filter these out before they hit Exim?

Can anyone offer any further advice?
 

matt621

Well-Known Member
Jun 25, 2003
I know I'll catch all sorts of hell for this, but I blame the people who originated this system of sending mail. Why forged headers are even possible is beyond logic to me. If it says it's from xyzdomain.com and it's not coming from xyzdomain.com, it should be dropped immediately by anyone that comes in contact with it.

If this problem of forged headers was solved, 99% of the spam email out there I think would disappear.

So why isn't someone doing something about that, instead of putting the burden on the millions of system admins who are the ones suffering through this mess?
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Go on, have a guess
People are working on solutions. The problem, as you're probably aware, is completely historic. The SMTP protocols were written long before the concept of "spam" and deceit were envisioned - their responsibility was to ensure correct flow of information with each stage adhering to the prescribed protocol.

Unfortunately, changing that to account for current requirements is exceedingly difficult. As an example, just have a look at the snail's pace of IPv6 as a replacement for IPv4.

Changing the SMTP protocol is going to require en-masse changes to all MTAs and all servers. That's no easy task and would require backwards compatibility with the current system for a long, long time. So, even if a solution were found today, it's still not going to resolve the situation for many years.

This is why the onus is on us system administrators having to deal with a protocol that was written for a different era and bolt on tools around it.
 

Snowman30

Well-Known Member
PartnerNOC
Apr 7, 2002
cPanel Access Level
DataCenter Provider
My wonderful spammer is again hammering the crap out of this domain.

Anyone have any new solutions to stop these bounce messages murdering Exim?

My valias file now looks like:

Code:
# Exim filter

if error_message then finish endif

if
 $header_subject: contains "Delivery Status Notification (Failure)"
 or $header_subject: contains "Delivery Status Notification"
 or $header_subject: contains "Delivery failure"
 or $header_subject: contains "Mail Delivery Failure"
 or $header_subject: contains "Mail System Error - Returned Mail"
 or $header_subject: contains "Mail delivery failed: returning message to sender"
 or $header_subject: contains "Message status - undeliverable"
 or $header_subject: contains "Returned mail: User unknown"
 or $header_subject: contains "Undeliverable Mail"
 or $header_subject: contains "Undelivered Mail Returned to Sender"
 or $header_subject: contains "Undelivered mail"
 or $header_subject: contains "failure notice"
 or $header_subject: contains "Mail System Error - Returned Mail"  
 or $header_subject: contains "Mail delivery failed: returning message to sender"  
 or $header_subject: contains "Message status - undeliverable"  
 or $header_subject: contains "Returned mail: User unknown"  
 or $header_subject: contains "Undeliverable Mail"  
 or $header_subject: contains "Undelivered Mail Returned to Sender"  
 or $header_subject: contains "Undelivered mail"  
 or $header_subject: contains "failure notice"    
 or $header_subject: contains "Returned mail: see transcript for details"  
 or $header_subject: contains "[No Subject]"  
 or $header_subject: contains "Unable to deliver your message"  
 or $header_subject: contains "Mail delivery: reception refused"  
 or $header_subject: contains "failure delivery"
 or $header_subject: contains "Mail Delivery Failure" 
 or $header_subject: contains "Your Message Could Not Be Delivered"  
 or $header_subject: contains "Delivery Notification: Delivery has failed"  
 or $header_subject: contains "Returned Mail: Sending Fail"
 or $header_subject: contains "Returned mail: see transcript for details"    
 or $header_subject: contains "Delivery Notification"
 or $header_subject: contains "Undeliverable:"
 or $header_subject: contains "Mail delivery failed: returning message to sender"
 or $header_subject: contains "Message rejected by system" 
 or $header_subject: contains "Notification d'état de la distribution"  
 or $header_subject: contains "Service de distribution du courrier" 
 or $header_subject: contains "Notification d'état de la distribution"  
 or $header_subject: contains "Undeliverable: Your account has been charged successfully"  
 or $header_subject: contains "Re: Your Account #5 has been charged"  
 or $header_subject: contains "Returned Mail: Error During Delivery"  
 or $header_subject: contains "Returned mail - nameserver error report"  
 or $header_subject: contains "Returned mail"  
 or $header_subject: contains "Delivery Status Notification (Failure)"  
 or $header_subject: contains "Returned Mail: Error During Delivery"  
 or $header_subject: contains "Returned mail: see transcript for details"  
 or $header_subject: contains "failure notice"   
 or $header_subject: contains "Undelivered Mail Returned to Sender"
 or $header_subject: contains "Returned mail: Service unavailable" 
 or $header_subject: contains "{Virus?}" 
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
 or $header_to: is "[email protected]"
then
 save "/dev/null" 660
endif
None of these filters seem to be applied for some reason, and the account is getting over 10,000 bounce emails an hour....
 

hostultra

Well-Known Member
Aug 21, 2002
You need to remove this line or put it below your bounce filter:
if error_message then finish endif

That's what's causing your filters to be ignored,
because it's not filtering error messages.
 

slinky

Well-Known Member
Jul 26, 2007
This is a very old thread but I'm encountering this problem as well. Can anyone point me to a solution? Unfortunately setting up the filters locally in cpanel for the affected email address or an account level for the entire domain do not seem to be working. Would appreciate steps on what people do to keep the addresses working (I've disabled catchall) and keep it working.
 

mdelacruz

Member
Apr 24, 2004
Forged Email

This is a very old thread but I'm encountering this problem as well. Can anyone point me to a solution? Unfortunately setting up the filters locally in cpanel for the affected email address or an account level for the entire domain do not seem to be working. Would appreciate steps on what people do to keep the addresses working (I've disabled catchall) and keep it working.
Any solution after a long time dealing with this issue? I have searched all over the web and didn't find a solution yet, please any little or big tip would be appreciated.