Re: faked bouncebacks. what the? - SpamAssassin


Thread: Re: faked bouncebacks. what the?

  1. Re: faked bouncebacks. what the?


  2. Re: faked bouncebacks. what the?


  3. Re: faked bouncebacks. what the?

    On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
    > On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
    > > http://rafb.net/p/q3eZwd93.html
    > >
    > > anyone can see any sense in it? it uses my hostname to fake a bounceback
    > > that claims i sent a message to another faked address, while all doing
    > > that from a dialup. what's the point of that? testing spambots?

    >
    > from the SA FAQ
    > (http://wiki.apache.org/spamassassin/...kedQuestions):
    >
    > # I'm getting a lot of "backscatter" / bounce messages / undeliverable
    > email notices / etc. regarding mail I didn't send. How can I block them?
    >
    > http://wiki.apache.org/spamassassin/VBounceRuleset



    It's not backscatter. Please read the message again, you'll see that it
    actually _pretends_ to be backscatter.
    I'm just asking here because I wondered why someone would do that.


    --
    best regards
    Arvid Ephraim Picciani


  4. Re: faked bouncebacks. what the?

    On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
    > http://rafb.net/p/q3eZwd93.html
    >
    > anyone can see any sense in it? it uses my hostname to fake a bounceback
    > that claims i sent a message to another faked address, while all doing
    > that from a dialup. what's the point of that? testing spambots?


    from the SA FAQ
    (http://wiki.apache.org/spamassassin/...kedQuestions):

    # I'm getting a lot of "backscatter" / bounce messages / undeliverable email
    notices / etc. regarding mail I didn't send. How can I block them?

    http://wiki.apache.org/spamassassin/VBounceRuleset
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    I don't have lysdexia. The Dog wouldn't allow that.


  5. Re: faked bouncebacks. what the?

    > On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
    > > On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
    > > > http://rafb.net/p/q3eZwd93.html
    > > >
    > > > anyone can see any sense in it? it uses my hostname to fake a bounceback
    > > > that claims i sent a message to another faked address, while all doing
    > > > that from a dialup. what's the point of that? testing spambots?

    > >
    > > from the SA FAQ
    > > (http://wiki.apache.org/spamassassin/...kedQuestions):
    > >
    > > # I'm getting a lot of "backscatter" / bounce messages / undeliverable
    > > email notices / etc. regarding mail I didn't send. How can I block them?
    > >
    > > http://wiki.apache.org/spamassassin/VBounceRuleset


    On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
    > It's not backscatter. Please read the message again, you'll see that it
    > actually _pretends_ to be backscatter.
    > I'm just asking here because I wondered why someone would do that.


    I've looked at it and I've (probably) missed it (again). Why do you think
    that it pretends to look like backscatter, and why do you think it is not?
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    - Have you got anything without Spam in it?
    - Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


  6. Re: faked bouncebacks. what the?

    On Tue, 13 May 2008, Matus UHLAR - fantomas wrote:

    >> On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
    >>> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
    >>>> http://rafb.net/p/q3eZwd93.html
    >>>>
    >>>> anyone can see any sense in it? it uses my hostname to fake a bounceback
    >>>> that claims i sent a message to another faked address, while all doing
    >>>> that from a dialup. what's the point of that? testing spambots?
    >>>
    >>> from the SA FAQ
    >>> (http://wiki.apache.org/spamassassin/...kedQuestions):
    >>>
    >>> # I'm getting a lot of "backscatter" / bounce messages / undeliverable
    >>> email notices / etc. regarding mail I didn't send. How can I block them?
    >>>
    >>> http://wiki.apache.org/spamassassin/VBounceRuleset

    >
    > On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
    >> It's not backscatter. Please read the message again, you'll see that it
    >> actually _pretends_ to be backscatter.
    >> I'm just asking here because I wondered why someone would do that.

    >
    > I've looked at it and I've (probably) missed it (again). Why do you think
    > that it pretends to look like backscatter, and why do you think it is not?


    Not to put words in anyone else's mouth, but I think what sets the
    recent incidents apart from backscatter is one of intention.

    Backscatter is the unintended blowback of spams sent out with forged
    From addresses where the intention is to deliver spam directly to a
    victim.

    This new phenomenon, which I've been referring to as bounce spam (or
    maybe bounced spam) reverses the intentionality. That is, bounce spam
    is intentionally sent to "misconfigured" servers that are known to
    bounce rather than reject, in which the forged From address is the
    intended victim. The fact that it's a bounce is just another way of
    eluding spam filters.

    In other words, backscatter is a by-product of spamming, while bounced
    spam is the product itself.

    --
    Public key #7BBC68D9 at | Shane Williams
    http://pgp.mit.edu/ | System Admin - UT iSchool
    =----------------------------------+-------------------------------
    All syllogisms contain three lines | shanew@shanew.net
    Therefore this is not a syllogism | www.ischool.utexas.edu/~shanew


  7. Re: faked bouncebacks. what the?

    On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:

    > I've looked at it and I've (probably) missed it (again). Why do you think
    > that it pretends to look like backscatter, and why do you think it is not?


    Backscatter is what happens if mail systems automatically reply to forged From:
    headers.
    In this case the mail was never sent over any third party. It claims to be
    a bounceback from my own MTA, while in fact it never went through any MTA
    (directly sent from dialup).
    I'm worried that this might be a new form of joe jobbing, i.e. someone sends out
    mails that look like bouncebacks from your machines.


    --
    best regards/Mit freundlichen Grüßen
    Arvid Ephraim Picciani


  8. Re: faked bouncebacks. what the?

    On Tue, 13 May 2008, Arvid Ephraim Picciani wrote:

    > On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
    >
    > > I've looked at it and I've (probably) missed it (again). Why do you think
    > > that it pretends to look like backscatter, and why do you think it is not?

    >
    > Backscatter is what happens if mail systems automatically reply to forged From:
    > headers.
    > In this case the mail was never sent over any third party. It claims to be
    > a bounceback from my own MTA, while in fact it never went through any MTA
    > (directly sent from dialup).


    Maybe some kind of probe to see if your MTA will take direct-from-dialup
    connections? (that IP is on 3 different RBLs, easily detected and blocked)

    Maybe some kind of broken virus/spambot that failed to correctly generate
    the payload. I've seen a new kind of virus-spam that looks like backscatter
    but the actual payload (a virus attachment or viral web page link) is in
    the "returned message" targeted at the purported sender.

    > I'm worried that this might be a new form of joe jobbing, i.e. someone sends out
    > mails that look like bouncebacks from your machines.


    Quiet, don't give the scumbags more ideas. ;(

    Dave

    --
    Dave Funk University of Iowa
    College of Engineering
    319/335-5751 FAX: 319/384-0549 1256 Seamans Center
    Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
    #include
    Better is not better, 'standard' is better. B{


  9. Re: faked bouncebacks. what the?

    > >On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
    > >>It's not backscatter. Please read the message again, you'll see that
    > >>it actually _pretends_ to be backscatter. I'm just asking here because I
    > >>wondered why someone would do that.


    > >I've looked at it and I've (probably) missed it (again). Why do you think
    > >that it pretends to look like backscatter, and why do you think it is not?


    On 13.05.08 12:01, Shane Williams wrote:
    > Not to put words in anyone else's mouth, but I think what sets the
    > recent incidents apart from backscatter is one of intention.


    Intentional or not, the VBounce ruleset is specially designed to catch all
    bounces that were sent in reply to mail that the user did not send.
    It's imho completely useless to speculate why the spammer forged the user's
    address and whether he wanted to spam the invalid address or the bounce
    recipient.

    > Backscatter is the unintended blowback of spams sent out with forged
    > From addresses where the intention is to deliver spam directly to a
    > victim.


    I don't see any reason why we should not call those bounces backscatter,
    even if this were true.

    > This new phenomenon, which I've been referring to as bounce spam (or
    > maybe bounced spam) reverses the intentionality. That is, bounce spam
    > is intentionally sent to "misconfigured" servers that are known to
    > bounce rather than reject, in which the forged From address is the
    > intended victim. The fact that it's a bounce is just another way of
    > eluding spam filters.


    > In other words, backscatter is a by-product of spamming, while bounced
    > spam is the product itself.


    I don't think it's intended. My better guess is that spammers want either
    side to get it.

    Since two addresses I receive mail for got joe-jobbed in the past, I don't
    think the reason was to deliver mail to us - what's the point of delivering
    tons of spam to _one_ forged address, when someone wants to spam? Spammers
    want (not being a spammer, I'm just guessing) their spam to be received by as
    many people as possible.

    Can you explain to me why a spammer would want all of his spam to be received
    by the same user?

    Even if we were to distinguish between getting random spam bounces and intended
    bounces, there's no need for a different reaction - we do not want them. We
    want to block them all.

    To summarize, the original message was a bounce, and it was backscatter.
    I really see no point in speculating whom the spammer wanted to spam; it
    would change nothing.
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    Linux - It's now safe to turn on your computer.
    Linux - Teraz mozete pocitac bez obav zapnut.


  10. Re: faked bouncebacks. what the?

    > On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
    >
    > > I've looked at it and I've (probably) missed it (again). Why do you think
    > > that it pretends to look like backscatter, and why do you think it is not?


    On 13.05.08 19:09, Arvid Ephraim Picciani wrote:
    > Backscatter is what happens if mail systems automatically reply to forged
    > From: headers.


    > In this case the mail was never sent over any third party. It claims to
    > be a bounceback from my own MTA, while in fact it never went through any MTA
    > (directly sent from dialup).


    Since the message expired, I can only guess from what I remember:

    your mailserver rewrote the From: and MAIL FROM address, but the mail was
    sent by a remote mailserver...

    > I'm worried that this might be a new form of joe jobbing, i.e. someone sends
    > out mails that look like bouncebacks from your machines.


    I didn't have that feeling when looking at the message. Maybe you could put
    it somewhere where it won't expire that fast?
    --
    Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
    Warning: I wish NOT to receive e-mail advertising to this address.
    Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
    We are but packets in the Internet of life (userfriendly.org)


  11. Re: faked bouncebacks. what the?

    On Tuesday 13 May 2008 22:45:43 mouss wrote:


    > That said, one possibility is this: Some SOHOs have an MSA on a DSL line.
    > A ratwared box inside (or a web service running on the MSA box) sends
    > mail to an invalid recipient. The MSA gets rejected and then sends you
    > an NDR. The MSA is borked enough to HELO with the recipient domain, and
    > generates an incomplete NDR.


    Interesting. And broken enough to use my hostname as From, in the body, HELO
    and message ID? Double backscatter? Kind of weird, but if that works it would
    at least just be some coincidence rather than intention.


    > PS. The link you posted is no more valid... (I mean
    > http://rafb.net/p/q3eZwd93.html)


    Sorry. I replaced the hostname with example.com and will keep it permanently
    here:
    http://exys.org/stuff/fakebounce.txt


    On Tuesday 13 May 2008 22:58:52 Matus UHLAR - fantomas wrote:
    > To summarize, the original message was a bounce, and it was a backscatter.


    Are you saying that the definition of "bounceback" is: everything that
    contains the subject line "Undelivered mail", or are you claiming that my
    server actually does backscatter?
    If you read closely again you will see that the message body claims to be
    generated by me:
    "Reporting-MTA: dns; mx1.example.com"

    and the from is forged:
    From: MAILER-DAEMON@example.com (Mail Delivery Subsystem)

    and the helo:

    Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7]
    helo=example.com)

    It's not a bounceback. It's 100% fake, not containing any extra content. The
    entire purpose of the message is to look like backscatter.

    > I really see no point of speculating who did the spammer want to spam, it
    > would change nothing.


    Oh I do, because of exactly my above point. People WILL start claiming that
    this is real backscatter and block or score the IP or hostname.

    --
    best regards/Mit freundlichen Grüßen
    Arvid Ephraim Picciani
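
    Matus's point above (post 9) that the VBounce ruleset catches bounces in reply to mail the user never sent, and Arvid's header analysis in this post (a Reporting-MTA and From: naming mx1.example.com while the Received: line shows an outside IP that HELO'd as example.com), come down to one check on the trace headers. The Python below is an added worked example of that check; it is not SpamAssassin's code and not anything anyone in the thread posted. The relay names, relay IPs and both sample messages are assumptions constructed for the example; the forged sample mirrors the headers quoted above with a documentation-range IP in place of the dialup address.

```python
"""Tell a forged bounce (a DSN that only *claims* to come from our own MTA)
apart from real backscatter and from a genuine bounce. Added example, not
SpamAssassin code; the hosts, IPs and messages below are assumed/constructed."""
import email
import ipaddress
import re
from email import policy

# Assumed: the relays that legitimately generate bounces for our domain
# (the equivalent of SpamAssassin's `whitelist_bounce_relays` setting).
OUR_DOMAIN = "example.com"
OUR_RELAYS = {"mx1.example.com", "mx2.example.com"}
OUR_RELAY_IPS = {ipaddress.ip_address(a) for a in ("198.51.100.10", "198.51.100.11")}

# Exim-style trace as quoted in the thread: "from RDNS ([IP] helo=NAME) by HOST"
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[^\]]+)\](?:\s+helo=(?P<helo>[^\s)]+))?\)"
    r"\s+by\s+(?P<by>[\w.-]+)", re.I)
REPORTING_RE = re.compile(r"^Reporting-MTA:\s*dns;\s*([\w.-]+)", re.I | re.M)
# A Received: header plus its folded continuation lines, as found inside a body.
RCVD_BLOCK_RE = re.compile(r"^Received:.*(?:\n[ \t].*)*", re.I | re.M)
OUR_RELAY_RE = re.compile(r"\b(" + "|".join(map(re.escape, OUR_RELAYS)) + r")\b", re.I)

def entry_hop(msg):
    """The Received: line where the message entered our relays (newest first)."""
    for rcvd in msg.get_all("Received", []):
        m = HOP_RE.search(rcvd)
        if m and m.group("by").lower() in OUR_RELAYS:
            return m.groupdict()
    return None  # no SMTP hop into our relays at all: generated locally

def classify_bounce(raw):
    """Return (verdict, reasons); verdict is one of not-a-bounce,
    genuine-bounce, backscatter, forged-bounce."""
    raw = raw.replace("\r\n", "\n")
    msg = email.message_from_string(raw, policy=policy.compat32)
    body = raw.partition("\n\n")[2]
    sender = msg.get("From", "")
    rep = REPORTING_RE.search(body)
    if not ("mailer-daemon" in sender.lower() or rep
            or msg.get_content_type() == "multipart/report"):
        return "not-a-bounce", []
    reporting = rep.group(1).lower() if rep else ""
    dom = re.search(r"@([\w.-]+)", sender)
    from_domain = dom.group(1).lower() if dom else ""

    if reporting in OUR_RELAYS or from_domain == OUR_DOMAIN:
        # A DSN our own MTA generated never crosses the Internet to reach us,
        # so an outside entry hop means the DSN is forged (the thread's case).
        hop = entry_hop(msg)
        if hop is None:
            return "genuine-bounce", ["locally generated, no external hop"]
        ip = re.sub(r"^ipv6:", "", hop["ip"], flags=re.I)
        try:
            if ipaddress.ip_address(ip) in OUR_RELAY_IPS:
                return "genuine-bounce", ["handed over by our own relay"]
        except ValueError:
            pass  # unparsable address literal: treat as outside
        reasons = [f"claims {reporting or from_domain} but arrived from {hop['ip']}"]
        helo = (hop.get("helo") or "").lower()
        if helo == OUR_DOMAIN or helo in OUR_RELAYS:
            reasons.append(f"outside host used HELO {helo}")
        return "forged-bounce", reasons

    # Third-party DSN: genuine only if the returned headers show the original
    # passing through one of our relays (the VBounce ruleset's approach). A
    # spammer can forge such a Received: line too, so this is a heuristic.
    for rcvd in RCVD_BLOCK_RE.findall(body):
        m = OUR_RELAY_RE.search(rcvd)
        if m:
            return "genuine-bounce", [f"original relayed via {m.group(1)}"]
    return "backscatter", ["bounced mail never passed through our relays"]

# Constructed sample modelled on the headers quoted in the thread.
FORGED_BOUNCE = """\
Received: from pool-192-0-2-7.dialup.example.net ([192.0.2.7] helo=example.com)
\tby mx1.example.com with esmtp id 1Kabc-0001 for user@example.com
From: MAILER-DAEMON@example.com (Mail Delivery Subsystem)
Subject: Undelivered Mail Returned to Sender

Reporting-MTA: dns; mx1.example.com
Final-Recipient: rfc822; nobody@invalid.example
"""

# Constructed: a real third-party bounce of spam that forged our address.
BACKSCATTER = """\
Received: from mail.thirdparty.example ([203.0.113.5])
\tby mx1.example.com with esmtp id 1Kabd-0002 for user@example.com
From: MAILER-DAEMON@thirdparty.example
Subject: Undelivered Mail Returned to Sender

Reporting-MTA: dns; mail.thirdparty.example

Received: from unknown ([198.51.100.77])
\tby mail.thirdparty.example with smtp id 42
From: user@example.com
"""
```

    `classify_bounce(FORGED_BOUNCE)` comes back as `forged-bounce` with two reasons (outside entry IP, and a HELO of our own domain from that IP), while `classify_bounce(BACKSCATTER)` is `backscatter` because the returned headers never name one of our relays. A DSN that claims our Reporting-MTA but has no SMTP hop into our relays, or arrives from one of our relay IPs, is a genuine local bounce. The point of the separate `forged-bounce` verdict is the one Arvid raises: scoring the message as "backscatter from mx1.example.com" would penalise the named host, when the named host never sent it. The Received: pattern covers the Exim trace format quoted in the thread; Postfix writes its hops as `from NAME (RDNS [IP])` and would need a second pattern.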


  12. Re: faked bouncebacks. what the?


    mouss writes:
    > Arvid Ephraim Picciani wrote:
    > > On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
    > >
    > >
    > >> I've looked at it and I've (probably) missed it (again). Why do you think
    > >> that it pretends to look like backscatter, and why do you think it is not?
    > >>

    > >
    > > Backscatter is what happens if mail systems automatically reply to forged From:
    > > headers.
    > > In this case the mail was never sent over any third party. It claims to be
    > > a bounceback from my own MTA, while in fact it never went through any MTA
    > > (directly sent from dialup).
    > > I'm worried that this might be a new form of joe jobbing, i.e. someone sends out
    > > mails that look like bouncebacks from your machines.

    >
    > Fake NDRs have been discussed a few years ago. For example, Sophos' "spam
    > and the non-delivery report.." dates back to March 2004.


    Sophos are just wrong though. They are assuming that backscatter
    is being sent by a spammer, which in almost all cases makes no
    sense and is (in my opinion) certainly not the case.

    > That said, one possibility is this: Some SOHOs have an MSA on a DSL line.
    > A ratwared box inside (or a web service running on the MSA box) sends
    > mail to an invalid recipient. The MSA gets rejected and then sends you
    > an NDR. The MSA is borked enough to HELO with the recipient domain, and
    > generates an incomplete NDR.


    I think this may be it; some MTAs will qualify a MAIL FROM:
    into an envelope sender address of .

    Certainly an odd case, but I don't see any benefit for a spammer to send
    that mail.

    --j.

