postmaster replies for spam using forged email addresses - VMS

This is a discussion on postmaster replies for spam using forged email addresses - VMS ; Gentlemen, We have been receiving thousands of failed mail messages, "you are sending me spam messages", etc. which result from spam being sent using email addresses from our email domain. Some of our users and, alas, several senior managers feel ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: postmaster replies for spam using forged email addresses

  1. postmaster replies for spam using forged email addresses

    Gentlemen,

    We have been receiving thousands of failed mail messages, "you are sending
    me spam messages", etc. which result from spam being sent using email
    addresses from our email domain. Some of our users and, alas, several
    senior managers feel put upon by being singled out for this treatment.

    Are there any reasonable and sensible ways to cut down the number of replies
    that come in from forged spam messages?

    My resonse was, "live with it" but I was told that was not a reasonable
    answer and ordered to send this message.

    --
    Richard Loken VE6BSV, Unix System Administrator : "Anybody can be a father
    Athabasca University : but you have to earn
    Athabasca, Alberta Canada : the title of 'daddy'"
    ** richardlo@admin.athabascau.ca ** : - Lynn Johnston


  2. Re: postmaster replies for spam using forged email addresses

    > >Are there any reasonable and sensible ways to cut down the number of replies
    > >that come in from forged spam messages?


    > Tricky. If the responses include the Recieved headers from the message
    > which pretended to be from your site, you could in theory attempt to check
    > them for references to your site. I don't think this would be easy to do.
    > (Step 1: locate the headers from the fake message!)


    > If the responses are auto-generated you might have better luck.


    I've been playing with different ideas for use with PMAS, but don't
    yet have anything worth trying to share. The main problem is that
    these are (usually) legitimate bounces---they just happen to be for
    mail that the user didn't actually send. It's usually very tough (in
    an automated way) to distinguish between a real bounce that the user
    should see and one of these bounces resulting from a faked message.
    It's made even harder by the wide variety of bounce message formats in
    use out there.

    Hunter
    ------
    Hunter Goatley, Process Software, http://www.process.com/
    goathunter@GOATLEY.COM http://www.goatley.com/hunter/

  3. Re: postmaster replies for spam using forged email addresses

    > We have been receiving thousands of failed mail messages, "you are sending
    > me spam messages", etc. which result from spam being sent using email
    > addresses from our email domain. Some of our users and, alas, several
    > senior managers feel put upon by being singled out for this treatment.


    > Are there any reasonable and sensible ways to cut down the number of replies
    > that come in from forged spam messages?


    It depends on the nature of those replies. If they are manual replies along
    the lines of "please stop sending me this crap", then you are, for all intents
    and purposes, screwed. These are legitimate messages by any definition and
    anything that tries to block them is going to have a totally unacceptable
    false positive rate.

    If, OTOH, you're talking about delivery status notifications, there are some
    options. IMO none of them are what I'd call "great" and most aren't even
    "good", but they exist.

    The obvious one is to somehow classify these bounces as spam. This isn't
    something you can implement yourself - your spam filter has to do it. (Perhaps
    there's some kind of option on the filter you use to enable this, but in most
    cases there won't be.) AFAICT most spam filter already do this to some extent -
    if they see a nondelivery notification they will dig inside it and see if the
    returned message content looks like spam. BUt the chances of this working
    diminish the less of the original spam is included in the notification, and
    unfortunately rather than fix their setups to either reject spam at the SMTP
    level or just silently discard it, some have dealt with the blowback problem by
    including as little content in the notification as possible so they won't be
    responsible for speading live viruses.

    Another option is SPF. This is easy to do: Put SPF records for your domain
    that say "mail from my domain has to come from these systems, otherwisse
    it should be seen as forged". You don't need SPF support in your mail
    software for this - this is depending on SPF support being present on
    remote systems.

    There are many problems with this, however. For one, it only works to the
    extent that others run SPF software - and SPF hasn't caught on all that well.
    But the big problem is that this prevents some legitimate uses of your domain -
    your travelling users (which probably overlaps the ones who are upset about
    blowback) won't be able to send mail directly using their normal address
    without it being seen by SPF-supporting systems as a forgery. And there are
    issues with autoforwarders.

    Yet another option is to use BATV:

    http://mipassoc.org/batv/

    The idea is basically to timestamp and "sign" (a keyed hash is all that's
    needed) the envelope from addresses on outgoing mail. Then, when bounces arrive
    (identified as such by the lack of an envelope from address), only accept the
    mail if it has one of these special addresses and the signature is valid.

    But there are problems with this as well. For one thing, BATV interacts poorly
    with maiiing lists which validate senders based on envelope from addresses -
    like this problem probably does. And it assumes that all messages with empty
    envelope from fields are bounces, or perhaps more to the point such messages
    will only be sent to an address that previously appeared in an envelope from.
    This is one of those "mostly but not completely" true sorts of things.

    I'm fairly sure BATV can be hacked in to PMDF using the FORWARD, REVERSE, and
    SEND_ACCESS mappings. (It's pretty tricky because the FORWARD mapping cannot
    reject mail and the SEND_ACCESS mapping cannot modify address. So what you'd
    have to do is use the FORWARD mapping to check for BATV encoding and if found
    remove it, but routing to one channel if the encoding was OK and another if it
    wasn't. Then you'd use the SEND_ACCESS mapping to check for an empty envelope
    from, a non-BATV address, and the "wrong" destination channel, and block if
    there's a match. Of course the REVERSE mapping is where the BATV stuff is added
    to the envelope from address. And the mapping machinery is not up to the task
    of doing BATV so you'd have to write some plugins for that.)

    Finally, there's the approach of correlating notifications with the messages
    that caused them to be sent. A notification that doesn't match up is simply
    discarded. But once again there are problems: This depends critically on there
    being a single choke point through which all outgoing mail passes. If your
    users send mail while travelling without connecting back to your servers the
    only place such a choke point can be implemented is on the client itself. But
    if you do it on the client the same client has to be used for all mail. And
    this depends on notifications being in a recognizable format, which they may
    not be. And finally, good luck on finding a client that actually implements
    this - AFAIK there isn't one.

    > My resonse was, "live with it" but I was told that was not a reasonable
    > answer and ordered to send this message.


    Whether or not something is reasonable is dictated by the realities of how
    things are, not wishful thinking about how things ought to be. Your response
    may not have been politic but given the current state of affairs it was
    completely reasonable.

    Ned

  4. Re: postmaster replies for spam using forged email addresses

    "Richard Loken" wrote in message news:Pine.PMDF.4.44L.0806031610130.1079-100000@local.admin.athabascau.ca....
    > Gentlemen,
    >
    > We have been receiving thousands of failed mail messages, "you are sending
    > me spam messages", etc. which result from spam being sent using email
    > addresses from our email domain. Some of our users and, alas, several
    > senior managers feel put upon by being singled out for this treatment.
    >
    > Are there any reasonable and sensible ways to cut down the number of replies
    > that come in from forged spam messages?
    >
    > My resonse was, "live with it" but I was told that was not a reasonable
    > answer and ordered to send this message.
    >
    > --
    > Richard Loken VE6BSV, Unix System Administrator : "Anybody can be a father
    > Athabasca University : but you have to earn
    > Athabasca, Alberta Canada : the title of 'daddy'"
    > ** richardlo@admin.athabascau.ca ** : - Lynn Johnston


    As others said, there is little you can do against these messages.
    One thing you can do is to make it easier to recognize spam with email addresses
    from your domain. If these messages are easier to filter out, the number of
    (misdirected) complaints will also reduce.
    One way of doing so is using SPF records, in which you publically state that mail
    from your domain should only come from your servers.
    This needs some education for your traveling users. They should send their mail
    using your server as SMTP host via authenticated SMTP.

+ Reply to Thread