Posted to users@spamassassin.apache.org by Steve Martin <st...@planomartins.com> on 2005/08/11 18:43:29 UTC

Weird spam bounce back

I'm trying to figure out the route this took to get to me....

My guess is...

Some trojan/whatever sent an email to a nonexistent address  
(david@ryzor.cz)
The return address was spoofed as one of my addresses (xxxx@yyyy.com)
Their brain-dead mailer daemon then sent the failure back to me.

I've gotten a few of these today from "mailhub.intercaf.ru", one was  
even a bounce of an attempt to deliver an email to my domain that was  
blocked by an RBL lookup in postfix.  Nothing like blocking something  
only to have it bounce back to me.

Any suggestions on the best way to block this or have it detected as  
spam?

---

Return-Path: <MA...@mailhub.intercaf.ru>
X-Original-To: xxxx@yyyy.com  <---- one of my local addresses
Received: by cheezmo.com (Postfix, from userid 88)
     id 590A4E0C48; Thu, 11 Aug 2005 11:24:03 -0500 (CDT)
Received: from mailhub.intercaf.ru (mailhub.intercaf.ru [83.102.221.67])
     by cheezmo.com (Postfix) with ESMTP id B3859E0C39
     for <xx...@yyyy.com>; Thu, 11 Aug 2005 11:23:57 -0500 (CDT)
Received: from localhost (localhost)
     by mailhub.intercaf.ru (8.12.10/8.12.10) id j7BGMat1040225;
     Thu, 11 Aug 2005 20:22:36 +0400 (MSD)
     (envelope-from MAILER-DAEMON)
Date: Thu, 11 Aug 2005 20:22:36 +0400 (MSD)
From: Mail Delivery Subsystem <MA...@mailhub.intercaf.ru>
Message-Id: <20...@mailhub.intercaf.ru>
To: <xx...@yyyy.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
     boundary="j7BGMat1040225.1123777356/mailhub.intercaf.ru"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
X-Spam-Flag: NO
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on closet.local
X-Spam-Level:
X-Spam-Hammy: 0.001-2--98h-0s--4d--512, 0.001-1--60h-0s--9d--Host,
     0.013-1--4h-0s--15d--5.1.2, 0.017-10--916h-1s--0d--UD:yyyy.com
X-Spam-Status: No, score=-0.4 required=5.0 tests=AWL,BAYES_60  
autolearn=ham
     version=3.0.4
X-Spam-Spammy: 0.994-302--9h-107s--0d--H*Ad:D*yyyy.com,
     0.980-14--1h-5s--0d--D*ru, 0.976-11--1h-4s--0d--H*r:sk:mailhub,
     0.976-11--1h-4s--0d--H*MI:intercaf
X-Spam-Tokens: Tokens: new, 20; hammy, 29; neutral, 100; spammy, 65.
X-Spam-Report:
     *  1.0 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
     *      [score: 0.7756]
     * -1.4 AWL AWL: From: address is in the auto white-list
Status:

This is a MIME-encapsulated message

--j7BGMat1040225.1123777356/mailhub.intercaf.ru

The original message was received at Thu, 11 Aug 2005 20:22:35 +0400  
(MSD)
from 172.18.6.44.intercaf.ru [172.18.6.44] (may be forged)

    ----- The following addresses had permanent fatal errors -----
<da...@razyr.cz>
     (reason: 550 Host unknown)

    ----- Transcript of session follows -----
550 5.1.2 <da...@razyr.cz>... Host unknown (Name server: razyr.cz:  
host not found)

--j7BGMat1040225.1123777356/mailhub.intercaf.ru
Content-Type: message/delivery-status

Reporting-MTA: dns; mailhub.intercaf.ru
Received-From-MTA: DNS; 172.18.6.44.intercaf.ru
Arrival-Date: Thu, 11 Aug 2005 20:22:35 +0400 (MSD)

Final-Recipient: RFC822; david@razyr.cz
Action: failed
Status: 5.1.2
Remote-MTA: DNS; razyr.cz
Diagnostic-Code: SMTP; 550 Host unknown
Last-Attempt-Date: Thu, 11 Aug 2005 20:22:36 +0400 (MSD)

--j7BGMat1040225.1123777356/mailhub.intercaf.ru
Content-Type: text/rfc822-headers

Return-Path: <xx...@yyyy.com>
Received: from yyyy.com (172.18.6.44.intercaf.ru [172.18.6.44] (may  
be forged))
     by mailhub.intercaf.ru (8.12.10/8.12.10) with ESMTP id  
j7BGMZt1040223
     for <da...@razyr.cz>; Thu, 11 Aug 2005 20:22:35 +0400 (MSD)
     (envelope-from xxxx@yyyy.com)
Message-Id: <20...@mailhub.intercaf.ru>
From: xxxx@yyyy.com
To: david@razyr.cz
Subject: test
Date: Thu, 11 Aug 2005 20:23:25 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
     boundary="----=_NextPart_000_0003_AFA03F19.4131F551"
X-Priority: 3
X-MSMail-Priority: Normal
X-Greylist: Sender IP whitelisted, not delayed by milter- 
greylist-1.5.6 (mailhub.intercaf.ru [83.102.221.67]); Thu, 11 Aug  
2005 20:22:36 +0400 (MSD)

--j7BGMat1040225.1123777356/mailhub.intercaf.ru--


--
Steve Martin                              http://www.cheezmo.com/
Smart Calibration, LLC           http://www.smartcalibration.com/
The Widescreen Movie Center            http://www.widemovies.com/
Letterboxed Movie TV Schedule  http://www.widemovies.com/lbx.html
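Steve asks how to get these bounces detected as spam. One defensive heuristic, added here as an illustration and not code from the thread or from SpamAssassin itself: parse the DSN, pull the headers of the bounced original, and check whether that message ever passed through one of our own outbound relays. A bounce of mail we really sent always shows one of our hosts in a "by" clause; a joe-job bounce like the one above only shows the remote site's relay. The OUR_RELAYS set and the trimmed sample bounce are constructed for the example.

```python
import email
import re

# MTAs that legitimately relay our outbound mail. A real bounce of mail we
# sent must name one of them in a "by <host>" clause of the original
# message's Received chain (constructed list for this example).
OUR_RELAYS = {"cheezmo.com"}

def original_relays(bounce_text):
    """Return the set of 'by' hosts from the bounced message's Received
    headers, or None if this is not a DSN that carries them."""
    msg = email.message_from_string(bounce_text)
    if msg.get_content_type() != "multipart/report":
        return None
    for part in msg.walk():
        if part.get_content_type() in ("text/rfc822-headers", "message/rfc822"):
            # message/rfc822 parts carry a parsed Message; rfc822-headers is text
            orig = part.get_payload()[0] if part.is_multipart() \
                else email.message_from_string(part.get_payload())
            hops = " ".join(orig.get_all("Received", []))
            return set(re.findall(r"\bby\s+([\w.-]+)", hops))
    return None

def is_backscatter(bounce_text, our_relays=OUR_RELAYS):
    """True when the bounced original touched none of our relays, i.e. the
    return path was forged (a joe job) rather than mail we sent."""
    hops = original_relays(bounce_text)
    return hops is not None and not (hops & our_relays)

# Constructed sample modelled on the bounce quoted in the post.
SAMPLE = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mailhub.intercaf.ru>
To: <xxxx@yyyy.com>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="bnd"

--bnd
Content-Type: text/rfc822-headers

Return-Path: <xxxx@yyyy.com>
Received: from yyyy.com (172.18.6.44.intercaf.ru [172.18.6.44] (may be forged))
     by mailhub.intercaf.ru (8.12.10/8.12.10) with ESMTP id j7BGMZt1040223
     for <david@razyr.cz>; Thu, 11 Aug 2005 20:22:35 +0400 (MSD)
From: xxxx@yyyy.com
To: david@razyr.cz

--bnd--
"""

if __name__ == "__main__":
    print("backscatter" if is_backscatter(SAMPLE) else "legitimate bounce")
```

In a real deployment the same check belongs in a milter or SpamAssassin plugin rule so the score is applied before delivery, and OUR_RELAYS must list every host that can legitimately send mail with a local return path.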


Re: Weird spam bounce back

Posted by Matt Kettler <mk...@evi-inc.com>.
Kelson wrote:

> 
> 
> The ones I hate are the viruses that forge addresses like
> postmaster@mydomain, then try to send to user@mydomain.  We reject
> incoming mail claiming to be from postmaster@mydomain and similar
> addresses with a "Forgery detected!" error, since we know we'll only
> ever send that mail from inside our network.
> 
> So what happens?  The relay reads our error and generates a bounce,
> sending it to postmaster@mydomain, complete with the "Forgery detected"
> error we gave them!
> 
> The worst part is, I can't convince myself that they *shouldn't*
> generate the bounce.  It's just really annoying!
> 

Yes they should. Although, if they took the second approach I suggested and
checked the validity of the return path before accepting mail from the local
machine, they wouldn't have that problem.

(i.e.: instead of relaying mail from all internal hosts, you relay mail from all
internal hosts only if the return-path is one of your domains.)

Since more and more viruses/backdoors are using the local mail relay instead of
direct delivery, this is going to be more important to check for. Otherwise
postmaster's box is going to get filled up by double-bounces if one of your
machines is infected.



Re: Weird spam bounce back

Posted by Kelson <ke...@speed.net>.
Matt Kettler wrote:
> Steve Martin wrote:
>>Some trojan/whatever sent an email to a nonexistent address 
>>(david@ryzor.cz)
>>The return address was spoofed as one of my addresses (xxxx@yyyy.com)
>>Their brain-dead mailer daemon then sent the failure back to me.
> 
> 
> That's not really all that brain-dead.
> 
> Of course, they'd be smarter to check the recipient domain at delivery time,
> instead of queuing then bouncing later, but VERY few mailservers check this kind
> of thing.

The ones I hate are the viruses that forge addresses like 
postmaster@mydomain, then try to send to user@mydomain.  We reject 
incoming mail claiming to be from postmaster@mydomain and similar 
addresses with a "Forgery detected!" error, since we know we'll only 
ever send that mail from inside our network.

So what happens?  The relay reads our error and generates a bounce, 
sending it to postmaster@mydomain, complete with the "Forgery detected" 
error we gave them!

The worst part is, I can't convince myself that they *shouldn't* 
generate the bounce.  It's just really annoying!

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: Weird spam bounce back

Posted by Steve Martin <st...@planomartins.com>.
Sounds like a good plan, although I doubt I'll remember to stop  
blocking it after 24 hours ;-)

On Aug 11, 2005, at 12:01 PM, Matt Kettler wrote:

> Tell postfix to refuse mail from 83.102.221.67?
>
> That's generally what I do with joe-job bounces. I block the  
> affected server for
> 24 hours with a 550 explaining they've got an infected local user.  
> This way the
> messages double-bounce and end up in their postmaster box.
>

--
Steve Martin                              http://www.cheezmo.com/
Smart Calibration, LLC           http://www.smartcalibration.com/
The Widescreen Movie Center            http://www.widemovies.com/
Letterboxed Movie TV Schedule  http://www.widemovies.com/lbx.html


Re: Weird spam bounce back

Posted by Matt Kettler <mk...@evi-inc.com>.
Steve Martin wrote:
> I'm trying to figure out the route this took to get to me....
> 
> My guess is...
> 
> Some trojan/whatever sent an email to a nonexistent address 
> (david@ryzor.cz)
> The return address was spoofed as one of my addresses (xxxx@yyyy.com)
> Their brain-dead mailer daemon then sent the failure back to me.

That's not really all that brain-dead.

Of course, they'd be smarter to check the recipient domain at delivery time,
instead of queuing then bouncing later, but VERY few mailservers check this kind
of thing.

The other thing they could do would be to check the return-path at delivery time
and refuse to relay mail that doesn't have a return-path for their local domain.
(in addition to checking that the source host is allowed to relay, not instead of).

However, very few sites check this when the source is a local machine. Most
will relay anything sent by their own users, regardless of return path.


> 
> I've gotten a few of these today from "mailhub.intercaf.ru", one was 
> even a bounce of an attempt to deliver an email to my domain that was 
> blocked by an RBL lookup in postfix.  Nothing like blocking something 
> only to have it bounce back to me.
> 
> Any suggestions on the best way to block this or have it detected as spam?

Tell postfix to refuse mail from 83.102.221.67?

That's generally what I do with joe-job bounces. I block the affected server for
24 hours with a 550 explaining they've got an infected local user. This way the
messages double-bounce and end up in their postmaster box.