Posted to users@spamassassin.apache.org by Arvid Ephraim Picciani <ae...@ibcsolutions.de> on 2008/05/12 21:49:41 UTC

faked bouncebacks. what the?

I've got those:

http://rafb.net/p/q3eZwd93.html

can anyone see any sense in it?  it uses my hostname to fake a bounceback that 
claims I sent a message to another faked address, while doing all that from a 
dialup.  what's the point of that?  testing spambots?

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani

Re: faked bouncebacks. what the?

Posted by mouss <mo...@netoyen.net>.
Arvid Ephraim Picciani wrote:
> On Tuesday 13 May 2008 22:45:43 mouss wrote:
>> That said, one possibility is this: Some soho have an MSA on a dsl line. 
>> a ratwared box inside (or a web service running on the MSA box) sends 
>> mail to an invalid recipient. the MSA gets rejected and then sends you 
>> an NDR. the MSA is borked enough to helo with the recipient domain, and 
>> generates an incomplete NDR.
>
> interesting. and broken enough to use my hostname as From, in the body, helo 
> and message id? double backscatter? kind of weird, but if that works it would 
> at least just be some coincidence rather than intention.

- message-id was most probably generated by your own MTA because remote 
ratware didn't include one
- the domain part of the From: header may also have been added by your 
MTA because remote system uses a non fqdn address.

so that leaves us with helo and "Reporting-MTA".  considering that old 
mozilla stuff used to use the recipient domain in its helo, it is no 
surprise that many ratware does so. I would say the same for the 
Reporting-MTA.

at least, this is the most "logical" explanation I can see. Like you, I 
don't think a spammer intentionally wanted to send you a mostly empty 
NDR...


>> PS. The link you posted is no more valid... (I mean
>> http://rafb.net/p/q3eZwd93.html)
>
> sorry. i replaced the hostname with example.com and will keep it permanently 
> here.
> http://exys.org/stuff/fakebounce.txt
>
> On Tuesday 13 May 2008 22:58:52 Matus UHLAR - fantomas wrote:
>> To summarize, the original message was a bounce, and it was a backscatter.
>
> are you saying that the definition of "bounceback" is: everything that 
> contains the subject line "Undelivered mail", 

no. it's any DSN sent to a forged sender. in general, sender is empty, 
but this is not always true.

not sure if "bounceback" is better than "bounce out". because there is 
no "back" here... so outscatter is probably a better name.

> or are you claiming that my 
> server actually does backscatter.

if pool-151-204-219-7.pskn.east.verizon.net is one of your machines, 
then the problem is in your system. but this IP is in the US and your 
server in .de, so this doesn't look probable...

> If you read closely again you will see that the message body claims to be 
> generated from me:
> "Reporting-MTA: dns; mx1.example.com"
>
> and the from is forged:
> From: MAILER-DAEMON@example.com (Mail Delivery Subsystem)

as said above, this proves nothing as it may have been "fixed" by your 
MTA. you can test this by sending a message with a non fqdn From: 
address and see if your MTA will append your domain.

> and the helo:
>
> Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7] 
> helo=example.com)

the helo is obviously fake. now, something weird here:

$ host pool-151-204-219-7.pskn.east.verizon.net
Host pool-151-204-219-7.pskn.east.verizon.net not found: 3(NXDOMAIN)

so your exim is "logging" an unverified rDNS. (no, I won't debate 
received header formats...).

> it's not a bounceback. It's 100% fake.

you can't tell. as I said, it may be a bounce from ratware. you can't 
argue in a fictitious world...

> Not containing any extra content. The 
> entire purpose of the message is to look like backscatter.

I think it is backscatter. I have many of these without forgery (I mean 
with the right helo and reporting-mta). so I am tempted to believe that 
a silly developer wrote a bogus mailer and couldn't get a domain name 
(oh, that's hard, isn't it?) so used the final recipient domain...

>> I really see no point in speculating whom the spammer wanted to spam, it
>> would change nothing.
>
> oh i do, because of exactly my above point. people WILL start claiming that 
> this is real backscatter and block or score the IP or hostname. 

I don't know what you want to do with that IP. it gets blocked here:

$ host 151.204.219.7
7.219.204.151.in-addr.arpa domain name pointer 
pool-151-204-219-7.pskn.east.verizon.net.
$  host pool-151-204-219-7.pskn.east.verizon.net
Host pool-151-204-219-7.pskn.east.verizon.net not found: 3(NXDOMAIN)

that's generic rDNS + doesn't resolve back.

gets a
    450 4.7.1 Client host rejected: cannot find your hostname
here because of (postfix) reject_unknown_client applied in case of 
generic rDNS.

but for this particular transaction, a forged helo gets rejected with no 
mercy...

Re: faked bouncebacks. what the?

Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Tuesday 13 May 2008 22:45:43 mouss wrote:


> That said, one possibility is this: Some soho have an MSA on a dsl line. 
> a ratwared box inside (or a web service running on the MSA box) sends 
> mail to an invalid recipient. the MSA gets rejected and then sends you 
> an NDR. the MSA is borked enough to helo with the recipient domain, and 
> generates an incomplet NDR.

interesting. and broken enough to use my hostname as From, in the body, helo 
and message id? double backscatter? kind of weird, but if that works it would 
at least just be some coincidence rather than intention.


> PS. The link you posted is no more valid... (I mean
> http://rafb.net/p/q3eZwd93.html)

sorry. i replaced the hostname with example.com and will keep it permanently 
here.
http://exys.org/stuff/fakebounce.txt


On Tuesday 13 May 2008 22:58:52 Matus UHLAR - fantomas wrote:
> To summarize, the original message was a bounce, and it was a backscatter.

are you saying that the definition of "bounceback" is: everything that 
contains the subject line "Undelivered mail", or are you claiming that my 
server actually does backscatter.
If you read closely again you will see that the message body claims to be 
generated from me:
"Reporting-MTA: dns; mx1.example.com"

and the from is forged:
From: MAILER-DAEMON@example.com (Mail Delivery Subsystem)

and the helo:

Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7] 
helo=example.com)

it's not a bounceback. It's 100% fake. Not containing any extra content. The 
entire purpose of the message is to look like backscatter.

> I really see no point in speculating whom the spammer wanted to spam, it
> would change nothing.

oh i do, because of exactly my above point. people WILL start claiming that 
this is real backscatter and block or score the IP or hostname. 

-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani

Re: faked bouncebacks. what the?

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Tue, 13 May 2008, Arvid Ephraim Picciani wrote:

> On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
>
> > I've looked at it and I've (probably) missed it (again). Why do you think
> > that it pretends to look like backscatter, and why do you think it is not?
>
> backscatter is what happens if mail systems automatically reply to forged From:
> headers.
> In this case the mail was never sent over any third party.  It claims to be
> bounceback from my own MTA, while in fact it never went through any MTA
> (directly sent from dialup).

Maybe some kind of probe to see if your MTA will take direct-from-dialup
connections? (that IP is on 3 different RBLs, easily detected and blocked)

Maybe some kind of broken virus/spambot that failed to correctly generate
the payload. I've seen a new kind of virus-spam that looks like backscatter
but the actual payload (a virus attachment or viral web page link) is in
the "returned message" targeted at the purported sender.

> I'm worried that this might be a new form of joe jobbing.  Ie someone sends out
> mails that look like bounceback from your machines.

Quiet, don't give the scumbags more ideas. ;(

Dave

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: faked bouncebacks. what the?

Posted by mouss <mo...@netoyen.net>.
Arvid Ephraim Picciani wrote:
> On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
>> I've looked at it and I've (probably) missed it (again). Why do you think
>> that it pretends to look like backscatter, and why do you think it is not?
>
> backscatter is what happens if mail systems automatically reply to forged From: 
> headers.
> In this case the mail was never sent over any third party.  It claims to be 
> bounceback from my own MTA, while in fact it never went through any MTA 
> (directly sent from dialup).
> I'm worried that this might be a new form of joe jobbing.  Ie someone sends out 
> mails that look like bounceback from your machines.

Fake NDRs have been discussed a few years ago. for example, sophos "spam 
and the non-delivery report.." dates back to March 2004.

That said, one possibility is this: Some soho have an MSA on a dsl line. 
a ratwared box inside (or a web service running on the MSA box) sends 
mail to an invalid recipient. the MSA gets rejected and then sends you 
an NDR. the MSA is borked enough to helo with the recipient domain, and 
generates an incomplete NDR.


anyway, you can safely reject mail from systems that helo with your own 
domain... (or is this mail to a trap?).


PS. The link you posted is no more valid... (I mean 
http://rafb.net/p/q3eZwd93.html)
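As an added example (not code from this thread or from any of its posters), the script below applies the checks mouss describes here and in his longer reply earlier on the page: forward-confirmed rDNS (the PTR name must resolve back to the connecting IP, which is what postfix's reject_unknown_client trips on), the generic "pool-a-b-c-d" shape of dialup rDNS, and a HELO that names the recipient's own domain. DNS answers come from constructed stub records so it runs offline, and the sample Received headers are constructed in the exim shape quoted in the thread, with example.com standing in as the local domain.

```python
import re

# Constructed stub DNS data (no real lookups are made). It mirrors what the
# thread reports for the Verizon pool address: a PTR exists, but the name it
# points to has no forward record (NXDOMAIN). The other hosts live in the
# 192.0.2.0/24 documentation range and are invented for this example.
PTR_RECORDS = {
    "151.204.219.7": "pool-151-204-219-7.pskn.east.verizon.net",
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "host.example.org",
}
A_RECORDS = {
    "mail.example.net": ["192.0.2.10"],
    "host.example.org": ["192.0.2.20"],
    "mx1.example.com": ["192.0.2.1"],
}

# exim-style "Received: from <rdns> ([<ip>] helo=<name>)" as quoted in the thread
RECEIVED_RE = re.compile(
    r"^Received: from (?P<rdns>\S+) \(\[(?P<ip>[\d.]+)\](?: helo=(?P<helo>\S+))?\)"
)


def parse_received(line):
    """Extract the rDNS name, client IP and HELO name from one Received header."""
    m = RECEIVED_RE.match(line)
    if not m:
        raise ValueError("unrecognised Received header: %r" % line)
    return m.groupdict()


def fcrdns_status(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Forward-confirmed rDNS: IP -> PTR name, and that name's A records must contain the IP."""
    name = ptr.get(ip)
    if name is None:
        return "no-ptr"
    addrs = a.get(name)
    if addrs is None:
        # the 'host ... not found: 3(NXDOMAIN)' case from the thread
        return "ptr-does-not-resolve"
    return "ok" if ip in addrs else "forward-mismatch"


def is_generic_rdns(name, ip):
    """The name embeds the address octets, the usual shape of dynamic/dialup pool names."""
    octets = ip.split(".")
    return "-".join(octets) in name or "-".join(reversed(octets)) in name


def helo_is_own_domain(helo, own_domains):
    """A client that HELOs as the recipient's own domain is lying about who it is."""
    if helo is None:
        return False
    helo = helo.lower().rstrip(".")
    return any(helo == d or helo.endswith("." + d) for d in own_domains)


def classify(line, own_domains):
    """Return the list of problems found for one Received header (empty list = clean)."""
    rcv = parse_received(line)
    ip, rdns, helo = rcv["ip"], rcv["rdns"], rcv["helo"]
    problems = []
    status = fcrdns_status(ip)
    if status != "ok":
        problems.append("rdns:" + status)
    if is_generic_rdns(rdns, ip):
        problems.append("rdns:generic")
    if helo_is_own_domain(helo, own_domains):
        problems.append("helo:forged-own-domain")
    return problems


# Constructed sample headers: the first copies the shape quoted in the thread,
# the second is a well-behaved relay, the third has good rDNS but a forged HELO.
SAMPLE_HEADERS = [
    "Received: from pool-151-204-219-7.pskn.east.verizon.net ([151.204.219.7] helo=example.com)",
    "Received: from mail.example.net ([192.0.2.10] helo=mail.example.net)",
    "Received: from host.example.org ([192.0.2.20] helo=MX1.example.com)",
]
OWN_DOMAINS = ["example.com"]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header)
        print("  ->", classify(header, OWN_DOMAINS) or ["clean"])
```

The three checks are kept separate on purpose: an MTA would typically defer on the rDNS result (mouss's 450) but reject outright on the forged HELO, and the generic-rDNS pattern is only a hint that should be scored rather than acted on alone.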

Re: faked bouncebacks. what the?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:
> 
> > I've looked at it and I've (probably) missed it (again). Why do you think
> > that it pretends to look like backscatter, and why do you think it is not?

On 13.05.08 19:09, Arvid Ephraim Picciani wrote:
> backscatter is what happens if mail systems automatically reply to forged
> From: headers.

> In this case the mail was never sent over any third party.  It claims to
> be bounceback from my own MTA, while in fact it never went through any MTA
> (directly sent from dialup).

since the message expired, I only can guess from what I remember:

your mailserver re-wrote the from: and mail from address, but the mail was
sent by remote mailserver...

> I'm worried that this might be a new form of joe jobbing.  Ie someone sends
> out mails that look like bounceback from your machines.

I didn't have the feeling when looking at the message. Maybe you could put
it somewhere it won't expire that fast?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)

Re: faked bouncebacks. what the?

Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Tuesday 13 May 2008 16:51:50 Matus UHLAR - fantomas wrote:

> I've looked at it and I've (probably) missed it (again). Why do you think
> that it pretends to look like backscatter, and why do you think it is not?

backscatter is what happens if mail systems automatically reply to forged From: 
headers.
In this case the mail was never sent over any third party.  It claims to be 
bounceback from my own MTA, while in fact it never went through any MTA  
(directly sent from dialup).
I'm worried that this might be a new form of joe jobbing.  Ie someone sends out 
mails that look like bounceback from your machines.


-- 
best regards/Mit freundlichen Grüßen
Arvid Ephraim Picciani

Re: faked bouncebacks. what the?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> >On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
> >>It's not backscatter. Please read the message again, you'll see that
> >>it actually _pretends_ to be backscatter. I'm just asking here because i
> >>wondered why someone would do that.

> >I've looked at it and I've (probably) missed it (again). Why do you think
> >that it pretends to look like backscatter, and why do you think it is not?

On 13.05.08 12:01, Shane Williams wrote:
> Not to put words in anyone else's mouth, but I think what sets the
> recent incidents apart from backscatter is one of intention.

Intentional or not, the VBounce ruleset is specially designed to catch all
bounces that were sent in reply to mail that the user did not send. 
It's imho completely useless to speculate why the spammer forged the user's
address and whether he wanted to spam the invalid address or the bounce
recipient.

> Backscatter is the unintended blowback of spams sent out with forged
> From addresses where the intention is to deliver spam directly to a
> victim.

I don't see any reason why we should not call those bounces backscatter,
even if this were true.
 
> This new phenomenon, which I've been referring to as bounce spam (or
> maybe bounced spam) reverses the intentionality.  That is, bounce spam
> is intentionally sent to "misconfigured" servers that are known to
> bounce rather than reject, in which the forged From address is the
> intended victim.  The fact that it's a bounce is just another way of
> eluding spam filters.

> In other words, backscatter is a by-product of spamming, while bounced
> spam is the product itself.

I don't think it's intended. My better guess is that spammers want
either side to get it.

Since two addresses I receive mail for got joe-jobbed in the past, I don't
think the reason was to deliver mail to us - what's the point of delivering
tons of spam to _one_ forged address, when someone wants to spam? Spammers
want (not being a spammer I'm just guessing) their spam to be received by as
many people as possible.

Can you explain to me, why would spammer want all of his spam to be received
by the same user?

Even if we did distinguish between getting random spam bounces and intended
bounces, there's no need for a different reaction - we do not want them. We
want to block them all.

To summarize, the original message was a bounce, and it was backscatter.
I really see no point in speculating whom the spammer wanted to spam, it
would change nothing.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can switch on your computer without worry.

Re: faked bouncebacks. what the?

Posted by Shane Williams <sh...@shanew.net>.
On Tue, 13 May 2008, Matus UHLAR - fantomas wrote:

>> On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
>>> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
>>>> http://rafb.net/p/q3eZwd93.html
>>>>
>>>> anyone can see any sense in it?  it uses my hostname to fake a bounceback
>>>> that claims i sent a message to another faked address, while all doing
>>>> that from a dialup.  what's the point of that?  testing spambots?
>>>
>>> from the SA FAQ
>>> (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):
>>>
>>> # I'm getting a lot of "backscatter" / bounce messages / undeliverable
>>> email notices / etc. regarding mail I didn't send. How can I block them?
>>>
>>> http://wiki.apache.org/spamassassin/VBounceRuleset
>
> On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
>> It's not backscatter. Please read the message again, you'll see that it
>> actually _pretends_ to be backscatter.
>> I'm just asking here because i wondered why someone would do that.
>
> I've looked at it and I've (probably) missed it (again). Why do you think
> that it pretends to look like backscatter, and why do you think it is not?

Not to put words in anyone else's mouth, but I think what sets the
recent incidents apart from backscatter is one of intention.

Backscatter is the unintended blowback of spams sent out with forged
From addresses where the intention is to deliver spam directly to a
victim.

This new phenomenon, which I've been referring to as bounce spam (or
maybe bounced spam) reverses the intentionality.  That is, bounce spam
is intentionally sent to "misconfigured" servers that are known to
bounce rather than reject, in which the forged From address is the
intended victim.  The fact that it's a bounce is just another way of
eluding spam filters.

In other words, backscatter is a by-product of spamming, while bounced
spam is the product itself.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

Re: faked bouncebacks. what the?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
> On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
> > On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
> > > http://rafb.net/p/q3eZwd93.html
> > >
> > > anyone can see any sense in it?  it uses my hostname to fake a bounceback
> > > that claims i sent a message to another faked address, while all doing
> > > that from a dialup.  what's the point of that?  testing spambots?
> >
> > from the SA FAQ
> > (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):
> >
> > # I'm getting a lot of "backscatter" / bounce messages / undeliverable
> > email notices / etc. regarding mail I didn't send. How can I block them?
> >
> > http://wiki.apache.org/spamassassin/VBounceRuleset

On 13.05.08 15:17, Arvid Ephraim Picciani wrote:
> It's not backscatter. Please read the message again, you'll see that it 
> actually _pretends_ to be backscatter.
> I'm just asking here because i wondered why someone would do that.

I've looked at it and I've (probably) missed it (again). Why do you think
that it pretends to look like backscatter, and why do you think it is not?
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.

Re: faked bouncebacks. what the?

Posted by Arvid Ephraim Picciani <ae...@ibcsolutions.de>.
On Tuesday 13 May 2008 15:17:29 Matus UHLAR - fantomas wrote:
> On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
> > http://rafb.net/p/q3eZwd93.html
> >
> > anyone can see any sense in it?  it uses my hostname to fake a bounceback
> > that claims i sent a message to another faked address, while all doing
> > that from a dialup.  what's the point of that?  testing spambots?
>
> from the SA FAQ
> (http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):
>
> # I'm getting a lot of "backscatter" / bounce messages / undeliverable
> email notices / etc. regarding mail I didn't send. How can I block them?
>
> http://wiki.apache.org/spamassassin/VBounceRuleset


It's not backscatter. Please read the message again, you'll see that it 
actually _pretends_ to be backscatter.
I'm just asking here because i wondered why someone would do that.


-- 
best regards
Arvid Ephraim Picciani

Re: faked bouncebacks. what the?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 12.05.08 21:49, Arvid Ephraim Picciani wrote:
> http://rafb.net/p/q3eZwd93.html
> 
> anyone can see any sense in it?  it uses my hostname to fake a bounceback
> that claims i sent a message to another faked address, while all doing
> that from a dialup.  what's the point of that?  testing spambots?

from the SA FAQ
(http://wiki.apache.org/spamassassin/FrequentlyAskedQuestions):

# I'm getting a lot of "backscatter" / bounce messages / undeliverable email
notices / etc. regarding mail I didn't send. How can I block them?

http://wiki.apache.org/spamassassin/VBounceRuleset
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I don't have lysdexia. The Dog wouldn't allow that.