Posted to users@spamassassin.apache.org by dvesely <dv...@webprecision.com> on 2007/12/20 08:43:43 UTC

Bounce notification

I have set up bounce notification for my SpamAssassin mail server but my server
manager has recommended that I do not use it. He wrote:

We can't configure Bouncing the SPAM message at Server level, but we can do
this at domain level.
 
If we configured to bounce at Domain level, it will affect the server's
performance, because the Server DS109 is blocking around 12,500 SPAM
messages per day. If you want to bounce those entire messages then your mail
server will come to a halt.

Most of the SPAM messages will have a forged FROM address, so the server
has to deal with returned bounce messages also. This is a processor and
memory hungry task.

===========================

This is not acceptable to me because people have to be notified because
there are always false positives.
 
Is he correct? Will this kill my server?
 
What's the best way to set up bounce notification?

Thanks to anyone who can help!
 
Dan


Re: Bounce notification

Posted by Graham Murray <gr...@gmurray.org.uk>.
dvesely <dv...@webprecision.com> writes:

> What's the best way to set up bounce notification?

The best way is to not bounce at all but reject with a 5xx code during
the SMTP conversation. Though be careful to only do this at 'border'
MTAs (those listed in the MX records for the destination domain) not on
internal servers.

Re: Bounce notification

Posted by Joseph Brennan <br...@columbia.edu>.
dvesely <dv...@webprecision.com> wrote:

> I have set up bounce notification for my SpamAssassin mail server but my
> server manager has recommended that I do not use it. He wrote:
>
> We can't configure Bouncing the SPAM message at Server level, but we can
> do this at domain level.
>
> If we configured to bounce at Domain level, it will affect the server's
> performance, because the Server DS109 is blocking around 12,500 SPAM
> messages per day. If you want to bounce those entire messages then your
> mail server will come to a halt.
>
> Most of the SPAM messages will have a forged FROM address, so the server
> has to deal with returned bounce messages also. This is a processor and
> memory hungry task.


I don't know what "level" means.  Mail for webprecision.com goes to
smtp-in.webprecision.com.  That host should either refuse spam during
the SMTP transaction (like "550 This looks like spam"), or accept and
keep.  It should never accept and then mail back a bounce.  Most of
the senders are not deliverable, and most of the rest are deliverable
to innocent people whose addresses were faked by the spammer.

I agree with your desire to notify senders because of false positives.
This is accomplished by having smtp-in.webprecision.com refuse.  Legit
servers that get a 550 will notify the sender.

If you mean that smtp-in.webprecision.com accepts everything, and
re-sends to another host that runs SpamAssassin, then all you can do
is score and tag, and the recipient will have to notice the fp's.

Joseph Brennan
Columbia University Information Technology



Re: Bounce notification

Posted by AxisInternet <ax...@gmail.com>.
dvesely wrote:
> My server manager tells me that my Windows version of SpamAssassin cannot
> reject email at the SMTP level. This is only possible in the Unix version.
> True or False?
> 
> If false, can you give me a link to instructions on enabling this feature or
> any known workaround please?

SpamAssassin, in and of itself, cannot reject messages at any level. You can
'wrap' it with other scripts or applications that can reject messages based
on their SA scores though - such as with MailScanner - www.mailscanner.info



Chris


Re: Bounce notification

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 21.12.07 13:01, dvesely wrote:
> I am running a Windows server with Smartermail and SpamAssassin. While I
> understand what you are telling me below I would really appreciate a
> suggestion or recommendation on how to set up a system that will control spam
> and notify users whose email is blocked in error.

Notify who about what? If you reject at SMTP level, notifications to senders
are up to the sending SMTP servers. You don't even want to notify receivers
- if your users don't want to be abused by the spam, they surely don't want to
be abused by the notifications about each spam blocked.

Just configure rejection with score high enough (I use 10) and you won't
have to take care about notifications.

(scores above 7 may appear in some "hams", sent by lame mailer from users
who don't know about that)

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

Re: Bounce notification

Posted by dvesely <dv...@webprecision.com>.
I am running a Windows server with Smartermail and SpamAssassin. While I
understand what you are telling me below I would really appreciate a
suggestion or recommendation on how to set up a system that will control spam
and notify users whose email is blocked in error.
 
Any suggestions or examples you can give would be appreciated.
 
Dan


Bob Proulx wrote:
> 
> dvesely wrote:
>> My server manager tells me that my Windows version of SpamAssassin cannot
>> reject email at the SMTP level. This is only possible in the Unix
>> version.
>> True or False?
> 
> False but for a different reason.  False because the Unix version of
> SpamAssassin can't reject at the SMTP level either.  SpamAssassin is
> not an MTA and does not transfer mail with SMTP.  An MTA (mail
> transfer agent) such as the classic old Sendmail or the newer Postfix
> and Exim programs use SMTP to transfer mail from host to host.  These
> could be MS-Windows but are usually Unix or GNU server machines.
> Usually on MS-Windows the MS-Exchange program is used.  Only those
> programs can reject at the SMTP level.
> 
> If the address is to an invalid address then the MTA has the
> capability to know immediately if the message should be rejected.  It
> can't deliver it and therefore it should not accept the message.  This
> has nothing to do with spam.  This only has to do with valid addresses
> and being able to successfully deliver the message.  If the message
> can't be delivered then it needs to be rejected.
> 
> In the old days (and sadly today on some large organization site)
> border machines would receive the message and route the mail through
> multiple hops to a final destination machine.  At the final
> destination it might be undeliverable.  In that case a bounce message
> is generated and returned to the specified from address.  This has
> been used by spammers in the past to bounce their spam to their
> victims.  They create a known invalid address as the recipient at a
> site known to create bounce messages after having accepted them.  They
> forge a victim address as the from address.  The message can't be
> delivered and the bounce message then carries the spam payload message
> as a bounce reply to the forged victim from address as backscatter.
> Also known as a joe-job.
> 
> As an additional (newish) capability people want to be able to reject
> spam immediately at SMTP time too.  In order to do that many people
> have added plugins to the MTA (aka milters [mail filter]) to examine
> the message at the time of transfer and make an immediate decision
> before the SMTP accept as to whether the message is to be accepted or
> rejected.  If the message is classified as spam by the plugin then the
> MTA can reject the message at that time.  Using virus scanners and
> SpamAssassin as a plugin to the MTA to do this is quite popular.
> 
> But SpamAssassin itself is not doing any of the bouncing.  It is
> solely the responsibility of the MTA, perhaps based upon input from
> these plugins.  If you don't have control over your MTA then you do
> not have the option of doing this.  In which case you should only
> silently quarantine or silently discard messages classified as spam.
> 
> Bob
> 
> 



Re: Bounce notification

Posted by Rick Mallett <rm...@ccs.carleton.ca>.
On Fri, 21 Dec 2007, Bob Proulx wrote:

> dvesely wrote:
>> My server manager tells me that my Windows version of SpamAssassin cannot
>> reject email at the SMTP level. This is only possible in the Unix version.
>> True or False?
>
> False but for a different reason.  False because the Unix version of
> SpamAssassin can't reject at the SMTP level either.  SpamAssassin is
[deleted]

>
> In the old days (and sadly today on some large organization site)
> border machines would receive the message and route the mail through
> multiple hops to a final destination machine.  At the final
> destination it might be undeliverable.  In that case a bounce message
> is generated and returned to the specified from address.  This has
> been used by spammers in the past to bounce their spam to their
> victims.  They create a known invalid address as the recipient at a
> site known to create bounce messages after having accepted them.  They
> forge a victim address as the from address.  The message can't be
> delivered and the bounce message then carries the spam payload message
> as a bounce reply to the forged victim from address as backscatter.
> Also known as a joe-job.
>

This is a bit off topic, but I've noticed that a lot of backscatter
arriving at my site has email addresses that are obviously forged to
be incorrect, as in john_doe_qq@carleton.ca, where the same address
without the "_qq" is a valid email address.

It's not a dictionary attack because the addresses are all different,
but each is a slight modification of a valid address, and I've always
assumed that the spammers using this technique don't want the bounced
messages delivered in order to cover their tracks.

However, that doesn't make much sense since any messages that did get
delivered (i.e. didn't get bounced) would have the same routing info,
so why not use a valid bounce address to improve the odds that the
spam will get delivered somewhere?

Has anyone else encountered forged from addresses that are obviously
meant to be incorrect, and does anyone have any idea why a spammer might
choose to do that, rather than forge a correct address and double the odds
that the spam will get through?

- rick



Re: Bounce notification

Posted by Bob Proulx <bo...@proulx.com>.
dvesely wrote:
> My server manager tells me that my Windows version of SpamAssassin cannot
> reject email at the SMTP level. This is only possible in the Unix version.
> True or False?

False but for a different reason.  False because the Unix version of
SpamAssassin can't reject at the SMTP level either.  SpamAssassin is
not an MTA and does not transfer mail with SMTP.  An MTA (mail
transfer agent) such as the classic old Sendmail or the newer Postfix
and Exim programs use SMTP to transfer mail from host to host.  These
could be MS-Windows but are usually Unix or GNU server machines.
Usually on MS-Windows the MS-Exchange program is used.  Only those
programs can reject at the SMTP level.

If the address is to an invalid address then the MTA has the
capability to know immediately if the message should be rejected.  It
can't deliver it and therefore it should not accept the message.  This
has nothing to do with spam.  This only has to do with valid addresses
and being able to successfully deliver the message.  If the message
can't be delivered then it needs to be rejected.

In the old days (and sadly today on some large organization site)
border machines would receive the message and route the mail through
multiple hops to a final destination machine.  At the final
destination it might be undeliverable.  In that case a bounce message
is generated and returned to the specified from address.  This has
been used by spammers in the past to bounce their spam to their
victims.  They create a known invalid address as the recipient at a
site known to create bounce messages after having accepted them.  They
forge a victim address as the from address.  The message can't be
delivered and the bounce message then carries the spam payload message
as a bounce reply to the forged victim from address as backscatter.
Also known as a joe-job.

As an additional (newish) capability people want to be able to reject
spam immediately at SMTP time too.  In order to do that many people
have added plugins to the MTA (aka milters [mail filter]) to examine
the message at the time of transfer and make an immediate decision
before the SMTP accept as to whether the message is to be accepted or
rejected.  If the message is classified as spam by the plugin then the
MTA can reject the message at that time.  Using virus scanners and
SpamAssassin as a plugin to the MTA to do this is quite popular.

But SpamAssassin itself is not doing any of the bouncing.  It is
solely the responsibility of the MTA, perhaps based upon input from
these plugins.  If you don't have control over your MTA then you do
not have the option of doing this.  In which case you should only
silently quarantine or silently discard messages classified as spam.

Bob

Re: Bounce notification

Posted by dvesely <dv...@webprecision.com>.
My server manager tells me that my Windows version of SpamAssassin cannot
reject email at the SMTP level. This is only possible in the Unix version.
True or False?

If false, can you give me a link to instructions on enabling this feature or
any known workaround please?

Thanks,
 
Dan


Bob Proulx wrote:
> 
> dvesely wrote:
>> I have set up bounce notification for my SpamAssassin mail server but my
>> server manager has recommended that I do not use it. He wrote:
> 
> Right.  Best not to generate bounces to spam after you have received
> it because if you do you become a source of spam yourself.
> 
>> Most of the SPAM messages will have a forged FROM address, so the server
>> has to deal with returned bounce messages also. This is a processor and
>> memory hungry task.
> 
> The problem isn't that your server would become overloaded.  The
> problem is that your server would become a source of backscatter spam
> because of the bounced messages to forged from addresses.  *I* for one
> would blacklist your server because of this.
> 
> Search the web for backscatter spam and read about the problems that
> it causes before attempting to set up a server that bounces spam
> messages.  Rejecting at the SMTP level is the better way to go.
> 
> Bob
> 
> 



Re: Bounce notification

Posted by Bob Proulx <bo...@proulx.com>.
Dan Vesely wrote:
> If you reject at the smtp level how are users notified?
>
> There has to be a way to notify users if they are rejected so that they can
> contact the sender to be put on the white list.

The user would get a normal bounce return.  As far as the person
receiving the bounce message there is no difference between bouncing
messages at SMTP time and bouncing them later after having received
them.  They see the same message.  The critical difference is that
rejecting at smtp time avoids many of the problems with forged
addresses.

Example of a valid bounce case:

Alice sends Bob an email message.  The MTA on Alice's server contacts
the MTA on Bob's server using SMTP.  But unfortunately the address is
mistyped and can't be delivered.  At SMTP time the MTA on Bob's
machine rejects the message with the reason being no such user.  The
MTA on Alice's machine gets the rejection at SMTP time.  The MTA
delivers the bounce message to Alice.

Example of Backscatter:

Mallory sends Bob a spam email message.  Mallory wants to fool Bob
into thinking the message came from Alice.  Mallory forges Alice's
address on the message.  The MTA on Mallory's server contacts the MTA
on Bob's server.  Bob has misconfigured his server to accept all
messages and bounce undeliverable messages later.  The MTA on Bob's
server accepts the message.  After accepting the message, possibly
after forwarding to other internal servers such as is common on many
large networks, the system determines that the message is spam.  Bob
has misconfigured the system to send a reject message.  The MTA on
Bob's server sends a bounce message to Alice.  Alice gets a message
from Bob's server.  The payload of the message is the spam body from
Mallory.  Mallory repeats this with thousands of other servers.  Alice
is overloaded with "joe-job" backscatter spam.

Specifically in the case of spam it is now best practice to silently
discard messages without generating a rejection message to avoid being
a source of backscatter spam.

The same result of backscatter is possible if the message is not spam
but is undeliverable due to an invalid address.

Example of a Potential Backscatter Avoided:

Mallory sends Bob a spam email message.  Mallory wants to fool Bob
into thinking the message came from Alice.  Mallory forges Alice's
address on the message.  The MTA on Mallory's server contacts the MTA
on Bob's server.  Bob has properly configured his server to reject
undeliverable messages as early as possible at SMTP time.  The MTA on
Mallory's server finds the message rejected during the SMTP handshake.
Bob's server does not send a rejection notice to Alice and Alice
avoids any backscatter from Bob's system.

Bob


Dan Vesely wrote:
> If you reject at the smtp level how are users notified?
>  
> There has to be a way to notify users if they are rejected so that they can
> contact the sender to be put on the white list.
>  
> Your help is appreciated.
>  
> Thanks,
>  
> Dan
> 
> -----Original Message-----
> From: Bob Proulx [mailto:bob@proulx.com] 
> Sent: Thursday, December 20, 2007 9:27 AM
> To: dvesely
> Cc: users@spamassassin.apache.org
> Subject: Re: Bounce notification
> 
> dvesely wrote:
> > I have set up bounce notification for my SpamAssassin mail server but my
> > server manager has recommended that I do not use it. He wrote:
> 
> Right.  Best not to generate bounces to spam after you have received
> it because if you do you become a source of spam yourself.
> 
> > Most of the SPAM messages will have a forged FROM address, so the server
> > has to deal with returned bounce messages also. This is a processor and
> > memory hungry task.
> 
> The problem isn't that your server would become overloaded.  The
> problem is that your server would become a source of backscatter spam
> because of the bounced messages to forged from addresses.  *I* for one
> would blacklist your server because of this.
> 
> Search the web for backscatter spam and read about the problems that
> it causes before attempting to set up a server that bounces spam
> messages.  Rejecting at the SMTP level is the better way to go.
> 
> Bob
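
Added example (not part of any message in this thread): a Python model of the border-MTA behaviour described in the posts above, replaying one constructed SMTP session under the "reject at SMTP time" policy and under the "accept, then bounce" misconfiguration. The addresses, the mailbox list and score_message() (a stand-in for a SpamAssassin score, checked against the threshold of 10 mentioned in the thread) are assumptions made for illustration.

```python
REJECT_SCORE = 10.0                      # rejection threshold mentioned in the thread
VALID_RCPTS = {"bob@example.net"}        # constructed mailbox list (assumption)

def score_message(body):
    """Stand-in for a SpamAssassin score (constructed weights, not real rules)."""
    weights = {"lottery": 6.0, "wire transfer": 5.0, "click here": 2.5}
    return sum(w for phrase, w in weights.items() if phrase in body.lower())

def border_mta(client_lines, policy):
    """Replay one SMTP session; return (server replies, DSN recipients).
    policy "reject": refuse with a 5xx reply on the open connection.
    policy "bounce": accept everything, mail a DSN to the envelope sender later."""
    replies, dsns = [], []
    sender, rcpts, bad_rcpts, body, in_data = None, [], [], [], False
    for line in client_lines:
        if in_data:
            if line != ".":
                body.append(line)
                continue
            in_data = False
            spam = score_message("\n".join(body)) >= REJECT_SCORE
            if policy == "reject" and spam:
                replies.append("550 5.7.1 This looks like spam")
            else:
                replies.append("250 2.0.0 Ok: queued")
                if policy == "bounce" and (spam or bad_rcpts):
                    dsns.append(sender)  # the forged address receives the bounce
            continue
        verb = line.upper()
        if verb.startswith("MAIL FROM:"):
            sender = line[10:].strip().strip("<>").lower()
            replies.append("250 2.1.0 Ok")
        elif verb.startswith("RCPT TO:"):
            addr = line[8:].strip().strip("<>").lower()
            if addr in VALID_RCPTS:
                rcpts.append(addr)
                replies.append("250 2.1.5 Ok")
            elif policy == "bounce":
                bad_rcpts.append(addr)   # accepted now, found undeliverable later
                replies.append("250 2.1.5 Ok")
            else:
                replies.append("550 5.1.1 No such user")
        elif verb == "DATA":
            in_data = bool(rcpts or bad_rcpts)
            replies.append("354 End data with <CR><LF>.<CR><LF>" if in_data
                           else "554 5.5.1 No valid recipients")
        elif verb.startswith(("HELO", "EHLO")):
            replies.append("250 mx.example.net")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("502 5.5.2 Command not recognized")
    return replies, dsns

# Constructed session: the connecting client forges Alice as envelope sender.
FORGED_SPAM = ["EHLO client.example.com", "MAIL FROM:<alice@example.org>",
               "RCPT TO:<bob@example.net>", "DATA", "Subject: You won the lottery",
               "Click here to arrange the wire transfer.", ".", "QUIT"]
```

With policy "reject" the only party that hears about the refusal is the connecting client, so border_mta(FORGED_SPAM, "reject") returns an empty DSN list; with policy "bounce" the same session returns ["alice@example.org"], which is the backscatter case.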

Re: Bounce notification

Posted by Bob Proulx <bo...@proulx.com>.
dvesely wrote:
> I have set up bounce notification for my SpamAssassin mail server but my server
> manager has recommended that I do not use it. He wrote:

Right.  Best not to generate bounces to spam after you have received
it because if you do you become a source of spam yourself.

> Most of the SPAM messages will have a forged FROM address, so the server
> has to deal with returned bounce messages also. This is a processor and
> memory hungry task.

The problem isn't that your server would become overloaded.  The
problem is that your server would become a source of backscatter spam
because of the bounced messages to forged from addresses.  *I* for one
would blacklist your server because of this.

Search the web for backscatter spam and read about the problems that
it causes before attempting to set up a server that bounces spam
messages.  Rejecting at the SMTP level is the better way to go.

Bob