Slashdot Mirror


Proper Ways to Dispose of Spam?

An anonymous reader asks: "My domain name is being stolen by spammers; they forge outgoing mail using my poor innocent domain name. First, I'd like to plead with mail server administrators out there: please REJECT spam and undeliverable mail. If you reject instead of bouncing then legitimate mail senders will still know there is a problem. Second, do you have any tips for dealing with a flood of spam bounces? Exim is pitching the bounces pretty quickly, but my server is still getting overwhelmed." In the case of stolen sender addresses, SPF attempts to address this problem but has it been effective?

32 of 119 comments

  1. The toilet by antifoidulus · · Score: 3, Funny

    regardless of whether it comes out the back port or the front(both are equally likely).

    1. Re:The toilet by kfg · · Score: 5, Funny

      You have already failed the first rule of disposing of Spam:

      1. For goodness sake, whatever you do, don't eat the stuff!

      KFG

  2. SPF! by Alphager · · Score: 4, Informative

    Two of my domain-names are in several spammer-tools and I was inundated by spam-bounces (and auto-replies). With SPF, I am down to one bounce every now and then.

    1. Re:SPF! by crow · · Score: 2, Informative

      I found SPF to be nearly useless. I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

    2. Re:SPF! by stg · · Score: 3, Insightful

      That was the same in my case. I still get about the same number of bounces from spammers after adding SPF.
      The only thing that did solve it was killing all addresses I don't use and adding filters for the most common bounces.

    3. Re:SPF! by Alphager · · Score: 2, Insightful

      We are talking about spam-bounces, not the spam itself. Of course using SPF as sole spamfilter is useless (spammers quite frequently kite domains and set up an SPF-record allowing everybody to send mail for that domain). But most spam-filters know that a false-positive with SPF is not possible (if you ignore email-forwarding, of course) and won't bounce the mail to the innocent domain.

    4. Re:SPF! by silas_moeckel · · Score: 2, Insightful

      If you just care about outbound SPF, assuming your hosting provider also runs your DNS servers, they can add it in easily.

      --
      No sir I don't like it.

    5. Re:SPF! by qbwiz · · Score: 3, Informative

      Right, but that post was saying that he thought that spammers would avoid forging a domain with SPF on it, because it would be more likely that their mail would be rejected. Therefore, if you add SPF to your domain, you shouldn't get as many bounces, as spammers won't want to forge that as the sender.

      --
      Ewige Blumenkraft.

    6. Re:SPF! by poot_rootbeer · · Score: 2, Insightful

      I would think that spammers would automatically avoid domains with SPF records to increase their hit rate, but apparently not.

      Spammers don't care about hit rates and neither do the folks that employ them. Who cares if it's 10 people out of 100 that fall for the bait or 10 people out of 100,000 -- it's still 10 sales that they can credit to spamming.

    7. Re:SPF! by Medieval_Gnome · · Score: 2, Informative

      My domain (and email) is hosted with GoDaddy, and it was trivial to set up SPF.

      Go into your hosting account, then open the control panel for the domain you want to set up SPF for.

      On the page that opens up, select DNS Manager.

      Scroll down to the bottom of that page, and there should be a button saying something like "Add SPF Record."

      Assuming you use smtpout.secureserver.net to send your email, the defaults should work splendidly, and it should be good to go.

      --

      :wq

  3. anyone have a domain where this DIDN'T happen? by Subgenius · · Score: 3, Insightful

    Welcome to my hell. I've had this happen to 8 of my domains over the last couple of years, typical spam runs of 30k at a time, based on all of the 'bounce back' messages that tell me 'my' mail is spam, or worse "go F** yourself, spammer" crud. SPF might fix this, but only if it was mandatory and ALL ISPs blocked non-commercial email servers (DO NOT WANT the latter to occur).

    Good Luck.

    --
    Toil is Stupid. Don't be Stupid.

    1. Re:anyone have a domain where this DIDN'T happen? by Southpaw018 · · Score: 5, Interesting

      Ahhh, I had one of those -yesterday-. We have SPF implemented, and it still doesn't work very well, alas.

      I got a call from a sysadmin somewhere in nowheresville USA. The minute I picked up the phone, the guy started berating me, since I was destroying his domain, and it was all my fault, because I'm running Exchange and obviously I was infecting him with Winblows.

      After I finally got things sorted out, I walked him through exactly how and why it wasn't our domain a'tall, which would have been obvious had he looked at the headers of any one of the thousands of emails he claimed he received. If he knows how to read any of them. When he realized he was wrong, he slammed the phone down midsentence.

      Point of the story: SPF is great, proper mail server administration is great, but there will always be jerks who think they know what they're doing when they don't, and they're the bane of the whole system, more like a wolf in sheep's clothing than a known enemy.

      --
      ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.

  4. SPF somewhat effective by asc4 · · Score: 3, Informative

    SPF is only somewhat effective as unfortunately only some have adopted it. Still, it takes all of a few seconds to add an SPF record for your domain. It can't hurt. Also, try reporting the servers hitting you with backscatter to Spamcop. Again, it might not help much, but it can't hurt.

    1. Re:SPF somewhat effective by Albanach · · Score: 4, Informative

      The DNS system is heavily loaded worldwide now

      I'm not sure what you mean by this - surely with a properly caching nameserver, you add almost no additional load to the root nameservers by performing SPF lookups as the query never goes near them? Your own DNS servers might be heavily loaded - in which case you should add additional ones or pay for someone else to provide DNS service. DNS scales easily so that shouldn't be an issue.

      A DNS request is tiny compared to bouncing about bits of mail - if you can reject the message before even processing the body thanks to SPF you significantly reduce bandwidth consumption, much more than that spent on a DNS lookup, especially now there are so many image based spams floating about.

  5. SPF is effective... sort of by XenoPhage · · Score: 2, Informative

    SPF is only effective if everyone uses it. It's pretty much that simple. Problems with forwards and mailing lists aside, SPF seems to work pretty well. I've been using it for a while now and I like it.

    As for what to do... It's a tough call. You're being affected by a "Joe Job" [http://en.wikipedia.org/wiki/Joe_job]. Defending against this is not the easiest thing in the world. Filtering is probably the only route you can go right now. You should be able to filter based on the subject and To: address, looking for MAILER-DAEMON messages to the users being affected. That's how I would deal with it to begin ... Then perhaps limiting SMTP from the outside world, prioritizing local user traffic. That should calm the server down a little.

    For the record, every mail server I've worked on has been set up to reject. I learned a long time ago that bounces and double bounces can easily kill a server. Great idea in theory, but the low-lifes on the net make good ideas regretful.

    --
    XenoPhage
    Technological Musings

  6. SPF is Marginally Effective by prothid · · Score: 2, Informative

    I am having this same issue. I have SPF set up with '-all' on the end of it. This still lands me with a lot of bounces every day. I am using Gmail for my mail and I have about 10 to 20 bounces that didn't get caught by their spam filter sitting in my inbox every morning.

    Here is the SPF line I am using with Gmail (with an irrelevant ip4 entry omitted):

    @ IN TXT "v=spf1 mx include:aspmx.googlemail.com -all"

    I figure that at worst, I am keeping myself off blacklists because the ones likely to blacklist my domain have at least implemented SPF. It is still a fairly annoying situation. It is probably worth noting that I have a catch-all alias for inbound emails. I like to give a different email address for each site I go to so that I can track who is sending me spam. The downside to this apparently being that it potentially opens your domain up to being used TO spam.

    1. Re:SPF is Marginally Effective by Neon+Spiral+Injector · · Score: 2, Informative

      Spammers *love* domains with catch-all aliases and specifically target them for impersonation. I would suggest finding an easy way to add new aliases as needed (so you can create one just before you sign up on a site) and kill the catch-all.

  7. Backup MX is to blame for some of this bouncing by artifex2004 · · Score: 4, Interesting

    It's great to set up your mail server to reject the mail up front. But many spammers know people are doing this, so they connect to backup MX, often the one with least priority. From what I've read, that's how spammers' mail blasting programs are written these days.

    Are you running your own backup MX? Probably not. It's often a generic spooler your ISP lets you use for convenience. Even if you do, does your backup MX have all your rules in place, so it knows what to reject? No, I bet not. So this backup server accepts the mail without question, then passes it to the primary, and then it gets bounced.

    We need to either have a way to give our backup MX our rulesets (which the people who run the backup servers understandably won't like), allow backup and primaries to just silently discard (which legitimate senders and receivers won't like), or, quite possibly, stop using backup MX entirely, and then if the primary goes down, the originating mail servers should do their normal pattern of retrying for 5 days, or whatever.

    Large companies who need 100% instant availability of mail shouldn't be using backup MX anyway, (I've seen backup MX servers configured to hand off to primary hourly or even daily, not to mention those that hold until the primary asks for the mail) they should be using a ring of servers sharing primary preference. I'd expect the ruleset to be identical across the ring, thus allowing for instant rejection all the time.

    1. Re:Backup MX is to blame for some of this bouncing by GreggBz · · Score: 2, Informative

      You're right. I work for a smallish ISP and notice that spam-bots usually prefer the backup MX record.

      For smaller domains and people with fewer resources having one MX record is impractical. For larger systems, like say an ISP, there is typically only one MX record, which really points to a virtual server that exists in a Foundry switch or some such. This is then load balanced round-robin style to a group of identically configured servers, preferably ones that are geographically distributed. This is a little more straightforward than the ring of servers, but has its own issues.

      The one headache that I have with this setup is the tedious log searches that you end up doing trying to find out what happened to customer x's email, or just troubleshooting in general.

      It's a pain shelling into 4 different servers and grepping through each maillog. I'd like to find a solution to this.

  8. Re:No by Neon+Spiral+Injector · · Score: 4, Informative

    You should not generate the bounce; a 5xx response to an SMTP command is all your server should do. If it is a real mail server talking to yours it will generate the bounce for the user that is relaying through it (hopefully including the text of your 5xx reply).

  9. SPF hasn't helped me much by Slashdot+Parent · · Score: 2, Interesting

    I publish SPF records for all of my domains, and I still get a ton of blowback. Here are the options that I evaluated:

    1. Don't use catch-all addresses. Normally blowback is not addressed to a valid user. This was not an option for me, but it may be for you.
    2. Reject invalid bounce messages. Any message coming with an empty envelope sender to an address that has never sent mail on my system is considered invalid and rejected during SMTP with a message stating why. This is what I chose.
    The reason for my choice is that it consumes minimal resources (all that's required to reject a message is one SQL query against a small, in-memory table), informs the bouncer of the problem, and eliminates 99.99% of blowback (some incorrectly-configured MTAs produce bounce messages that don't have empty envelope senders... I get like one of those per month).

    And I second your pleading: Please, please, please, mail admins, please reject email during SMTP instead of producing bounce messages! Please!
    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock

  10. Why the forging in the first place? by mabu · · Score: 2, Informative

    I believe the main reason why spammers are forging in the first place is to taint relay blacklists. RBLs hurt spammers more than anything else. When they forge from addresses they cause legitimate relays to be spammed by other legitimate relays and this in turn may prompt some relays to blacklist legitimate smtp servers and tarnish the effectiveness of RBLs. However, most admins are now wise to this and differentiate between the different types of traffic.

    If you run any mail server for a reasonable amount of time, until the feds decide to get off their lazy asses and prosecute these criminals, you're going to run into this problem. It usually passes after a few days. If I run into it, I will sometimes change the MX record of the offending domain to 127.0.0.1 temporarily. And rule number one is avoid *@domain.com mail mappings...

    1. Re:Why the forging in the first place? by Robotech_Master · · Score: 3, Informative

      In my experience, some spammers will also forge the 'from' address to be the address of the intended recipient of the spam, and then send it to an address they know will bounce (i.e. with an autoresponder) to try to get past spam filters or something.

      --
      Editor Emeritus and Senior Writer, TeleRead.org

    2. Re:Why the forging in the first place? by Kelson · · Score: 2, Insightful

      There's also a mundane reason for it:

      1. Using your own address makes you more traceable and means you have to deal with bounces, complaints, etc.
      2. Using a forged address saves you that inconvenience.
      3. Completely bogus addresses will have a low throughput, because it's trivial for a receiving server to check whether a domain name exists or not.
      4. Verifying a specific address at a real domain, however, is more involved.
      5. Solution: Use a bogus address at a real domain name.

      This solution expresses itself in both throwaway domains (where the spammer registers it for cheap, figuring they only need it for one spam run) and forged addresses using bystanders' domains. Forging is cheaper, since you don't have to register a domain, and while it's illegal, enforcement is rare.

  11. Simple, check the Received: envelope headers by Anonymous Coward · · Score: 4, Informative

    You start by rejecting outright email for non-existent email addresses. That gets rid of all bounces that come from addresses the spammers have made up. Then you look at the Received headers of the email that you supposedly sent and validate that it did indeed come from your IP and the header is of the form that your MTA generates. If not, somebody was impersonating you and you reject the bounce. See Stopping Backscatter Email.
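    The Received-header check from the post above, as an added example that is not from the thread or any project: it pulls the Received: trail of the original message quoted inside a DSN and accepts the bounce only if some hop claims to come from our own MTA's hostname and IP. OUR_IPS, OUR_HOST and the two sample DSNs are constructed for the example.

```python
import email
import re
from email import policy

# Assumptions for the example: the public IP(s) our MTA sends from and the
# hostname it announces. Everything below the quoted message's top Received
# line was written by whoever really sent the mail, so a forger can fake it;
# this is a heuristic to apply after SMTP-time rejection, not instead of it.
OUR_IPS = {"192.0.2.10"}
OUR_HOST = "mail.example.com"

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def quoted_received(dsn_bytes):
    """Received: lines of the original message quoted in the DSN, oldest first."""
    msg = email.message_from_bytes(dsn_bytes, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":            # full original attached
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":     # only its headers attached
            inner = email.message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        return [str(h) for h in reversed(inner.get_all("Received", []))]
    return []


def hop_is_ours(received_line):
    """True if this hop reads 'from <our host> (... [<our ip>])'."""
    m = HOP_RE.search(received_line)
    if not m:
        return False
    helo, comment = m.group(1).lower(), m.group(2)
    ip = IP_RE.search(comment)
    return helo == OUR_HOST and ip is not None and ip.group(1) in OUR_IPS


def classify(dsn_bytes):
    """'own-bounce' if the quoted original passed through our MTA, else 'backscatter'."""
    hops = quoted_received(dsn_bytes)
    if not hops:
        return "backscatter"                     # nothing quoted, nothing to verify
    return "own-bounce" if any(hop_is_ours(h) for h in hops) else "backscatter"


def sample_dsn(first_hop):
    """Constructed DSN (not a real capture) quoting an 'original' message."""
    return (b"From: MAILER-DAEMON@other.example\r\nTo: user@example.com\r\n"
            b"Subject: Undelivered Mail Returned to Sender\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\r\n'
            b"\r\n--b1\r\nContent-Type: text/plain\r\n\r\nUser unknown.\r\n"
            b"--b1\r\nContent-Type: message/rfc822\r\n\r\n"
            b"Received: from mx.other.example by mda.other.example with LMTP\r\n"
            + first_hop
            + b"From: user@example.com\r\nTo: victim@other.example\r\nSubject: hi\r\n\r\nbody\r\n--b1--\r\n")


# Constructed hops: one really relayed by our MTA, one where a spambot merely used our name.
GENUINE_HOP = b"Received: from mail.example.com (mail.example.com [192.0.2.10])\r\n\tby mx.other.example with ESMTP\r\n"
FORGED_HOP = b"Received: from mail.example.com (unknown [198.51.100.7])\r\n\tby mx.other.example with SMTP\r\n"
```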

  12. Don't use a catch-all by Kelson · · Score: 4, Informative

    The problem of invalid bounces drops dramatically if you set up your incoming server so that invalid addressees are rejected with a "User unknown" note at SMTP time. If you're using Sendmail with a virtual user table, this is as easy as adding the following at the end of the file:

    @example.com error:nouser 550 5.1.1 User unknown

    It's important to do this on the server that accepts mail from the outside. If you have a setup with an antispam/virus gateway that then relays to an internal server, you need to make the gateway aware of the valid/invalid addresses.

    By rejecting invalid senders in the SMTP transaction, you only get bounces from the few messages that forged an actual sender. In my experience, the addresses tend to look like ashawuiefgfyig@example.com, so most of the bounces will just disappear into the ether(net).

  13. Postfix Backscatter HOWTO by alanxyzzy · · Score: 4, Informative

    Knowing that a common term for this is "backscatter" may help you search for other hints and tips.

    There is a Postfix backscatter HOWTO at http://www.postfix.org/BACKSCATTER_README.html

  14. BATV by Patrin · · Score: 2, Informative

    Take a look at Bounce Address Tag Validation (BATV). http://mipassoc.org/batv/index.html There even is an implementation for EXIM. This drops spam bounces like you wouldn't believe.

  15. Envelope Sender Signature by mossmann · · Score: 3, Informative

    Check out the Envelope Sender Signature technique described here:

    http://howtos.linux.com/howtos/Spam-Filtering-for-MX/collateral.shtml

    The idea is to tag outgoing messages in such a way that legitimate DSNs are distinguishable from illegitimate backscatter (which can then be discarded).

  16. Rejecting spam bounces by CustomDesigned · · Score: 2, Informative

    Speaking from 2 years' experience with rejecting 11000+ spams a day, publishing SPF records helps, but not enough folks reject mail with SPF fail for it to help a lot with spam bounces. The real solution to spam bounces is to "sign" your MAIL FROM, using SRS for example. (SRS is not just good for forwarding.) Then you just reject bounces without a proper signature. After signing, your MAIL FROM would look like this:

    <SRS0=WHEtL=GU==user@example.com>

    The current main benefit to SPF is that when you get an SPF PASS, you can be reasonably sure that the MAIL FROM wasn't forged. This is comforting when I get mail from online banks and vendors (that I actually use). Also, I reject not only on SPF fail, but on softfail for selected domains (e.g. ebay.com). Getting an SPF pass is a two-edged sword for a spammer. I track reputation (using pygossip) for validated MAIL FROM and HELO domains. So after a few trips through the content filter, they get rejected in SMTP envelope:

    2007Jan11 14:19:47 [244] Received-SPF: pass (mail.bmsi.com: domain of identity-star.com designates 209.205.201.41 as permitted sender) client_ip=209.205.201.41; envelope_from="42991_VMTA2574-alb=BMSI.COM@identity-star.com"; helo=mx2574.identity-star.com; receiver=mail.bmsi.com; mechanism=mx; identity=mailfrom
    2007Jan11 14:19:47 ham: 0, spam: 23
    2007Jan11 14:19:47 ID identity-star.com:SPF reputation: -76.159416,2.209194
    2007Jan11 14:19:47 [244] X-GOSSiP: 0Q1xs3S.9Tt$ySk.$6w1Mg,-76,2
    2007Jan11 14:19:47 [244] rcpt to <alb@BMSI.COM> ()
    2007Jan11 14:19:47 [244] REJECT: REPUTATION

    1. Re:Rejecting spam bounces by CustomDesigned · · Score: 2, Informative
      I use pysrs from the pymilter project for MAIL FROM signing. It adds a macro to sendmail, and installs a pysrs daemon as a sendmail socket map. The SRS library could be used by a python script to integrate with mutt I suppose (I always do all my filtering in the MTA - so I can't offer advice). Example code (with random spaces inserted by slashdot):

      >>> srs = SRS.new(secret='boo')
      >>> srs.sign('user@example.com')
      'SRS0=dqj5=GU==user@example.com'
      >>> srs.reverse('SRS0=dqj5=GU==user@example.com')
      'user@example.com'
      >>> srs.reverse('SRS0=fake=GU==user@example.com')
      Traceback (most recent call last):
      ...
      AssertionError: Invalid hash

      There are also C libraries like libsrs and libsrs2.

      Detecting the bogus bounces in mutt is less than optimal - because you have already received the SPAM. By checking in the MTA, you reject the bounce before SMTP DATA.
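      The signed-MAIL-FROM scheme from the two posts above (sign outgoing MAIL FROM, then reject any null-sender message whose RCPT TO does not carry a valid signature), as an added example that is neither pysrs nor code from the thread. It also enforces the timestamp window so an old signature cannot be replayed indefinitely. The secret, day numbers and addresses are constructed; the hash (HMAC-SHA1 truncated to four base64 characters) is an assumption chosen to match the shape of the post's output, not pysrs's actual algorithm.

```python
import base64
import hashlib
import hmac
import time

# Address shape mirrors the thread's sample:
#   SRS0=<hash>=<timestamp>=<original domain>=<local>@<domain>
# with an empty original-domain field for mail that was not forwarded.
SECRET = b"boo"             # constructed; a deployment uses a long random secret
MAX_AGE_DAYS = 7            # bounces for mail older than this are refused
BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def today():
    return int(time.time() // 86400)


def encode_day(day):
    """Two base32 chars encoding the day number modulo 1024, as SRS does."""
    return BASE32[(day >> 5) & 31] + BASE32[day & 31]


def decode_day(ts):
    return (BASE32.index(ts[0]) << 5) | BASE32.index(ts[1])


def srs_hash(ts, orig_domain, local, secret):
    """HMAC over the signed fields, truncated to 4 base64 chars (assumed format)."""
    data = f"{ts}{orig_domain}{local}".lower().encode()
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest())[:4].decode()


def sign(sender, secret=SECRET, orig_domain="", day=None):
    """Rewrite a plain sender into a signed SRS0 MAIL FROM."""
    local, _, domain = sender.rpartition("@")
    ts = encode_day(today() if day is None else day)
    return f"SRS0={srs_hash(ts, orig_domain, local, secret)}={ts}={orig_domain}={local}@{domain}"


def reverse(address, secret=SECRET, day=None):
    """Verify a signed address and return the original sender, or raise ValueError."""
    local, _, domain = address.rpartition("@")
    if not local.startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    parts = local[5:].split("=", 3)
    if len(parts) != 4 or len(parts[1]) != 2 or any(c not in BASE32 for c in parts[1]):
        raise ValueError("malformed SRS0 address")
    h, ts, orig_domain, orig_local = parts
    if not hmac.compare_digest(h, srs_hash(ts, orig_domain, orig_local, secret)):
        raise ValueError("Invalid hash")
    now = today() if day is None else day
    if (now - decode_day(ts)) % 1024 > MAX_AGE_DAYS:      # modulo handles wraparound
        raise ValueError("signature expired")
    return f"{orig_local}@{orig_domain or domain}"


def rcpt_policy(mail_from, rcpt_to, secret=SECRET, day=None):
    """SMTP reply at RCPT TO; mail_from == "" is the null sender, i.e. a bounce/DSN."""
    if mail_from != "":
        return "250 OK"                     # ordinary mail: the usual checks apply
    try:
        reverse(rcpt_to, secret, day)
    except ValueError as exc:
        return f"550 5.7.1 Bounce to unsigned address rejected ({exc})"
    return "250 OK"                         # a bounce of mail we really sent
```

Because the decision is made at RCPT TO, the backscatter is refused before DATA, which is the point the second post makes about filtering in the MTA rather than in mutt.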

  17. Re:No by Akatosh · · Score: 2, Insightful

    Spam is spam. I don't care if it was relayed by using the victim address in 'rcpt to:' (traditional spamming) or 'mail from:' (blowback spamming). So you stuck three lines of text above it then relayed it on to the victim. Good job, by bouncing instead of rejecting you're an open relay. You even add some additional Bayesian slaying text to the top. That's how I see it.

    It's really not that difficult to configure your mail systems to reject instead of accept then bounce. I see this as becoming mandatory, similar to how it used to be OK to have an open relay, then over time it became a sin.