bouncebacks that were never sent

Discussion in 'OT Technology' started by Leb_CRX, Apr 24, 2007.

  1. Leb_CRX

    Leb_CRX OT's resident terrorist

    two of the people here keep getting bouncebacks they never sent, and it's really starting to annoy me, as the bouncebacks are coming from all sorts of places...all with Russian headers

    I made sure there isn't anything going on on their machines (viruses, any funny processes, etc.), checked our (we use Postfix for incoming, and Exchange for outgoing) Exchange logs, nothing being sent from here, checked Postfix logs (I only see the bouncebacks coming in), which leads me to believe that it's not coming from internally; someone's spoofing their email addresses and sending out on their behalf, they are not making it and it's coming back to us

    this is really starting to irritate me as the problem seems to be getting worse...I mean it's one thing for it to happen once in a while, another to get 10-15 a day

    here's what the bounceback looks like, which really doesn't tell me anything:

    Code:
    Your message did not reach some or all of the intended recipients.
    
          Subject:	Re: осуществлении ВЭД расчётов
          Sent:	4/24/2007 2:42 PM
    
    The following recipient(s) cannot be reached:
    
          [email protected] on 4/24/2007 1:43 PM
                The e-mail system was unable to deliver the message, but did not report a specific reason.  Check the address and try again.  If it still fails, contact your system administrator.
                < comcast.net #5.0.0550_<[email protected]>:_Recipient_address_rejected:_User_unknown_in_local_recipient_table smtp; Permanent Failure: Other undefined Status>
    
    this one is coming back from Comcast; we've gotten some from smtp32.m2.home.ad.jp, fxtel.fx-net.ro, and all other fucking mail servers

    short of iptabling the IP of their MX record, is there anything I can do to stop this shit from coming in? any other tips to stop this shit? it's really starting to piss me off
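An added example, not from any poster in this thread: the bounces described above arrive with the null envelope sender (Postfix logs them as from=<>), so a first detection step is to stitch the per-queue-id Postfix log lines back together and count null-sender deliveries per local recipient and per sending host. The log lines below are constructed in Postfix syslog format; the hostnames, IPs and queue ids are made up, and the threshold of two is an assumption. Legitimate bounces for mail you really sent also use the null sender, so the counts are a triage signal to correlate with the outbound log, not proof of spoofing on their own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Postfix syslog format (not from the thread).
# Two of the three messages are bounces: a DSN always arrives with the
# null envelope sender, which qmgr logs as from=<>.
SAMPLE_LOG = """\
Apr 24 13:43:01 mx postfix/smtpd[2201]: 3F1A2C0: client=mail.example.net[192.0.2.10]
Apr 24 13:43:01 mx postfix/qmgr[1199]: 3F1A2C0: from=<>, size=3120, nrcpt=1 (queue active)
Apr 24 13:43:01 mx postfix/local[2210]: 3F1A2C0: to=<alice@example.com>, relay=local, status=sent (delivered to mailbox)
Apr 24 13:50:17 mx postfix/smtpd[2230]: 3F1A2D1: client=relay.example.org[198.51.100.7]
Apr 24 13:50:17 mx postfix/qmgr[1199]: 3F1A2D1: from=<bob@partner.example>, size=810, nrcpt=1 (queue active)
Apr 24 13:50:17 mx postfix/local[2240]: 3F1A2D1: to=<alice@example.com>, relay=local, status=sent (delivered to mailbox)
Apr 24 14:42:55 mx postfix/smtpd[2301]: 3F1A2E2: client=mail.example.net[192.0.2.11]
Apr 24 14:42:55 mx postfix/qmgr[1199]: 3F1A2E2: from=<>, size=2990, nrcpt=1 (queue active)
Apr 24 14:42:55 mx postfix/local[2310]: 3F1A2E2: to=<alice@example.com>, relay=local, status=sent (delivered to mailbox)
"""

# syslog prefix, daemon name, queue id, then the daemon-specific remainder
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
CLIENT_RE = re.compile(r"client=(?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<rcpt>[^>]+)>")


def parse_postfix(log_text):
    """Collapse the smtpd/qmgr/local lines for one queue id into one record."""
    msgs = defaultdict(lambda: {"client_host": None, "client_ip": None,
                                "sender": None, "rcpts": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a Postfix line we understand
        rec = msgs[m.group("qid")]
        rest = m.group("rest")
        if c := CLIENT_RE.search(rest):
            rec["client_host"], rec["client_ip"] = c.group("host"), c.group("ip")
        if f := FROM_RE.search(rest):
            rec["sender"] = f.group("sender")   # "" means the null sender <>
        if t := TO_RE.search(rest):
            rec["rcpts"].append(t.group("rcpt"))
    return dict(msgs)


def backscatter_report(msgs, threshold=2):
    """Count null-sender (bounce) deliveries per recipient and per sending
    host; recipients at or above `threshold` (an assumed value) are flagged."""
    per_rcpt, per_host = Counter(), Counter()
    for rec in msgs.values():
        if rec["sender"] != "":           # only MAIL FROM:<> messages are DSNs
            continue
        per_host[rec["client_ip"]] += 1
        for rcpt in rec["rcpts"]:
            per_rcpt[rcpt] += 1
    flagged = sorted(r for r, n in per_rcpt.items() if n >= threshold)
    return {"per_recipient": dict(per_rcpt),
            "per_host": dict(per_host),
            "flagged": flagged}


if __name__ == "__main__":
    report = backscatter_report(parse_postfix(SAMPLE_LOG), threshold=2)
    for rcpt, n in report["per_recipient"].items():
        print(f"{rcpt}: {n} bounce(s)")
    print("bouncing hosts:", report["per_host"])
    print("flagged recipients:", report["flagged"])
```

Feed it the real mail log instead of SAMPLE_LOG and compare the flagged recipients against the outbound Exchange log: a recipient who receives many null-sender messages for mail that never left your servers is being spoofed, and the per-host counts tell you which remote MTAs are generating the backscatter.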
     
  2. deusexaethera

    deusexaethera OT Supporter

    Someone's using their email accounts to send spam from a "zombie" computer. Change their email passwords; "password", "drowssap", "rosebud", "spike", "spot", and so on are not acceptable. Enforce passwords that contain at least three of these four character types:

    - lower-case letters
    - upper-case letters
    - numbers
    - non-alphanumeric symbols

    Then request PKI encryption certificates from your certificate provider (or www.comodo.com if you don't have one) and install them in everybody's email clients. Set their email clients to use those certificates as digital signatures, and set it to sign all emails by default.
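An added example, not from any poster in this thread, of the password rule the post describes (at least three of the four character classes, and none of the named weak passwords). The deny list here contains only the words the post mentions and is a constructed placeholder for a real breached-password list; the minimum length of eight is an assumption the post does not state.

```python
import string

# Weak passwords named in the post; a constructed placeholder for the much
# larger breached-password list a real deployment would load.
DENYLIST = {"password", "drowssap", "rosebud", "spike", "spot"}

# The four character classes from the post.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password):
    """Names of the character classes that appear at least once."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password, min_length=8, min_classes=3):
    """Return (accepted, reasons). min_length is an assumption added here;
    the post only specifies the three-of-four rule and the deny list."""
    reasons = []
    if password.lower() in DENYLIST:
        reasons.append("on the deny list")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    found = character_classes(password)
    if len(found) < min_classes:
        reasons.append(f"only {len(found)} of 4 character classes present")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("rosebud", "PASSWORD", "Spike1234", "Corr3ct-Horse"):
        ok, why = check_password(candidate)
        verdict = "accepted" if ok else "rejected: " + "; ".join(why)
        print(f"{candidate!r}: {verdict}")
```

Note the limit of a class-count rule: "Spike1234" passes because it mixes three classes even though it is built on one of the listed words, which is why the deny-list check and a length minimum belong alongside it.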
     
  3. chrislehr

    chrislehr * from home

    Nothing you can really do.
     
  4. Create

    Create :free at last:

    Where can I learn more about this before I implement?

    I swear, dues, I pick up two topics a week from ya'
     
  5. deusexaethera

    deusexaethera OT Supporter

    www.comodo.com

    In a nutshell, the certificate verifies that the authorized owner sent the email through their own email address from an email client installed on the same machine as the certificate. If the certificate is attached from a machine or an email address that doesn't match the certificate's encrypted header, the recipient will get a red flag (and most spam filters will block it); likewise, if the certificate is attached from a machine that it was installed on by the user who owns the certificate and who knows its password, the recipient will see a notice saying that the email is 100% authentic.

    It won't stop people from spamming through your account unless you can get your ISP to refuse any email without a certificate attached, but it helps to ensure that nobody who might get spam from your account will be fooled by a fake once they know you have a certificate.
     
    Last edited: Apr 24, 2007
  6. Create

    Create :free at last:

    Ok, between there, wiki, and a bit of thought I reach the conclusion that I could use a single license at my exchange server rather than individual at each client.

    Is this correct?
     
  7. Leb_CRX

    Leb_CRX OT's resident terrorist

    Thanks, I'll look into the PKI encryption

    One Q...if they are using the users' emails, they have to be going through Exchange, and if they're using the Exchange server to spam, wouldn't they show up in the Exchange logs? That's the thing, it's not, which is leading me to think it's going from externally...but from what I gather, most mail servers should do a reverse DNS and drop the email, since it's not originating from here...

    that's what got me confused, and someone please correct me if I'm wrong; here's how I see it:

    spammer (using [email protected] email spoof) connects to Comcast mail server...Comcast does a reverse DNS...says the IPs don't match the FQDN...drops it...

    but from what I am seeing it's forwarding them on that user's behalf...getting that the recipient email does not exist and returning it to us...

    I did some digging and the only thing I can see happening is Comcast users got pwned by some sort of spyware/virus, which installs a local SMTP server, starts sending out emails through the Comcast servers from us, and since it's internal to Comcast, it bypasses the reverse DNS check, and it's bouncing back to us

    am I right in assuming this, or am I totally wrong?
     
  8. Leb_CRX

    Leb_CRX OT's resident terrorist

    one other thing I just realized

    if someone here is infected (I am digging through the tcpdump port 25 logs now), and has a host on their machine acting as a mail server, the FQDN would match our IP...and it does look like it's coming from our domain, and therefore it's forwarding it

    time to start sniffing packets :wtc:
     
  9. deusexaethera

    deusexaethera OT Supporter

    I think you lost me. If you're saying that some anonymous Comcast user has a bot installed on their machine that's sending out spam in your name because the bot can bypass Comcast's reverse DNS lookup that way, then I'd say it's definitely possible. In that case, all you can really do to stop the madness is to notify Comcast of the problem.

    It's too bad that Comcast doesn't have the server capacity to do a reverse DNS lookup on every email it receives, internally as well as externally.
     
  10. P07r0457

    P07r0457 New Member

    Probably a spoof. They never came from you, but your IP was put as the return. Common spammer trick.
     
  11. Penguin Man

    Penguin Man Protect Your Digital Liberties

    Yep, that'd be my guess, too. We had it happen a couple months ago, got something like 3000 bounces overnight because [email protected] goes to our mailing list and the spammer was trying lots of possible account names. Shut off the catchall for a couple weeks and it died right down.
     
  12. 5Gen_Prelude

    5Gen_Prelude There might not be an "I" in the word "Team", but

    Ugg - I wish people would just embrace SPF already - it would eliminate so much of this shit.
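An added example, not from any poster in this thread, showing the mechanism SPF adds that reverse DNS alone does not: the domain owner publishes which IPs may send mail for the domain, and a receiving server compares the connecting IP against that list before accepting a message claiming to be from that domain. The record and IPs below are constructed; the evaluator handles only the ip4, ip6 and all terms, which need no DNS lookups, and refuses the include/a/mx/redirect terms rather than guessing at them.

```python
import ipaddress

# Result an SPF qualifier maps to when its mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, name, argument) terms.
    Mechanisms use name:arg, modifiers use name=value; both end up as tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                           # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:          # modifier, e.g. redirect=...
            name, _, value = term.partition("=")
        else:
            name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_host(client_ip, record):
    """Evaluate the connecting IP against the record, offline.
    Returns pass / fail / softfail / neutral for ip4, ip6 and all terms;
    terms that require DNS (include, a, mx, exists, redirect) raise."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)   # bare IP => /32 or /128
            if ip.version == network.version and ip in network:
                return RESULT[qualifier]
        elif name == "exp":
            continue                              # explanation text, no effect on result
        else:
            raise NotImplementedError(f"'{name}' needs a DNS lookup; not handled offline")
    return "neutral"                              # nothing matched and no 'all' term


if __name__ == "__main__":
    # Constructed record for a fictional domain: one IPv4 range, one IPv6
    # range, and a hard fail for everything else.
    record = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
    for ip in ("203.0.113.25", "198.51.100.9", "2001:db8:1::5"):
        print(f"{ip:>16} -> {check_host(ip, record)}")
```

With "-all" a receiving server that checks SPF rejects the spoofed connection at SMTP time, so no bounce is ever generated back to the forged address; with "~all" it is expected to accept and merely mark the message, which is why a softfail record does little against the backscatter described in this thread.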
     
  13. Create

    Create :free at last:

    SSL license per exchange server or per user?
     