  1. #1
    Linux Engineer
    Join Date
    Mar 2005
    Location
    Where my hat is
    Posts
    766

    Any exim experts here?


    It's recently come to my attention that we may be getting nailed with NDR bounce messages/backscatter spam. Our site has shown up on two blacklists recently, and this is the only way I can think of that we'd be showing up.

    What I need to figure out is an easy way to configure exim to check at SMTP and deny, rather than accept the message and then bounce it. I've been poring through countless forums and scripts, but a lot of it is fairly old (2 years or older) and at this point, I'm just plain frazzled.

    Any assistance would be appreciated. Danke!
    Registered Linux user #384279
    Vector Linux SOHO 7

  2. #2
    Linux Enthusiast scathefire
    Join Date
    Jan 2010
    Location
    Western Kentucky
    Posts
    626
    A user at my company was the victim of a backscatter attack. It is still ongoing, but this individual doesn't see it. We enforced watermarking, using MailScanner.

    So MailScanner is my suggestion.
    linux user # 503963

  3. #3
    Linux Engineer
    Join Date
    Mar 2005
    Location
    Where my hat is
    Posts
    766
    Quote Originally Posted by scathefire:
    A user at my company was the victim of a backscatter attack. It is still ongoing, but this individual doesn't see it. We enforced watermarking, using MailScanner.

    So MailScanner is my suggestion.
    Not sure this is going to fix our issue.

    With NDR bounce spam, the spammer targets a "bad" address on the server, but spoofs the return address with a known good address. So when the mail server accepts the message, attempts to deliver it and finds the recipient is not a valid address, it bounces the message back to the spoofed address, effectively delivering the spam for the spammer without going through the spam filters.

    What I need is a rule set for exim that checks at SMTP and rejects back to the original sender instead of accepting it and bouncing after SMTP.
    Registered Linux user #384279
    Vector Linux SOHO 7

  4. #4
    Linux Enthusiast scathefire
    Join Date
    Jan 2010
    Location
    Western Kentucky
    Posts
    626
    Pretty sure it's going to accept NDR messages, per some RFC compliance. The only way we eliminated the problem was by use of watermarking. With watermarking, every message that the server sends out is tagged. Therefore, when a bogus NDR comes back, MailScanner sees no watermark and adds 100 to the spam score.

    SpamAssassin sees this, and messages labeled as high-spam are deleted on our systems.

    What SMTP server are you using?
    linux user # 503963

  5. #5
    Linux Engineer
    Join Date
    Mar 2005
    Location
    Where my hat is
    Posts
    766
    We're using exim and courier.

    Perhaps I'm not understanding the specific order of things here.

    1. Spammer sends message to bogus address on my domain. Message also has a spoofed return address which IS valid.

    2. Message hits server and is passed through for delivery. Determines that address is not a valid address and bounces a NDR to return address.

    It's my understanding that this is happening before it hits SpamAssassin, and that SpamAssassin is the last check before it's actually delivered to the final addressee on the server.

    If this is the case, installing another "check" program isn't going to do me any good unless it checks as it hits the server. Because once it's accepted, I'm screwed as far as this type of spam is concerned.
    Registered Linux user #384279
    Vector Linux SOHO 7
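    The RCPT-time check the OP is asking for, as an added Exim 4 configuration example that is not from this thread or from anyone's posted config. It assumes the ACL name acl_check_rcpt, the named lists +local_domains and +relay_to_domains, and a transport called courier_maildir defined elsewhere in the config; the point is that an unknown recipient is refused with a 550 during the SMTP dialogue, so no message is accepted and no bounce to the spoofed return path is ever generated.

    ```exim
    # Added example, not from the thread. Assumed names: acl_check_rcpt,
    # +local_domains, +relay_to_domains, courier_maildir.
    acl_smtp_rcpt = acl_check_rcpt

    begin acl

    acl_check_rcpt:
      # Locally submitted mail (no remote host) is accepted as-is.
      accept  hosts = :

      # Envelope sender whose domain does not exist or cannot take mail:
      # refuse now; a bounce to it could never be delivered anyway.
      require verify = sender

      # Domains hosted here: the routers are asked whether the local part
      # exists while RCPT TO is still open. An unknown user gets a 550 at
      # this point, so nothing is accepted and nothing is bounced later.
      accept  domains = +local_domains
              endpass
              message = Unknown user
              verify  = recipient

      # Domains relayed to a backend mailbox host: do an SMTP callout so the
      # backend vouches for the address before we answer 250. defer_ok means
      # a backend that is down does not block legitimate mail.
      accept  domains = +relay_to_domains
              endpass
              message = Unrecognised recipient
              verify  = recipient/callout=20s,defer_ok

      # Nothing else is accepted (otherwise this would be an open relay).
      deny    message = relay not permitted

    begin routers

    # Verification only works if the routers genuinely fail for unknown users.
    # A catch-all router with no local_parts or check_local_user condition
    # makes every address "verify" and pushes the failure into a post-accept
    # bounce, which is exactly the backscatter the thread describes.
    local_users:
      driver = accept
      domains = +local_domains
      check_local_user
      transport = courier_maildir
    ```

    You can rehearse the dialogue without sending anything using `exim -bh 192.0.2.1` (a documentation address) and watch what the RCPT TO for a bogus user returns.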

  6. #6
    Linux Enthusiast scathefire
    Join Date
    Jan 2010
    Location
    Western Kentucky
    Posts
    626
    linux user # 503963
