Backscattering filter?

Backscattering filter?

Geert Batsleer
Hi,

over the last couple of days I seem to get more and more spam which looks like a bounced email with subjects like "MAILER DAEMON ... " and other variations, where the emails are bounced from mostly Russian servers and where my email address has been spoofed so that I receive the bounced mail instead of the original sender.

Any idea how I can fix this with header_checks or procmail?

Kind regards,

Geert

PS  postfix-2.2.10-1.1.el4 + spamassassin-3.2.4-1.el4.rf

Re: Backscattering filter?

Ralf Hildebrandt
* Geert Batsleer <[hidden email]>:
> Hi,
>
> over the last couple of days I seem to get more and more spam which
> looks like a bounced email with subjects like "MAILER DAEMON ... " and
> other variations, where the emails are bounced from mostly Russian
> servers and where my email address has been spoofed so that I receive
> the bounced mail instead of the original sender.
>
> Any idea how I can fix this with header_checks or procmail?

I use in header_checks and body_checks:

/^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found

if /^Received: from .*by mail(-ausfall)?\.charite\.de/
!/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
endif

This makes sure that a bounce which contains a fake
mail/mail-ausfall.charite.de Received: header will be rejected.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Setup, Operation and Maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
In German "invent-a-new-word-where-a-perfectly-good-one-already-exists" is
probably a word.
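
What Ralf's two pcre rules actually do, spelled out as an added Python emulation (this is not Postfix's code and not Ralf's; it only reproduces the table logic). Postfix tests header_checks against each unfolded header line and body_checks against each body line; the original message's headers inside a bounce are body lines, which is why the same rules go into both tables. The outer `if /.../` selects lines that claim to have passed through mail.charite.de or mail-ausfall.charite.de, and the negated inner pattern (the leading `!`, with the `/i` flag) rejects those lines unless they carry the " (Postfix) with " stamp the real servers always write. The sample bounce lines, relay.example.net and the addresses are constructed for the demonstration.

```python
import re

# Rule 1: a Received: line claiming "by nomail.charite.de" is always forged.
RULE1 = re.compile(r"^Received: from .*by nomail\.charite\.de")
RULE1_ACTION = "Fake nomail.charite.de Received: Header found"

# Rule 2, the outer "if": the line claims to have passed through
# mail.charite.de or mail-ausfall.charite.de ...
RULE2_IF = re.compile(r"^Received: from .*by mail(-ausfall)?\.charite\.de")
# ... and the inner, negated ("!") pattern with the /i flag: REJECT unless the
# " (Postfix) with " stamp that the real servers always write is present.
RULE2_INNER = re.compile(r" \(Postfix\) with ", re.IGNORECASE)
RULE2_ACTION = ("Fake charite.de Received: Header found, "
                "this is a bounce for a mail our system did not send!")


def check_line(line):
    """Return the REJECT text for a line the rules reject, or None to let it pass."""
    if RULE1.search(line):
        return RULE1_ACTION
    if RULE2_IF.search(line):
        # Inside the if/endif block. The "!" negation means the action fires
        # when the inner pattern does NOT match the line.
        if not RULE2_INNER.search(line):
            return RULE2_ACTION
    return None


def check_message(lines):
    """Walk the lines the way cleanup(8) does: the first matching rule wins.

    Returns (1-based line number, REJECT text), or None when nothing matched.
    """
    for number, line in enumerate(lines, start=1):
        verdict = check_line(line)
        if verdict is not None:
            return number, verdict
    return None


# Constructed sample: the body of a backscatter bounce. The quoted original
# headers are forged: the "by mail.charite.de" hop lacks the "(Postfix) with"
# stamp. Hostnames and addresses are placeholders.
SAMPLE_BOUNCE = [
    "This is the mail system at host relay.example.net.",
    "",
    "Received: from mail.charite.de (mail.charite.de [192.0.2.10])"
    " by relay.example.net (Postfix) with ESMTP id 0000001",
    "Received: from user-pc (unknown [203.0.113.5])"
    " by mail.charite.de with SMTP id 0000002",
    "From: <someone@charite.de>",
]

# A line as a real charite.de hop would have written it: passes rule 2.
GENUINE_HOP = ("Received: from host.example.org (host.example.org [198.51.100.7])"
               " by mail.charite.de (Postfix) with ESMTP id 0000003")

if __name__ == "__main__":
    print(check_line(GENUINE_HOP))       # the genuine hop passes
    print(check_message(SAMPLE_BOUNCE))  # line 4 is rejected by rule 2
```

Two things worth keeping in mind when copying the pattern to another site: header_checks and body_checks apply to all mail that passes cleanup(8), not only to bounces, and the rule is only safe because every charite.de server really does stamp "(Postfix) with"; a site whose MTAs write a different Received: format has to adjust the inner pattern to its own stamp first.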

Re: Backscattering filter?

Geert Batsleer


2008/5/7 Ralf Hildebrandt <[hidden email]>:
> * Geert Batsleer <[hidden email]>:
> > Hi,
> >
> > over the last couple of days I seem to get more and more spam which
> > looks like a bounced email with subjects like "MAILER DAEMON ... " and
> > other variations, where the emails are bounced from mostly Russian
> > servers and where my email address has been spoofed so that I receive
> > the bounced mail instead of the original sender.
> >
> > Any idea how I can fix this with header_checks or procmail?
>
> I use in header_checks and body_checks:
>
> /^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
>
> if /^Received: from .*by mail(-ausfall)?\.charite\.de/
> !/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
> endif
>
> This makes sure that a bounce which contains a fake
> mail/mail-ausfall.charite.de Received: header will be rejected.


Thanks Ralf!

Just one more question... now I have 4 domains which I use in conjunction with /etc/postfix/virtual, so do I need to add this separately for all 4 domains, and not for every address in /etc/postfix/virtual?

Kind regards,

Geert


Re: Backscattering filter?

Ralf Hildebrandt
* Geert Batsleer <[hidden email]>:

> Just one more question... now I have 4 domains which I use in conjunction with
> /etc/postfix/virtual, so do I need to add this separately for all 4 domains,
> and not for every address in /etc/postfix/virtual?

Look at your received: headers, they contain the answer (use
[hidden email] to see the headers)

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Setup, Operation and Maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
The black hat community is drooling over the possibility of a secure
execution environment that would allow applications to run in a secure
area which cannot be attached to via debuggers. -- Jason Spence, on Palladium aka NGCSB aka "Trusted Computing"

Re: Backscattering filter?

Sebastian Ries
In reply to this post by Ralf Hildebrandt
Hi

> I use in header_checks and body_checks:
>
> /^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
>
> if /^Received: from .*by mail(-ausfall)?\.charite\.de/
> !/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
> endif
>
> This makes sure that a bounce which contains a fake
> mail/mail-ausfall.charite.de Received: header will be rejected.
>

Can anyone explain what this really does?
I do not want to use a check that I do not really understand...

Regards
Sebastian Ries

--
------------------------------------------------------------
DT Netsolution GmbH -  Talaeckerstr. 30 -  D-70437 Stuttgart
Tel: +49-711-849910-36               Fax: +49-711-849910-936
WEB: http://www.dtnet.de/     email: [hidden email]

Re: Backscattering filter?

Charles Marcus
In reply to this post by Ralf Hildebrandt
On 5/7/2008 4:06 AM, Ralf Hildebrandt wrote:
>> over the last couple of days I seem to get more and more spam which
>> looks like a bounced email with subjects like "MAILER DAEMON ... " and
>> other variations, where the emails are bounced from mostly Russian
>> servers and where my email address has been spoofed so that I receive
>> the bounced mail instead of the original sender.
>>
>> Any idea how I can fix this with header_checks or procmail?

> I use in header_checks and body_checks:
>
> /^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
>
> if /^Received: from .*by mail(-ausfall)?\.charite\.de/
> !/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
> endif
>
> This makes sure that a bounce which contains a fake
> mail/mail-ausfall.charite.de Received: header will be rejected.

Hmmm... interesting...

How reliable is this? If it is very reliable, then maybe it would make
sense to provide an internal postfix mechanism for dealing with this?
Maybe a way to provide a simple list of domain names to postfix (so
people like me don't have to try to wrangle regex expressions that are
easily borked - especially by someone who isn't intimately familiar with
them) that it can use to evaluate whether an NDR contains a fake header
for one of the defined domains? Maybe an option that can be set in
smtpd_client_restrictions or somewhere, something like
'reject_invalid_ndr' or something...

--

Best regards,

Charles

Re: Backscattering filter?

Robert Schetterer
In reply to this post by Sebastian Ries
Sebastian Ries wrote:

> Hi
>
>> I use in header_checks and body_checks:
>>
>> /^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
>>
>> if /^Received: from .*by mail(-ausfall)?\.charite\.de/
>> !/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
>> endif
>>
>> This makes sure that a bounce which contains a fake
>> mail/mail-ausfall.charite.de Received: header will be rejected.
>>
>
> Can anyone explain what this really does?
> I do not want to use a check that I do not really understand...
>
> Regards
> Sebastian Ries
>
The idea, in very short, is to look in the (bounce) mail, which should
include some info like "received from servername", and match it to your
servername; if there isn't such info or it doesn't match, it was not
delivered out from your server, so it can't be a legal bounce, so you may
reject it.
You may use other marks to identify backscatter mails by using or adding
other signs to all mail outbound from your server (but be aware that they
may be faked too in the future by header manipulation).
I hope this short description is right, otherwise gurus may correct me.
There is also a project which uses more sophisticated forms to prevent
backscatter:
http://babel.de/batv.html
I read some milter is there for BATV too, but I didn't test it yet.

--

With kind regards
Best Regards

Robert Schetterer

https://www.schetterer.org
Munich/Bavaria/Germany

Re: Backscattering filter?

Ralf Hildebrandt
In reply to this post by Sebastian Ries
* Sebastian Ries <[hidden email]>:

> Hi
>
> > I use in header_checks and body_checks:
> >
> > /^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
> >
> > if /^Received: from .*by mail(-ausfall)?\.charite\.de/
> > !/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
> > endif
> >
> > This makes sure that a bounce which contains a fake
> > mail/mail-ausfall.charite.de Received: header will be rejected.
> >
>
> Can anyone explain what this really does?
> I do not want to use a check that I do not really understand...

IF the Received header contains mail.charite.de or mail-ausfall.charite.de
THEN check whether "(Postfix)" is in there as well.
If not, it is a forgery.

Pardon my German.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Setup, Operation and Maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
The government is CLEARLY an out of control robot that has decided the
greatest danger to America is Americans.

Re: Backscattering filter?

Ralf Hildebrandt
In reply to this post by Charles Marcus
* Charles Marcus <[hidden email]>:

>> This makes sure that a bounce which contains a fake
>> mail/mail-ausfall.charite.de Received: header will be rejected.
>
> Hmmm... interesting...
>
> How reliable is this?

It works for me :)

> If it is very reliable, then maybe it would make sense to provide an
> internal postfix mechanism for dealing with this?  Maybe a way to
> provide a simple list of domain names to postfix (so people like me
> don't have to try to wrangle regex expressions that are easily borked -
> especially by someone who isn't intimately familiar with them) that it
> can use to evaluate whether an NDR contains a fake header for one of
> the defined domains? Maybe an option that can be set in
> smtpd_client_restrictions or somewhere, something like
> 'reject_invalid_ndr' or something...
>
> --
>
> Best regards,
>
> Charles

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Setup, Operation and Maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
Unix is the answer, but only if you phrase the question very carefully.

Re: Backscattering filter?

Sigmund Scheinbar-3
In reply to this post by Geert Batsleer
Geert Batsleer wrote:
> over the last couple of days I seem to get more and more spam which looks
> like a bounced email with subjects like "MAILER DAEMON ... " and other
> variations, where the emails are bounced from mostly Russian servers and
> where my email address has been spoofed so that I receive the bounced
> mail instead of the original sender.

my config:

/etc/postfix/main.cf:
        smtpd_client_restrictions =
                ...
                check_client_access hash:/etc/postfix/maps/client_access
                ...

/etc/postfix/maps/client_access:
        ...
        <>    reject_rbl_client ips.backscatterer.org

Re: Backscattering filter?

Henrik K
On Wed, May 07, 2008 at 01:03:52PM +0200, Sigmund Scheinbar wrote:

> Geert Batsleer wrote:
> > over the last couple of days I seem to get more and more spam which looks
> > like a bounced email with subjects like "MAILER DAEMON ... " and other
> > variations, where the emails are bounced from mostly Russian servers and
> > where my email address has been spoofed so that I receive the bounced
> > mail instead of the original sender.
>
> my config:
>
> /etc/postfix/main.cf:
> smtpd_client_restrictions =
> ...
> check_client_access hash:/etc/postfix/maps/client_access
> ...
>
> /etc/postfix/maps/client_access:
> ...
> <>    reject_rbl_client ips.backscatterer.org

It will reject many legitimate things, since <> is used by many other things
than just bounces, while ips.backscatterer.org lists a _lot_ of hosts.

Also your example is wrong, it should be recipient, not client.


Re: Backscattering filter?

Henrik K
On Wed, May 07, 2008 at 02:12:51PM +0300, Henrik K wrote:

> On Wed, May 07, 2008 at 01:03:52PM +0200, Sigmund Scheinbar wrote:
> > Geert Batsleer wrote:
> > > over the last couple of days I seem to get more and more spam which looks
> > > like a bounced email with subjects like "MAILER DAEMON ... " and other
> > > variations, where the emails are bounced from mostly Russian servers and
> > > where my email address has been spoofed so that I receive the bounced
> > > mail instead of the original sender.
> >
> > my config:
> >
> > /etc/postfix/main.cf:
> > smtpd_client_restrictions =
> > ...
> > check_client_access hash:/etc/postfix/maps/client_access
> > ...
> >
> > /etc/postfix/maps/client_access:
> > ...
> > <>    reject_rbl_client ips.backscatterer.org
>
> It will reject many legitimate things, since <> is used by many other things
> than just bounces, while ips.backscatterer.org lists a _lot_ of hosts.
>
> Also your example is wrong, it should be recipient, not client.

Ahem, I mean sender. Sorry for the extra noise.
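
Sigmund's fragment with Henrik's correction applied, as an added example (this is not configuration from either poster). A client access table is keyed by the client's hostname and address, so a `<>` key there never matches anything; the null envelope sender is looked up in a sender access table under the key `<>` (the default of `smtpd_null_access_lookup_key`). `check_sender_access` can sit in any `smtpd_*_restrictions` list; `smtpd_sender_restrictions` is used here to stay close to the original. Henrik's caveat is unchanged: `<>` is also the sender of DSNs, vacation replies and other automated mail, and the list is broad, so the rule trades some legitimate mail for less backscatter.

```text
/etc/postfix/main.cf:
        smtpd_sender_restrictions =
                ...
                check_sender_access hash:/etc/postfix/maps/sender_access
                ...

/etc/postfix/maps/sender_access:
        # null envelope sender: bounces, but also other automated mail
        <>    reject_rbl_client ips.backscatterer.org
```

Run `postmap /etc/postfix/maps/sender_access` after editing the map so the hash: file is rebuilt.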


Re: Backscattering filter?

mouss-2
In reply to this post by Charles Marcus
Charles Marcus wrote:

> [snip]
> Hmmm... interesting...
>
> How reliable is this? If it is very reliable,
> then maybe it would make sense to provide an internal postfix
> mechanism for dealing with this? Maybe a way to provide a simple list
> of domain names to postfix (so people like me don't have to try to
> wrangle regex expressions that are easily borked - especially by
> someone who isn't intimately familiar with them) that it can use to
> evaluate whether an NDR contains a fake header for one of the defined
> domains? Maybe an option that can be set in smtpd_client_restrictions
> or somewhere, something like 'reject_invalid_ndr' or something...

It's hard to make it general, because it depends on your "practice".
Suppose your domain is "example.com".

- if you always use a host part in your MTAs' hostnames (your MTA
hostname is of the form *.example.com, and not just "example.com"), then a
    Received: ... by example.com ...
is fake.
- if you always use a host part in your helo, then
    Received: from example.com ...
is fake.
- if you always use postfix, then
    Received: ... by *.example.com (Postfix)
is ok, but not
    Received: ... by *.example.com (foobar or whatever)
- if all systems that use a helo in your domain have an rDNS in your
domains, then
    Received: from *.example.com (foo.bar ...
is fake (where foo.bar is not in example.com, and is not "unknown").
[unknown is acceptable since the remote system may fail to resolve your
IP].
- If you never use a literal IP helo, then
    Received: from [192.0.1.2] ..
is fake (192.0.1.2 is one of your IPs - or actually any IP that never
sends mail...).

you can do variations of these using Received header formats generated
by other MTAs.


As you can see, the heuristics above will not work for people who set
their hostname to the domain name (i.e. without a "host" part), and will
be hard to implement for sites with many domain variations. In short,
they require some sort of "discipline"/conventions.

Note that these checks may also be performed in header_checks to block
spam with forged headers, and a few of them can be used in
check_helo_access (to block forged helo).


All that said,
- some systems do not include Received headers in the body of their
bounces.  Some bounces do not contain more than "message rejected:
mailbox action not taken". You have no idea what it's about...
- not all spammers forge your helo (nor message-id...).
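
The conventions mouss lists above, turned into a configurable checker, as an added Python example (not mouss's code and not Postfix's). Each convention is a flag on the site description, because a check is only valid where the site really follows the convention behind it; turning a flag off removes that verdict. The domain example.com, the hostname foo.bar and the address 192.0.1.2 come from mouss's text; mx.example.com, mx.other.net, spam-pc, 203.0.113.9, 198.51.100.4 and the sample Received: lines are constructed for the demonstration. The Received: layout parsed here is the common "from HELO (RDNS [IP]) by HOST (MTA) with ..." form; other MTAs' formats would need their own parser.

```python
import re
from dataclasses import dataclass, field

# A Received: line as most MTAs write it:
#   Received: from HELO (RDNS [IP]) by HOST (MTA) with ...
# The "(RDNS [IP])" and "(MTA)" parts are optional; RDNS may be "unknown".
RECEIVED = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)"
    r"(?:\s+\((?P<mta>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass
class Conventions:
    """Which of mouss's conventions this site actually follows (constructed)."""
    domain: str
    mta_hostnames_have_host_part: bool = True  # our MTAs are *.example.com, never bare example.com
    helo_has_host_part: bool = True            # our outbound HELO is *.example.com, never bare
    always_postfix: bool = True                # our MTAs always stamp "(Postfix)"
    rdns_in_domain: bool = True                # hosts that HELO as *.example.com resolve inside it
    never_literal_ip_helo: bool = True         # we never HELO with a bare [address] literal
    our_ips: set = field(default_factory=set)  # addresses of our MTAs


def _norm(name):
    return name.lower().rstrip(".")


def _host_in(name, domain):
    """True for host.example.com; False for bare example.com or other domains."""
    return _norm(name).endswith("." + domain)


def _in_domain(name, domain):
    """True for example.com itself and for anything below it."""
    return _norm(name) == domain or _host_in(name, domain)


def forged_reasons(line, conv):
    """Return the conventions a Received: line violates (empty list = no verdict)."""
    m = RECEIVED.match(line)
    if m is None:
        return []  # not a Received: line we can parse: say nothing
    helo, rdns, by, mta = (m.group(g) for g in ("helo", "rdns", "by", "mta"))
    d = _norm(conv.domain)
    reasons = []
    if conv.mta_hostnames_have_host_part and _norm(by) == d:
        reasons.append("'by' names the bare domain; our MTAs always have a host part")
    if conv.helo_has_host_part and _norm(helo) == d:
        reasons.append("HELO is the bare domain; our hosts always use a host part")
    if conv.always_postfix and _host_in(by, d) and not (mta or "").startswith("Postfix"):
        reasons.append("'by' names one of our hosts but the hop is not stamped (Postfix)")
    if (conv.rdns_in_domain and _host_in(helo, d) and rdns is not None
            and _norm(rdns) != "unknown" and not _in_domain(rdns, d)):
        reasons.append("HELO is in our domain but rDNS %s is outside it" % rdns)
    if conv.never_literal_ip_helo and helo.startswith("[") and helo.strip("[]") in conv.our_ips:
        reasons.append("literal-IP HELO using one of our addresses")
    return reasons


def first_forged(lines, conv):
    """First (1-based line number, reasons) in a message body, or None."""
    for number, line in enumerate(lines, start=1):
        reasons = forged_reasons(line, conv)
        if reasons:
            return number, reasons
    return None


# Constructed sample lines for the domain example.com; hostnames and addresses
# are placeholders (192.0.1.2 is kept as "one of our IPs", as in mouss's text).
SITE = Conventions(domain="example.com", our_ips={"192.0.1.2"})
FORGED = [  # one line per convention, in the order mouss lists them
    "Received: from spam-pc (unknown [203.0.113.9]) by example.com (Postfix) with ESMTP id 1",
    "Received: from example.com (unknown [203.0.113.9]) by mx.other.net (Postfix) with ESMTP id 2",
    "Received: from spam-pc (unknown [203.0.113.9]) by mx.example.com (foobar) with SMTP id 3",
    "Received: from mx.example.com (foo.bar [203.0.113.9]) by mx.other.net (Postfix) with ESMTP id 4",
    "Received: from [192.0.1.2] (unknown [203.0.113.9]) by mx.other.net (Postfix) with ESMTP id 5",
]
GENUINE = [  # a real hop from our MTA, with and without working rDNS at the far end
    "Received: from mx.example.com (mx.example.com [198.51.100.4]) by mx.other.net (Postfix) with ESMTP id 6",
    "Received: from mx.example.com (unknown [198.51.100.4]) by mx.other.net (Postfix) with ESMTP id 7",
]

if __name__ == "__main__":
    for line in FORGED + GENUINE:
        print(forged_reasons(line, SITE))
```

Read together with mouss's own caveats: the checker can only speak about Received: lines that are present and parseable, so a bounce that quotes no headers gets no verdict at all, and a site that sets its MTA hostname to the bare domain must switch the first two flags off or it will reject its own mail.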





Re: Backscattering filter?

Sebastian Ries
In reply to this post by Ralf Hildebrandt
On Wednesday, 07.05.2008, 12:54 +0200, Ralf Hildebrandt wrote:

> * Sebastian Ries <[hidden email]>:
> > Hi
> >
> > > I use in header_checks and body_checks:
> > >
> > > /^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
> > >
> > > if /^Received: from .*by mail(-ausfall)?\.charite\.de/
> > > !/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
> > > endif
> > >
> > > This makes sure that a bounce which contains a fake
> > > mail/mail-ausfall.charite.de Received: header will be rejected.
> > >
> >
> > Can anyone explain what this really does?
> > I do not want to use a check that I do not really understand...
>
> IF the Received header contains mail.charite.de or mail-ausfall.charite.de
> THEN check whether "(Postfix)" is in there as well.
> If not, it is a forgery.
>
> Pardon my German.

Thanks (and also thanks to Robert Schetterer)

What I still do not understand is which headers are checked...

The headers of the original message do not contain any Received entry
for my mail servers (as the mail never crossed them).
The headers of the bounce-mail should never be checked as the mail isn't
spam in the first approach...

So (as I understand) the RegEx will not catch my backscatter :-(

Does anyone have some RegEx that tag messages where my mail server does
not appear in the original message?
(I just have basic knowledge about RegEx)

Regards
Sebastian Ries

--
------------------------------------------------------------
DT Netsolution GmbH -  Talaeckerstr. 30 -  D-70437 Stuttgart
Tel: +49-711-849910-36               Fax: +49-711-849910-936
WEB: http://www.dtnet.de/     email: [hidden email]

Re: Backscattering filter?

mouss-2
In reply to this post by Henrik K
Henrik K wrote:

> On Wed, May 07, 2008 at 02:12:51PM +0300, Henrik K wrote:
>  
>> On Wed, May 07, 2008 at 01:03:52PM +0200, Sigmund Scheinbar wrote:
>>    
>>> Geert Batsleer wrote:
>>>      
>>>> over the last couple of days I seem to get more and more spam which looks
>>>> like a bounced email with subjects like "MAILER DAEMON ... " and other
>>>> variations, where the emails are bounced from mostly Russian servers and
>>>> where my email address has been spoofed so that I receive the bounced
>>>> mail instead of the original sender.
>>>>        
>>> my config:
>>>
>>> /etc/postfix/main.cf:
>>> smtpd_client_restrictions =
>>> ...
>>> check_client_access hash:/etc/postfix/maps/client_access
>>> ...
>>>
>>> /etc/postfix/maps/client_access:
>>> ...
>>> <>    reject_rbl_client ips.backscatterer.org
>>>      
>> It will reject many legitimate things, since <> is used by many other things
>> than just bounces, while ips.backscatterer.org lists a _lot_ of hosts.
>>    

I find this acceptable. Backscatter is causing too many problems.


>> Also your example is wrong, it should be recipient, not client.
>>    
>
> Ahem, I mean sender.

Indeed.
>  Sorry for the extra noise.
>
>  


Re: Backscattering filter?

mouss-2
In reply to this post by Sebastian Ries
Sebastian Ries wrote:

> Am Mittwoch, den 07.05.2008, 12:54 +0200 schrieb Ralf Hildebrandt:
>  
>> * Sebastian Ries <[hidden email]>:
>>    
>>> Hi
>>>
>>>      
>>>> I use in header_checks and body_checks:
>>>>
>>>> /^Received: from .*by nomail\.charite\.de/  REJECT Fake nomail.charite.de Received: Header found
>>>>
>>>> if /^Received: from .*by mail(-ausfall)?\.charite\.de/
>>>> !/ \(Postfix\) with /i   REJECT Fake charite.de Received: Header found, this is a bounce for a mail our system did not send!
>>>> endif
>>>>
>>>> This makes sure that a bounce which contains a fake
>>>> mail/mail-ausfall.charite.de Received: header will be rejected.
>>>>
>>>>        
>>> Can anyone explain what this really does?
>>> I do not want to use a check that I do not really understand...
>>>      
>> IF the Received header contains mail.charite.de or mail-ausfall.charite.de
>> THEN check whether "(Postfix)" is in there as well.
>> If not, it is a forgery.
>>
>> Pardon my German.
>>    
>
> Thanks (and also thanks to Robert Schetterer)
>
> What I still do not understand is which headers are checked...
>  

The headers inside the body of the bounce message. Unfortunately, they
are not always present.

> The headers of the original message do not contain any Received entry
> for my mail servers (as the mail never crossed them).
> The headers of the bounce-mail should never be checked as the mail isn't
> spam in the first approach...
>
> So (as I understand) the RegEx will not catch my backscatter :-(
>
> Does anyone have some RegEx that tag messages where my mail server does
> not appear in the original message?
> (I just have basic knowledge about RegEx)
>  

You can't catch absence :-p  You need a content filter.





Re: Backscattering filter?

Charles Marcus
In reply to this post by mouss-2
On 5/7/2008, mouss ([hidden email]) wrote:
> All that said,
> - some systems do not include Received headers in the body of their
> bounces.  Some bounces do not contain more than "message rejected:
> mailbox action not taken". You have no idea what it's about...
> - not all spammers forge your helo (nor message-id...).

Oh, I know this would not be a blanket fix, I was just thinking there
may be a simple check that could at least *reliably* stop *some* of it -
mainly, those with obviously forged headers...

Obviously, an admin would have to know what he was doing if they decided
to use it - but hey, that's the case with pretty much *all* of the
non-default parameters/checks postfix can do, no? :)

Of course, if postfix cannot determine reliably that it is fake, it
should not block it based on a check like this alone.

--

Best regards,

Charles

Re: Backscattering filter?

Wietse Venema
Charles Marcus:

> On 5/7/2008, mouss ([hidden email]) wrote:
> > All that said,
> > - some systems do not include Received headers in the body of their
> > bounces.  Some bounces do not contain more than "message rejected:
> > mailbox action not taken". You have no idea what it's about...
> > - not all spammers forge your helo (nor message-id...).
>
> Oh, I know this would not be a blanket fix, I was just thinking there
> may be a simple check that could at least *reliably* stop *some* of it -
> mainly, those with obviously forged headers...

You can't reliably stop a portion of mail when you can't understand
what portion of mail is being stopped.

Features that make Postfix "easier to use" must not make Postfix
harder to understand.

        Wietse

Re: Backscattering filter?

Charles Marcus
On 5/7/2008, Wietse Venema ([hidden email]) wrote:
> You can't reliably stop a portion of mail when you can't understand
> what portion of mail is being stopped.

Ok... so, are you saying there is no reliable way to detect forged NDRs,
and that the regex Ralf is using is 'unreliable'?

Oh... or maybe just that there is no reliable way to tell an NDR from
another message with Mail From = <>?

Obviously I'm clueless, and just trying to understand...

Thanks,

--

Best regards,

Charles

Re: Backscattering filter?

Wietse Venema
Charles Marcus:
> On 5/7/2008, Wietse Venema ([hidden email]) wrote:
> > You can't reliably stop a portion of mail when you can't understand
> > what portion of mail is being stopped.
>
> Ok... so, are you saying there is no reliable way to detect forged NDRs,
> and that the regex Ralf is using is 'unreliable'?

No. I was responding to YOUR text. The part that you deleted above.

If I had been responding to RALF's text, then I would have replied
to HIS email, not YOURs.

        Wietse