SPAM attack from bounce techniques


SPAM attack from bounce techniques

Rafael Azevedo-4
Hi there,

I've noticed that one of our servers is receiving a huge amount of unauthorized requests.

A user connects to our server and tries to send an email to any destination. Our server denies the message because the user is not authenticated. Then a bounce is generated to the source address, which was fake and turns out to be the final destination, so in the end the email is actually sent as a bounce, proliferating lots of spam.

Is there a way to avoid this?

Thanks in advance.

BR,

Rafael 

AW: SPAM attack from bounce techniques

ludicree

Hi Rafael,

quick thoughts. Do you have

smtpd_recipient_restrictions = reject_unauth_destination

in your main.cf?

The request should be rejected and not be queued.

Greets,

Ludi


Re: [External] SPAM attack from bounce techniques

Kevin A. McGrail
In reply to this post by Rafael Azevedo-4
On 12/29/2020 7:37 AM, Rafael Azevedo wrote:

> Hi there,
>
> I've noticed that one of our servers is receiving a huge amount of
> unauthorized requests.
>
> User connects to our server and tries to send an email to any
> destination. Our servers denies the message because user is not
> authenticated. Then, a bounce is generated to the source address,
> which was fake and turns to be the final destination, so at the end,
> the email is actually sent as a bounce, proliferating lots of spam.
>
> Is there a way to avoid this?

Hi Rafael, This sounds like backscatter.  To avoid it, you need to
reject the email during the real-time SMTP dialog with the sender, i.e.
during the connection from the sender, if it's an invalid recipient,
reject with 5xx.  This will cause you to tell the sending server and you
don't generate a bounce.

The question is: Why are you accepting the email, then determining it's
invalid, and creating a bounce?  I would typically look at some sort of
architecture issue where you haven't done what we call promoted the
valid users to the edge of your internet connection.

Hope this helps and share more information for more guidance.


Regards,
KAM



Re: SPAM attack from bounce techniques

Rafael Azevedo-4
In reply to this post by ludicree
Hi there,
Thanks for the reply.

Yes I do:

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unknown_reverse_client_hostname,
  reject_unknown_client_hostname,
  reject_unknown_sender_domain,
  reject_non_fqdn_recipient,
  reject_unauth_destination,
  #reject_unauth_pipelining,
  reject_unverified_recipient,
  reject_unknown_recipient_domain,
  #reject_invalid_hostname,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client sbl-xbl.spamhaus.org,
  check_recipient_access mysql:/etc/postfix/mysql_hold.cf

Huge thanks


Re: [External] SPAM attack from bounce techniques

Rafael Azevedo-4
In reply to this post by Kevin A. McGrail
Hi Kevin,
I think this might be related to a customized content filter after queue that we have.
How should the content filter answer in case we don't want to accept the message, neither for bounces nor for the delivery queue?
Huge thanks!


Re: [External] SPAM attack from bounce techniques

Wietse Venema
Rafael Azevedo:
> Hi Kevin,
> I think this might be related to a customized content filter after queue
> that we have.
> How should the content filter answer in case we don't want to accept the
> message neither for bounces or to the delivery queue?
> Huge thanks!

Options:

- Run it as a before-queue filter (using smtpd_proxy_filter, see
http://www.postfix.org/SMTPD_PROXY_README.html).

- Run it as a before-queue filter (using the Milter API, see
http://www.postfix.org/MILTER_README.html). There are several systems
that can be used this way (spamassassin, amavis, to name a few).

- Otherwise, quarantine, or file to spam folder (perhaps add a
"SPAM" message header and use a Sieve rule). This is not as bad as
silently discarding email.

        Wietse


Re: SPAM attack from bounce techniques

Rafael Azevedo-4
In reply to this post by Rafael Azevedo-4
Guys,
According to this reference [1], one of the principal operations is to discard or quarantine the message.
How should the MAIL FILTER respond to Postfix so it could do such actions?

Huge thanks,

BR,
Rafael



Re: [External] SPAM attack from bounce techniques

Rafael Azevedo-4
In reply to this post by Wietse Venema
Hi Wietse,
Thanks for the help!
I've just asked in another message about how to proceed in the "otherwise" option.
I'm trying to quarantine the message and don't really know how to do it.
Any help would be appreciated.

Thanks once again.
BR,
Rafael


Re: SPAM attack from bounce techniques

Wietse Venema
In reply to this post by Rafael Azevedo-4
Rafael Azevedo:
> Guys,
> According to this referente [1], one of the principal operations is to
> discard or quarantine the message.
> How should the MAIL FILTER respond to postfix so it could do such actions?

EHLO blah
250 ok
MAIL FROM:<xxx>
250 ok
RCPT TO:<xxx>
250 ok
DATA
354 blah
header
body
.
250 ok
QUIT
221 blah

But, consider the three options that I mentioned in my response.

        Wietse
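The filter side of the exchange above, as an added example that is not from the thread or from Postfix: a small Python state machine that answers a post-queue content filter's SMTP session the way Wietse describes (250 at every step, 354 for DATA, 221 on QUIT) and then marks the accepted message with an X-Spam-Flag header for a Sieve rule instead of rejecting it. The names filter_session and looks_like_spam, the X-Spam-Flag header and the X-Test-Spam marker are assumptions for this demo.

```python
from email import message_from_string
from email.message import Message


def looks_like_spam(msg: Message) -> bool:
    """Placeholder classifier (assumption): a real filter would call
    SpamAssassin, amavis or similar here."""
    return "X-Test-Spam" in msg  # constructed marker used by the demo only


def filter_session(client_lines):
    """Answer each line Postfix sends to the post-queue filter.

    Returns (replies, action, message). The filter accepts at every step:
    the message is already in the queue, so a 5xx here would make Postfix
    generate a bounce to the (forged) sender, i.e. the backscatter the
    thread is about. 'action' is 'deliver' or 'quarantine'."""
    replies, in_data, data, action, msg = [], False, [], None, None
    for line in client_lines:
        if in_data:
            if line == ".":                      # end of DATA
                in_data = False
                msg = message_from_string("\r\n".join(data))
                if looks_like_spam(msg):
                    msg["X-Spam-Flag"] = "YES"   # header a Sieve rule can match
                    action = "quarantine"
                else:
                    action = "deliver"
                replies.append("250 ok")         # accept; never bounce post-queue
            else:
                # undo SMTP dot-stuffing: a body line starting with ".." was "."
                data.append(line[1:] if line.startswith("..") else line)
            continue
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
            replies.append("354 end data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 bye")
        elif verb in ("EHLO", "HELO", "MAIL", "RCPT", "RSET", "NOOP"):
            replies.append("250 ok")
        else:
            replies.append("502 command not implemented")
    return replies, action, msg
```

The action is what the operator then maps to a quarantine directory or a reinjection into Postfix with the added header; the filter itself never rejects.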

Re: [External] SPAM attack from bounce techniques

Wietse Venema
In reply to this post by Rafael Azevedo-4
Rafael Azevedo:
> Hi Wietse,
> Thanks for the help !
> I've just asked in another message about how to proceed in the "otherwise"
> option.
> I'm trying to quarantine the message and don't really know how to do it.
> Any help would be appreciated.

Add a header that says this is spam, then use a mail filter rule
(sieve, procmail, whatever) to file the message to a spam folder.

        Wietse