randomnut Posted April 15, 2008

Hi,

We seem to be getting a huge amount of 'undeliverable email' spam recently. As it comes through as an undeliverable, it doesn't have anything in the 'internet headers'. I've checked the clients for mailer worms etc; where would this be coming from? Some examples below.

From: System Administrator
Sent: 15 April 2008 04:48
To: egritishcentre@terra.cl **bear in mind this is NOT our domain***
Subject: Undeliverable: Check my new photos :))

Your message did not reach some or all of the intended recipients.

Subject: Check my new photos :))
Sent: 15/04/2008 03:00

The following recipient(s) could not be reached:

egritishcentre@terra.cl on 15/04/2008 04:48
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
< ironport4.terra.cl #5.0.0 smtp; 5.1.0 - Unknown address error 550-'RCPT TO:<egritishcentre@terra.cl> User unknown' (delivery attempts: 0)>

From: MAILER-DAEMON@www.dunham-bush.com.cn [mailto:MAILER-DAEMON@www.dunham-bush.com.cn]
Sent: 14 April 2008 19:54
To: *name edited*
Subject: failure notice

Hi. This is the qmail-send program at www.dunham-bush.com.cn.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<2chengduchengdu@dunham-bush.com.cn>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: **email edited**
Received: (qmail 31177 invoked from network); 15 Apr 2008 02:53:38 +0800
Received: from unknown (HELO 190-48-57-116.speedy.com.ar) (190.48.57.116) by 222.135.187.29 with SMTP; 15 Apr 2008 02:53:38 +0800
Message-ID: <000801c89e64$07b06824$65e8b799@tnuehc>
From: "Julia S." **name edited as it was our domain, but not 'julia s'**
To: <2chengduchengdu@dunham-bush.com.cn>
Subject: Check my new photos :))
Date: Mon, 14 Apr 2008 17:35:17 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

Hello!
remember me?.. new fotos(archived) you asked :))
kiss, Julia S.

What is the best way to stop these kinds of emails? We are using Symantec Mail Security for SMTP v5 as our spam filter.

thanks
+BudMan MVC Posted April 15, 2008

Is this you?

(HELO 190-48-57-116.speedy.com.ar) (190.48.57.116)

If not, then you did not send it. Spammers do NOT use their own legit address; they make them up, they use one from a list.

So if you are billy@company.com and I send an email to nobody@gmail.com and SAY it's from "billy@company.com", when that message can not be delivered to nobody@gmail.com, Gmail's servers send it back where?? You guessed it: billy@company.com, so you get a kickback saying your mail could not be delivered.

It's called backscatter.

http://www.spamresource.com/2007/02/backsc...-i-stop-it.html
Backscatter: What is it? How do I stop it?
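The test BudMan describes ("is this you?") can be automated. The script below is an added example, not code from the thread or from any product mentioned in it: it takes a bounce, finds the copy of the original message that MTAs append after a separator line, reads the `Received:` chain of that copy, and decides whether any hop was one of our own outbound servers. If none was, our address was forged by someone else and the bounce is backscatter. The sample bounce is constructed from the qmail failure notice quoted in the thread, with the edited addresses replaced by placeholders in an assumed domain `example.com`; the outbound MTA address `203.0.113.25` is also assumed.

```python
import re
import ipaddress

# Constructed sample input: the qmail bounce quoted in the thread, with the
# edited addresses replaced by placeholders in our (assumed) domain example.com.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@www.dunham-bush.com.cn
Subject: failure notice

Hi. This is the qmail-send program at www.dunham-bush.com.cn.
I'm afraid I wasn't able to deliver your message to the following addresses.

<2chengduchengdu@dunham-bush.com.cn>:
Sorry, no mailbox here by that name. vpopmail (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <someone@example.com>
Received: (qmail 31177 invoked from network); 15 Apr 2008 02:53:38 +0800
Received: from unknown (HELO 190-48-57-116.speedy.com.ar) (190.48.57.116)
  by 222.135.187.29 with SMTP; 15 Apr 2008 02:53:38 +0800
Message-ID: <000801c89e64$07b06824$65e8b799@tnuehc>
From: "Julia S." <someone@example.com>
To: <2chengduchengdu@dunham-bush.com.cn>
Subject: Check my new photos :))
"""

# Assumed: the public IPs our own outbound mail servers really deliver from.
OUR_OUTBOUND_MTAS = {ipaddress.ip_address("203.0.113.25")}

# Separator lines that common MTAs put before the copy of the original message.
SEPARATORS = (
    "--- Below this line is a copy of the message.",                            # qmail
    "------ This is a copy of the message, including all the headers. ------",  # Exim
)

IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def original_headers(bounce_text):
    """Return the unfolded header lines of the embedded original message ([] if none)."""
    for sep in SEPARATORS:
        if sep in bounce_text:
            block = bounce_text.split(sep, 1)[1].lstrip("\n").split("\n\n", 1)[0]
            lines = []
            for raw in block.split("\n"):
                if raw[:1] in (" ", "\t") and lines:   # folded continuation line
                    lines[-1] += " " + raw.strip()
                else:
                    lines.append(raw)
            return lines
    return []


def received_from_ips(bounce_text):
    """Connecting-client IP of every Received: hop, newest hop first.

    Each relay prepends its own Received: line, so the first IPv4 address in the
    "from ..." part (before " by ") is the host that handed the message to that relay.
    """
    ips = []
    for line in original_headers(bounce_text):
        if line.lower().startswith("received:"):
            m = IPV4.search(line.split(" by ", 1)[0])
            if m:
                ips.append(m.group(1))
    return ips


def origin_ip(bounce_text):
    """IP of the host that first injected the original message, or None."""
    ips = received_from_ips(bounce_text)
    return ips[-1] if ips else None


def classify_bounce(bounce_text, our_mtas=OUR_OUTBOUND_MTAS):
    """'genuine' if one of our servers appears in the chain, 'backscatter' if the
    message never passed through us (sender address forged), 'unknown' if the
    bounce carries no copy of the original headers."""
    ips = received_from_ips(bounce_text)
    if not ips:
        return "unknown"
    if any(ipaddress.ip_address(ip) in our_mtas for ip in ips):
        return "genuine"
    return "backscatter"


if __name__ == "__main__":
    print(origin_ip(SAMPLE_BOUNCE), classify_bounce(SAMPLE_BOUNCE))
```

For the sample this reports the origin as 190.48.57.116 and the bounce as backscatter. Checking every hop rather than only the earliest one avoids misclassifying a genuine bounce whose first hop is an internal client address; the remaining caveat is that a sender can forge `Received:` lines too, so the check is a triage aid for the postmaster, not proof.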
randomnut Posted April 15, 2008 Author

Thanks very much budman, it looks like we need to enable recipient filtering in exchange.
CreightonB Posted April 15, 2008

Ya, it's annoying as hell. I've also heard it called RDNS spam and spam bouncing.
randomnut Posted April 15, 2008 Author

Is it also a good idea to have 'Sender ID validation' set to "Delete. The message will be accepted and deleted, no NDR will be sent back to the sender"? Would this cause any problems?

Any other exchange settings that can be enabled to help alleviate this problem?

thanks
Trajik 2600 Posted April 15, 2008

Additionally to randomnut - if you're going to enable recipient filtering, you should also enable tarpitting so that valid email addresses cannot be harvested from your mail server. A quick Google for Exchange tarpitting should help you out.

@CreightonB - close - it's Reverse NDR spamming. As in "non-delivery report".

HTH!
CreightonB Posted April 15, 2008

Oh ya! Dur, NDR =] I hadn't had to deal with it in a long time.
randomnut Posted April 15, 2008 Author (edited)

Thanks very much for your input everyone. So the plan of action is:

Enable recipient filtering
Enable tarpitting
reboot

Anything else that will help? With those 2 it should help reduce NDR spam?

thanks

EDIT: Also, will tarpitting interfere with the 3rd party spam filtering we're using?

Edited April 15, 2008 by randomnut
neurotronix Posted May 2, 2008

randomnut~ Hello. I'm new here. Did you implement those 'things,' and did they work out? I'm getting bombarded every other minute or so, and really would hate to have to change my email (as suggested by our IT guys).
randomnut Posted May 8, 2008 Author

Hey neurotronix,

Yes, I implemented several things which seem to have sorted the problem out:

- enabled recipient filtering in exchange
- enabled tarpitting
- added the zen.spamhaus.org list to exchange to help drop known spam if it gets past the spam filter
- set our spam filter to have LDAP connectivity with our domain controller and not to pass any mail to people not in ADUC

Now we have a lot fewer emails getting through.

Hope it helps.
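The four measures in that list all act before a message is accepted, which is the point: a server that rejects at SMTP time never has to generate an NDR of its own. The script below is an added example written for this thread, not code from Exchange, Symantec Mail Security or the thread's author; it models the decisions as plain functions so they can be read and tested offline. The DNSBL lookup is done through an injected `resolve` callable instead of real DNS, and the recipient directory, local domain, tarpit interval (5 seconds) and the "listed" answer for 190.48.57.116 are all constructed or assumed values, not claims about any real site or address.

```python
import ipaddress

# Constructed stand-ins for the directory lookup (the thread's LDAP/ADUC check)
# and for the domains we accept mail for; assumed values, not a real site.
LOCAL_DOMAINS = {"example.com"}
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

# Delay before answering an unknown-recipient RCPT TO (Exchange's tarpit
# interval); 5 seconds is assumed here as a typical setting.
TARPIT_SECONDS = 5

# Spamhaus ZEN answer codes as documented by Spamhaus (last octet of 127.0.0.x).
ZEN_CODES = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}


def dnsbl_query_name(client_ip, zone="zen.spamhaus.org"):
    """Build the reversed-octet name a DNSBL expects: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def connect_decision(client_ip, resolve):
    """Decide at connection time.

    `resolve(name)` returns the A record the DNSBL answered with, or None for
    NXDOMAIN (not listed); injecting it keeps this runnable offline.
    Returns (smtp_code, text).
    """
    answer = resolve(dnsbl_query_name(client_ip))
    if answer is None or not answer.startswith("127.0.0."):
        # Not listed, or an error/wildcard answer (Spamhaus signals refused
        # queries with 127.255.255.x): fail open and let later checks decide.
        return 220, "mail.example.com ESMTP"
    listing = ZEN_CODES.get(int(answer.rsplit(".", 1)[1]), "unknown")
    return 554, f"5.7.1 Service unavailable; client {client_ip} listed in {listing}"


def rcpt_decision(recipient, directory=VALID_RECIPIENTS, local_domains=LOCAL_DOMAINS):
    """Decide at RCPT TO time.  Returns (smtp_code, text, delay_seconds).

    Rejecting unknown users here, instead of accepting and bouncing later, is
    what stops this server generating backscatter.  The delay is the tarpit:
    it makes enumerating valid addresses by trial and error slow, while normal
    senders, who mostly address real users, never see it.
    """
    addr = recipient.strip("<> ").lower()
    domain = addr.rpartition("@")[2]
    if domain not in local_domains:
        return 550, "5.7.1 Relaying denied", 0
    if addr in directory:
        return 250, "2.1.5 Recipient OK", 0
    return 550, "5.1.1 User unknown", TARPIT_SECONDS


if __name__ == "__main__":
    # Constructed fake resolver: pretends the source IP from the thread is XBL-listed.
    fake = {dnsbl_query_name("190.48.57.116"): "127.0.0.4"}.get
    print(connect_decision("190.48.57.116", fake))
    print(connect_decision("203.0.113.9", fake))
    print(rcpt_decision("<alice@example.com>"))
    print(rcpt_decision("<nosuchuser@example.com>"))
```

The functions return the delay instead of sleeping so the caller (the SMTP session loop) applies it; in a real deployment the `resolve` argument would be a DNS A-record lookup and `directory` a cached LDAP query, as in the thread's ADUC check. This also answers the earlier question about a third-party filter: the tarpit only delays the reply to a rejected `RCPT TO`, so an upstream filter is affected only when it tries to deliver to an address that does not exist.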