IIS and SMTP - Help: Tracking Down Errant SMTP Server.


Author Help: Tracking Down Errant SMTP Server.
Bluehades

2007-07-10, 7:19 am

Hello's
I'm living in a spam nightmare and need some help tracking down an errant SMTP
engine that is wreaking havoc on users' email accounts.
From the looks of things a user's email address is being used by an errant
SMTP engine out there. The SMTP engine is sending out massive amounts of
emails and specifying this user's account as the "Return To Address".
Most of these emails are to addresses that don't exist, OR are returned back
to the user due to the content of the email. As such, the user's mailbox has
thousands of NDRs from remote mail servers.
This is some form of DNS as the user's email account is now unusable. What
is the best way to track down the sender(s) of these email messages, and has
anyone else experienced this problem?
Many thanks
Blue.
Sanford Whiteman

2007-07-10, 7:25 pm

> Hello's I'm living in spam Nightmare and need some help tracking
> down an errant SMTP engine that is wreaking havoc on users email
> accounts.


Arrant, too, I'd say.

> From the looks of things a users email address is being used by an
> errant smtp engine out there.


It'd be wishful thinking to assume it's just one "engine" -- likely a
load of zombies.

> The SMTP engine is sending out massive amounts of emails and
> specifying this users account as the "Return To Address".


Classic 'Joe Job'. There is nothing inherent in the SMTP protocol that
prohibits what we perceive as "impersonation" of an envelope sender.

Originally, JJs were largely malicious, deliberate DoS attacks against
specific senders. Later, spammers started using large ranges of sender
addresses to ensure they'd have a legit return address and thus pass
sender address verification (SAV) checks. Typically, JJs of the spam
type calm down after several days, as each address falls out of
rotation. However, JJs *designed* for spam can malfunction -- it is
both amusing and horrifying when the botnets malfunction, spewing
e-mail without variable substitution and such -- in which case they
would be as overwhelming as a deliberate attack. It would be hard to
tell one from the other unless the victim had very recently made some
enemies, such as by starting up an anti-spam business, or really any
kind of extreme personal or corporate antagonism where the other side
is tech-savvy.

The only way to attempt to proactively prevent JJs is to publish an
SPF policy for your domain. However, SPF failures are enforced by a
small enough fraction of remote servers that this will have little
practical effect. Still, publishing SPF may have an ethical (and
perhaps legal?) benefit in that it shows that you have made a
good-faith effort to highlight impersonation by listing the servers
you authorize to send mail from your domain... thus, all others are
contravening your published policy and you can't be as responsible for
them as you would be without the public record.

> This is some form of DNS as the user's email account is now
> un-usable.


DoS.

> What is the best way to track down the sender (s) of these email
> messages, and has anyone else experienced this problem?


Many millions have experienced this problem. As I said, it should
abate if it is not a deliberate targeting of this account. You can
inspect the headers of the NDRs to get an idea of how many different
IPs generated the original messages. If by some chance it is a very
small set of IPs, you can pursue it with the ISP and also with (I
understand) law enforcement, as there is case law establishing that a
crime has been committed. But chances are, you'll see a huge range of
spam zombie IPs with no responsible party.

--Sandy
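Sandy's two practical suggestions, publishing an SPF policy and inspecting the NDR headers to see how many distinct IPs generated the original messages, can be combined in one script. The following is an added example, not code from the thread or from any product named in it; the hostnames and IP addresses are constructed (RFC 5737 documentation ranges), the bounces are assumed to be RFC 3464 delivery status notifications carrying a Reporting-MTA header, and the SPF parser is deliberately simplified to ip4: mechanisms only (no a, mx, include or redirect). It reads each bounce, picks the Received: line that the bouncing server itself added (the only hop line that cannot have been forged by the zombie), tallies the originating IPs, and checks each against the victim domain's SPF record.

```python
"""Triage an NDR flood from a Joe job: count originating IPs per bounce
and check them against SPF. Added example; hosts/IPs are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed NDRs: a DSN Reporting-MTA header plus the bounced message's
# headers. In NDR 1 the zombie appended a forged Received: line beneath the
# real one, so naively taking the bottom-most hop would blame the victim's
# own relay (192.0.2.5). NDR 4 lacks Reporting-MTA and is skipped.
SAMPLE_NDRS = [
"""From: MAILER-DAEMON@mx1.example.net
Reporting-MTA: dns; mx1.example.net

Received: from dsl-pool.isp.example (unknown [198.51.100.23])
    by mx1.example.net with SMTP id B1 for <nobody@example.net>
Received: from relay.example.com (relay.example.com [192.0.2.5])
    by dsl-pool.isp.example with SMTP id C1
From: victim@example.com
""",
"""From: MAILER-DAEMON@mx1.example.net
Reporting-MTA: dns; MX1.example.net.

Received: from [198.51.100.77] (cable-77.isp.example [198.51.100.77])
    by mx1.example.net with ESMTP id B2 for <nope@example.net>
From: victim@example.com
""",
"""From: postmaster@smtp.example.org
Reporting-MTA: dns; smtp.example.org

Received: from dsl-pool.isp.example (unknown [198.51.100.23])
    by smtp.example.org with SMTP id D7 for <gone@example.org>
From: victim@example.com
""",
"""From: postmaster@legacy.example.org

Received: from dsl-pool.isp.example (unknown [198.51.100.23])
    by legacy.example.org with SMTP id E9
""",
]

# The victim domain's (constructed) policy: only the real relay may send.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"

RECEIVED_RE = re.compile(
    r"^Received: from \S+ \([^\[]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by (?P<by>\S+)", re.MULTILINE)
REPORTING_MTA_RE = re.compile(r"^Reporting-MTA:\s*dns;\s*(\S+)",
                              re.MULTILINE | re.IGNORECASE)

def unfold(text):
    """Join folded header continuation lines (RFC 5322 section 2.2.3)."""
    return re.sub(r"\r?\n[ \t]+", " ", text)

def originating_ip(ndr):
    """IP that the Reporting-MTA accepted the forged message from, or None.

    Only the Received: line written by the bouncing server is trustworthy;
    every line below it was supplied by the sender and may be forged."""
    text = unfold(ndr)
    m = REPORTING_MTA_RE.search(text)
    if not m:
        return None
    reporter = m.group(1).lower().rstrip(".")
    for hop in RECEIVED_RE.finditer(text):
        if hop.group("by").lower().rstrip(".") == reporter:
            return hop.group("ip")
    return None

def tally_origins(ndrs):
    """Count how many bounces each originating IP accounts for."""
    return Counter(ip for ip in map(originating_ip, ndrs) if ip)

def parse_spf_ip4(record):
    """Networks listed by ip4: mechanisms (simplified SPF; other mechanisms
    such as a/mx/include/redirect are ignored)."""
    return [ipaddress.ip_network(term[4:], strict=False)
            for term in record.split() if term.lower().startswith("ip4:")]

def spf_authorized(ip, record):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_spf_ip4(record))

def triage(ndrs, spf_record):
    """Per originating IP, most frequent first: bounce count and whether
    the domain's SPF record would have authorized that sender."""
    return {ip: {"count": n, "spf_pass": spf_authorized(ip, spf_record)}
            for ip, n in tally_origins(ndrs).most_common()}

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_NDRS, SPF_RECORD).items():
        print(f"{ip:16} bounces={info['count']}  spf_pass={info['spf_pass']}")
```

On a real mailbox you would feed it the NDRs exported from the victim's account. A short list with high counts is the case Sandy describes as worth taking to the ISP; a long tail of single-bounce IPs is the zombie pattern. The spf_pass column shows what SPF buys you: every zombie fails the published policy, but that only helps on the fraction of receiving servers that enforce SPF before generating a bounce.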
Bluehades

2007-07-10, 7:25 pm

Sandy,
So in short, all the users can do is wait it out? When you say "each address
falls out of rotation", what do you mean by that? What's to stop the spammer
from using the valid address via his/her zombies forever?
I've heard of spam problems but did not imagine they could cause users to
switch email addresses.

"Sanford Whiteman" wrote:

>
> Arrant, too, I'd say.
>
>
> It'd be wishful thinking to assume it's just one "engine" -- likely a
> load of zombies.
>
>
> Classic 'Joe Job'. There is nothing inherent in the SMTP protocol that
> prohibits what we perceive as "impersonation" of an envelope sender.
>
> Originally, JJs were largely malicious, deliberate DoS attacks against
> specific senders. Later, spammers started using large ranges of sender
> addresses to ensure they'd have a legit return address and thus pass
> sender address verification (SAV) checks. Typically, JJs of the spam
> type calm down after several days, as each address falls out of
> rotation. However, JJs *designed* for spam can malfunction -- it is
> both amusing and horrifying when the botnets malfunction, spewing
> e-mail without variable substitution and such -- in which case they
> would be as overwhelming as a deliberate attack. It would be hard to
> tell one from the other unless the victim had very recently made some
> enemies, such as by starting up an anti-spam business, or really any
> kind of extreme personal or corporate antagonism where the other side
> is tech-savvy.
>
> The only way to attempt to proactively prevent JJs is to publish an
> SPF policy for your domain. However, SPF failures are enforced by a
> small enough fraction of remote servers that this will have little
> practical effect. Still, publishing SPF may have an ethical (and
> perhaps legal?) benefit in that it shows that you have made a
> good-faith effort to highlight impersonation by listing the servers
> you authorize to send mail from your domain... thus, all others are
> contravening your published policy and you can't be as responsible for
> them as you would be without the public record.
>
>
> DoS.
>
>
> Many millions have experienced this problem. As I said, it should
> abate if it is not a deliberate targeting of this account. You can
> inspect the headers of the NDRs to get an idea of how many different
> IPs generated the original messages. If by some chance it is a very
> small set of IPs, you can pursue it with the ISP and also with (I
> understand) law enforcement, as there is case law establishing that a
> crime has been committed. But chances are, you'll see a huge range of
> spam zombie IPs with no responsible party.
>
> --Sandy
>

Sanford Whiteman

2007-07-11, 1:21 am

> So in short, all the users can do is wait it out? When you say "Each
> address falls out of rotation" What do you mean by that?


"Properly" operating zombies wouldn't continue to hammer the same
address, because it helps keep a lower criminal profile -- and because
it isn't necessary.

> Whats to stop the spammer from using the valid address via his/her
> zombies forever?


Nothing, just habit.

> I've heard of Spam problems but did not imagine they could cause
> users to switch email addresses.


Yeah, welcome to the wild. More people switch addresses because of
incoming spam and insufficient spam control, but NDR floods would be
second.

--Sandy

Copyright 2003 - 2008 webservertalk.com