Web Host Chat
Bringing Hosts & Customers together since 2001
5th April 2008 #1
Trusted User (494)
Platinum User
Join Date: Jun 2006
Location: UK
Age: 34
Posts: 485
LeaUK is on a distinguished road
backscatterer.org and NDRs

Hi all

Some techy comment from me which may benefit other new starters - instead of me asking questions as normal ;-)

Recently we had quite a few domains hit hard by email backscatter and wanted to add some limited protection for our clients. For those who are new and haven't come across backscatter, take a quick read here:

http://en.wikipedia.org/wiki/Backsca..._of_email_spam
http://spamlinks.net/prevent-secure-backscatter.htm
http://backscattervictims.blogspot.com/
http://www.spamnation.info/notes/gui...catterFAQ.html

In order to identify backscatter and keep false positives to a minimum, a two-pronged attack was required: one that used both the DBL backscatterer.org AND monitored email headers for various tell-tale signs of backscatter.

The reason for this is that we found using backscatterer.org alone produced too many false positives, so by adding a check for common header information relating to NDRs we successfully achieved the goal.

Info on typical header info can be found in the last link above.

Hope this helps someone else too.
Lea

__________________
Registered User

Last edited by LeaUK : 5th April 2008 at 11:49 AM.
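The two-pronged check described in the post, written out as an added example (it is not code from the thread or from any of the tools mentioned): a message is flagged as backscatter only when the connecting IP is listed in the backscatterer.org DNSBL AND the message itself carries bounce-like traits. The DNSBL zone name `ips.backscatterer.org` and the 127.0.0.0/8 return convention are assumptions to confirm against the service's current documentation; the header tells (null envelope sender, `multipart/report; report-type=delivery-status`, a MAILER-DAEMON/postmaster From, a bounce-style Subject) are assumptions modelled on the traits the linked FAQs describe. The resolver is injectable so the logic runs offline against the constructed samples at the bottom.

```python
"""Two-signal backscatter check: DNSBL listing AND bounce-like headers.

Added example, not code from the thread.  Zone name, return-code convention
and header tells are assumptions (see lead-in).
"""
import socket
from email import message_from_string
from email.message import Message
from typing import Callable, List, Optional, Tuple

BACKSCATTER_DNSBL_ZONE = "ips.backscatterer.org"   # assumed zone name

NDR_SUBJECT_WORDS = (
    "undeliverable", "delivery status notification", "returned mail",
    "failure notice", "mail delivery failed", "delivery failure",
)


def dnsbl_listed(ip: str, resolve: Optional[Callable[[str], Optional[str]]] = None,
                 zone: str = BACKSCATTER_DNSBL_ZONE) -> bool:
    """True if the connecting IPv4 address is listed in the DNSBL zone.

    `resolve(name)` returns the A record as a string, or None for NXDOMAIN;
    it is injectable so the logic can be tested without network access."""
    if resolve is None:
        def resolve(name: str) -> Optional[str]:
            try:
                return socket.gethostbyname(name)
            except socket.gaierror:
                return None
    reversed_octets = ".".join(reversed(ip.split(".")))
    answer = resolve(f"{reversed_octets}.{zone}")
    # DNSBLs answer with an address in 127.0.0.0/8 when the IP is listed.
    return answer is not None and answer.startswith("127.")


def ndr_signs(envelope_sender: str, msg: Message) -> List[str]:
    """Tell-tale signs that a message is a bounce (NDR/DSN)."""
    signs = []
    if envelope_sender.strip() in ("", "<>"):
        signs.append("null envelope sender")
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        signs.append("multipart/report with report-type=delivery-status")
    sender = (msg.get("From") or "").lower()
    if "mailer-daemon" in sender or "postmaster" in sender:
        signs.append("From: mailer-daemon/postmaster")
    subject = (msg.get("Subject") or "").lower()
    if any(word in subject for word in NDR_SUBJECT_WORDS):
        signs.append("bounce-style Subject")
    return signs


def classify(ip: str, envelope_sender: str, raw_message: str,
             resolve=None) -> Tuple[str, List[str]]:
    """Flag as backscatter only when BOTH signals agree.

    Requiring both keeps a listed-but-legitimate sender, and a genuine bounce
    from an unlisted host, out of the reject pile; the reasons are returned
    so every decision can be logged and reviewed."""
    msg = message_from_string(raw_message)
    signs = ndr_signs(envelope_sender, msg)
    listed = dnsbl_listed(ip, resolve)
    reasons = (["listed in " + BACKSCATTER_DNSBL_ZONE] if listed else []) + signs
    verdict = "backscatter" if listed and signs else "accept"
    return verdict, reasons


# Constructed samples: 192.0.2.10 (a TEST-NET-1 address) plays a listed host.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <MAILER-DAEMON@example.net>
To: someone@example.org
Subject: Undeliverable: Your order
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This is the mail system at host example.net. Delivery failed.
--b1--
"""

SAMPLE_LEGIT = """\
From: Alice <alice@example.com>
To: someone@example.org
Subject: Meeting tomorrow

See you at 10.
"""


def stub_resolve(name: str) -> Optional[str]:
    """Offline stand-in for DNS: only 192.0.2.10 is 'listed'."""
    return "127.0.0.2" if name == "10.2.0.192." + BACKSCATTER_DNSBL_ZONE else None


if __name__ == "__main__":
    print(classify("192.0.2.10", "<>", SAMPLE_BOUNCE, stub_resolve))
    print(classify("192.0.2.10", "alice@example.com", SAMPLE_LEGIT, stub_resolve))
    print(classify("198.51.100.7", "<>", SAMPLE_BOUNCE, stub_resolve))
```

Run as a script it prints one verdict per sample: the listed host sending a bounce is "backscatter", the listed host sending ordinary mail is "accept" (no bounce traits), and the bounce from an unlisted host is "accept" (so real failure notices for mail you did send still get through, which is the concern raised in the next reply).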
5th April 2008 #2
Join Date: Apr 2004
Location: Newark, UK
Posts: 795
BurtyB is an unknown quantity at this point
I use milter-null on all servers which works very well at rejecting bounces for mail I didn't send. I've also been testing milter-ahead which is going to be used on all of my relay boxes shortly to limit the amount of backscatter sent.

I would be a bit worried about just blocking/filtering based on subject/sender/etc. as per the last link, as I do like to see issues with mail I did send.

ChrisB.
__________________
Chris Burton
8086 Limited (Company No.: 06336617 VAT No.: 920 5102 75)
Ever wanted to know who uses a DNS or MX server? With DNS History you can find out.
5th April 2008 #3
LeaUK
Hi Chris

Yes agreed and that's why we came up with the combination of both backscatterer and header info.

Good MTAs should hardly ever produce backscatter; my understanding is that well configured/written MTAs only deliver NDRs etc. to local accounts, hence do not produce backscatter. So long as you're using something reputable, I'd be surprised if you need to reduce outgoing?

Lea
5th April 2008 #4
LeaUK
From the milter-null site:

Quote:
A DSN message is automatically generated and sent to the sender of a message by a mail server in response to some error, like when the recipient address does not exist, mail box is full, message rejected, etc. When a spammer or virus sends mail often many of the recipient addresses are invalid, which often happens when guessing a large number of recipient addresses (dictionary attacks). This results in lots of useless DSN messages being generated, which is called "backscatter".
But I don't fully agree with this; an MTA shouldn't simply send DSNs. I also note that Sendmail doesn't by default (which is good).

So I suspect you are using Sendmail for relaying?

Quote:
Your MX servers should reject email for unknown users at the SMTP initial transaction and NOT forward them to internal SMTP servers without a "user check".
This is how we configure ours; in fact, here is some recent data I gathered:

Based on the last 24h, our figures show we drop (SMTP) 84.5%
Delete 2.98% from the spool
Deliver as identified as spam 0.67%
And deliver only 11.8% authentic email

Lea

Last edited by LeaUK : 5th April 2008 at 03:57 PM.
5th April 2008 #5
LeaUK
Quote:
This filter sorts the legitimate DSN and MDN messages from those generated as a result of backscatter. It does this by adding an X-Null-Tag: header containing a computed hash value to every message sent. When a DSN or MDN is received, it contains the original message's header information, which is used to recompute the hash value to be compared against the original. If they match, the DSN or MDN message is accepted; otherwise it's rejected or discarded according to policy.
My mail server doesn't do this.
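The tag-and-verify scheme the quote describes, as an added example that is not milter-null's own code: every outgoing message is stamped with an `X-Null-Tag` header holding a keyed hash, and an incoming bounce is accepted only if the original message it returns carries a tag we could have produced. The choice of HMAC-SHA256 over the Message-ID and From header with a per-server secret, the constructed secret, and the sample messages are all assumptions; milter-null's actual hash inputs and tag format are not given in the thread. Bounces that return no original, or carry a stale or missing tag, come back as not genuine, and what to do with them (reject, discard, quarantine) remains the policy decision the quote mentions.

```python
"""Tag-and-verify filtering of bounces, in the style milter-null describes.

Added example, not milter-null's code.  Assumptions: the tag is an
HMAC-SHA256 over the outgoing Message-ID and From header keyed with a
per-server secret; milter-null's real inputs and format may differ.
"""
import email
import hashlib
import hmac
from email import policy
from email.message import EmailMessage

TAG_HEADER = "X-Null-Tag"
# Constructed secret for the demo; a real deployment keeps it out of source.
DEMO_SECRET = b"constructed-per-server-secret"


def compute_tag(message_id: str, from_header: str, secret: bytes) -> str:
    """Keyed hash over header fields that survive inside a returned bounce."""
    data = (message_id.strip() + "\0" + from_header.strip()).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def tag_outgoing(msg: EmailMessage, secret: bytes) -> EmailMessage:
    """Stamp a message we send so its bounces can be recognised later."""
    msg[TAG_HEADER] = compute_tag(str(msg["Message-ID"]), str(msg["From"]), secret)
    return msg


def returned_original(dsn: EmailMessage):
    """Return the original message (or its headers) carried inside a DSN."""
    for part in dsn.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":           # full original embedded
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":      # headers-only variant
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def dsn_is_genuine(dsn: EmailMessage, secret: bytes) -> bool:
    """True only if the bounce returns a message tagged with our secret."""
    orig = returned_original(dsn)
    if orig is None:
        return False                            # nothing to verify: treat as backscatter
    tag = orig.get(TAG_HEADER)
    if tag is None:
        return False                            # bounce for mail we never tagged
    expected = compute_tag(str(orig.get("Message-ID", "")),
                           str(orig.get("From", "")), secret)
    return hmac.compare_digest(str(tag), expected)


def build_outgoing() -> EmailMessage:
    """Constructed outgoing message, as the sending MTA would stamp it."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@example.com"
    msg["To"] = "nobody@example.org"
    msg["Subject"] = "hello"
    msg["Message-ID"] = "<constructed-0001@example.com>"
    msg.set_content("Hi there")
    return tag_outgoing(msg, DEMO_SECRET)


def build_bounce(original: EmailMessage) -> EmailMessage:
    """Constructed bounce returning `original`; a real DSN is multipart/report,
    but the check only needs the embedded message part."""
    dsn = EmailMessage(policy=policy.default)
    dsn["From"] = "MAILER-DAEMON@example.org"
    dsn["To"] = str(original["From"])
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn.set_content("The recipient mailbox does not exist.")
    dsn.add_attachment(original)                # becomes a message/rfc822 part
    # Round-trip through the wire format, as a receiving filter would see it.
    return email.message_from_bytes(dsn.as_bytes(), policy=policy.default)


def forged_bounce() -> EmailMessage:
    """Backscatter: a bounce for mail 'from' alice that alice never sent."""
    fake = EmailMessage(policy=policy.default)
    fake["From"] = "alice@example.com"
    fake["To"] = "victim@example.net"
    fake["Subject"] = "cheap pills"
    fake["Message-ID"] = "<spam-9999@example.net>"
    fake.set_content("...")
    return build_bounce(fake)


if __name__ == "__main__":
    print("genuine bounce accepted:", dsn_is_genuine(build_bounce(build_outgoing()), DEMO_SECRET))
    print("forged bounce accepted: ", dsn_is_genuine(forged_bounce(), DEMO_SECRET))
```

The keyed hash is what makes this better than matching on headers alone: a forger who sees the tag format still cannot mint a valid `X-Null-Tag` without the server's secret, and `hmac.compare_digest` avoids leaking the comparison through timing. Rotating the secret invalidates tags on mail already in flight, so a real deployment keeps the previous key for a grace period.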