<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Anti spam and general email security in a business environment &#187; backscatter</title>
	<atom:link href="http://www.allspammedup.com/tag/backscatter/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.allspammedup.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 15:00:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>How to Prevent Postmaster Spam</title>
		<link>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/</link>
		<comments>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/#comments</comments>
		<pubDate>Wed, 14 Apr 2010 14:59:37 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[Bayesian Filtering]]></category>
		<category><![CDATA[Connection Filtering]]></category>
		<category><![CDATA[Content Filtering]]></category>
		<category><![CDATA[postmaster]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=2414</guid>
		<description><![CDATA[When I meet a new customer to discuss their spam problems I often hear of the same complaint. “We are getting spam from postmaster addresses and we don’t know why.” This complaint has a multitude of variations but we tend &#8230;<p>Liked this post? Get more <a href="http://www.allspammedup.com">anti-spam</a> related news from AllSpammedUp.com!<br/><br/><a href="http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/">How to Prevent Postmaster Spam</a></p>
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2416" src="http://www.allspammedup.com/wp-content/uploads/2010/04/postmaster.jpg" alt="postmaster" width="250" height="187" />When I meet a new customer to discuss their spam problems I often hear of the same complaint.</p>
<blockquote>
<p style="padding-left: 30px">“We are getting spam from postmaster addresses and we don’t know why.”</p>
</blockquote>
<p>This complaint has a multitude of variations but we tend to label the problem as “postmaster spam”.</p>
<p>Simply put, postmaster spam is any spam email that comes from a postmaster email address, whether it is the postmaster for your own domain or for someone else’s domain.</p>
<p>The postmaster address performs a critical role in email communication and its presence and use is prescribed in the RFCs for the SMTP protocol.</p>
<blockquote>
<p style="padding-left: 30px">“Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox &#8220;postmaster&#8221; as a case-insensitive local name.”</p>
</blockquote>
<p>&#8230;and&#8230;</p>
<blockquote>
<p style="padding-left: 30px">“SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet.”</p>
</blockquote>
<h2>Who is the Postmaster?</h2>
<p>The postmaster address is usually the source (or “from”) address for system generated emails such as non-delivery reports, although some email servers allow a different address to be used.</p>
<p>But this common usage, combined with the RFC requirements, creates a series of problems.  Spammers know that the postmaster@ email address is almost always going to be valid, and email servers often treat email from postmaster@ email addresses as more trusted.</p>
<h2>Postmaster Forgeries</h2>
<p>One way in which spammers try to exploit this is by forging the sender address of spam to make it appear that it is coming from a postmaster@ address for a well known domain name.  This is an effective technique because most email users have received genuine NDRs in the past and have at least some idea that a postmaster@ address is valid and trustworthy.<span id="more-2414"></span></p>
<p>Because the human element of this exploit is so weak the best defence against this technique is to detect and block the spam before it reaches the intended victim.  Anti-spam techniques such as <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">connection filtering</a>, content filtering, and Bayesian filtering are effective in stopping this.</p>
<h2>Backscatter Spam</h2>
<p>Another way spammers create “postmaster spam” is by causing NDRs, also known as <a href="http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/">backscatter spam</a>.  With this method a spammer will send email with forged sender addresses to various email systems, and when it is sent to non-existent addresses the receiving server sends back a NDR from their postmaster@ address to the forged sender address.</p>
<p>The person whose email address was used as the forged email address then receives the NDR, usually along with the original spam content attached or embedded.  This technique is often successful because email systems don’t want to block important non-delivery reports.</p>
<p>Some anti-spam products specifically include protection for this type of NDR backscatter spam through a combination of technologies.  There is also an emerging technique appearing in some products that uses a header tag for all outgoing email.  When an NDR comes back from an external source it can be checked for that tag.  If it exists and matches a known email that was sent, then the NDR can be trusted and allowed back in to the email system.  If the header tag does not exist then it is likely that the email originated elsewhere, probably from a spammer, and can be considered less trustworthy and subject to different filtering rules.</p>
<h2>Other Postmaster Problems</h2>
<p>The two problems that are mentioned above mostly impact end users, those who we are trying to protect from spam threats.</p>
<p>But another issue also exists, and that is spam addressed to the postmaster@ address itself.  Because of the importance of the postmaster as prescribed in the RFC it is common for it to be exempt from any form of filtering or protection, to ensure it receives 100% of important email addressed to it.</p>
<p>Fortunately although this opens the door to spammers, the postmaster@ mailbox is usually only accessed by experienced administrators who are less likely to be tricked into opening spam or clicking on a phishing link.  And in extreme cases the RFC does permit blocking of particularly bad sources of spam to the postmaster@ address.</p>
<p>And for our customers we are able to prescribe quality solutions to the problem of postmaster spam by implementing effective anti-spam systems on their networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2010/04/how-to-prevent-postmaster-spam/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why is it Really So Hard to Tackle Spam?</title>
		<link>http://www.allspammedup.com/2009/08/why-is-it-really-so-hard-to-tackle-spam/</link>
		<comments>http://www.allspammedup.com/2009/08/why-is-it-really-so-hard-to-tackle-spam/#comments</comments>
		<pubDate>Wed, 05 Aug 2009 14:58:14 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[McColo]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=1328</guid>
<description><![CDATA[My last post on international spam fighting attracted a comment from reader Andreas Kroll.  Andreas asks &#8220;Why is it really so hard to tackle spam?&#8221; That is a good question, and one we don&#8217;t often stop and think about.  The &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1330" src="http://www.allspammedup.com/wp-content/uploads/2009/08/dam.jpg" alt="dam" width="200" height="150" />My last post on <a href="http://www.allspammedup.com/2009/07/international-spam-fighting/">international spam fighting</a> attracted a comment from reader Andreas Kroll.  Andreas asks &#8220;<em>Why is it really so hard to tackle spam?</em>&#8221;</p>
<p>That is a good question, and one we don&#8217;t often stop and think about.  The war against spam carries on, with each side adjusting to the other&#8217;s new techniques with new ways of defeating them.  This constant shifting of the landscape makes anti-spam a very fluid, dynamic industry with rapid technology changes.  Of course, the regular person using their computer for email and internet access is probably wondering what all of the clever people at anti-spam companies are really doing about it.</p>
<p>Let&#8217;s take Andreas&#8217; comment for example.</p>
<p><em>&#8220;Spam in itself is the repeated sending of (nearly) identical messages to a lot of people.&#8221;</em></p>
<p>This would be true if all spam messages were created equally.  I&#8217;m sure we&#8217;re all familiar with viagra spam, or Nigerian 419 spam, or lottery spam, but if you sat and looked at 10 viagra spam emails in your Junk email folder you won&#8217;t find two the same.  Spammers will simply use an email template with a series of variable portions, and run scripts to insert a variety of values into those fields.  A short spam email with just 10 fields, each with 10 possible values, means 10,000,000,000 unique spam emails can be produced.<span id="more-1328"></span></p>
<p><em>&#8220;It cannot be so hard to distinguish a mail that reaches several thousand people from a mail intended for a small group or a single person.  (With the exception of newsletter postings, which you have (hopefully) opted in)&#8221;</em></p>
<p>Legitimate commercial email and newsletters contain many similar characteristics to a typical spam email such as commercial terminology, urgent tone, and a call to action (eg &#8220;click here&#8221;).</p>
<p>This is one of the major challenges faced by both anti-spam companies and by <a href="http://www.allspammedup.com/2009/06/using-email-marketing-the-right-way/">email marketers</a>.  The anti-spam company doesn&#8217;t want to inconvenience businesses and email recipients by blocking legitimate marketing, and the email marketer wants to avoid being labeled a spammer and losing all of their customers because they can&#8217;t guarantee a high delivery rate.</p>
<p><em>&#8220;So if you can identify the mails and you can identify the routes these mails take, why can’t you go backwards in the routing step by step, identify the responsible server, identify the responsible admin and give him/her the choice to cooperate in the fight against spam or be excluded from mail traffic by a BAN list.&#8221;</em></p>
<p>There are two answers for this.  Firstly, not all spam originates from email servers.  A lot of spam will come from armies of compromised home and business computers called <a target="_blank" href="http://www.allspammedup.com/2009/07/7-major-sources-of-spam-on-the-internet/">botnets</a>.  Some of it will come from compromised or misconfigured servers such as <a href="http://www.allspammedup.com/2009/02/is-your-email-server-an-open-relay/">open relays</a>, or email servers not correctly set up to avoid <a href="http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/">backscatter</a>.  Many of these botnets and open relays do end up on blocklists such as <a href="http://spamhaus.org">Spamhaus</a> that can be used by email administrators to perform <a href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">connection filtering</a>.</p>
<p><em>&#8220;ISPs not willing to shut off spam senders will have to be shut off from the network completely. I cannot understand why a provider allowing to distribute that crap through his network is still on the internet.&#8221;</em></p>
<p>Back in November 2008 a victory against spam was won when an <a href="http://www.allspammedup.com/2008/11/source-of-75-of-sent-spam-forced-offline/">ISP responsible for as much as 75% of the internet&#8217;s spam</a> was shutdown.  As effective as this was in the fight against spam unfortunately it only further highlighted the challenges of international spam fighting as the operators were able to simply set up shop elsewhere in another country and continue spamming the internet.</p>
<p>But for most legitimate ISPs outbound spam filtering is not something they can be very aggressive with, nor is it always going to be effective.  Firstly, an ISP does not want to disrupt their customers&#8217; email by causing any false positives (legitimate email marked as spam).  False positives may damage their customers&#8217; businesses and cause financial losses, which could lead to law suits against the ISP.</p>
<p>Secondly, most ISPs permit customers to send directly out to the internet over SMTP without having to relay through any ISP mail servers.  This is actually the preferred method for most email administrators because it makes troubleshooting email delivery much easier.</p>
<p><em>&#8220;Local law should make the CEO personally responsible for the damages.&#8221;</em></p>
<p>This is the main issue in the war on spam.  Anti-spam legislation (where it exists at all) is local, but the problem is global.  According to some reports Australia is one of the most spammed countries in the world, despite having strict anti-spam laws.  These laws are only effective at stopping Australian businesses from sending spam.  If a spammer in Russia or Korea sends me some spam then Australian authorities have no power to punish or stop them.</p>
<p>My answers to Andreas&#8217; comment may make it seem like the fight against spam is hopeless, and that spammers are winning.  The reality is that while spam continues to be a problem causing nuisance and financial loss for businesses and individuals everywhere, any place that has an effective anti-spam solution in place that is from a quality vendor, is well configured, and is well maintained will be blocking most spam already.  Fighting spam is difficult and costs both time and money, but it can be done.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/08/why-is-it-really-so-hard-to-tackle-spam/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Spammers&#8217; Most Lethal Weapon</title>
		<link>http://www.allspammedup.com/2009/05/spammers-most-lethal-weapon/</link>
		<comments>http://www.allspammedup.com/2009/05/spammers-most-lethal-weapon/#comments</comments>
		<pubDate>Tue, 12 May 2009 13:28:03 +0000</pubDate>
		<dc:creator>Carl E. Reid</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[LISTSERV]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=968</guid>
<description><![CDATA[This is a real case study, which happened over the last couple of weeks at a client site. During this time the client email administration team had been experiencing various problems with their LISTSERV.  First, let&#8217;s cover a few technical &#8230;
]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-969" title="Spammers' Most Lethal Weapon" src="http://www.allspammedup.com/wp-content/uploads/2009/05/web3_block1.jpg" alt="web3_block1" width="177" height="149" />This is a real case study, which happened over the last couple of weeks at a client site. During this time the client email administration team had been experiencing various problems with their LISTSERV.  First, let&#8217;s cover a few technical details. This will lay a foundation as to why backscatter is the most dangerous tool in a spammer&#8217;s arsenal of weapons.</p>
<p>Spammers like to put fake information in email messages. This sneaks them past email filters. Since email spam filters now just delete messages that come from non-existent domains, the spammers are very slick about making their messages look like they&#8217;re coming from real email addresses.   If your corporate e-mail addresses have been published anywhere on the Internet, you and your coworkers are at risk as prime candidates for backscatter.</p>
<p><span id="more-968"></span>The spammer may peel email addresses off web sites or sometimes even guess them.  Then the spammer places the addresses in the &#8220;<strong>from</strong>&#8221; line of fake messages.  Now these messages are sent out to hundreds of thousands of recipients. When the spam is sent to an inactive address, it can sometimes be bounced back to unsuspecting valid email inboxes . . . maybe even yours.</p>
<p>Spammers have figured out how to capitalize on this bouncing back of email to accomplish their scams.  The email server bounce back mechanism basically becomes a cash register to spammers.  Since backscatter comes from legitimate mail servers, it can cause special problems. In fact, some security specialists are convinced that spammers have been intentionally sending messages that will be bounced back as a way to sneak around spam filters. That&#8217;s because some mail servers bounce back the original message as part of their notice.</p>
<p>So a LISTSERV comes on the scene of an organization to cut spammers off at the knees, while allowing staff to send bulk email messages to many valid email addresses. The implementation of a LISTSERV usually occurs when email administrators discover corporate staff are using the regular email system for mailings to large groups of people. This creates quite a few issues for the regular email server(s).  Email users call the helpdesk about email not being received, which was sent to a list of a few hundred people.  This is usually caused by the email server being blacklisted, which email administrators find out after the fact.  So mainstream email systems like AOL, Yahoo, MSN, Gmail, Hotmail etc. reject the company email server connection when doing a <a target="_blank" href="http://en.wikipedia.org/wiki/DNSBL">DNS Blacklist</a> look up.</p>
<p><strong>Back to Our Case Study </strong></p>
<p><strong>What makes backscatter especially dangerous on a LISTSERV is there could be hundreds of mailing lists with hundreds of thousands of legitimate email subscribers stored on this particular type of server. </strong>Outside subscribers opt-in to LISTSERV lists with the thought their email address is safe and protected. The corporate staff list owners have the same mind set.  When a spammer gets past all the security level locks embedded into a LISTSERV to prevent spam, a company must scramble quickly to do reputation damage control. This is in addition to resolving the technical issues.</p>
<p>After analyzing the logs, and getting on the phone with L-Soft support, it was concluded that the main problem the client was experiencing was backscatter.  LISTSERVs directly connected to the Internet are sitting ducks as targets for backscatter, since they usually block all emails except from authorized senders and have a number of different bounce back templates based on varying configurations. This tightness of security is what spammers rely on to accomplish their backscatter mission. The client was seeing around 50,000 NDRs coming in per hour. Rejecting a message will usually cause the sending <a target="_blank" href="http://en.wikipedia.org/wiki/Mail_transfer_agent">mail transfer agent</a> (MTA) to generate a bounce message or NDR to a local, authenticated user. Alternatively, if the MTA is relaying the message, it should only send such an NDR to a plausible originator as indicated in the reverse-path, e.g. where a <a target="_blank" href="http://en.wikipedia.org/wiki/Sender_Policy_Framework">Sender Policy Framework</a> (SPF) check has passed.</p>
<p>In order to combat backscatter on the client’s LISTSERV, the following actions were taken.</p>
<p><strong>1. </strong>The MSG_POSTING_REJECT_NOTAUTH template was suppressed.  This template is the one used to report that a particular user is &#8220;&#8230;not authorized to send mail to the LISTNAME list&#8230;&#8221;  This was the predominant (90+%) template being generated via backscatter.  If a legitimate user cannot post to the list, they will most likely contact the list owner or the helpdesk.  So concerns about legitimate blockages here are negligible.</p>
<p><strong>2. </strong>The client is now routing all incoming email to the LISTSERV through their spam firewall.  There are no longer any direct connections from external email servers to the LISTSERV.   The spam filter was configured to only scan for viruses and blacklisted hosts.  This method alone has resulted in over 75% of incoming messages being blocked.</p>
<p>The end result is that LISTSERV performance is now notably improved.  The LISTSERV web management interface is much more responsive and the LISTSERV spool and SMTP queues are virtually empty.</p>
<p>In addition to these methods, the client also configured individual OS logins for all individual email administrators, instead of a single administrator login ID.  In this way email admin staff needing access to the LISTSERV must use their personal credentials.  These allow for the monitoring of future mailing lists being created on the LISTSERV.  Part of the issues contributing to the backscatter were attributed to individual administrators configuring LISTSERV mailing lists incorrectly.  Since every administrator was using the same login ID, there was no way to identify who requires advance training in administering a LISTSERV.</p>
<p>Have you experienced similar situations with backscatter? How did you resolve the issues?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/05/spammers-most-lethal-weapon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Yourself and Others from Backscatter Spam with Exchange Server 2007</title>
		<link>http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/</link>
		<comments>http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 13:39:21 +0000</pubDate>
		<dc:creator>Paul Cunningham</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Exchange Server]]></category>
		<category><![CDATA[Fighting spam]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[NDRs]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=910</guid>
<description><![CDATA[Most of the articles you&#8217;ll read on a blog such as this will describe how to protect yourself from certain types of spam.  Most of the articles I&#8217;ve written so far do exactly that.  Today I&#8217;m going to add another &#8230;
]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><img class="alignright size-full wp-image-911" title="Protecting Yourself and Others from Backscatter Spam with Exchange Server 2007" src="http://www.allspammedup.com/wp-content/uploads/2009/04/scatter.jpg" alt="Backscatter" width="250" height="188" />Most of the articles you&#8217;ll read on a blog such as this will describe how to protect yourself from certain types of spam.  Most of the articles I&#8217;ve written so far do exactly that.  Today I&#8217;m going to add another dimension to my post and discuss how to protect both yourself <strong>and</strong> others from &#8220;backscatter&#8221; spam.</p>
<h3 style="text-align: justify;">What is Backscatter Spam?</h3>
<p style="text-align: justify;">The term &#8220;backscatter spam&#8221; refers to a spam attack that targets non-existent email addresses and causes email &#8220;bounce&#8221; messages to be sent to innocent parties.  The &#8220;bounce&#8221; messages are known as Non-Delivery Reports (NDRs) and are sent by an email server to let the sender know that the message was not delivered.</p>
<p style="text-align: justify;">NDRs are a normal and useful part of the SMTP protocol.  However when NDRs were first envisaged the concept of address spoofing was not considered.  Address spoofing is when a spammer forges the &#8220;From&#8221; address on a piece of spam they are sending.  This is how backscatter affects innocent parties &#8211; even though they didn&#8217;t send the spam, they receive the NDR because their email address was forged by the spammer.</p>
<p style="text-align: justify;"><span id="more-910"></span><strong>Why does Backscatter Occur with Exchange Server 2007?</strong></p>
<p style="text-align: justify;">An Exchange Server 2007 email server will contribute to the backscatter problem simply due to this default configuration.</p>
<p style="text-align: justify;"><img class="size-full wp-image-912 alignnone" title="Why does Backscatter Occur with Exchange Server 2007" src="http://www.allspammedup.com/wp-content/uploads/2009/04/allowndr.png" alt="Exchange Server 2007 Allow NDRs" width="500" height="208" /></p>
<p style="text-align: justify;">This check box tells the Exchange server to send NDRs back to any sending domain (note the wildcard * used as the domain name).  Because the message has already been accepted in full and the original SMTP connection from the spam source disconnected, the Exchange server performs a DNS lookup for the MX record (Mail eXchanger) and sends the NDR to that server.</p>
<p style="text-align: justify;">If the spam forged the email address of john.smith[at]contoso.com, then John is the one who receives the NDR.  John also receives a copy of the spam message, which is included with the NDR message.  So although the spammer has not successfully reached the first intended recipient, they have reached John who is now curious as to what email he apparently sent that caused the NDR (this curiosity increases the chance that he will open the spam and maybe click on a link within it).</p>
<h3 style="text-align: justify;">Preventing Backscatter from Being Sent by Your Exchange Server</h3>
<p style="text-align: justify;">The simplest and most obvious way to prevent an Exchange server sending backscatter spam is to uncheck the box for allowing NDRs to be sent to external domains.  Unfortunately this is not the best way to go about doing it.  NDRs are a valid part of the SMTP protocol and serve a genuinely useful purpose.  Imagine if a business partner incorrectly addressed a critical email and received no NDR.  A business could lose money if the mistake is not noticed straight away, which it would be if an NDR was sent back to the sender.  NDRs are necessary and should not be disabled.</p>
<p style="text-align: justify;">The safest way to prevent backscatter from originating from your server is to block the inbound spam to begin with.  Because most spam originates from compromised home computers it therefore usually comes from untrustworthy blocks of IP addresses.  These IP addresses are included in popular RBL databases such as SpamHaus.  With Exchange Server 2007 you can make use of <a title="Exchange Server 2007 Connection Filter" href="http://www.allspammedup.com/2008/12/using-ip-block-list-providers-and-the-connection-filter-agent-in-exchange-2007/">Connection Filtering</a> to look up sending IP addresses in the SpamHaus database and terminate the SMTP connection.</p>
<p style="text-align: justify;">Because the SMTP connection is terminated without accepting the message your Exchange server does not need to send an NDR to the forged sender address.  Furthermore, because the software used by spammers to send out emails from compromised computers does not bother sending NDRs it will not send one to the forged sender either.</p>
<h3 style="text-align: justify;">Preventing Backscatter from Being Received by Your Exchange Server</h3>
<p style="text-align: justify;">Protecting your own Exchange server from receiving backscatter spam is a little more complicated.  Connection Filtering is not useful here, because the NDRs containing the original spam are likely to be coming from trusted IP addresses.</p>
<p style="text-align: justify;">Content filtering is the most effective way of detecting and blocking backscatter spam that is wrapped up in NDR messages.  Exchange Server 2007 has content filtering capabilities, but they are not very effective in dealing with backscatter spam for some reason.</p>
<p style="text-align: justify;">Fortunately the problem has been solved by third party <a target="_blank" href="http://www.gfi.com/mes/">Exchange 2007 spam filters</a> that can block NDR spam. If NDR spam is becoming a problem for your organisation then it is time to evaluate and deploy one of these anti-spam solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>NDR Spam and You</title>
		<link>http://www.allspammedup.com/2008/07/ndr-spam-and-you/</link>
		<comments>http://www.allspammedup.com/2008/07/ndr-spam-and-you/#comments</comments>
		<pubDate>Wed, 02 Jul 2008 12:01:13 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[anti spam]]></category>
		<category><![CDATA[Spam news]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[ndr spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=54</guid>
		<description><![CDATA[GFI has released a white paper examining NDR spam. NDRs (Non Delivery Reports) are simply the “bounce back” message a sender gets when their email is rejected by the recipient’s mail server. This usually happens if the address is invalid &#8230;
]]></description>
			<content:encoded><![CDATA[<p>GFI has released a white paper examining NDR spam. NDRs (Non Delivery Reports) are simply the “bounce back” message a sender gets when their email is rejected by the recipient’s mail server. This usually happens if the recipient address is invalid or the sender’s address has been added to a blacklist. Spammers can wreak havoc with NDRs when they send thousands of spam messages to a domain using an alphabet attack. The flood of NDRs that results consumes bandwidth and resources, slowing servers down. Spammers have another trick up their sleeves as well. They forge the From: field using a legitimate address, and this results in people getting NDRs for messages they never sent, with the spam conveniently attached, of course!</p>
<p>In extreme cases this can act like a DDoS attack and cripple a server. If you maintain a server responsible for sending this backscatter, you may find your domain blacklisted, causing headaches for your users. What’s the solution? If your server is on the receiving end, turning off any catch-all addresses is a smart move. On the other end? Configure your server to reject during the SMTP transaction. Another way to fight backscatter is with an anti-spam solution that detects spam in NDRs and deletes them from the server. One of these is the award-winning MailEssentials program by GFI. It’s the number 1 anti-spam filter on the market. To learn more, read GFI&#8217;s <a target="_blank" href="http://www.gfi.com/whitepapers/ndr-spam.pdf">NDR spam white paper</a> and make an informed decision for your business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/07/ndr-spam-and-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Mail Servers Allowing Backscatter</title>
		<link>http://www.allspammedup.com/2008/04/google-mail-servers-allowing-backscatter/</link>
		<comments>http://www.allspammedup.com/2008/04/google-mail-servers-allowing-backscatter/#comments</comments>
		<pubDate>Fri, 25 Apr 2008 09:04:28 +0000</pubDate>
		<dc:creator>Sue Walsh</dc:creator>
				<category><![CDATA[Spam news]]></category>
		<category><![CDATA[backscatter]]></category>
		<category><![CDATA[Google]]></category>

		<guid isPermaLink="false">http://www.allspammedup.com/?p=6</guid>
		<description><![CDATA[According to Slashdot, Google’s mail servers appear to be responsible for sending large amounts of backscatter. They don’t perform any recipient validation for the googlegroups and blogger.com domains (and presumably their other domains as well), allowing spammers to launch large-scale &#8230;
]]></description>
			<content:encoded><![CDATA[<p>According to <a target="_blank" href="http://tech.slashdot.org/article.pl?sid=08/04/08/2258246">Slashdot</a>, Google’s mail servers appear to be responsible for sending large amounts of <a target="_blank" title="What is backscatter?" href="http://www.spamresource.com/2007/02/backscatter-what-is-it-how-do-i-stop-it.html">backscatter</a>. They don’t perform any recipient validation for the googlegroups and blogger.com domains (and presumably their other domains as well), allowing spammers to launch large-scale dictionary attacks against them using forged headers and envelope sender addresses. This results in the owners of those forged addresses getting huge amounts of bounce messages when the spam hits non-existent users on Google’s domains. Most correctly set up mail servers don’t generate such bounce messages. Tell that to Google’s mail server! Botnets love mail servers like this and will go to town on them, commencing an unrelenting barrage of spam.</p>
<p>Most ISPs won’t hesitate to place a block on any IP that receives complaints of backscatter, and that can cause big headaches for innocent people. There are even reports of businesses having entire mail servers wiped out due to backscatter.</p>
<p>What Google should be doing is rejecting traffic to bogus users during the SMTP transaction. Several techniques can be used to do this:</p>
<ul>
<li>Recipient validation</li>
<li>Reject senders on dynamic black lists</li>
<li>Reject email from sending servers that do not have a reverse DNS entry</li>
</ul>
<p>Unfortunately Google is doing none of them. Slashdot also reports that emails sent to abuse@google.com and postmaster@google.com went unanswered except for a canned response that didn’t address the situation.</p>
<p>It’s very surprising that Google, whose Gmail program has been widely praised for its spam controls, would have such badly misconfigured mail servers. Ironically, those same spam controls have reportedly been blacklisting Google themselves. According to an <a target="_blank" href="http://www.newswireless.net/index.cfm/article/3859">article</a> on newswireless.net, Gmail placed a user’s Google Alerts in his spam folder. Ah that wacky Google!</p>
<p>For more information, the website <a target="_blank" href="http://www.dontbouncespam.org/">DontBounceSpam.org</a> has an extensive list of resources and tips for server admins and end users on how to fight backscatter and reduce overall spam.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.allspammedup.com/2008/04/google-mail-servers-allowing-backscatter/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>