Blocking delivery failures?


n0lqu
Posts: 55
Joined: Tue Nov 21, 2006 6:17 pm

Blocking delivery failures?

Postby n0lqu » Wed Feb 07, 2007 6:42 pm

Our users are getting a fair number of "Delivery Failure" messages that are the debris from spammers sending out E-Mails with our users' E-Mail addresses forged into the "From:" field -- those that aren't deliverable come to our users since the destination system thinks they sent them.

Does anyone know if it is technically feasible and/or if there is software out there that keeps track of all outgoing mail and only lets "Delivery Failure" messages back in that can be matched up with real mail sent? Or are there other techniques to deal with this?
suhasingale
Posts: 298
Joined: Mon Nov 13, 2006 2:30 pm
Location: India
Contact:

Postby suhasingale » Wed Feb 07, 2007 8:17 pm

You can add some unique header information to all your outgoing mails. Then create a rule in MC Spamassassin which will check for that information in the header of returned email. If you don't find that then it's spam else genuine.

I have not implemented this but have found on net while searching for the information on this.

Let me know if this trick works for you.
Last edited by suhasingale on Thu Feb 08, 2007 8:47 am, edited 1 time in total.
Promise only what you can deliver...
n0lqu
Posts: 55
Joined: Tue Nov 21, 2006 6:17 pm

Postby n0lqu » Wed Feb 07, 2007 8:55 pm

Thanks for the suggestion -- there's probably something unique our system adds to all outgoing messages. If I could do this, it might be easier than my first idea, which would be similar to the greylisting in that it would need to keep track of sender/recipient pairs and only allow delivery failures that match recent pairs.

One question I have is if there is a standard for how delivery failure messages are formatted? From what I'm seeing, some bounces include the complete original message including all headers, some include the message body but not the headers, some just seem to have the error message without anything of the original message except hopefully at least the "intended" From: and To: E-Mail addresses, some come back in some sort of format that Lotus Notes/Domino recognizes as a delivery failure to which it can add a "Resend" button. So is there anything consistent to check for?

For those bounces that do include the original message's headers, I could probably search for something that our E-Mail system either automatically puts in outgoing messages (maybe its own name, its IP address, etc.) or I could add something, and assuming I can reliably detect which messages are delivery failures versus ordinary messages, I could set up a spam rule to add a spam score to those that are delivery failures but don't have our system's unique signature. That wouldn't catch the ones without full headers, though, or rather it might accidentally catch valid ones.

I probably need to locate and read whichever RFC talks about reporting delivery failures and see what is required in a failure message to know what I should be able to count on being able to check.

Thanks for the suggestion! I'm open to other suggestions or comments about this whole process and how it works or doesn't work!
Last edited by n0lqu on Mon Feb 12, 2007 2:57 pm, edited 1 time in total.
olivier
Posts: 1348
Joined: Thu Jan 01, 1970 1:00 am
Contact:

Postby olivier » Thu Feb 08, 2007 2:22 pm

Unfortunately there is no standard for the way a bounce should be displayed.
The only point is that a bounce always has a null sender ('<>' in Exim's logs).

You have an option in MailCleaner's user interface that lets you quarantine bounce messages. This is actually for cases where your address has been used by a spammer and you get all these bounce messages.
This is a dangerous option as it can quarantine real bounces, so it has to be activated only temporarily. However this is very efficient because this kind of problem generally tends to happen only for a few days.
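The following is an added example, not code from this thread or from MailCleaner, showing how the two ideas above fit together: tag every outgoing message with a keyed header (the "unique header" suggested earlier), recognise a bounce by its null sender (Return-Path: <>) or its multipart/report delivery-status structure, and then check whether the original headers echoed back in the bounce carry a valid tag. The header name X-Outbound-Tag, the site secret and the sample messages are all assumptions constructed for the example. Bounces that carry no original headers are reported as "unverifiable" rather than scored as spam, since that is the case where a rule would otherwise hit real bounces.

```python
"""Added example (not from the thread or MailCleaner): tag outgoing mail with
an HMAC header and classify returned bounces by whether the embedded original
carries a valid tag.  Header name, secret and sample messages are constructed."""
import email
import hashlib
import hmac
from email import policy
from email.message import EmailMessage

SITE_SECRET = b"example-secret-change-me"   # assumption: per-site secret, kept private
TAG_HEADER = "X-Outbound-Tag"               # hypothetical header name


def outbound_tag(sender, recipient, message_id):
    """HMAC over (From, To, Message-ID): producing it needs the secret, so a
    spammer borrowing one of our addresses cannot forge it."""
    data = f"{sender}\n{recipient}\n{message_id}".encode()
    return hmac.new(SITE_SECRET, data, hashlib.sha256).hexdigest()[:32]


def tag_outgoing(msg):
    """Outbound hook: adds the 'unique header' to a message we really sent."""
    msg[TAG_HEADER] = outbound_tag(msg["From"], msg["To"], msg["Message-ID"])
    return msg


def is_bounce(msg):
    """Null envelope sender (Return-Path: <>) or an RFC 3464 delivery report."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    return (msg.get_content_type() == "multipart/report"
            and msg.get_param("report-type") == "delivery-status")


def embedded_original(msg):
    """Headers of the bounced message if the bounce carries them, else None."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_content()
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def classify(raw):
    """'not-bounce', 'genuine', 'forged' or 'unverifiable'.  Only 'forged'
    should receive a spam score; 'unverifiable' (no original headers) must
    not be penalised, or real bounces get caught."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_bounce(msg):
        return "not-bounce"
    orig = embedded_original(msg)
    if orig is None:
        return "unverifiable"
    if TAG_HEADER not in orig:
        return "forged"
    expected = outbound_tag(orig["From"], orig["To"], orig["Message-ID"])
    given = str(orig[TAG_HEADER]).strip().encode("utf-8", "replace")
    return "genuine" if hmac.compare_digest(expected.encode(), given) else "forged"


def header_block(msg):
    """Serialise only the headers of an outgoing message, as a remote MTA
    would echo them back in a text/rfc822-headers part."""
    return "".join(f"{k}: {v}\n" for k, v in msg.items())


def constructed_bounce(original_headers=None):
    """Constructed sample bounce, not real MTA output."""
    head = ("Return-Path: <>\nFrom: MAILER-DAEMON@remote.example\n"
            "To: alice@ourdomain.example\nSubject: Delivery failure\n")
    if original_headers is None:
        return (head + "\nYour message could not be delivered.\n").encode()
    return (head + 'Content-Type: multipart/report; report-type=delivery-status; boundary="bb"\n\n'
            "--bb\nContent-Type: text/plain\n\nYour message could not be delivered.\n"
            "--bb\nContent-Type: text/rfc822-headers\n\n" + original_headers +
            "--bb--\n").encode()


def demo():
    """Run the classifier over four constructed cases."""
    sent = EmailMessage()
    sent["From"] = "alice@ourdomain.example"
    sent["To"] = "bob@remote.example"
    sent["Message-ID"] = "<constructed-1@ourdomain.example>"
    sent["Subject"] = "hello"
    sent.set_content("hi")
    tag_outgoing(sent)
    forged = ("From: alice@ourdomain.example\nTo: victim@remote.example\n"
              "Message-ID: <spam-1@elsewhere.example>\nSubject: buy now\n")
    return {
        "genuine": classify(constructed_bounce(header_block(sent))),
        "forged": classify(constructed_bounce(forged)),
        "unverifiable": classify(constructed_bounce()),
        "ordinary": classify(sent.as_bytes()),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

In a MailCleaner/SpamAssassin setup the equivalent rule would only add score for the "forged" verdict; a spammer cannot reproduce the tag because it is keyed with a secret, and a bounce with no original headers stays neutral, so the temporary bounce quarantine remains the tool for that residual case.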
n0lqu
Posts: 55
Joined: Tue Nov 21, 2006 6:17 pm

Postby n0lqu » Mon Feb 12, 2007 2:55 pm

Thanks -- we were/are dealing with a user who is/was the victim of a spammer having appropriated his/her e-mail address, so I may turn on the bounce quarantine for him temporarily if it's still happening.
