Forged From header in bounce-o-grams??!? :-(

David Wolfskill david at catwhisker.org
Sat Sep 17 11:43:00 PDT 2005


One of the more dubious pleasures of being postmaster -- as I am certain
that many of my colleagues well understand -- is dealing with spam.

This is exacerbated by mail systems that accept mail, then later
determine that -- for whatever reason or lack thereof -- the mail in
question is not deliverable to one or more of the addressed recipients.

Among systems that commit this crime against nature, there seem to be
some that take this a rather mind-boggling step further:  they go so
far, in generating their bounce-o-grams, as to forge the From header (and
envelope-sender) in said bounce-o-gram so that it claims to be from
the domain to which the bounce-o-gram is addressed.

So (for example), some random spam-generation process performs its
intended task (generating spam) with a forged envelope-sender that
claims that it's from someone with an email address @baylisa.org,
and sends said spam to some machine operated by the Massachusetts
Higher Education Computer Network (netblock UMAP).  The MTA on the
UMAP net accepts the spam; some time later, a machine at the IP
address 134.241.224.145 tries to send the MX for baylisa.org a
bounce-o-gram addressed to some address @baylisa.org (baylisa at baylisa.org,
in this case), claiming to be from some (other) address @baylisa.org
(noreply at baylisa.org, which doesn't exist).

I'm pleased to report that in the special case of baylisa.org, where we
do not have valid mail *from* baylisa.org arriving at our MX, I believe
I have stopped the behavior.

The last mail filtering step I have configured for the SMTP conversation
runs something called milter-regex; as the name indicates, it permits
applying regular expressions for various combinations of components of
an email message; based on this, it can accept the message, (silently)
discard it, or reject it (with a custom message).

The message I use for recognition of the above condition is a simple
"5.7.1 Liar," as seen here:

Sep 17 10:17:48 www sendmail[2542]: [ID 801593 mail.info] j8HHHlvA002542: from=<noreply at baylisa.org>, size=1813, class=0, nrcpts=1, msgid=<081890bee67a$417bbaaa$e8696c96 at isvqxpj>, proto=ESMTP, daemon=MTA, relay=[134.241.224.145]
Sep 17 10:17:48 www sendmail[2542]: [ID 801593 mail.info] j8HHHlvA002542: Milter: data, reject=554 5.7.1 Liar
Sep 17 10:17:48 www sendmail[2542]: [ID 801593 mail.info] j8HHHlvA002542: to=<baylisa at baylisa.org>, delay=00:00:01, pri=31813, stat=Liar

(I have also seen cases where the bounce-o-gram is alleged to come from
postmaster at baylisa.org; the extent to which I appreciate that should be
discernible from the above, I think.)

Oh:  yes, I did send a note to postmaster at umassp.edu a couple of
days ago.  I'm not holding my breath awaiting a response.

Now:  anyone know of any plausible justification for the forgery in the
generated bounce-o-grams?  Or have a better way to deal with the
situation?  (For home, I do something similar, but arriving mail coming
from someone @catwhisker.org is a normal occurrence, so I restrict it to
the bogus "noreply at catwhisker.org" and "postmaster at catwhisker.org.")

Thanks!

Peace,
david
-- 
David H. Wolfskill				david at catwhisker.org
Prediction is difficult, especially if it involves the future. -- Niels Bohr

See http://www.catwhisker.org/~david/publickey.gpg for public key.
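The rejection policy described in the post (refuse anything from the MX's own domain in the baylisa.org case; refuse only the bogus noreply/postmaster local parts in the catwhisker.org case), as an added example in Python. This is not the poster's milter-regex configuration and not milter-regex code; it models the same decision and then applies it to sendmail `from=` log lines of the format quoted above. The policy objects, the `trusted_relays` whitelist, and the sample log lines are constructed for the example; the relay IP and queue id in the first sample line are taken from the post, the other addresses are invented. One point the post does not spell out is built in: RFC 5321 requires a genuine delivery status notification to use the null reverse-path `<>`, so a "bounce" arriving with a non-null sender in your own domain is forged on its face and the null sender is accepted without further checks.

```python
"""Reject inbound mail whose envelope sender forges the receiving domain.

Added example, not the original post's milter-regex setup. Models the
'554 5.7.1 Liar' decision and runs it over constructed sendmail log lines.
"""
import re
from dataclasses import dataclass

REJECT_TEXT = "554 5.7.1 Liar"   # the reply text used in the post


@dataclass(frozen=True)
class Policy:
    # Domain whose MX this is.
    domain: str
    # True if legitimate mail from <anyone>@domain does arrive at this MX
    # (the catwhisker.org case); False if it never does (the baylisa.org case).
    own_domain_mail_arrives: bool
    # Local parts that never send mail; rejected even when own_domain_mail_arrives.
    bogus_localparts: frozenset = frozenset({"noreply", "postmaster"})


# Constructed policies mirroring the two cases in the post.
BAYLISA = Policy(domain="baylisa.org", own_domain_mail_arrives=False)
CATWHISKER = Policy(domain="catwhisker.org", own_domain_mail_arrives=True)


def parse_envelope_sender(mail_from: str) -> str:
    """Normalize a MAIL FROM argument: strip <>, trim, lower-case.
    Returns '' for the null sender '<>' that a real DSN is required to use."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.strip().lower()


def decide(policy: Policy, mail_from: str, relay_ip: str,
           trusted_relays: frozenset = frozenset()) -> tuple:
    """Return ('accept', '') or ('reject', REJECT_TEXT) for one envelope."""
    if relay_ip in trusted_relays:          # hypothetical whitelist of our own hosts
        return ("accept", "")
    sender = parse_envelope_sender(mail_from)
    if sender == "":
        # Null reverse-path: what a genuine bounce uses. Not this check's concern.
        return ("accept", "")
    localpart, sep, domain = sender.rpartition("@")
    if not sep or domain != policy.domain.lower():
        return ("accept", "")               # not claiming to be us
    if not policy.own_domain_mail_arrives:
        return ("reject", REJECT_TEXT)      # nothing from our domain should arrive here
    if localpart in policy.bogus_localparts:
        return ("reject", REJECT_TEXT)      # address exists only in forgeries
    return ("accept", "")


# sendmail 'from=' line: queue id, envelope sender, relay IP. The optional
# group before the bracket allows the 'relay=host.example [ip]' form as well
# as the bare 'relay=[ip]' form seen in the post.
_FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?:\[ID \d+ \S+\] )?(?P<qid>\w+): from=<(?P<from>[^>]*)>"
    r".*?relay=(?:\S+ )?\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def scan_log(lines, policy: Policy, trusted_relays: frozenset = frozenset()):
    """Apply decide() to every parseable 'from=' line.
    Returns a list of (queue_id, envelope_sender, relay_ip, action)."""
    results = []
    for line in lines:
        m = _FROM_LINE.search(line)
        if not m:                           # Milter:/to= lines carry no envelope sender
            continue
        action, _ = decide(policy, m.group("from"), m.group("ip"), trusted_relays)
        results.append((m.group("qid"), m.group("from"), m.group("ip"), action))
    return results


# Constructed sample log. First line follows the post (with '@' restored);
# the rest are invented: a proper null-sender bounce, an unrelated external
# sender, and a Milter line the scanner must skip.
SAMPLE_LOG = [
    "Sep 17 10:17:48 www sendmail[2542]: [ID 801593 mail.info] j8HHHlvA002542: "
    "from=<noreply@baylisa.org>, size=1813, class=0, nrcpts=1, "
    "msgid=<081890bee67a$417bbaaa$e8696c96@isvqxpj>, proto=ESMTP, daemon=MTA, "
    "relay=[134.241.224.145]",
    "Sep 17 10:20:01 www sendmail[2601]: [ID 801593 mail.info] j8HAbCdE000001: "
    "from=<>, size=2400, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, "
    "relay=mx.example.net [192.0.2.10]",
    "Sep 17 10:21:13 www sendmail[2610]: [ID 801593 mail.info] j8HAbCdE000002: "
    "from=<alice@example.com>, size=900, class=0, nrcpts=1, proto=ESMTP, "
    "daemon=MTA, relay=[198.51.100.7]",
    "Sep 17 10:17:48 www sendmail[2542]: [ID 801593 mail.info] j8HHHlvA002542: "
    "Milter: data, reject=554 5.7.1 Liar",
]

if __name__ == "__main__":
    for qid, sender, ip, action in scan_log(SAMPLE_LOG, BAYLISA):
        print(f"{qid} from=<{sender}> relay=[{ip}] -> {action}")
```

Running the scanner with the BAYLISA policy flags only the forged noreply@baylisa.org message; the null-sender bounce and the external sender pass. With CATWHISKER, a sender like david@catwhisker.org is accepted while noreply@ and postmaster@ are still refused, which is the narrower rule the post describes for home.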
