Recently I started receiving bounces from mail purporting to have been sent from addresses in my domain. But the addresses don't exist. So I thought that someone was faking the sender header and sending spam. I added SPF and domain-key records to try to combat this. However, either hotmail and yahoo don't check these or they ignore them, because I'm still getting spammed.
Does anyone know of a way I can tighten fake sender policies & prevent this from occurring again?
Thanks
-------
"No man is an island, entire of itself; every man is a piece of the continent, a part of the main; if a clod be washed away by the sea, the World is less, as well as if a promontory were, as well as if a manor of thy friends or of thine own were; any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee."
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
07-09-2012, 11:13 AM
Heinz Diehl
OT: Spam Problems
On 09.07.2012, Errol Mangwiro wrote:
> Recently I started receiving bounces from mail purporting to have
> been sent from addresses in my domain. But the addresses don't
> exist. So I thought that someone was faking the sender header and
> sending spam.
Please post the _full_ header of such a mail.
> I added SPF and domain-key records to try to combat this.
> However, either hotmail and yahoo don't check these or they
> ignore them because I'm still getting spammed.
It's trivial to fake any From: header, and there's nothing you can do
about that, unfortunately.
> Does anyone know of a way I can tighten fake sender policies & prevent this from occurring again?
You can't prevent people from faking the From: header. Any spamfilter
or network admin who tags email as spam according to From: is a moron.
The correct way is to see if all these spam-emails originate from the
same server, and send the admin an e-mail. To do this, a look at the
complete and original header of one of those spammails is necessary.
> Hi,
>
> Recently I started receiving bounces from mail purporting to have been sent from addresses in my domain. But the addresses don't exist. So I thought that someone was faking the sender header and sending spam. I added SPF and domain-key records to try to combat this. However, either hotmail and yahoo don't check these or they ignore them, because I'm still getting spammed.
I don't think anyone bothers with SPF any more - the only people with
valid records are usually spammers.
>
> Does anyone know of a way I can tighten fake sender policies & prevent this from occurring again?
You can't.
Alan
07-09-2012, 02:01 PM
Reindl Harald
OT: Spam Problems
On 09.07.2012 15:47, Alan Cox wrote:
> On Mon, 9 Jul 2012 11:03:38 +0000
> "Errol Mangwiro " <emangwiro@live.com> wrote:
>
>> Hi,
>>
>> Recently I started receiving bounces from mail purporting to have been sent from addresses in my domain. But the addresses don't exist. So I thought that someone was faking the sender header and sending spam. I added SPF and domain-key records to try to combat this. However, either hotmail and yahoo don't check these or they ignore them, because I'm still getting spammed.
>
> I don't think anyone bothers with SPF any more - the only people with
> valid records are usually spammers.
says who?
SPF is used in any spam-firewall appliance these days
to give additional good or bad points to a message
07-09-2012, 07:13 PM
James Wilkinson
OT: Spam Problems
Errol Mangwiro wrote:
> Does anyone know of a way I can tighten fake sender policies & prevent
> this from occurring again?
Heinz Diehl wrote:
> You can't prevent people from faking the From: header.
But you can detect those fakes.
Bounces should be sent to the SMTP envelope FROM address, not the
address in the header. (For example, once this message has gone through
the fedoraproject.org servers, it will have an SMTP FROM address of
users-bounces@lists.fedoraproject.org , so mailman should get any
bounces, but it will still have
From: James Wilkinson <fedora@aprilcottage.co.uk>
up there, so you lucky people can reply to me.
BATV is a technique for rewriting the SMTP FROM address to include a
cryptographic token that is unique to that email. Any bounces including
one of those tokens must at least have seen that email; any bounces to
the plain address must therefore have been sent in reply to something
that didn’t go through your servers.
BATV isn’t perfect, or at least, the rest of the Internet isn’t perfect.
It does things according to specs in ways some things don’t expect. It
also does require that all your outgoing email goes through
BATV-rewriting servers.
Alternatively, SpamAssassin has rules to detect bounces. A competent
mail filtering program should be able to filter all bounces into a
separate folder.
> Any spamfilter
> or network admin who tags email as spam according to From: is a moron.
Now that I would dispute: if the email purports to come from a known
spammer, then I don’t see why I shouldn’t gleefully reject or sort their
email accordingly!
You could compare it to an identity thief who stole the identity of
a known terrorist and flew into Washington, London or Jerusalem under
that identity.
Hope this helps,
James.
--
E-mail: james@ | [Alan] finally installed his cuckoo clock on the wall.
aprilcottage.co.uk | For some reason this involved falling over in the dark in
| the garden, but I haven't dared ask about that yet. I
| don't -think- he was trying to catch a cuckoo to put
| inside it, but you never know. -- Telsa Gwynne's Diary
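The envelope-rewriting James describes above, worked through as an added example (this is not code from the thread or from any MTA's BATV implementation). It follows the shape of the BATV "prvs" tag (a key id, a three-digit day counter and a truncated HMAC, prepended to the local part of the MAIL FROM address), but the secret key, the key id and the seven-day acceptance window are constructed choices for this example. The point it demonstrates is the one in the post: a bounce that arrives at the plain, untagged address can only be answering a message that never went through your signing servers.

```python
"""Simplified BATV-style signing of the SMTP envelope sender.

Added example, not code from the thread or from any MTA. It follows the
shape of the BATV "prvs" tag (key id + 3-digit day counter + truncated
HMAC) but the secret key, the key id and the 7-day acceptance window are
constructed choices for this example.
"""
import hmac
import hashlib
import re

SECRET_KEY = b"constructed-example-key"   # a real key lives only on the outbound MTA
KEY_ID = "0"                              # one digit; bump it when the key is rotated
VALIDITY_DAYS = 7                         # bounces older than this are refused

PRVS_RE = re.compile(
    r"^prvs=(?P<key>\d)(?P<ddd>\d{3})(?P<mac>[0-9a-f]{6})=(?P<inner>.+@.+)$"
)


def _tag(local, domain, ddd):
    """Tag = key id + day counter + first 6 hex chars of an HMAC over those
    plus the address, so the tag is tied to both the day and the mailbox."""
    data = f"{KEY_ID}{ddd:03d}{local}@{domain}".encode()
    mac = hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()[:6]
    return f"{KEY_ID}{ddd:03d}{mac}"


def sign_envelope_sender(address, today):
    """Rewrite local@domain to prvs=TAG=local@domain for use as MAIL FROM.
    `today` is an absolute day count (for example days since the epoch)."""
    local, domain = address.rsplit("@", 1)
    return f"prvs={_tag(local, domain, today % 1000)}={local}@{domain}"


def classify_bounce_recipient(rcpt, today):
    """Decide what to do with a bounce (MAIL FROM:<>) addressed to rcpt.

    accept           tag verifies and is within the window
    reject-expired   tag verifies but is older than VALIDITY_DAYS
    reject-bad-tag   tag does not verify (wrong key id, altered address, forged)
    reject-untagged  bounce to the plain address: it answers mail that never
                     went through our signing servers, i.e. a forged sender
    """
    m = PRVS_RE.match(rcpt)
    if not m:
        return "reject-untagged"
    if m.group("key") != KEY_ID:
        return "reject-bad-tag"
    local, domain = m.group("inner").rsplit("@", 1)
    ddd = int(m.group("ddd"))
    expected = _tag(local, domain, ddd)
    presented = m.group("key") + m.group("ddd") + m.group("mac")
    if not hmac.compare_digest(expected, presented):
        return "reject-bad-tag"
    age = (today % 1000 - ddd) % 1000       # the day counter wraps at 1000
    if age > VALIDITY_DAYS:
        return "reject-expired"
    return "accept"


def strip_tag(rcpt):
    """Recover the real mailbox so an accepted bounce can be delivered."""
    m = PRVS_RE.match(rcpt)
    return m.group("inner") if m else rcpt


if __name__ == "__main__":
    today = 15_340                          # constructed absolute day count
    signed = sign_envelope_sender("alice@example.net", today)
    print("MAIL FROM:<%s>" % signed)
    for rcpt, when in ((signed, today + 2), (signed, today + 30),
                       ("alice@example.net", today),
                       (signed.replace("alice@", "bob@"), today)):
        print(f"day {when}: {rcpt} -> {classify_bounce_recipient(rcpt, when)}")
```

The check only makes sense on incoming mail with an empty envelope sender (a bounce), and, as the post says, only if every message leaving your domain was signed on the way out; an unsigned outbound path produces legitimate bounces to the plain address that this logic would refuse.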
07-09-2012, 07:52 PM
"Mark C. Allman"
OT: Spam Problems
On Mon, 2012-07-09 at 20:13 +0100, James Wilkinson wrote:
> Errol Mangwiro wrote:
> > Does anyone know of a way I can tighten fake sender policies & prevent
> > this from occurring again?
>
> Heinz Diehl wrote:
> > You can't prevent people from faking the From: header.
>
> But you can detect those fakes.
>
> Bounces should be sent to the SMTP envelope FROM address, not the
> address in the header. (For example, once this message has gone through
> the fedoraproject.org servers, it will have an SMTP FROM address of
> users-bounces@lists.fedoraproject.org , so mailman should get any
> bounces, but it will still have
> From: James Wilkinson <fedora@aprilcottage.co.uk>
> up there, so you lucky people can reply to me.
>
> BATV is a technique for rewriting the SMTP FROM address to include a
> cryptographic token that is unique to that email. Any bounces including
> one of those tokens must at least have seen that email; any bounces to
> the plain address must therefore have been sent in reply to something
> that didn’t go through your servers.
>
> BATV isn’t perfect, or at least, the rest of the Internet isn’t perfect.
> It does things according to specs in ways some things don’t expect. It
> also does require that all your outgoing email goes through
> BATV-rewriting servers.
>
> Alternatively, SpamAssassin has rules to detect bounces. A competent
> mail filtering program should be able to filter all bounces into a
> separate folder.
>
> > Any spamfilter
> > or network admin who tags email as spam according to From: is a moron.
>
> Now that I would dispute: if the email purports to come from a known
> spammer, then I don’t see why I shouldn’t gleefully reject or sort their
> email accordingly!
>
> You could compare it to an identity thief who stole the identity of
> a known terrorist and flew into Washington, London or Jerusalem under
> that identity.
>
> Hope this helps,
>
> James.
I've been getting lots of spam with subjects like:
Message for postmaster
For postmaster
To postmaster
Message for root
For root
Message for uucp
For uucp
For daemon
etc., etc., etc.
Spamassassin scores them above my threshold score so they all are
rejected with smtp error 540.
Also, here's another spam pattern I see daily. This is from the log
file that my spam filter writes out:
envelope-to: mcallman@allmanpc.com
envelope-to-R: rfc822;mcallman@allmanpc.com
from: "Canadian Pharmacy" f.svcxzu@yahoo.com
envelope-from: f.svcxzu@yahoo.com
subject: Pharmacy Store : <ED Med 1> + <ED Med 2> !
received-name: p4FDDCEE6.dip.t-dialin.net
received-addr: 79.221.206.230
envelope-recd: dns; p4FDDCEE6.dip.t-dialin.net ([::ffff:79.221.206.230])
I've replaced the actual drug names with "<ED Med>" just in case anyone
else blocks anything coming in with those names. The "received-name"
and "received-addr" are the parsed values from the first "Received:"
header. I'd reject this e-mail on the contents of the "from" line only,
or due to the subject line only, or due to the fact that they say
they're a yahoo.com e-mail but the box that handed my server the e-mail
wasn't a yahoo.com server (and this isn't from a yahoo groups mailing
list -- no "list ID" header).
I've recorded in my system around 45k unique IP addresses over the past
18 months that have tried to send me spam. Spammers are always trying
something new.
Mark C. Allman, PMP, CSM
Founder, See How You Ski
Allman Professional Consulting, Inc., www.allmanpc.com
617-947-4263, Twitter: @allmanpc
07-10-2012, 06:56 AM
Heinz Diehl
OT: Spam Problems
On 09.07.2012, James Wilkinson wrote:
> Bounces should be sent to the SMTP envelope FROM address, not the
> address in the header.
I didn't think of bouncing spam (which I personally regard as useless
traffic), but a complaint to the server's admin where it
originates. The IP address in the last received-header will tell. The
human readable names are forgeable, but not the according
IP. Therefore my request of the whole header.
If a complaint doesn't help, the only sane way is to push it to
/dev/null.
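Mark's parsed "received-name"/"received-addr" fields and Heinz's point that the IP in the Received: header your own server wrote is the one value the sender cannot forge, put together as an added example (not code from the thread or from either poster's filter). It pulls the first-hop host and IP out of the topmost Received: header and applies Mark's rule: a From: claiming a big webmail domain, handed over by a host that is not in that domain, with no List-Id header to excuse the relay. The sample messages are constructed (.example host names, RFC 5737 documentation IPs, and "bigwebmail.example" standing in for the webmail domain in the quoted log), and the SELF_HOSTED table is an assumption; a production filter would consult the sending domain's SPF record instead of a hard-coded list.

```python
"""Parse the first-hop host and IP from a message and apply the
"claims domain X but was not handed to us by an X host" check.

Added example (not code from the thread or from any spam filter). The
sample messages are constructed: .example host names, RFC 5737 IPs, and
"bigwebmail.example" standing in for the webmail domain in the quoted
log. SELF_HOSTED is an assumption; real filters ask SPF instead.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Postfix-style "Received: from HELO (rdns [ip]) by ..." line. The HELO
# name and the rDNS name are announced or looked-up values; the IP in
# brackets is what our own MTA saw on the socket and cannot be forged.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?"
    r"\[(?:IPv6:|::ffff:)?(?P<addr>[0-9A-Fa-f.:]+)\]"
)

# Assumption: domains whose legitimate direct mail only ever arrives from
# hosts under the same domain.
SELF_HOSTED = {"bigwebmail.example"}


def first_hop(raw):
    """Return (name, ip) from the topmost Received: header, i.e. the one
    our own MTA added when the remote box connected."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    if not received:
        raise ValueError("message has no Received: header")
    m = RECEIVED_RE.search(received[0])
    if not m:
        raise ValueError("unparseable Received: header: " + received[0])
    name = m.group("rdns") or m.group("helo")
    return name.lower(), m.group("addr")


def classify(raw):
    """Apply the From-domain vs first-hop check; returns the parsed values,
    the reasons found and a reject decision. received-addr is the value to
    quote when complaining to the originating network's admin."""
    msg = message_from_string(raw)
    name, addr = first_hop(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    same_domain = name == from_domain or name.endswith("." + from_domain)
    via_list = msg.get("List-Id") is not None   # list traffic legitimately relays
    reasons = []
    if from_domain in SELF_HOSTED and not same_domain and not via_list:
        reasons.append(f"From: claims {from_domain} but first hop {name} "
                       f"[{addr}] is not a {from_domain} host")
    return {"received-name": name, "received-addr": addr,
            "from-domain": from_domain, "reasons": reasons,
            "reject": bool(reasons)}


def _msg(helo, rdns, ip, sender, extra=""):
    """Build a constructed test message in the shape parsed above."""
    return (f"Received: from {helo} ({rdns} [{ip}])\n"
            "\tby mx.example.net with ESMTP id c0ffee; Mon, 9 Jul 2012 10:00:00 +0000\n"
            f"From: \"Canadian Pharmacy\" <{sender}>\n"
            "To: postmaster@example.net\n"
            f"Subject: Pharmacy Store\n{extra}\n"
            "body\n")


# Constructed samples: spam from a dial-up host claiming a webmail From:,
# the same From: relayed by a mailing list, and genuine direct webmail mail.
SPAM = _msg("mail.dialup.example", "host23.dialup.example", "198.51.100.23",
            "f.sample@bigwebmail.example")
VIA_LIST = _msg("lists.example.org", "lists.example.org", "203.0.113.9",
                "f.sample@bigwebmail.example",
                "List-Id: <users.lists.example.org>\n")
GENUINE = _msg("nm4.bigwebmail.example", "nm4.bigwebmail.example", "192.0.2.44",
               "f.sample@bigwebmail.example")

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("via-list", VIA_LIST), ("genuine", GENUINE)):
        print(label, classify(raw))
```

Only the topmost Received: header is inspected on purpose: every header below it was written by machines the sender controls and can say anything, which is why both posters ask for the complete, original header rather than the bounce summary.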
07-10-2012, 12:06 PM
"Errol Mangwiro "
OT: Spam Problems
Here's a sample of the spam bounces.
Also, does anyone use DKIM? I heard that it complements SPF records but I haven't seen much of it in the wild except with some Google Apps domains.
------Original Message------
From: Mail Delivery System
To: KeenanA2@cypherworld.net
Subject: Undelivered Mail Returned to Sender
Sent: Jun 29, 2012 2:30 PM
This is the mail system at host microprix.fr.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
-----End of Embedded Message-----
-----Embedded Message-----
From: Damien Whitehead <KeenanA2@cypherworld.net>
To: alogue <alogue@microprix.fr>
Date: Fri, 29 Jun 2012 14:30:00
Subject: User alogue
Any lady longs for long and strong tool. http://www.naklolo.ru/
07-10-2012, 12:13 PM
Tim
OT: Spam Problems
On Mon, 2012-07-09 at 20:13 +0100, James Wilkinson wrote:
> Bounces should be sent to the SMTP envelope FROM address, not the
> address in the header.
Spam shouldn't be bounced, though. Even /that/ address will be faked,
and most likely a forgery of someone else's address, so you will be
spamming someone with the bounce.
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
07-10-2012, 12:36 PM
Heinz Diehl
OT: Spam Problems
On 10.07.2012, Errol Mangwiro wrote:
> Here's a sample of the spam bounces.
[....]
All this is unusable, because most of the header fields are missing.
See here for what the full header is:
http://www.ietf.org/rfc/rfc0822.txt