Re: Mail being sent from my domain...

2007-01-06 Thread Jerry McAllister
On Fri, Jan 05, 2007 at 07:47:56PM -0600, Rob W. wrote:

> I hope I'm in the right area and someone could possibly help me with this.
> 
> I am running FreeBSD 5.4. I installed qmail from www.qmailrocks.org
> 
> Everything is working correctly and I do have spamassassin and clamav 
> installed and working.
> 
> Lately I have been getting emails back saying that someone is sending mail 
> out from [EMAIL PROTECTED] If anybody can help. I do have the patch installed 
> so that open relay is disabled and a user needs an account on the qmail 
> system. I have been watching the email accounts and it has not been breached 
> as far as security.
> 
> Is it possible for people to send email out from my domain name and have fake 
> users acting as coming from my network? If so, is there anything I can do to 
> stop this or prevent it?

Well, they don't send it from your actual domain.  But, as you suspect, they
can send it from somewhere and make it look like it comes from yours - 
faking the address.   There is nothing you can do about this if you are
going to be open to sending Email to any part of the world.   You could
put something in your message that is sort of a code to tell people that
it is a legitimate message from you.   You could make up your own or
use one of the signature services.   But, that will not stop people from
using your id and domain name to send stuff all over.  Most people have
learned to ignore those fake addressed messages.

If you have some limited number of locations you must always send
Email, you could set up some sort of VPN and have those sites only
listen to that.  But, I suspect that would be too limiting for most
Email situations.

jerry

> 
> Thanks.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Mail being sent from my domain...

2007-01-06 Thread RW
On Sat, 06 Jan 2007 14:33:46 +
Matthew Seaman <[EMAIL PROTECTED]> wrote:

> Your reasoning is incorrect.  The presence or absence of SPF records
> affects how the systems that are the targets of the spam attack work,
> and those are not in the control of the spammers.  The ability of
> a mail system to realise by analysis of SPF records that the mailer
> connecting to it is an impostor that has no right to send mail from
> the falsely claimed sender address means that the message can be
> rejected early during the SMTP dialogue with a 5xx error (ie
> permanent delivery failure) even before the body of the message has
> been transmitted. 
> ...
> Secondly, you are assuming that the software the spammers use to
> inject e-mail is compliant with the various standards (RFCs 2821,
> ...

Delivery failures are normally generated by the sending server. If you
block SPF failures at the SMTP level there are two possibilities. If
the sender is a real MTA it will generate a backscatter delivery
failure. If it's a spambot or spamming script then it won't, but it
wouldn't have anyway, with or without SPF.

SPF may help fight spam, but I don't see how it can have a major impact
on backscatter when people use 5xx errors.


Re: Mail being sent from my domain...

2007-01-06 Thread Matthew Seaman
RW wrote:
> On Sat, 06 Jan 2007 14:27:21 +1100
> Colin House <[EMAIL PROTECTED]> wrote:
> 
>> Check out http://openspf.org - implementing SPF will help prevent 
>> spoofed emails from being delivered and will start to cut down on the 
>> "backscatter"
> 
> This is often claimed, but I don't really see how it's going to help much.
> 
> Any benefit relies on an initial MTA/MSA refusing to relay for domains
> that don't set the correct SPF records, i.e. it relies on the security
> of MTAs that are owned, controlled or abused by spammers.
> 
> On the other hand setting SPF records means that more spam using the
> domain will be rejected at the SMTP level. This actually leads to more
> backscatter.

Your reasoning is incorrect.  The presence or absence of SPF records
affects how the systems that are the targets of the spam attack work,
and those are not in the control of the spammers.  The ability of
a mail system to realise by analysis of SPF records that the mailer
connecting to it is an impostor that has no right to send mail from
the falsely claimed sender address means that the message can be
rejected early during the SMTP dialogue with a 5xx error (ie
permanent delivery failure) even before the body of the message has
been transmitted.  At that point it is not yet the recipient's duty
to send any delivery failure notification.

Firstly this helps to discourage spammers from trying to forge e-mail
addresses at all by lowering the rate at which they get their messages
in front of their target audiences.  It isn't by any means a perfect
defence, but it certainly does help raise the marginal costs of the
spammers and if that can be done widely enough, the spamming model will
become uneconomic.

Secondly, you are assuming that the software the spammers use to inject
e-mail is compliant with the various standards (RFCs 2821, 2822 etc.)
That is patently not the case: spammers typically use networks of
compromised machines (indeed, there is actually a black market in the
sale of such machines) with small, custom written, but fairly stupid
software which in most cases can do little more than replay one side
of an SMTP dialogue.  This is why techniques such as greylisting,
greeting-wait and tarpitting are so very effective.  It also means that
the spammers are not going to be sending bounce-o-grammes to the addresses
they have forged: to do so will require them to actually write standards
compliant software to install on their bot-net hosts, and that is (again)
going to drive up their marginal costs.  Remember: it's the real MTAs
which abide by the standards that result in the backscatter, but they
only do that if they are badly configured and make the mistake of accepting
the message in the first place.

SPF is by no means perfect.  Indeed it has a quite obvious flaw: spammers
can just operate by creating their own throwaway domains and publish their
own SPF records for them.  Not complying with SPF is pretty good evidence
that a message is spam, but the converse, that an SPF compliant message is
not spam, is certainly not true.  Of course, if the spammers do start
using their own sacrificial domains to send spam, then the backscatter
problem disappears too.  Plus they open themselves to another line of attack
against the registrars and DNS providers needed to pursue that strategy.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
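To make Matthew's point above concrete (a forged sender can be refused with a 5xx during the SMTP dialogue, before DATA, so the receiving server never holds a message it would later bounce), and RW's point that any bounce is then the connecting MTA's to generate, here is an added example, not code from the thread or from any of its posters: a minimal SPF evaluator run against a constructed DNS table. It implements only the ip4:, include: and all mechanisms, and every domain, address and record in it is constructed for illustration.

```python
# Added example, not code from the thread: a minimal SPF evaluation of the
# kind a receiving MTA performs at MAIL FROM time.  Only the ip4:, include:
# and all mechanisms are implemented; DNS_TXT stands in for real TXT lookups,
# and every domain and address below is constructed for illustration.
import ipaddress

DNS_TXT = {
    "example.net":          "v=spf1 ip4:192.0.2.0/24 include:mail.example.org -all",
    "mail.example.org":     "v=spf1 ip4:198.51.100.10 -all",
    "softfail.example.com": "v=spf1 ip4:192.0.2.10 ~all",
    "nospf.example.com":    None,   # domain publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF record for a connecting client_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = DNS_TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1") or depth > 10:
        return "none"                      # no usable record: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:        # mechanisms are tested left to right
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = check_spf(mech[8:], client_ip, depth + 1) == "pass"
        else:
            matched = mech == "all"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # ran off the end of the record

def mail_from_reply(mail_from, client_ip):
    """SMTP reply to MAIL FROM.  A 5xx here ends the transaction before DATA,
    so this server never holds a message it would later have to bounce."""
    domain = mail_from.rsplit("@", 1)[-1]
    if check_spf(domain, client_ip) == "fail":
        return "550 5.7.1 %s is not permitted to send mail from %s" % (client_ip, domain)
    return "250 2.1.0 Ok"      # pass, softfail, neutral and none are all accepted here

if __name__ == "__main__":
    print(mail_from_reply("alice@example.net", "192.0.2.7"))      # listed relay: accepted
    print(mail_from_reply("alice@example.net", "203.0.113.5"))    # forged sender: refused
```

Whether the 550 turns into a bounce to the forged address depends on what is on the other end of the connection: a standards-following MTA will generate one, a bot replaying an SMTP dialogue will not, which is the distinction both posters draw.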





Re: Mail being sent from my domain...

2007-01-06 Thread RW
On Sat, 06 Jan 2007 14:27:21 +1100
Colin House <[EMAIL PROTECTED]> wrote:

> Check out http://openspf.org - implementing SPF will help prevent 
> spoofed emails from being delivered and will start to cut down on the 
> "backscatter"

This is often claimed, but I don't really see how it's going to help much.

Any benefit relies on an initial MTA/MSA refusing to relay for domains
that don't set the correct SPF records, i.e. it relies on the security
of MTAs that are owned, controlled or abused by spammers.

On the other hand setting SPF records means that more spam using the
domain will be rejected at the SMTP level. This actually leads to more
backscatter.



Re: Mail being sent from my domain...

2007-01-05 Thread Sahil Tandon

Lars Eighner wrote:

> On Fri, 5 Jan 2007, Rob W. wrote:
> 
>> Ok, and I suppose by chance there is no way to prevent this from 
>> happening or a way to stop it huh?
> 
> No, not from your perspective.

You cannot stop others from spoofing your address, but you can prevent 
some backscatter from clogging your mailbox.  For users of Postfix:

http://www.postfix.org/BACKSCATTER_README.html

However, because you're using qmail, you should post your question on 
that mailing list.


--
Sahil Tandon <[EMAIL PROTECTED]>


Re: Mail being sent from my domain...

2007-01-05 Thread Lars Eighner

On Fri, 5 Jan 2007, Rob W. wrote:

> Is it possible for people to send email out from my domain name and have
> fake users acting as coming from my network?

Yes, if you have defeated the security features of your mail server either
accidentally or on purpose, but that is not what is happening in this case.
There appears to be a recurrence (or mutation) of a virus we have seen
before.  The mail is not originating on your server.  Your domain is being
spoofed by the infected computer(s).  The forged mail probably would not
escape detection by a knowledgeable human, but it is good enough to fool
some autoresponders and mail tossers, which is why you get the bounces.

--
Lars Eighner
http://www.larseighner.com/index.html
8800 N IH35 APT 1191 AUSTIN TX 78753-5266



Re: Mail being sent from my domain...

2007-01-05 Thread Colin House

Sahil Tandon wrote:

> Rob W. wrote:
> 
>> I hope I'm in the right area and someone could possibly help me with 
>> this.
> 
> You should post this question on the qmail mailing list.  You should 
> also include the relevant logs with your question.
> 
> Even if you're not an open relay, spammers can spoof your domain name 
> to send messages that, when rejected, will come back to you in the 
> form of "backscatter".

Check out http://openspf.org - implementing SPF will help prevent 
spoofed emails from being delivered and will start to cut down on the 
"backscatter"



Re: Mail being sent from my domain...

2007-01-05 Thread Lars Eighner

On Fri, 5 Jan 2007, Rob W. wrote:

> Ok, and I suppose by chance there is no way to prevent this from happening
> or a way to stop it huh?

No, not from your perspective.

--
Lars Eighner
http://www.larseighner.com/index.html
8800 N IH35 APT 1191 AUSTIN TX 78753-5266



Re: Mail being sent from my domain...

2007-01-05 Thread Rob W.
Ok, and I suppose by chance there is no way to prevent this from happening 
or a way to stop it huh?



- Original Message - 
From: "Lars Eighner" <[EMAIL PROTECTED]>

To: "Rob W." <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, January 05, 2007 9:25 PM
Subject: Re: Mail being sent from my domain...



> On Fri, 5 Jan 2007, Rob W. wrote:
> 
>> Is it possible for people to send email out from my domain name and have
>> fake users acting as coming from my network?
> 
> Yes, if you have defeated the security features of your mail server either
> accidentally or on purpose, but that is not what is happening in this 
> case.
> 
> There appears to be a recurrence (or mutation) of a virus we have seen
> before.  The mail is not originating on your server.  Your domain is being
> spoofed by the infected computer(s).  The forged mail probably would not
> escape detection by a knowledgeable human, but it is good enough to fool
> some autoresponders and mail tossers, which is why you get the bounces.
> 
> --
> Lars Eighner
> http://www.larseighner.com/index.html
> 8800 N IH35 APT 1191 AUSTIN TX 78753-5266






Re: Mail being sent from my domain...

2007-01-05 Thread Sahil Tandon

Rob W. wrote:

> I hope I'm in the right area and someone could possibly help me with this.

You should post this question on the qmail mailing list.  You should 
also include the relevant logs with your question.

Even if you're not an open relay, spammers can spoof your domain name to 
send messages that, when rejected, will come back to you in the form of 
"backscatter".


--
Sahil Tandon <[EMAIL PROTECTED]>