Comments on: Reverse joe-jobbbing - sample to come

By: Michael Gracie

Michael Gracie — Fri, 31 Mar 2006 20:15:51 +0000

Sounds like there are a couple of interpretations of what is happening here. As soon as I personally get another, I will post it for sure.

By: David Hart

David Hart — Fri, 31 Mar 2006 19:55:30 +0000

That shouldn’t work “Instead of forging the sender’s email address (a trick that’s easily detected by anti-spam technologies) spammers are deliberately sending their messages to an invalid email address at a high profile company using a forged “From” address at a target company. The email is then bounced as an unrecognised email address and sent back to the “sender”.”

Properly configured, a server only sends NDRs to local recipients which is determined by the authenticated original sender.

Regardless of the asserted sender, a message to an unknown user should be rejected (55x) - not bounced, which creates backscatter.

By: Tomasz Andrzej Nidecki

Tomasz Andrzej Nidecki — Fri, 31 Mar 2006 18:45:41 +0000

Two solutions at mail server level that need to be forced upon all administrators to solve this simple problem:

1. Make a “default” address, which accepts all mail to inexistant addresses - no bounces are generated (eg. in qmail: /var/qmail/alias/.qmail-default with “#” as contents -> all goes to dev-null).

2. Bounce at envelope level, not after mail acceptance. This unfortunately needs to be implemented in the mail server, and cannot be simply configured in most cases. Unfortunately, many MTAs (eg. qmail) do not check for mail existence at mail envelope level, but only upon mail acceptance. Hence it’s possible to abuse such servers. If bounces are generated at envelope level, there is no actual mail sent to the envelope from address.

PS your entry is a bit unclear, because it’s not the sender address that the mail is returned to, but the envelope sender (in mail headers you see this address in Return-Path:, NOT in From:).