Reverse joe-jobbbing – sample to come

Spammers are thwarting filters by putting their target email addresses in the sender line, and pushing the emails to invalid addresses, according to The Register.

I’ve received about a half dozen bounced messages that may be related, and recollect they were coming from Postfix servers. If you see one, you will notice all the generic “this is a message from the Postfix server” bit, and the “returned” spam message will be at the very bottom.

I’ll post a sample here next time one comes my way.

PS: Yes, that title needs work.

Comments

Two solutions at mail server level that need to be forced upon all administrators to solve this simple problem:

1. Make a “default” address, which accepts all mail to inexistant addresses – no bounces are generated (eg. in qmail: /var/qmail/alias/.qmail-default with “#” as contents -> all goes to dev-null).

2. Bounce at envelope level, not after mail acceptance. This unfortunately needs to be implemented in the mail server, and cannot be simply configured in most cases. Unfortunately, many MTAs (eg. qmail) do not check for mail existence at mail envelope level, but only upon mail acceptance. Hence it’s possible to abuse such servers. If bounces are generated at envelope level, there is no actual mail sent to the envelope from address.

PS your entry is a bit unclear, because it’s not the sender address that the mail is returned to, but the envelope sender (in mail headers you see this address in Return-Path:, NOT in From:).

David Hart says:

That shouldn’t work “Instead of forging the sender’s email address (a trick that’s easily detected by anti-spam technologies) spammers are deliberately sending their messages to an invalid email address at a high profile company using a forged “From” address at a target company. The email is then bounced as an unrecognised email address and sent back to the “sender”.”

Properly configured, a server only sends NDRs to local recipients which is determined by the authenticated original sender.

Regardless of the asserted sender, a message to an unknown user should be rejected (55x) – not bounced, which creates backscatter.

Sounds like there are a couple of interpretations of what is happening here. As soon as I personally get another, I will post it for sure.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.