Operating System - Linux
How to stop Misdirected bounces with sendmail

 
SOLVED
Go to solution
Geoff Wild
Honored Contributor

How to stop Misdirected bounces with sendmail

Someone complained to spamcop about my mail server - said I sent "Unsolicited bounce"...

So... on their site:

http://www.spamcop.net/fom-serve/cache/329.html#bounces

doesn't say how to fix sendmail.

Any ideas?

Thanks...Geoff
Proverbs 3:5,6 Trust in the Lord with all your heart and lean not on your own understanding; in all your ways acknowledge him, and he will make all your paths straight.
Stuart Browne
Honored Contributor

Re: How to stop Misdirected bounces with sendmail

Why is your system sending bounces, instead of just REJECTing the envelope?

If you give some details about the mail-path setup you've got, I'll give some advice where I can.
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: How to stop Misdirected bounces with sendmail

Shalom Geoff,

Misdirected bounces are a common port 25 exploit.

It is possible to detect this by scanning the maillog file, taking the source IP addresses and adding them as rejects to the /etc/mail/access file.

It's not really all that common any more. I've not seen it on my public Internet servers in many months.

I'd first make sure from the header and logs provided that it really came from your server. Unsolicited bounce is similar in nature to what may have happened to your web server.

If the system does not need to accept mail then turn off sendmail. That will stop most of the garbage. If the system needs to accept mail, then it can be exploited this way and you probably need to implement some form of protection in sendmail.

http://www.hpuxconsulting.com/buildmail

That is the basis of a complex system I built to deal with all kinds of sendmail stuff.

There is a great deal you can do with sendmail.mc to thwart these people, also virtusertable and genericstable to make the outbound mail addresses invalid.

Better the bounce stays on your log versus having your sendmail daemon and binaries manipulated to send mail.

Still, no real evidence of a hack.

If you need these systems, please contact me directly. I consider them open source and know you're able to implement them with little assistance on my part.

http://www.isnamerica.com/contactsep.shtml

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
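The log-scanning approach described above (collect the IPs behind rejected envelopes, turn them into access-db rejects) as an added example; this is not Steven's buildmail system or any part of sendmail. The maillog lines are constructed to look like sendmail's syslog output (documentation-range IPs), and only the `relay=` and `reject=` fields are parsed. The `Connect:` tag and `REJECT` value are standard sendmail access-db syntax when `FEATURE(`access_db')` is enabled; the threshold and the allow-list of hosts you must never block (your ISP's outbound relay, for instance) are choices of this example.

```python
"""Scan sendmail maillog lines for rejected envelopes and emit access-db lines.

Added example, not from the thread. Sample log lines are constructed.
"""
import re
from collections import Counter

# Constructed sample of /var/log/maillog lines (sendmail syslog format).
SAMPLE_MAILLOG = """\
Jan 14 08:32:04 dune sendmail[27018]: k0EGW4Lx027018: ruleset=check_rcpt, arg1=<nobody@isp.net>, relay=[203.0.113.7], reject=550 5.1.1 <nobody@isp.net>... User unknown
Jan 14 08:32:05 dune sendmail[27018]: k0EGW4Lx027018: ruleset=check_rcpt, arg1=<zz@isp.net>, relay=[203.0.113.7], reject=550 5.1.1 <zz@isp.net>... User unknown
Jan 14 08:32:06 dune sendmail[27019]: k0EGW4Ly027019: ruleset=check_rcpt, arg1=<q1@isp.net>, relay=[203.0.113.7], reject=550 5.1.1 <q1@isp.net>... User unknown
Jan 14 08:33:10 dune sendmail[27031]: k0EGXAab027031: from=<alice@example.com>, size=1024, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Jan 14 08:34:00 dune sendmail[27040]: k0EGY0cd027040: ruleset=check_rcpt, arg1=<bob@isp.net>, relay=outbound01.myisp.net [198.51.100.5], reject=550 5.1.1 <bob@isp.net>... User unknown
"""

# relay= is "host [ip]" when reverse DNS exists, or just "[ip]" when it does not;
# IPv6 literals are logged as [IPv6:...].
RELAY_RE = re.compile(r"relay=(?:(?P<host>\S+) )?\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]")
REJECT_RE = re.compile(r"reject=(?P<code>\d{3}) ")


def rejected_by_ip(log_text):
    """Count rejected envelopes per connecting IP (lines without reject= are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        relay = RELAY_RE.search(line)
        if relay is None or REJECT_RE.search(line) is None:
            continue
        counts[relay.group("ip")] += 1
    return counts


def access_entries(counts, threshold, allow=frozenset()):
    """Render access-db lines for IPs at or over `threshold` rejections.

    `allow` holds IPs that must never be blocked even if they trip the
    threshold, e.g. the primary MX or the ISP's outbound relay: a burst of
    "User unknown" from them is misdirected mail, not an attacker.
    """
    lines = []
    for ip, n in sorted(counts.items()):
        if n >= threshold and ip not in allow:
            lines.append(f"Connect:{ip}\tREJECT")
    return lines


if __name__ == "__main__":
    hits = rejected_by_ip(SAMPLE_MAILLOG)
    for entry in access_entries(hits, threshold=3, allow={"198.51.100.5"}):
        print(entry)
```

Append the emitted lines to /etc/mail/access and rebuild the map with `makemap hash /etc/mail/access < /etc/mail/access`; review the list before doing so, since a blocked IP here is a permanent 5xx at connect time.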
Geoff Wild
Honored Contributor

Re: How to stop Misdirected bounces with sendmail

Here's the scoop.

I run a small web hosting company on the side.

I also am a backup mail server for the ISP where my servers are - so - when their "windows" server can't handle the load - mail relays through me - and I hold it until their server can accept it.

Issue is, joespammer sends an email as someone@legitimateemail.com to abc123@isp.net - I accept it - cause I'm just doing a store-and-forward - once the ISP server's load is down, I forward the email - only then to find out that the email addy does not exist - so - they bounce back to me, and I bounce back to someone@legitimateemail.com - stating "no such address".

I do forgery checking for "popular" email (aol, microsoft, yahoo, hotmail, etc) but I can't for every possible domain name.

IE - If you say the return is joe@hotmail.com, and it doesn't come from a hotmail server - then I reject it.

So what I need to do - is disable bouncing - reject is fine - but I don't know all the email addresses of the ISP - so how do I verify?

Making any sense?

Thanks...Geoff
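The recipient decision a backup MX has to make at RCPT TO, as an added example (not Geoff's configuration or part of sendmail): a known user is queued, an unknown user in the backed-up domain gets a 550 at SMTP time so the sending MTA, not the backup, owns any bounce, and anything else is refused as relaying. It assumes the primary's administrator can export the list of valid mailboxes (the domain and users below are constructed). The access-db rendering assumes `FEATURE(`access_db')` and `FEATURE(`blacklist_recipients')` are enabled and that sendmail's check_rcpt looks up the full `To:user@domain` entry before the `To:domain` entry, so per-user RELAY entries win over the domain-wide ERROR; verify that precedence against your sendmail version before relying on it.

```python
"""Backup-MX recipient policy: reject unknown users at RCPT TO instead of
accepting and bouncing later. Added example, not from the thread.
"""

BACKUP_DOMAIN = "isp.net"
# Constructed export of valid mailboxes on the primary (local parts).
VALID_USERS = frozenset({"abc123", "gjwild", "postmaster", "abuse"})


def rcpt_policy(recipient, backup_domain=BACKUP_DOMAIN, valid_users=VALID_USERS):
    """Return the SMTP reply for a RCPT TO on the backup MX.

    250: known user in the backed-up domain; queue and forward it.
    550 5.1.1: our domain but unknown user; rejecting here means the
               sender's MTA, not us, generates any bounce.
    554 5.7.1: not a domain we back up; never relay it.
    """
    local, sep, domain = recipient.strip("<>").rpartition("@")
    if not sep or domain.lower() != backup_domain.lower():
        return "554 5.7.1 Relaying denied"
    if local.lower() in valid_users:
        return "250 2.1.5 Recipient ok"
    return "550 5.1.1 User unknown"


def access_map_entries(backup_domain=BACKUP_DOMAIN, valid_users=VALID_USERS):
    """Render the same policy as sendmail access-db lines (assumption: with
    blacklist_recipients, the full-address entry is matched before the domain
    entry, so the per-user RELAY lines override the domain-wide ERROR)."""
    lines = [f'To:{backup_domain}\tERROR:5.1.1:"550 User unknown"']
    for user in sorted(valid_users):
        lines.append(f"To:{user}@{backup_domain}\tRELAY")
    return lines


if __name__ == "__main__":
    for rcpt in ("<abc123@isp.net>", "<nobody@isp.net>", "<x@other.example>"):
        print(rcpt, "->", rcpt_policy(rcpt))
    print("\n".join(access_map_entries()))
```

The list of valid users has to come from the primary and be refreshed whenever mailboxes change; a stale list turns into exactly the kind of false 550 Geoff was trying to avoid, so an export job from the primary (or, for MTAs that support it, a recipient callout to the primary at RCPT time) is the part that makes this policy safe to run.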
Steven E. Protter
Exalted Contributor
Solution

Re: How to stop Misdirected bounces with sendmail

Shalom Geoff,

I would suggest the following steps:

1) Use the sendmail hack that prevents acceptance of mail in the first place from any IP without a reverse lookup. I do this because AOL does and it stops several hundred emails a day.

2) I just learned that one of my new company's offices in Australia or New Zealand has a new check in place. They check that the source IP address matches the domain MX record. No match, bounce the mail. This AOL also does apparently. I don't know how this is done yet but will make an inquiry to see how they do it.

I don't have time, with the Sabbath upon us, to post the reverse DNS hack, but it's extremely reliable and I'll try and remember to do the post over the weekend.

SEP
Bill Thorsteinson
Honored Contributor

Re: How to stop Misdirected bounces with sendmail

This site is directed at Exim, a sendmail replacement. It discusses the various filters you may want to use to block spam.
http://slett.net/spam-filtering-for-mx/index.html
Geoff Wild
Honored Contributor

Re: How to stop Misdirected bounces with sendmail

Here's how to do the reverse IP - in your mc file add:

define(`_IP_LOOKUP_',1)dnl
define(`_DNSVALID_',1)dnl
define(`_DNSRELAY_',1)dnl

Then make install-cf

Then service sendmail restart

Rgds...Geoff
Geoff Wild
Honored Contributor

Re: How to stop Misdirected bounces with sendmail

Steven - please post the reverse hack - tried that way I posted - doesn't work.

Thanks...Geoff
Geoff Wild
Honored Contributor

Re: How to stop Misdirected bounces with sendmail

Actually - just found one that works:

http://www.cs.niu.edu/~rickert/cf/

cp the HACK(`require_rdns') to /usr/local/src/sendmail-8.13.X/cf/hack/

Add to sendmail.mc

HACK(`require_rdns')

Then build it:

sh Build install-cf

works like a charm!

Rgds...Geoff
Steven E. Protter
Exalted Contributor

Re: How to stop Misdirected bounces with sendmail

That's where I got it, btw.

I'm sorry you had to wait. I had literally seconds before I had to go offline. I'm working on the second hack for you and hopefully will provide it within a few days.

SEP
Steven E. Protter
Exalted Contributor

Re: How to stop Misdirected bounces with sendmail

Geoff,

I think you may have come across your answer for my second recommendation, validating the sending domain.

_DNSVALID_
perform a DNS lookup on the domain part of the envelope from address, temporarily refuse the mail if there is no A, MX, or CNAME record

Requires:

http://www.sendmail.org/~ca/email/rules/check_mail3.m4

I'm not certain it works and don't like the warning about not using on a production machine, but am currently checking it out.

Most of the spam that gets through the reverse DNS hack we use and SpamAssassin, which I see in the logs eating hundreds of emails per day, is stuff that gets relayed through people who have spyware that installed an SMTP relay.

The domain it came from almost never matches the domain of the from address.

I'll let you know.

SEP
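The two checks discussed in this thread, the require_rdns HACK Geoff installed (the connecting IP must have a PTR whose forward A records include that IP, i.e. forward-confirmed reverse DNS) and the _DNSVALID_ sender-domain rule quoted above (the envelope-from domain must have an A, MX or CNAME record, otherwise a temporary refusal), as one added example that shows the decision logic, not the m4 rules themselves. The DNS data is a constructed in-memory table so it runs offline; against real DNS you would back the `Resolver` methods with a library such as dnspython. Two edge cases the example handles that matter in production: the null sender `<>` is always allowed at MAIL FROM (it is how bounces arrive, and refusing it creates new misdirected-bounce problems), and a domain with no records is answered 451 rather than 55x, so a resolver outage delays mail instead of losing it.

```python
"""Connection-time FCrDNS check and MAIL FROM domain check.

Added example, not sendmail's rules. DNS data below is constructed.
"""

# Constructed DNS: PTR names per IP, and forward records per name.
FAKE_PTR = {
    "198.51.100.5": "outbound01.myisp.net",
    "203.0.113.7": "203-0-113-7.dsl.example",  # PTR exists, does not resolve back
    # 192.0.2.99 deliberately has no PTR
}
FAKE_FORWARD = {
    "outbound01.myisp.net": {"A": ["198.51.100.5"]},
    "203-0-113-7.dsl.example": {"A": ["203.0.113.8"]},
    "myisp.net": {"MX": ["mx.myisp.net"]},
    "legitimateemail.com": {"A": ["192.0.2.20"]},
    "alias.example": {"CNAME": ["legitimateemail.com"]},
}


class Resolver:
    """Minimal resolver over the tables above; replace with real lookups."""

    def __init__(self, ptr, forward):
        self.ptr, self.forward = ptr, forward

    def ptr_name(self, ip):
        return self.ptr.get(ip)

    def records(self, name, rtype):
        return self.forward.get(name.lower().rstrip("."), {}).get(rtype, [])


RESOLVER = Resolver(FAKE_PTR, FAKE_FORWARD)


def connect_policy(ip, resolver=RESOLVER, tempfail_on_missing_ptr=False):
    """require_rdns-style check. Returns (accept, smtp_reply).

    Accept only if a PTR exists and its A records contain the connecting IP
    (forward-confirmed reverse DNS). A missing PTR can be answered 451 instead
    of 550 while you measure how much legitimate mail it would affect.
    """
    name = resolver.ptr_name(ip)
    if name is None:
        code = "451 4.7.1" if tempfail_on_missing_ptr else "550 5.7.1"
        return False, f"{code} No reverse DNS for [{ip}]"
    if ip not in resolver.records(name, "A"):
        return False, f"550 5.7.1 Reverse DNS {name} does not resolve back to [{ip}]"
    return True, "220 ok"


def sender_domain_policy(mail_from, resolver=RESOLVER):
    """_DNSVALID_-style check. Returns (accept, smtp_reply).

    The null sender is always accepted (that is how bounces arrive). A domain
    with no A, MX or CNAME gets a temporary failure so a DNS outage on our
    side cannot permanently reject valid senders.
    """
    addr = mail_from.strip("<>")
    if addr == "":
        return True, "250 2.1.0 Null sender ok"
    _, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return False, "553 5.1.8 Sender address requires a domain"
    if any(resolver.records(domain, t) for t in ("A", "MX", "CNAME")):
        return True, "250 2.1.0 Sender ok"
    return False, f"451 4.1.8 Domain of sender address {addr} does not resolve"


if __name__ == "__main__":
    for ip in ("198.51.100.5", "203.0.113.7", "192.0.2.99"):
        print(ip, connect_policy(ip))
    for sender in ("<>", "<joe@legitimateemail.com>", "<x@nonexistent.invalid>"):
        print(sender, sender_domain_policy(sender))
```

Run the FCrDNS check in log-only or 451 mode first: in the example, the dial-up host 203.0.113.7 is refused because its PTR points at a different address, which is the intended outcome for a spam relay but also what you will see from legitimate senders whose ISP maintains sloppy reverse zones.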
Geoff Wild
Honored Contributor

Re: How to stop Misdirected bounces with sendmail

Yeah - I tested that - caused issues - I lost a lot of mail - even though it was valid - I think that is only good if you know every single email address to accept - or every email that you plan to receive from - something like that....

Example - this should have been accepted:

Jan 14 08:32:04 dune sendmail[27018]: k0EGW4Lx027018: ruleset=check_from, arg1=gjwild@myispemail.net, relay=outbound01.myisp.net [XXX.XXX.XXX.XXX], reject=553 5.3.0 H ... :myisp.net><

So I removed that hack...

So far, the "require_rdns" HACK is doing what I need - and then some.

Rgds...Geoff

Steven E. Protter
Exalted Contributor

Re: How to stop Misdirected bounces with sendmail

The checkmail hack is not working as advertised.

Since I last posted I got two spam messages where the from address did not match the source ip address. So obviously the hack does not work.

I can, if I find a good hack, completely shut down all inbound spam. That would be nice. I will let you know if I make progress.

SEP