Spam via SMTP Non-Delivery Reports

May 7, 2006

I have modest email needs, so I use the default SMTP and POP3 services in Windows Server 2003. Although I have email relay disabled, spammers are still managing to send spam through my SMTP service -- via non-delivery reports!

In other words, spammers are intentionally sending email messages to nonexistent email addresses on my domain. Here's a representative sniffer trace from earlier today:

MAIL FROM:<lolando@glocos.com>
250 2.1.0 OK
RCPT TO:<uucp@codinghorror.com>
250 2.1.5 OK
354 Start mail input
DATA
(spam email body elided)
250 2.6.0  Queued mail for delivery

MAIL FROM:<meskes@getinthepicture.com>
250 2.1.0 OK
RCPT TO:<support@codinghorror.com>
250 2.1.5 OK
DATA
(spam email body elided)
250 2.6.0 Queued mail for delivery

This repeats dozens of times, with different "from" and "to" email addresses. The person in the "from" address will get a non-delivery report from my server that includes the original spam message as an attachment.

This is also known as a "reverse NDR attack": the non-delivery report, with the spam attached, goes to the forged "from" address -- the intended victim -- rather than back to the actual sender.

I've pored over the SMTP settings in Windows Server 2003 and I can't figure out a way to fix this. I did find this cool SMTP tar pit feature which sounds appropriate -- but unfortunately, it will have no effect in my case. As you can see from the sniffer trace above, the basic SMTP service is not smart enough to perform "recipient filtering" -- that is, to reject email for users that don't exist at the time of submission. The address is validated only after the message has been accepted for delivery, which is too late.

I thought about suppressing non-delivery reports entirely, but this breaks the email protocol:

Some of you might think it would be better to simply turn off recipient filtering, rely on your 3rd party antispam product, and suppress NDRs (as spammers typically use spoofed domains anyway). This is possible but unfortunately doing so breaks RFC 2821, which states that an NDR must be returned if an e-mail message for an invalid recipient is accepted. In addition it also means normal users that perhaps make a typo in an e-mail address will never receive an NDR informing them of the issue.

What I really need is some way to make the default SMTP service in Windows Server 2003 reject emails for invalid recipients prior to accepting the message. That, along with the built-in tarpit support, should break spammers.

I hate to buy a commercial mail server to replace the simple SMTP and POP3 services provided with Windows Server 2003. But unless I can stem the tide of SMTP non-delivery report spam, I guess I'll have to.
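To make the difference concrete, here is a small Python model of the two RCPT TO policies discussed above: the accept-then-bounce behaviour visible in the sniffer trace, and recipient filtering that answers 550 before the message is ever accepted. This is an added example, not code from the post or from the Windows Server 2003 SMTP service; the mailbox list and the replayed transcript are constructed from the addresses in the trace.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: the mailboxes that actually exist on the receiving server.
LOCAL_MAILBOXES = {"jeff@codinghorror.com"}

# Constructed client-side transcript, using the addresses from the sniffer trace above.
SPAM_TRACE = [
    "MAIL FROM:<lolando@glocos.com>",
    "RCPT TO:<uucp@codinghorror.com>",
    "DATA",
    "Subject: (spam body elided)",
    "",
    "BUY NOW",
    ".",
    "QUIT",
]


@dataclass
class SessionResult:
    replies: List[str] = field(default_factory=list)  # server replies, in order
    queued: bool = False                              # message accepted for delivery
    ndr_to: Optional[str] = None                      # envelope sender a bounce would go to
    ndr_carries_body: bool = False                    # bounce would attach the original


def _address(command: str) -> str:
    """Extract the bare address from 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b>'."""
    return command.split("<", 1)[1].split(">", 1)[0].lower()


def run_session(client_lines, known_users=LOCAL_MAILBOXES, recipient_filtering=False):
    """Replay a client transcript against a toy SMTP receiver and record the outcome.

    recipient_filtering=False models the behaviour in the trace: every RCPT TO is
    answered 250, the message is queued, and only then is the mailbox looked up, so
    an unknown user turns into an NDR (with the spam attached) back to MAIL FROM.
    recipient_filtering=True refuses unknown users with 550 at RCPT time, so the
    receiver never holds a message it would have to bounce.
    """
    res = SessionResult()
    mail_from, rcpts, in_data = None, [], False
    for line in client_lines:
        if in_data:
            if line == ".":  # end of DATA: the message is now the receiver's problem
                in_data = False
                res.queued = True
                res.replies.append("250 2.6.0 Queued mail for delivery")
                if any(r not in known_users for r in rcpts):
                    # Post-acceptance check: the only party left to tell is the
                    # (forged) envelope sender, and the NDR attaches the spam.
                    res.ndr_to = mail_from
                    res.ndr_carries_body = True
            continue  # a real server stores body lines; they do not matter here
        verb = line.split(":", 1)[0].upper()
        if verb == "MAIL FROM":
            mail_from = _address(line)
            res.replies.append("250 2.1.0 OK")
        elif verb == "RCPT TO":
            rcpt = _address(line)
            if recipient_filtering and rcpt not in known_users:
                res.replies.append("550 5.1.1 User unknown")  # refused before DATA
            else:
                rcpts.append(rcpt)
                res.replies.append("250 2.1.5 OK")
        elif verb == "DATA":
            if rcpts:
                in_data = True
                res.replies.append("354 Start mail input")
            else:
                res.replies.append("503 5.5.1 No valid recipients")
        elif verb == "QUIT":
            res.replies.append("221 2.0.0 Closing connection")
        else:
            res.replies.append("500 5.5.1 Command unrecognized")
    return res


if __name__ == "__main__":
    for filtering in (False, True):
        r = run_session(SPAM_TRACE, recipient_filtering=filtering)
        print(f"recipient_filtering={filtering}: queued={r.queued}, ndr_to={r.ndr_to}")
        for reply in r.replies:
            print("   ", reply)
```

Run as is, the first pass reproduces the trace (250, 250, 354, 250) and ends with a bounce owed to lolando@glocos.com; the second pass never gets past RCPT TO, so there is nothing to bounce and the tar pit delay, if enabled, is applied to a connection that has already been told no.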

Posted by Jeff Atwood
29 Comments

Would setting up a catch-all account do what you wanted?

http://isorecorder.alexfeinman.com/catchall.htm

Don't know if this is of any use, and I haven't tried it because I don't run a 2k3 machine, but it may be useful.

Carl

Carl Wright on May 8, 2006 3:03 AM

I've been getting bounces for mails I didn't send, so I assume it's probably something like this. Interestingly, some ISPs appear to be wise to the tactic and are not including the original text of the bounced message. This makes it pointless to bounce off their servers for spam purposes. Of course, it's unlikely the spammers will ever see that their message wasn't delivered. But that never stopped them anyway.

Darrin on May 8, 2006 3:34 AM

Jeff,

This is a shameless plug, but you might consider using Majodio Mail (http://www.majodio.com). It has the following features:

• Email verification of SMTP from command to ensure that whoever is sending the email is legitimate. This is accomplished by doing a reverse DNS lookup on the IP and seeing if the domain matches (at least partially) the from email address provided
• API support for .Net 2.0
• Plugin manager to allow for additional functionality if desired.
• DNS Black List (DNSBL) support to reduce Spam.
• Email Spam filtering based on the DNSBL server used.
• Configurable encrypted email storage for security
• Support for MIME 1.0 parsing.
• Multi-threaded SMTP/POP3/Logging servers
• Multiple domain support
• User Aliases with multiple destination mail boxes
• The ability to define banned IP addresses
• Includes a friendly user interface to make configuration effortless
• Real-Time monitoring of all services (scrolling event log)
• Real-Time statistics (counters) so server administration is a breeze.

But the best feature of all is that it's FREE!

Brian Swiger has told me that he would like to add a Web based UI so hopefully that will be coming soon. You can download the latest version of the server from:

http://www.majodio.com/downloads/majodiomailsetup.msi

The documentation can be found here:

http://www.majodio.com/downloads/help.pdf

If you do download it, let me know what you think. You can contact me at support@majodio.com

Matt Ruwe on May 8, 2006 5:23 AM

egad, that uucp@ address...

i believe i'm getting the exact same spammer. i've just been too lazy to analyze what was happening - thanks for the heads-up on that. i've been using Merak's mail server (http://www.merakmailserver.com/) and it has not been blocking those messages. i will investigate the options and see what i find.

for home use on and off i've been using lumisoft's mail server (free, open source, c#). i've written filter plug-ins for it in the past using the provided interfaces. that may do the trick.

janos erdelyi on May 8, 2006 6:40 AM

What are the repercussions of breaking that RFC? Seems to me like the good is outweighing the bad here.

Coleman on May 8, 2006 6:41 AM

Would setting up a catch-all account do what you wanted?
http://isorecorder.alexfeinman.com/catchall.htm

The catch-all script indeed DOES work. It's not technically compliant, since emails to unknown users now no longer result in an NDR... but I'm willing to live with that.

A better solution would be to send the 550 and use a tarpit to slow down dictionary attacks, but this lets me stick with the existing built-in Win2k3 services.

Jeff Atwood on May 8, 2006 6:43 AM

hrm. i'm not seeing a way to do that in Merak MailServer.

seriously, i've been tempted to write my own mail server for my personal, more light-weight needs. i just feel so dirty writing a mail server in the year 2006, especially when it's something that i feel needs to be scrapped and re-written as a protocol.

janos erdelyi on May 8, 2006 6:46 AM

MailEnable Standard Edition is free and rejects unknown recipients prior to accepting the message.

http://www.mailenable.com/

Chris S on May 8, 2006 8:17 AM

Or you could stop being lazy, buy a P100 with 32 MB RAM and a mere 1 GB HDD on eBay, put any Linux flavor on it and configure qmail with the LifeWithQmail document. It can take 1 hr. It will work forever.

That's what I did :)

Martin Marconcini on May 8, 2006 8:24 AM

You should consider XWall for the mail server. It has every kind of spam filter including Grey Listing which is the easy way to stop spam before it can even be delivered. Exactly what you are asking for.

www.xwall.us

Ludicrosity on May 8, 2006 8:31 AM

Are you saying that Microsoft Windows 2003 is improperly handling the SMTP protocol? The software from Microsoft, the guys who promised two years ago that this year there will be no more spam? Nooo... That's impossible!

Irony aside, a properly functioning SMTP server should NEVER generate post-delivery NDRs. The server should check whether the account in RCPT TO exists, and if it does not, it should NOT accept the message, but return a 5xx code (e.g. "554 Recipient address unavailable"). Then the NDR is generated by the sender's SMTP server, so an NDR is indeed created, if, obviously, the sender is a real SMTP server.

I don't know about MS Windows Server 2003, but look harder for a solution, and if not, publicize this fact as much as you can. If this is the case, MS Windows Server 2003 is UNUSABLE as a mail server, and if you continue to use it, you'll end up in DNSBLs listing improperly configured MTAs. Even Spamcop these days accepts reports of incorrectly sent NDRs.

Tomasz Andrzej Nidecki on May 8, 2006 8:46 AM

Irony aside, a properly functioning SMTP server should NEVER generate post-delivery NDRs. The server should check whether the account in RCPT TO exists, and if it does not, it should NOT accept the message, but return a 5xx code

The problem is that the SMTP service and the POP3 service are written by different groups and have different interfaces. There's no integration (e.g., checking to see if the mail account exists before accepting the message), even though both services come "in the box".

Would setting up a catch-all account do what you wanted?

Hmm. This might work.. I was creating accounts manually for commonly spammed aliases, if I had a single local account that accepted ALL unknown email, that would fix my problem!

Jeff Atwood on May 8, 2006 10:20 AM

I'm having the opposite problem, lots of emails being sent (probably through some open relay) with random @{mydomain}.com return addresses. I'm seeing hundreds of 'no such user' and other error returns per day to zzdhtyej@{mydomain}.com etc. I have no clue how to stop this since I have a catch-all, which is why they all end up in my account.

Zman on May 8, 2006 11:17 AM


Another option is to reject the mail if the MAIL FROM: address' domain doesn't match the sending host's reverse DNS lookup (and HELO domain). This is something people sometimes do against spammers, but it certainly violates RFCs and will also block a whole lot of legitimate email too, but it's possible.

The correct way to do it is to send a 550 back if the RCPT TO: address doesn't exist.

I'm not familiar with Windows' email services at all, only Linux. Do email addresses tend to correspond to user accounts?

reed on May 8, 2006 12:16 PM

There is always some new trick to get around the newest filters. accept and move on.

Oh, and get a real server. That stock crap that comes with the OS isn't suitable for more than just concept testing, never EVER point it to a public interface.

Xepol on May 8, 2006 12:39 PM

I use ArgoSoft MailServer with MailFilter Pro, and it works like a champ.

Nicholas on May 8, 2006 1:13 PM

I'm going to try out SurgeMail. It's free for personal (5-user license) use.

http://www.larkware.com/Reviews/surgemail.html

Jeff Atwood on May 8, 2006 1:44 PM

I've been hit with NDR spam recently, though at a pretty low rate.

If I had the time and inclination, I'd be rolling my own SMTP command sink:

http://msdn.microsoft.com/library/en-us/dnsmtps/html/writingmngsinks.asp?frame=true

I *imagine* that it'd be really straightforward to check for the presence of a POP3 account (ADSI?) on RCPT.

Surprised I didn't find any other hits for SMTP event sinks that did this though, so perhaps not...

TristanK on May 9, 2006 5:04 AM

The SMTP server could be on a different machine to the domain controller, which contains the e-mail addresses. To avoid wasting time on the SMTP connection, Windows doesn't do the lookup until after accepting the message. This also has the side effect that an attacker can't determine whether an email address is genuine or not (since the server accepts any addresses). It's perfectly entitled to do this because SMTP allows servers to accept messages for relaying to other servers.

We've been blocked a couple of times by our ISP for sending viruses. We use their outgoing mail server using the Smart Host feature in Exchange - this saves the DNS lookup traffic that occurs to look up the next hop, and reduces the number of connections, useful on a low-bandwidth connection. On investigation we discovered that it wasn't actually originating with us: in fact what was happening was that viruses were sent to non-existent mailboxes, and Exchange was attaching the original message (containing the virus) to the NDR. I got around this by limiting the size of the NDR that would be generated to a few hundred bytes, which causes Exchange not to attach the original message in almost all cases.

You might be able to prevent it by using the registry key documented in KB article 842528: http://support.microsoft.com/kb/842528

Mike Dimmick on May 10, 2006 2:35 AM
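Mike's workaround above (capping the NDR size so that the original message is no longer attached) can be shown in a few lines. This is an added example, not the post's code and not how Exchange or the registry key in KB 842528 implements it: a bounce generator that attaches the full original only when the finished NDR stays under a byte budget, and otherwise includes just the original's headers, so a bounce sent to a forged sender no longer carries the spam body. The postmaster address and the sample message are constructed.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import formatdate

# Constructed sample: a message that was queued for a nonexistent local user.
SPAM_RAW = (
    "From: lolando@glocos.com\n"
    "To: uucp@codinghorror.com\n"
    "Subject: great offer\n"
    "Message-ID: <constructed-0001@glocos.com>\n"
    "\n"
    + "BUY NOW BUY NOW BUY NOW\n" * 60
)

POSTMASTER = "postmaster@codinghorror.com"  # constructed


def build_ndr(original_raw, envelope_sender, failed_rcpt, max_ndr_bytes):
    """Return a non-delivery report addressed to the envelope sender (MAIL FROM).

    The full original is attached as message/rfc822 only if the finished NDR fits
    in max_ndr_bytes; otherwise only the original's headers are included as
    text/rfc822-headers. A legitimate sender can still recognise their message
    from the headers, while a bounce that was provoked on purpose no longer
    relays the body to the forged sender.
    """
    original = message_from_string(original_raw, policy=default)

    def compose(attach_full):
        ndr = EmailMessage()
        ndr["From"] = POSTMASTER
        ndr["To"] = envelope_sender
        ndr["Subject"] = "Undeliverable: " + (original["Subject"] or "")
        ndr["Date"] = formatdate(usegmt=True)
        ndr.set_content(
            "Delivery to the following recipient failed permanently:\n\n"
            f"    {failed_rcpt}\n\n"
            "550 5.1.1 User unknown\n"
        )
        if attach_full:
            ndr.add_attachment(original)  # message/rfc822, body included
        else:
            headers_only = "".join(f"{name}: {value}\n" for name, value in original.items())
            ndr.add_attachment(headers_only, subtype="rfc822-headers")
        return ndr

    ndr = compose(attach_full=True)
    if len(ndr.as_bytes()) > max_ndr_bytes:
        # Over budget: fall back to headers only, the effect Mike describes.
        ndr = compose(attach_full=False)
    return ndr.as_string()


def ndr_carries_body(ndr_text, body_marker):
    """True if a generated NDR still contains a fragment of the original body."""
    return body_marker in ndr_text


if __name__ == "__main__":
    for budget in (1024, 65536):
        text = build_ndr(SPAM_RAW, "lolando@glocos.com", "uucp@codinghorror.com", budget)
        print(f"budget={budget}: {len(text)} bytes, body relayed: "
              f"{ndr_carries_body(text, 'BUY NOW')}")
```

With a budget of a few hundred bytes the NDR shrinks to the headers of the original, which is what a capped NDR size achieves in Mike's setup; with a generous budget the full message rides along and the bounce is as useful to the spammer as direct delivery would have been.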

I think a good firewall can stop this attack

iptables on May 10, 2006 5:24 AM

I would like to second the motion for Argosoft's mail server. Not the prettiest in the world, but so far I've not been disappointed.

Yeah, it's $80 or so, but we can't all survive if we give our software out for free all the time ;)

Robb Allen on May 15, 2006 5:45 AM

Better late than never - spotted this:
http://www.lundin.info/filterrecipients.aspx

Haven't tried it, so no warranty, expressed or implied is conferred by my words, actions or deeds in sickness or in health blah blah blah.

TristanK on July 9, 2006 10:15 AM

Gammadyne just released a solution to this problem. It's called Toriss and it is a plugin for IIS. I bought it and it works great!

SickDude on September 1, 2006 1:05 PM

simple: just enable "Recipient Filtering" :-)

Exchange Manager - Global Settings - Message Delivery Properties - Message Delivery Properties - Recipient Filtering - Filter recipients who are not in the Directory

greetings
Martin Meixger

Martin Meixger on March 14, 2007 6:35 AM

Just to let you know I've been suffering the same problem, just installed http://www.lundin.info/filterrecipients.aspx as noted above and has fixed the problem 100%. The program is amazing!

Matthew on March 14, 2007 11:34 AM

This is a thing of beauty. Many thanks to Patrik Lundin! Finally this horrible problem is solved. Please spread the word that the SMTP non-existent recipient problem has been fixed.

P.S. Way to read the thread Martin Meixger, he wasn't talking about Exchange Server. DUH.

RobertH on May 7, 2007 2:12 AM

Seems like the
"Recipient Filtering"
Is the thing!

Does anyone have it verify against a SQL or another form of database?

Micke on March 14, 2008 9:37 AM

Lundin's page is offline. Anyone that can send me the script? Thanks

john card on December 1, 2008 7:36 AM

I had a problem with spammers a while back. You can either buy software to prevent it like several posters have already suggested, or go after the spammers and shut down the account they are using. I used www.arin.net to help track down a few guys from China about 6 months back. Depending on where they are coming from, you might have to use a different whois service to find out where the email is originating from. They were sending 1000s of emails a day to my website using real but fake names. Once I figured out who they were, I sent the sysadmin of the network they were using a nastagram and the emails stopped within a few days. It took a while and a few pesky email followups, but eventually, no more spam.

Software prevents the problem, but doesn't stop the spammers. I prefer trying to end the mails from the source, which is usually more difficult to do.

Good luck.

Jon Raynor

Jon Raynor on February 6, 2010 9:46 PM
