Handling spam in DSNs from other sites?

Furnish, Trever G TGFurnish at herffjones.com
Thu Jun 8 21:28:37 IST 2006 

Thanks, Steve. :) 

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Steve Freegard
> Sent: Wednesday, June 07, 2006 3:34 AM
> To: MailScanner discussion
> Subject: Re: Handling spam in DSNs from other sites?
> 
> Hi Trever,
> 
> Furnish, Trever G wrote:
> >  
> > 
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
> >> Glenn Steen
> >> Sent: Tuesday, June 06, 2006 6:02 PM
> >> To: MailScanner discussion
> >> Subject: Re: Handling spam in DSNs from other sites?
> >>
> >> On 06/06/06, Furnish, Trever G <TGFurnish at herffjones.com> wrote:
> >>> I have a feeling I'm missing an obvious answer, but what
> >> does everyone
> >>> suggest for handling DSNs from other sites (not mine) 
> that include 
> >>> spam in the message?
> > 
> >> Glenn Steen wrote:
> >> I'm sure others have other views, but ... why treat them any 
> >> different than any other mail? scan them, tag them, drop 
> them....:-).
> >> If they are legitimate, they will pass MS/SA/AVs anyway.
> >> --
> >> -- Glenn
> >> email: glenn < dot > steen < at > gmail < dot > com
> >> work: glenn < dot > steen < at > ap1 < dot > se
> > 
> > Thanks.  However, in many cases these are actually getting through.
> > Since the ip address of the sending server isn't the 
> spammer and isn't 
> > in the RBLs those checks aren't as helpful as they would've 
> been for 
> > the original message.
> > 
> > I tend to think these aren't being sent by a spammer who's 
> identified 
> > a particular server with the specific intention of using 
> the DSN for 
> > delivery, but rather just by a worm that's using my domain 
> addresses 
> > as the faked sender address.  If a specific server had been 
> targeted, 
> > it'd probably end up in a DNSBL.  SPF would help with the original 
> > message, but of course it does nothing to help with the bounce.
> 
> I've been experimenting with some stuff to address this.  The 
> problem being that the DSN is being sent to you for a message 
> that never originated at your site.
> 
> After some investigation I found out that someone else had 
> come up with a clever solution to this:  using SRS (part of 
> SPF) to re-write all the envelopes of messages sent from out 
> from your domains (and re-writing all inbound returns) with 
> SRS (which contains a hashed-secret which would be impossible 
> for the spammer to guess).  Then you use a milter that 
> rejects any DSNs that are not SRS signed or that are SRS 
> signed and do not have a valid signature.
> 
> Here's my results so far - this shows all MTA level 
> rejections on my test box:
> 
>      date    | greet_p |  rbl  | relay | uribl | 8bit | dsn_no_srs
> ------------+---------+-------+-------+-------+------+------------
>   2006-06-07 |     135 |  2168 |   263 |   467 |  101 |         82
>   2006-06-06 |    1389 | 25462 |  1061 |  4456 | 2214 |       1001
>   2006-06-05 |    1728 | 23948 |    93 |  5111 | 1591 |       1129
> 
> There are several down-sides, SRS is 'frowned' upon by some 
> as it has the potential to break the RFCs that state that the 
> local-part field size should be 64 bytes although it does 
> state that an implementation can pick a larger value (also 
> VERP has been doing this for years without issue).  The other 
> down-side is that to implement this I had to re-compile 
> Sendmail with -DSOCKETMAP and hack the .cf file as the 
> provided m4 HACK provided didn't work for me (it put the 
> changes in the wrong place).  I've also never tried this on a 
> production system.
> 
> See http://srs-socketmap.info/sendmailsrs.htm for the gory details...
> 
> Exim users have it slightly better than the Sendmail crowd - 
> see http://srs.mirtol.com/exim.php for details.
> 
> Before anyone asks -- I couldn't find an implementation for Postfix.
> 
> Cheers,
> Steve.

Very neat idea.  In my case though, besides the mild scariness of SRS
:), I would also have to start handling outbound mail (since I currently
only handle the inbound portion of our mail), and I'd have to figure out
some way to handle users who I've created SPF "exceptions" for, since
those users don't currently go out through our relays.  That means I'd
need another server to handle the increase load from outbound messages
and would need to work with remote users to have them use our relays.
In my particular case, these are probably showstoppers for this approach
(at least for the time being).

I'm in the midst of deploying a new mailscanner (and mailwatch, of
course ;) ) system, so I've got some work to do before I can even start
on this problem in earnest, but maybe when I start looking more closely
at the number of messages like this getting through I'll find out that
just adding a bit to the spamassassin score of bounces will suit my
sites, even if that's not a good generic solution.

--
Trever

More information about the MailScanner mailing list