Fake Reply and sender address - looping receive mail in mailscanner

Neal Morgan Neal at Morgan-Systems.com
Tue Jul 15 05:30:59 IST 2008


Ronald Ong wrote:
> Hi,
>
> It seems Spammers are sending spams to different mail servers using our
> domain as REPLY address. All users in the reply address
> (ourusers-fake at ourdomain) are fake. RECIPIENT address also
> non-existent. Both servers are looping and bouncing mail notification.
>
> Recipient anti-spam server will send a notification email to our server
> (using the fake reply) saying that it cannot deliver.
> Since REPLY address are fake, MAILSCANNER will send out bounce
> notification.
>
> These are the subject headers from MAILWATCH using MAILSCANNER 4.70 -
>     FROM : blank    TO:  fakeuser at ourdomain
>     SUBJECT :
>    - Undelivered Mail Returned to Sender
>    - failure notice
>    - Returned mail: Cannot send message within 5 minutes
>    - Returned mail: see transcript for details
>    - Delayed Mail (still being retried)
>    - Delivery Status Notification (Failure)
>    - Unable to deliver your message
>
> 1. Are these subject headers legitimate and generated by MAILSCANNER
> or is it a bogus bounce header?
> 2. Why is the TO: field fakeuser at ourdomain instead of the
> recipient email, and the FROM is blank?
>    I'm thinking the source of spam is within our network, but when I
> checked the first mail received, the IP is from another country.
> 3. How can I trap bogus reply addresses or stop mailscanner sending
> these emails on second attempt (looping)?
>  
> Thanks
>
> Ronald
> AMA University


Ronald:

What you are experiencing is called a "Joe Job" - spammer uses fake
local part @YourDomain as the from on his mail.  The MTA at the
recipient domain is reacting properly (arguably) by responding with a
non-delivery report since the recipient doesn't exist.

NDRs usually do have a blank from address, so this part is valid too.

Hopefully one of the smarter folks on the list can help with an answer
to why your MTA is looping, and/or how MailScanner can best help with
this.  (I suspect the answer is going to have to do with using
watermarking...)

The good news is "Joe Jobs" don't last forever!  The spammer will
eventually change his from domain to something else.


Good luck,

Neal Morgan
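
The watermarking idea mentioned in the reply above, sketched as an added example (not part of either message, and not MailScanner's own code or header format): outgoing mail is stamped with a keyed hash, and a null-sender bounce is honoured only if it returns a valid, unexpired stamp. The header name `X-Example-Watermark`, the secret, the 7-day window and the sample messages are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"   # assumption: per-site secret key
HEADER = "X-Example-Watermark"        # hypothetical header name
MAX_AGE = 7 * 86400                   # honour bounces for 7 days

def make_watermark(msg_id, ts, secret=SECRET):
    """Value stamped on each outgoing message: '<ts>:<hmac of ts and Message-ID>'."""
    mac = hmac.new(secret, f"{ts}:{msg_id}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"

def _headers(raw, name):
    """All values of a header anywhere in the message, including returned headers."""
    pat = rf"^{re.escape(name)}:[ \t]*(.*?)[ \t]*\r?$"
    return re.findall(pat, raw, re.M | re.I)

def classify(envelope_from, raw, now, secret=SECRET):
    """Return 'not-a-bounce', 'genuine-bounce' or 'backscatter'."""
    if envelope_from.strip() not in ("", "<>"):
        return "not-a-bounce"          # NDRs carry the null envelope sender
    for mark in _headers(raw, HEADER):
        ts, _, _mac = mark.partition(":")
        if not (ts.isascii() and ts.isdigit()) or not 0 <= now - int(ts) <= MAX_AGE:
            continue                   # malformed or expired watermark
        for mid in _headers(raw, "Message-ID"):
            expected = make_watermark(mid, int(ts), secret)
            if hmac.compare_digest(expected.encode(), mark.encode()):
                return "genuine-bounce"
    return "backscatter"               # bounce for mail this site never sent

# Constructed sample data (not from the thread).
SENT_AT = 1216080000
ORIG_ID = "<abc123@ourdomain.example>"
GENUINE = (
    "From: MAILER-DAEMON@remote.example\n"
    "Message-ID: <ndr1@remote.example>\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    f"Message-ID: {ORIG_ID}\n"
    f"{HEADER}: {make_watermark(ORIG_ID, SENT_AT)}\n"
    "From: realuser@ourdomain.example\n"
)
FORGED = (
    "From: MAILER-DAEMON@remote.example\n"
    "Subject: failure notice\n\n"
    "Message-ID: <spam9@elsewhere.example>\n"
    "From: fakeuser@ourdomain.example\n"
)
```

Messages classified as `backscatter` can be dropped or quarantined instead of being bounced again, which is what breaks the loop described in the question.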


