Backscatter and Internet protocol
I've been left to pickup a half implemented anti-spam mail filter called ORF that sits on a DMZ Windows stand-alone along with IMSS (don't say it, it's not changing). Currently the IP Address allocated to ORF is blacklisted on Backscatterer.org and I'm required to resolve it as it shows up in the morning checks as an alert.
Backscatterer.org says the blacklist will expire in a month but the issue is why it was there in the first place. ORF's default configuration is to send an NDR upon rejection of spam but I've felt it's best practice to drop spam, not send a bounceback. ORF has a warning that doing this breaches Internet RFC.
Any word on this? What do people do in other organisations? Do you drop spam or do you return 10^n "5.1.1 error invalid recipient" messages, possibly to unwitting spoofed addresses?
Comments
Sending NDRs for spam is a bad idea. Opens you up to directory harvest attacks and more.
If they are saying it violates the RFC, then their product does not handle it properly. See section 7.3 of the RFC for the SMTP protocol here: http://www.ietf.org/rfc/rfc2821.txt
You should be able to get your domain off the blacklist before it expires... it should tell you exactly why you got blacklisted. You are correct that you need to identify why you ended up on there in the first place, otherwise you'll just end up right back on it. Many of the blacklists will stop allowing you to remove yourself after you end up on them a few times.
Not sending a bounceback IS a violation of RFC but this particular rule is flexible when it comes to backscattering. Most anti-spam systems I use do not do a silent drop but do not send an NDR. When a server is rejected the sending SMTP server receives an enhanced status code which is relayed to the sender by the sending SMTP server. That way you can be mainly in compliance with IEEE but you are also not sending out backscatter. An enhanced status code normally includes the reason for the drop, like being on a blacklist, malformed mail headers, non-existent recipients, policy violation etc.
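As an added illustration (not code from this thread, from ORF, or from any named product), a small Python simulation of the two policies contrasted above: rejecting an unknown recipient in-session with an enhanced status code, versus accepting the message and then originating an NDR to the envelope sender. The valid-recipient set and the sample sessions are constructed for the example.

```python
# Added example: simulate the RCPT TO stage of an inbound SMTP session under
# two policies, and count how many NDRs each one would originate.
# Assumptions: VALID_RECIPIENTS and SAMPLE_SESSIONS are constructed sample data.
from dataclasses import dataclass, field

VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed


@dataclass
class Outcome:
    responses: list = field(default_factory=list)  # replies sent in-session
    ndrs: list = field(default_factory=list)       # bounces we would originate


def handle_session(mail_from, rcpt_to, policy):
    """Handle one RCPT TO for an inbound message.

    "reject": refuse an unknown recipient with 550 5.1.1 while the sending
    MTA is still connected; that MTA informs its own user, so nothing is
    sent to a possibly forged MAIL FROM address.
    "accept_then_ndr": accept everything, then originate an NDR to the
    MAIL FROM address, which becomes backscatter when that address is forged.
    """
    out = Outcome()
    if rcpt_to in VALID_RECIPIENTS:
        out.responses.append("250 2.1.5 Recipient OK")
        return out
    if policy == "reject":
        out.responses.append("550 5.1.1 <%s>: Recipient address rejected" % rcpt_to)
    elif policy == "accept_then_ndr":
        out.responses.append("250 2.1.5 Recipient OK")
        # A null reverse-path (MAIL FROM:<>) must never receive a bounce.
        if mail_from:
            out.ndrs.append({"to": mail_from, "status": "5.1.1", "about": rcpt_to})
    else:
        raise ValueError("unknown policy: %s" % policy)
    return out


# Constructed sessions: (MAIL FROM, RCPT TO); senders are forged spam sources.
SAMPLE_SESSIONS = [
    ("victim@forged.example", "alice@example.com"),   # valid recipient
    ("victim@forged.example", "ghost@example.com"),   # invalid recipient
    ("", "ghost2@example.com"),                       # null sender, invalid
    ("other@forged.example", "zzz@example.com"),      # invalid recipient
]


def backscatter_count(sessions, policy):
    """Number of NDRs we would send to unverified sender addresses."""
    return sum(len(handle_session(mf, rt, policy).ndrs) for mf, rt in sessions)
```

Run `backscatter_count(SAMPLE_SESSIONS, "reject")` against `backscatter_count(SAMPLE_SESSIONS, "accept_then_ndr")` to see that only the accept-then-NDR policy produces outbound bounces to forged senders.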
I know it isn't changing but if you are going to have a Windows server in the DMZ the 2007 and 2010 edge transport servers are really very good at spam filtering and I think in their default configuration they do not send NDRs for spam. Next time you set one up keep it in mind.
So a 5.1.1 SMTP response isn't considered backscatter? I'll have to look more into why I'm blacklisted.
Not these guys, this is what they say: Except there's nothing remarkable in the logs at those times to identify the cause.
Sounds like you inherited someone else's mess.
Make sure your mail gateway system handles it in a way that will prevent directory harvest attacks.
Yep, that's managed services alright.
My problem is that I actually want to make a difference for the better, not just kick the can. Thanks for the replies.
Well my blacklist is renewing every day, even though I've switched off the ORF service. There are no logs to check at the dates being generated. This is suss.
EDIT: Just realised this is a VM and that the 2x network cards don't seem to be working independently. The ORF NIC is constantly sending packets; may need to analyse the wire.
The NIC was still sending even after you turned the service off? Sounds like you may have an infection...
Turn the VM off and watch the traffic coming out of the host. Are there any other VMs running on the host that should be sending SMTP traffic out? If the traffic stops when the VM is shut down, it may be time to blow that VM away and start with a fresh install.
I'd hope your external firewall is configured to only allow outbound SMTP traffic from your mail gateway, that may be another place to look too. If everything is NAT'd and the firewall isn't configured properly, something else could be spewing spam out of your network very easily.