Backscatter and Internet protocol

mikedisd2

I've been left to pickup a half implemented anti-spam mail filter called ORF that sits on a DMZ Windows stand-alone along with IMSS (don't say it, it's not changing). Currently the IP Address allocated to ORF is blacklisted on Backscatterer.org and I'm required to resolve it as it shows up in the morning checks as an alert.

Backscatterer.org says the blacklist will expire in a month but the issue is why it was there in the first place. ORF's default configuration is to send an NDR upon rejection of spam but I've felt it's best practice to drop spam, not send a bounceback. ORF has a warning that doing this breaches Internet RFC.

Any word on this? What do people do in other organisations? Do you drop spam or or do you return 10^n "5.1.1 error invalid recipient" messages, possibly to unwitting spoofed addresses?

Everyone

Drop or quarantine to be evaluated by a human, depending on if it's known spam, or suspected spam.

Sending NDRs for spam is a bad idea. Opens you up to directory harvest attacks and more.

If they are saying it violates the RFC, then their product does not handle it properly. See section 7.3 of the RFC for the SMTP protocol here: http://www.ietf.org/rfc/rfc2821.txt

You should be able to get your domain off the blacklist before it expires... it should tell you exactly why you got blacklisted. You are correct that you need to identify why you ended up on there in the first place, otherwise you'll just end up right back on it. Many of the blacklists will stop allowing you to remove yourself after you end up on them a few times.

it_consultant

mikedisd2 wrote: »

I've been left to pickup a half implemented anti-spam mail filter called ORF that sits on a DMZ Windows stand-alone along with IMSS (don't say it, it's not changing). Currently the IP Address allocated to ORF is blacklisted on Backscatterer.org and I'm required to resolve it as it shows up in the morning checks as an alert.

Backscatterer.org says the blacklist will expire in a month but the issue is why it was there in the first place. ORF's default configuration is to send an NDR upon rejection of spam but I've felt it's best practice to drop spam, not send a bounceback. ORF has a warning that doing this breaches Internet RFC.

Any word on this? What do people do in other organisations? Do you drop spam or or do you return 10^n "5.1.1 error invalid recipient" messages, possibly to unwitting spoofed addresses?

Not sending a bounceback IS a violation of RFC but this particular rule is flexible when it comes to backscattering. Most anti spam systems I use do not do a silent drop but do not send a NDR. When a server is rejected the sending SMTP server receives an enhanced status code which is relayed to the sender by the sending SMTP server. That way you can be mainly in compliance with IEEE but you are also not sending out backscatter. An enhanced status code normally includes the reason for the drop, like being on a blacklist, malformed mail headers, non-existent recipients, policy violation etc.

I know it isn't changing but if you are going to have a Windows server in the DMZ the 2007 and 2010 edge transport servers are really very good at spam filtering and I think in their default configuration they do not send NDR's for spam. Next time you set one up keep it in mind

mikedisd2

it_consultant wrote: »

Most anti spam systems I use do not do a silent drop but do not send a NDR. When a server is rejected the sending SMTP server receives an enhanced status code which is relayed to the sender by the sending SMTP server. That way you can be mainly in compliance with IEEE but you are also not sending out backscatter. An enhanced status code normally includes the reason for the drop, like being on a blacklist, malformed mail headers, non-existent recipients, policy violation etc.

So a 5.1.1 SMTP response isn't considered backscatter? I'll have to look more into why I'm blacklisted.

Everyone wrote: »

You should be able to get your domain off the blacklist before it expires... it should tell you exactly why you got blacklisted.

Not these guys, this is what they say:

To track down what happened investigate your smtplogs near 27.06.2011 12:50 CEST +/-1 minute.
...
Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.

Except there's nothing remarkable in the logs at those times to identify the cause.

mikedisd2

Another thing I intended to do was AD authentication. Again, I thought this would be standard practice to instantly reject non-existing addresses. It'll mean opening LDAP ports on the DMZ/Internal firewall. Is anyone disinclined to do this?

Everyone

mikedisd2 wrote: »

Another thing I intended to do was AD authentication. Again, I thought this would be standard practice to instantly reject non-existing addresses. It'll mean opening LDAP ports on the DMZ/Internal firewall. Is anyone disinclined to do this?

Sounds like you inherited someone else's mess. As long as the rule only allows it between your mail gateways and a domain controller, you should be fine. Use SSL LDAP if you can (port 636).

Make sure your mail gateway system handles it in a way that will prevent directory harvest attacks.

mikedisd2

Everyone wrote: »

Sounds like you inherited someone else's mess. As long as the rule only allows it between your mail gateways and a domain controller, you should be fine. Use SSL LDAP if you can (port 636).

Yep, that's managed services alright . The reason I mention AD auth is because some ppl around here seem hesitant about it. Hey, sometimes ports have to let traffic through.

My problem is that I actually want to make a difference for the better, not just kick the can. Thanks for the replies.

it_consultant

I have LDAP integration between my edge spam filter and firewall to our domain specifically to fight harvesting attacks. Helps with the NDRs for sure. You can also configure exchange anti spam features (2007 2010) to not send NDRs for non-existent recipients. I use both exchange anti spam and my edge device for 2 layers. A few spams get through, but not many.

mikedisd2

A total of 148 Impacts were detected during this listing. Last was 30.06.2011 16:38 CEST +/- 1 minute.
Earliest date this IP can expire is 28.07.2011 16:38 CEST.

Well my blacklist is renewing everyday, even though I've switched off the ORF service. There's no logs to check at the dates being generated. This is suss.

EDIT: Just realised this is a VM and that the 2x network cards don't seem to be working independantly. The ORF NIC is constantly sending packets; may need to analyse the wire.

Everyone

mikedisd2 wrote: »

Well my blacklist is renewing everyday, even though I've switched off the ORF service. There's no logs to check at the dates being generated. This is suss.

EDIT: Just realised this is a VM and that the 2x network cards don't seem to be working independantly. The ORF NIC is constantly sending packets; may need to analyse the wire.

The NIC was still sending even after you turned the service off? Sounds like you may have an infection...

Turn the VM off and watch the traffic coming out of the host. Are there any other VMs running on the host that should be sending SMTP traffic out? If the traffic stops when the VM is shut down, it may be time to blow that VM away and start with a fresh install.

I'd hope your external firewall is configured to only allow outbound SMTP traffic from your mail gateway, that may be another place to look too. If everything is NAT'd and the firewall isn't configured properly, something else could be spewing spam out of your network very easily.