Spoofed email address question

Richard Lyons · *nix forums Guru Joined: 08 Mar 2005 Posts: 312

On Wed, 14 Jun 2006, Thomas Raef wrote:

Thomas Raef · *nix forums beginner Joined: 10 Apr 2006 Posts: 21

I did and I use goodrcptto patch for blocking incoming invalid email
addresses, but how does that prevent the spoofed bounces?

As I understand it, if someone spoofs my email address and goes email
address harvesting, they may send out millions of messages claiming to
be from my email address. As the recipient email servers reject the
message it will bounce back to my email address. My system has my email
address as a valid address so my system would accept the bounce.

Maybe I'm not understanding the process clearly and if this is true,
please enlighten me or send me somewhere for more research. I've tried
investigating this already but haven't found any definitive answers.

Thank you for your insight.

-----Original Message-----
From: Richard Lyons [mailto:frob-qmail@webcentral.com.au]
Sent: Wednesday, June 14, 2006 7:34 AM
To: qmail@list.cr.yp.to
Subject: Re: Spoofed email address question

On Wed, 14 Jun 2006, Thomas Raef wrote:

Gerrit Pape · *nix forums beginner Joined: 06 Apr 2005 Posts: 19

On Wed, Jun 14, 2006 at 07:47:07AM -0500, Thomas Raef wrote:

Ken Jones · *nix forums beginner Joined: 02 Feb 2005 Posts: 18

It is called a Joe Job.
There is no way to prevent it.

http://en.wikipedia.org/wiki/Joe_job

You can use SPF or Domain Keys to help the receivers
verify that it came from a valid sender.

Ken Jones

Thomas Raef wrote:

Richard Lyons · *nix forums Guru Joined: 08 Mar 2005 Posts: 312

On Wed, 14 Jun 2006, Thomas Raef wrote:

Thomas Raef · *nix forums beginner Joined: 10 Apr 2006 Posts: 21

No problem.

I am reading: http://cr.yp.to/proto/verp.txt now and will investigate
even further. I think my options are somewhat limited based on the fact
this is an email gateway in front of an exchange server and therefore
doesn't have a mailbox or maildir for each user.

If it's of any interest I can post my findings/results to this list but
I'm sure most of your already know what to do or accept the way things
are. This seems to be a very informed group.

Thank you all for your help.

-----Original Message-----
From: Richard Lyons [mailto:frob-qmail@webcentral.com.au]
Sent: Wednesday, June 14, 2006 8:10 AM
To: qmail@list.cr.yp.to
Subject: RE: Spoofed email address question

On Wed, 14 Jun 2006, Thomas Raef wrote:

U. George · *nix forums addict Joined: 01 Feb 2005 Posts: 51

I dont bounce any messages with names of accounts that dont exist. I
forward these fake e-mails to spamcop.net as spam. Then the ISP's that
bounce the fake e-mails are blacklisted. This seems to get their
attention that there is an issue - but not always :-{

Some ISP's will claim that the bounce is legit as per an outdated RFC.
The victim that received the bounce, now has one more spam mail to
process. Either case, for both the sender and receiver, the process has
wasted bandwidth, some cpu processing, and in this case used some time
on a qmail list.

So, do u bounce mails with forged headers?

Thomas Raef wrote:

Thomas Raef · *nix forums beginner Joined: 10 Apr 2006 Posts: 21

Currently, yes I do bounce them. Well let me clarify, I bounce any email
that is not sent to a valid recipient email address. I also bounce bad
reverse DNS messages as well which I guess could be, at times, forged.
To date, I have not had anyone complain that their message to me didn't
go through due to bad reverse DNS.

-----Original Message-----
From: U. George [mailto:gatgul@gatworks.com]
Sent: Wednesday, June 14, 2006 8:46 AM
To: Thomas Raef
Cc: qmail@list.cr.yp.to
Subject: Re: Spoofed email address question

I dont bounce any messages with names of accounts that dont exist. I
forward these fake e-mails to spamcop.net as spam. Then the ISP's that
bounce the fake e-mails are blacklisted. This seems to get their
attention that there is an issue - but not always :-{

Some ISP's will claim that the bounce is legit as per an outdated RFC.
The victim that received the bounce, now has one more spam mail to
process. Either case, for both the sender and receiver, the process has
wasted bandwidth, some cpu processing, and in this case used some time
on a qmail list.

So, do u bounce mails with forged headers?

Thomas Raef wrote:

Thanos Massias · *nix forums addict Joined: 25 May 2005 Posts: 98

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thomas Raef wrote:

Charles Cazabon · *nix forums Guru Joined: 08 Jan 2005 Posts: 805

U. George <gatgul@gatworks.com> wrote:

Charles Cazabon · *nix forums Guru Joined: 08 Jan 2005 Posts: 805

Charles Cazabon <qmail@discworld.dyndns.org> wrote:

U. George · *nix forums addict Joined: 01 Feb 2005 Posts: 51

For this small site, all bounced mails go to an aliased address.
I then 1 by 1 submit the bounced mails to spamcop. In that manual
process, i can recognise what is, is not spam that has been bounced.
But if i get more than a few, say 18 in a morning, I just process some,
and delete the rest.
If I get 50,000, I will more likely be automagically dropping them all.
Unfortunately, If i dont tell the folks who bounce the spam, they will
just go on, and on, and on.

In my reality, because of DUL lists, I am likely to think that even
properly addressed e-mails are silently dropped by ISP's and users who
knowingly, and unknowingly do so based merely on an IP number.

Anyway I used to bounce the bad headers with spam content. Now I dont. I
just report what I can, and let the ISP's that bounce know that no one
from 'gatworks.com' has sent the mail, via spamcop, presuming that the
ISP is at all interested.

Charles Cazabon wrote:

U. George · *nix forums addict Joined: 01 Feb 2005 Posts: 51

I suppose then it becomes a philosophical question to bounce or not to
bounce. I cant tell you what would be the best way to handle bounces,
and neither can an RFC. All anyone can do is show the possible
consequences of your actions, or inactions.

Thomas Raef wrote:

Thomas Raef · *nix forums beginner Joined: 10 Apr 2006 Posts: 21

I appreciate your insight. You have given me much to think about which
is a good thing.

I always appreciate other views on any topic. To this, I am grateful.

-----Original Message-----
From: U. George [mailto:gatgul@gatworks.com]
Sent: Wednesday, June 14, 2006 9:54 AM
To: qmail@list.cr.yp.to
Subject: Re: Spoofed email address question

I suppose then it becomes a philosophical question to bounce or not to
bounce. I cant tell you what would be the best way to handle bounces,
and neither can an RFC. All anyone can do is show the possible
consequences of your actions, or inactions.

Thomas Raef wrote:

Sami Farin · *nix forums addict Joined: 01 Feb 2005 Posts: 98

On Wed, Jun 14, 2006 at 16:57:44 +0300, Thanos Massias wrote:
...

Google