
Hi, I recently got an email from Amazon saying that my EC2 instance is sending spam. What they say is that my mail server is receiving email for a non-existing user and therefore bounces the email back without validating the source netrange.

So to my understanding, some jerks are sending bogus emails to my mail server claiming to be someone else, and since the email delivery failed my mail server bounces the email back to that "someone else" that the jerk claimed to be.

I just want to know how I can reproduce this and how I can fix my mail server to not do it.

My system spec:

OS: Ubuntu 10.04
Mail Program: Sendmail

Experiments:

I tried the following:

1.

sendmail me@mydomain.com
FROM: bogus@notmydomain.com
SUBJECT: Spoof
Spoof
.

The above email got delivered to my mail box, with the FROM: header being bogus@notmydomain.com. This case people aren't getting spammed since the email is delivered to me.

2.

sendmail non-existing-user@mydomain.com
FROM: mypersonalemail@notmydomain.com
SUBJECT: BOUNCE!!!
Spoof
.

So I'm trying to reproduce the spamming attack here: I send an email to a non-existing user in my domain, claiming to be someone else. However, I did not get any bounced email in my personal email box, not even in the junk folder.

3.

sendmail mypersonalemail1@notmydomain.com
FROM: mypersonalemail2@notmydomain.com
SUBJECT: hacked!!
Spoof!
.

This time I am trying to simulate a spoofing attack where I used my mail server to send email to someone faking someone else. This time I got the email in my junk folder, with the FROM: header being the faked user.

So the above is what I have found after my experiments. I cannot seem to reproduce the bounced email problem, but I can send email with faked origin.

So how can I prevent my mail server from being used as a spoofing tool?

Xavier_Ex

1 Answer


Sounds like backscatter, and if I'm understanding you, your understanding is correct, but you're missing the right experiment:

sendmail non-existing-user@mydomain.com
FROM: me@mydomain.com
SUBJECT: hey
hi there
.

(I changed the message a bit to make the bounce easier to spot.)

Better, try sending the same message from outside your server.

xofer
  • Thanks for the reply @xofer, however after I performed this action only a bounced email appeared in my /var/mail. There is nothing in me@mydomain.com. – Xavier_Ex Aug 16 '12 at 19:29
  • I did a bit of research and yes this does sound exactly like backscatter, thus I changed the title of this post. Thanks for the info. – Xavier_Ex Aug 16 '12 at 20:18
  • Righto -- that's exactly the problem. Some spammer sends an email to `non-existing-user@mydomain.com` with a fake *from* `real-address@example.com` -- then your server bounces that email back to `real-address@example.com`. That's how your server is sending spam. – xofer Aug 16 '12 at 22:13
  • Yes I think that is it. Since I realized that my mail server is only used for sending out notification emails for internal use, I completely shut off the daemon that listens to incoming emails to prevent this. I just want to know how I can test if my solution is taking effect? – Xavier_Ex Aug 16 '12 at 22:16
  • You could test by mimicking the spam mails -- send mails to a nonexistent account at your domain from your machine (or another one, like your local machine) with the from field set to some actual account you can check elsewhere (i.e. a free web mail account). Also you might have a look at your outgoing mail queue. There will likely be a lot of bounce messages that cannot be delivered because the faked 'from' address domain does not exist (or is otherwise unreachable). – xofer Aug 17 '12 at 15:37
  • Cool beans, I checked and there were no messages in the queue. Now I'm struggling to properly test it... How do I send email to my server? Do I just use user@myserverip? Plus, what exact feedback do I expect? I'll accept your answer first since it is greatly helpful :) – Xavier_Ex Aug 17 '12 at 16:00
  • After several days I got the clear results that I expected... I got notification from Google's mail delivery subsystem saying that my email delivery failed permanently after a couple of retries. I think this justifies that my effort is in effect :) – Xavier_Ex Aug 20 '12 at 17:57
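An added example, not part of the original thread: the answer's comment suggests looking at the outgoing queue for undeliverable bounces. The same signal is visible in the sendmail syslog, where a bounce (DSN) is logged with the null envelope sender `from=<>`. This script pairs the `from=` and `to=` lines by queue ID and flags bounces headed to a domain the server does not host, which is exactly what backscatter looks like on the sending side. The log lines and the local domain list are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sendmail syslog lines (not taken from the original post).
# q7HFb0Xx012345: a bounce (null envelope sender) to an outside address,
#                 i.e. the backscatter the question describes.
# q7HFc1Yy012346: an ordinary internal notification mail that should not be flagged.
SAMPLE_LOG = """\
Aug 17 15:37:01 ip-10-0-0-1 sendmail[12345]: q7HFb0Xx012345: from=<>, size=2340, class=0, nrcpts=1, msgid=<201208171537.q7HFb0Xx012345@mydomain.com>, relay=localhost
Aug 17 15:37:01 ip-10-0-0-1 sendmail[12345]: q7HFb0Xx012345: to=<real-address@example.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=32340, relay=example.com., dsn=5.1.2, stat=Host unknown
Aug 17 15:38:10 ip-10-0-0-1 sendmail[12350]: q7HFc1Yy012346: from=<alerts@mydomain.com>, size=512, class=0, nrcpts=1, msgid=<201208171538.q7HFc1Yy012346@mydomain.com>, relay=localhost
Aug 17 15:38:11 ip-10-0-0-1 sendmail[12350]: q7HFc1Yy012346: to=<me@mydomain.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30512, dsn=2.0.0, stat=Sent
"""

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: the domains this server hosts

QID_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
FROM_RE = re.compile(r"^from=<([^>]*)>")
# sendmail logs several recipients on one line as to=<a>,<b>, so collect them all.
TO_RE = re.compile(r"^to=(<[^>]*>(?:,<[^>]*>)*)")
ADDR_RE = re.compile(r"<([^>]*)>")


def find_backscatter(log_text, local_domains=LOCAL_DOMAINS):
    """Return [(queue_id, recipient)] for messages sent with the null envelope
    sender (from=<>, i.e. a bounce/DSN) to an address outside local_domains."""
    senders = {}
    recipients = defaultdict(list)
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue
        qid, rest = m.groups()
        fm = FROM_RE.match(rest)
        if fm:
            senders[qid] = fm.group(1)
            continue
        tm = TO_RE.match(rest)
        if tm:
            recipients[qid].extend(ADDR_RE.findall(tm.group(1)))
    hits = []
    for qid, sender in senders.items():
        if sender != "":  # only null-sender messages are bounces
            continue
        for rcpt in recipients.get(qid, []):
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if domain not in local_domains:
                hits.append((qid, rcpt))
    return hits


if __name__ == "__main__":
    for qid, rcpt in find_backscatter(SAMPLE_LOG):
        print(f"backscatter candidate {qid}: bounce sent to external address {rcpt}")
```

Run it against `/var/log/mail.log` on the server; after inbound delivery is switched off, no new null-sender messages to external domains should appear.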