Posted by paragonhost in Hosting News, Internet, Internet Protection, Linux, Network 101, ParagonHost, Security Focus, Technology News, cPanel.
Tags: backscatter, bounce email, E-Mail, emails, managed, ParagonHost, reply address, security, spam, spammer
Bounced Email or Backscatter
April 28, 2008 10:07 AM
Email Bounces
In the past few weeks, we have seen a sharp rise in email bounces. These bounces are for emails that the person did not send. While there are many reasons you can get a bounce, the current wave appears to be a spamming technique where spammers spoof reply-to addresses.
Backscatter
Backscatter occurs when a Mail Transport Agent (aka email server) sends a bounce to a person who did not really send the email. Spam Links has a good description of Backscatter and why it happens. Essentially, someone is spoofing the Reply-To field in an email. They then send it to a mail server and it bounces not back to the sending server but to the Reply-To address. Thus you may receive hundreds of spam messages this way.
Symantec, in their April 2008 Spam Report, also noted an upward trend in backscatter attacks. So if you are seeing this issue, you are certainly not alone.
Backscatter Victim?
Unfortunately, there is little you can do. The protocols for email permit anyone to craft a Reply-To address. There is nothing you can do to force someone not to do it. There are some emerging tools that can help. SPF, sender policy framework, is a DNS based method to try to prevent email forgeries. Using DNS, you can specify what servers and IPs are allowed to send email from your domain. SPF can work very well, however, the technique is not widely adopted. Gmail, HotMail and some other major ISPs do use SPF records; however, using SPF alone will not prevent backscatter. The mail administrators must also configure their systems not to bounce emails that fail SPF tests.
If you are being bombarded by these bounces, you may be able to use your own spam filtering to drop the emails. They often have similar subjects, like failed delivery, Delivery Status Notification, or something similar. Typically the attack stops in 2-3 days.
Otherwise, you just have to keep deleting those emails.
Don’t Backscatter
A main source of backscatter is MTA’s that bounce email to unknown users. You should not bounce email that is sent to unknown users. On Plesk and Cpanel there are setting to reject/fail email to unknown users. On Ensim, there is a problem in that the system creates a default catch-all. From a management standpoint this is very poor. The default prevents you from rejecting email to unknown users. As a result, Ensim servers can become overloaded with dictionary-based email attacks. If your server does bounce emails, you could potential end up in RBLs like Spamcop.net, which not treats backscatter as spam.
Catch-22
Hackers are taking advantage of a key feature of email delivery. Bounces are important for system administrators as they are the first notification that something in the email systems may be awry. However, when they become hijacked by spammers, they become useless as you have to sort through the emails to find real bounces. As a result, some admins just route all bounces to the bit bucket. Disabling bounces can be dangerous however as they can give you an earlier indication if your system has been exploited by a spam bot. Many spammers use web based exploits to use your system to send out the messages. Disabling bounces or null-routing them prevents you from seeing these messages.
Headers, Headers, Headers
To determine if you are the victim of backscatter or if your server is really spamming, you have to analyze the email headers. If the headers do not contain your server as a source for the email, then backscatter is the cause.
Many attackers now spoof many headers in attempts to obfuscate the true sender, but with careful analysis you can often find the source.
Summary
If your inbox is full of those “Delivery Failure Notification” messages then you are likely seeing backscatter. Check the email headers and if the header nearest the bottom is not your server, then it is definitely backscatter.
TrackBack URL for this entry:
http://www.rackaid.com/cgi-bin/mt/mt-tb.cgi/54
Tags: buttons brokent, format, graphics, htaccess, lw forum, mod security, modsecurity, phpfox, phpfox.com, phpsns.com, spaw editor
If ModSecurity is Turned On via your Web Server , then build a .htaccess file and place it in the root of the folder running the script that may be having issues.
Issues such as Web Scripts and Broken Graphics also any script that use’s the Spaw Editor will break the format of the editor button layout, this is due to Mod_Security in effect.
Building a .htaccess file and / or adding the noted commands below will resolve. this.
ModSecurity is an open source embeddable web application firewall, or intrusion detection and prevention engine for web applications. ModSecurity provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with no changes to existing infrastructure, by operating as an Apache Web server module mod_security or standalone, and thus increase web application security. However, misconfigured or overly strict rule sets, ModSecurity may cause your website to return various errors such as HTTP 403 Forbidden error or access denied error, login problems, or HTTP 412 Precondition Failed error, or HTTP 406 Not Acceptable error and other false positive symptoms.
To make matter worse, the configuration of ModSecurity rules and filters have to be done manually. Although there are free predefined certified rule set which can be used with ModSecurity out of the box, however the rule sets may be not suitable for each and every environment and may interfere with the operation of websites or blogs, and customizing and modifying the rules may be too sophisticated or complicated for some users. And for some websites that hosted on shared hosting service, the mod_security may be enable by default without options. So in this case, the best solution or workaround for mod security related issues is to disable mod_security filtering and rules.
If you’re using Apache web server (which mostly do), mod_security can be disabled by adding a specific in .htaccess file. Locate the .htaccess file in Apache web root directory (public_html or /var/www/ or others), if it does not exist, create a new file named .htaccess, and add in the following code:
SecFilterEngine Off
SecFilterScanPOST Off
The above entries in the .htaccess will disable the ModSecurity (mod_security) module for the domain.
Uninstallation of ModSecurity (mod_security) from Apache module
The easiest way to remove and uninstall mod_security is to comment out or delete the related mod_security entries from httpd.conf Apache configuration file. The lines that should be removed include:
AddModule mod_security.c
LoadModule security_module modules/mod_security.so
Include “/usr/local/apache/conf/modsec.conf” This line may be different depending on what variant of Linux or Unix you used and the installation location
Save the httpd.conf and restart the Apache. ModSecurity will not be loaded and as if uninstalled.
If you’re using WebHost Manager (WHM), uninstallation is even simpler. Just scroll to cPanel section, and click on Addon Modules. Then scroll to module named modsecurity. It should be checked Install and Keep Updated currently. Just click on Uninstall to remove the mod security feature from Apache web server.
Tags: aim, client, Collaboration, console chat, dave safley, google chat, icq, im, instant message, instant messenger, Linux, linux chat, mulitple im, open source, ParagonHost, paragonhost llc, scandefense, text based chat client, thespambusters, yahoo im
http://www.pidgin.im/
Pidgin is a multi-protocol Instant Messaging client that allows you to use all of your IM accounts at once.
Pidgin can work with:
- AIM
- Bonjour
- Gadu-Gadu
- Google Talk
- Groupwise
- ICQ
- IRC
- MSN
- MySpaceIM
- QQ
- SILC
- SIMPLE
- Sametime
- XMPP
- Yahoo!
- Zephyr
Pidgin is free software. It is licensed under the GNU General Public License (GPL) version 2. This means you are free to use it and to modify it, but if you distribute your modifications you must distribute the modified source code as well.
Pidgin is an instant messaging program for Windows, Linux, BSD, and other Unixes. You can talk to your friends using AIM, ICQ, Jabber/XMPP, MSN Messenger, Yahoo!, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, QQ, Lotus Sametime, SILC, SIMPLE, MySpaceIM, and Zephyr.
Pidgin can log in to multiple accounts on multiple IM networks simultaneously. This means that you can be chatting with friends on AIM, talking to a friend on Yahoo Messenger, and sitting in an IRC channel all at the same time.
Pidgin supports many features of the various networks, such as file transfer, away messages, and typing notification. It also goes beyond that and provides many unique features. A few popular features are Buddy Pounces, which give the ability to notify you, send a message, play a sound, or run a program when a specific buddy goes away, signs online, or returns from idle; and plugins, consisting of text replacement, a buddy ticker, extended message notification, iconify on away, spell checking, tabbed conversations, and more.
Pidgin runs on a number of platforms, including Windows, Linux, and other UNIX operating systems. Looking for Pidgin for OS X? Try Adium!
Pidgin integrates well with GNOME 2 and KDE 3.1’s system tray, as well as Windows’ own system tray. This allows you to work with Pidgin without requiring the buddy list window to be open at all times.
Pidgin is under constant development, and releases are usually frequent. The latest news regarding Pidgin can be found on the news page.
What is Finch?
Finch is the text-based version of Pidgin. It supports the same IM networks, but you can run it in a console window. You can use it on Linux, BSD, and other Unixes.
What is libpurple?
libpurple is the programming library that powers Pidgin and Finch. It’s responsible for connecting to all the IM networks, and for managing your accounts and preferences. It’s written in C and makes heavy use of Glib.
Is all of this free?
We believe in freedom of communication. To support our aspirations of “IM Freedom,” we release Pidgin, Finch, and libpurple as free software under the GNU General Public License (GPL). We believe that giving others the freedom to modify, share, and augment our code contributes to the goal of bringing freedom of communication to the Internet. The GPL allows us to ensure that any modifications to our code remain free, so that everyone may enjoy their benefits.
How can I help?
We always welcome feedback and contributions. You don’t need to be a developer to help out, but if you are, you can help us by fixing bugs in our code or building new functionality into it. Our development site includes numerous resources for getting started with libpurple, Pidgin, and Finch development.
If you are a regular user, we encourage you to let us know about any problems you encounter and to provide us with suggestions for improvement. You can do so via our support system, IRC channel, XMPP conference, or development mailing list. We also encourage users to help one another solve problems and discover new features using any of these media.
Aggregation: ParagonHost, LLC http://www.ParagonHost.com
Content Filtering: Scan Defense http://www.ScanDefense.com
Email Spam Prevention: The Spam Busters http://www.TheSpamBusters.com
| Fun with DNS: Three Useful Commands |
| Last update: 01.25.07 |
Submitted by Dan Forootan
|
| There are three crucial commands that can put all the DNS information you need at your fingertips. The way to use this article is to try each of the commands listed on a domain name, so you can see what the output looks like. |
|
The DNS is a distributed, hierarchical database where authority flows from the top (or root) of the hierarchy downward.
When thinking of the structure of the DNS, imagine an inverted tree. Each branch of the tree is within a zone of authority; however, multiple branches of the tree can be within a single zone.
The software (Bind being the most common) that stores domain name information is called a domain name server. A single name server can be authoritative for multiple zones. All zones have a primary master and a secondary master name server that provides authoritative responses for their zones.
If you query a name server not authoritative for a particular zone, that name server will most likely have up-to-date information. This is because zone information propagates throughout the Internet at regular intervals, and name servers cache zone information for which they are not authoritative.
DNS Commands
There are three crucial commands that can put all the DNS information you need at your fingertips. The way to use this article is to try each of the commands listed on a domain name, so you can see what the output looks like. Learn by doing!
Zone file database records divide DNS information into three primary types: NS (Name Server) records, MX (Mail Exchange) records, and A (Address) records. NS records indicate the name servers. MX records indicate the hosts that handle e-mail delivery; the priority (pri) number indicates the order in which mail servers are used, with the lowest number receiving the highest priority. The A (Address) records map hostnames to IP addresses, the real names of machines.
host
This is the simplest of the DNS commands. It is a quick way to determine the IP address of a hostname:
: host www.your-domain-name.com
The -a option will return all of the DNS information in verbose format.
: host -a www.your-domain-name.com
Now that you know the IP address for www.your-domain-name.com , try a reverse lookup.
: host IP-ADDRESS
dig (domain information groper)
This command gathers and returns DNS information in a format the name server can use directly. You will find it easy to query specific name servers with dig.
You can quickly determine the Name servers of your host or any other host:
: dig ns your-host.com
Then you check your (or another) website against the host’s name servers:
: dig www.your-domain-name.com @ns.your-host.com
Dig can provide output that is in the same format as the zone file itself. Here is how to get the whole zone file:
: dig any your-domain-name.com
Here are the most useful dig query types: dig any (gathers all DNS information), dig ns (gathers name server information), dig mx (gathers mail exchanger information) and dig a (gathers network address information).
The dig command can also do reverse lookups with output formatted for the zone file:
: dig -x IP-Address
nslookup
You can use this tool as a single line command, or you can use it interactively, which distinguishes it from the other DNS commands. Once you have started nslookup, type set all to list the default options. As with dig you can choose the server (name server) you want to query, and you can decide the type of DNS information on which to focus.
Just as you can issue commands to nslookup interactively, you can also change the initial defaults by starting a .nslookuprc file. The format of the .nslookup is one command per line:
set type=NS
set domain=srvns.your-host.com
set timeout=10
Conclusion
These three commands can provide you with most of the information you need about your domain names. They are powerful tools, and this article should provide you enough information to get started or offer a quick refresher if you already use these commands.
|
“World Class Internet Services”
Tags: , blackhole, cPanel, email, exim, fail, mail, mail routes, mail server configuration, mailroutes, ParagonHost, smtp, whm
Source: ConfigServer.com http://www.ConfigServer.com
Why you should use :fail:
There are sound technical reasons that you should only use :fail: and not :blackhole: on a cPanel server running exim. We have conducted quite extensive testing to establish this configuration is best and outline the reasons here.
In general the two different settings both discard email not destined for a POP3 account, an alias or a catchall alias. However, ever since cPanel included the verify = recipient code in the standard cPanel ACL section for exim, the way email is discarded differs with the two methods quite starkly:
- Using :blackhole: email is accepted and received into the server in its entirety. It is then processed through exim and only on delivery is it written to the null device (/dev/null) and silently ignored.
- This wastes server bandwidth as the email data, or body, of the email is accepted into the server
- This wastes server resources (CPU, memory and disk I/O) as the email is fully processed by exim before being finally written to /dev/null
- Because the blackholed email is still processed through the whole of exim before it is finally deleted, if any of the usual checks and routing that any email goes through fails, such email can be placed in the exim mail queue for later reprocessing. This can lead to tens of thousands of blackholed emails accumulating in the exim mail queue which in turn can cause a range of serious server performance and resource problems and will affect the normal and timely delivery of email
- This actually breaks the SMTP RFC’s because you’re not notifying the sending SMTP server that the email is undelivered, which is a requirement
- Causes emails that will never be delivered onto the exim mail queue because checks such as sender verification are still carried out when processing such emails and if they cannot complete they will stay on the exim mail queue and repeatedly reprocess the email until it is finally discarded (usually 4+ days). This can cause very large mail queues full of spam which is repeatedly processed causing severe performance degradation
- Using :fail: the email is never accepted into the server. During the initial SMTP negotiation when the senders SMTP server connects to your SMTP server, the sending SMTP server issues a RCPT command notifying your server which email address the email to follow is intended for. Your server then checks whether the recipient email actually exists on your server (a POP3 account, an alias or a catchall alias) and if it does not, it issues an SMTP DENY which terminates the attempt to deliver the email.
- This saves bandwidth as the email data is never received into your server
- This saves server resources as the email never has to be processed
- This complies with the SMTP RFC’s because the sending SMTP server receives the DENY command
- Your server does not send a bounce message (just the DENY command)
- Your server does not send anything to the sender of the email (i.e. the address in the From: line)
- The sending SMTP server is responsible for notifying the original sender
Here is a simple explanation of what happens during the SMTP conversation
- Some other SMTP server connects to your server on port 25 and initiates an SMTP connection (EHLO command)
- Other server then sends a message saying who they’re delivering a message for (MAIL FROM command)
- Other server then sends who the message is for on your server (RCPT command)
- At this point your server then checks whether the email address in the RCPT command can actually be delivered on your server. If you do not have a catchall alias configured to point to an email address (Default Address) and you have it set to :fail: the following happens:
- Your server sends back along the same connection to the sending server “Go away, no-one here” (the DENY command)
- The sender server would then normally tell their user that the attempt to email your server failed. Your server does not send a “bounce” message. As far as your server is concerned, all that has happened is a little SMTP chatter and no email has been received and no bounce sent
Additionally, this is what our Exim Deny ACL does:
- If the sender server tries four email addresses that don’t exist on your server the ACL disconnects the session with the sender server (DROP) and puts the IP address of the sender server into /etc/exim_deny
- If the sender server connects again, the ACL first checks /etc/exim_deny and if it finds the senders IP address there the session is immediately disconnected
*** If a user reports that they can send mail from Horde but cannot save to sent mail folder or if using SquirrelMail , sending mail fails with the following error:
Email quota - invalid maildirsize file
Here is the solution:
In some cases when a mailbox can get corrupt and needs a small tweak. There are many different email issues that can happen.
If you see when changing a quota in your cPanel Center, the following message “invalid maildirsize file.
The following will help 99% to fix the issue, its easy and don’t be scared!
This would be a courier maildirsize file for the email account, which you can usually find by logging into cPanel, click on File Manager, click on the folder icon next to the mail folder, click on the folder icon next to the domain name, click on the folder icon next to the email user name, then click on the file called maildirsize in that folder (don’t click on the icon but the file’s name itself). In the upper right hand list of links, click to delete the file. Once you delete it, it will reform for the account automatically and it should then have the correct quota size.
| Category |
cPanel WHM |
 |
Question |
RVSkin Master Account (hosting) removed by accident also How do you ReInstall RVSKIN |
|
Answer |
If you delete the master account (Hosting account that ends with a .zz) you will need to run the following commands as root:
rm -f /usr/local/cpanel/Cpanel/rvversion
perl /root/rvadmin/auto_rvskin.pl
This will ReInstall RVSkin and rebuild the master hosting account.
You will need a “active” support account at RVSkin in order to install using the above commands. May need to update your support subscription. |
|
Supporting File |
|
|
Keywords |
rvskin cpanel whm reinstall master hosting account command line script perl script install rvadmin rvskin reinstallation |
Remote MySQL Connection :: How To
Can I remotely connect to mysql? YES!Follow these simple instructions to remotely connect to mysql.
Before you can connect to MySQL, You must enable your computer as an access host. It may sound confusing, but CPanel makes this ver simpe. First, login to cpanel using yourdomain.com/cpanel. Then, on the main menu of CPanel, click [MySQL]. Now, scroll down to about mid way through the page until you see “Access Hosts:”. Under that, you will see a list of all the IPs that are permitted to connect to your mysql databases. As default, only “localhost” will be listed. Directly under that, you will see “Host (% wildcard is allowed):” with a text field next to it. In that text field you can enter your computers IP address. After you enter your IP address, click [Add Host] and your done. Your computer can now remotely connect to your mysql database(s).
How can I find out my computers IP address?
- Simple, just go to http://www.ViewIP.info Wait a minute, my IP constantly changes!
Okay, you have a dynamic IP address. Therefore, everytime you go online, or every once in awhile, your IP changes. You have a few options here. The most secure, would be to update your IP in “Allowed Hosts” in CPanel (under MySQL) everytime your IP changes. However, you do have other options available. However, you could simply enter “%” (a percentage sign) in the “access hosts” text filed in CPanel (under mysql). This would allow any IP to remotely connect via mysql. Another option: Lets say the first three parts of your IP never change. Then, you could enter 93.138.%.% , where the first two parts are your actual IP address numbers.
After your IP is added to the Access Hosts list:
First, you will have to create a mysql database and assign a user to it. Please see documentation on how to do this, as this article will assume you already have a database setup. Your username and password will be the username and password of the user assigned to the database.
Database name = cpanelusername_databasename
Database username = cpanelusername_databaseusername
MySQL Connection Port = 3306
* The database name and username is clearly displayed in CPanel, in the MySQL area.
Aggregation: ParagonHost, LLC http://www.paragonhost.com“World Class Internet Services”
Q:
I have lost my system (centos 4.3) root password,
I have change try to change the root password by the command “change password” but I receive the message “error 32 you must be authentificated”
Thank you,
A:
You need to boot into single user mode (by sitting in front of the actual computer)
Then you can reset it from there.
Quoted from another post:
“Boot into single user mode. You can do that by modifying the grub boot option on startup.
1. Press ‘e’ to edit startup
2. Use the arrow keys to highlight the kernel line and pres ‘e’ to edit the parameters
3. At the end of the line, add the word ’single’ (without the ‘) and press Enter
4. Press ‘b’ to boot the system
You will be dropped directly into a bash shell as root and can change the password. You can also access your file system from there. You will not have any network access while in single user mode though.”
Business Class Hosting by: ParagonHost
http://www.ParagonHost.com
“World Class Internet Services”
METHOD 1 - phpMyAdmin
You can use phpMyAdmin to backup/restore your database if it is relatively small (~200k)
If your database is larger than that please skip to METHOD 2 - command line
BACKUP:
1) Select the database you’d like to back up from the column on the left
2) Click on “Export” from the top set of tabs
3) Select the tables from the list that you would like to backup, if you want to backup the
entire database hit “Select All”
- Select “Structure and data” from the bullet list
4) Selection boxes:
- Check the “Add ‘drop table’” box if you are moving the database to a new location and don’t
want to merge the old table with an existing one
- Click the “Save as file” box
- Use the “Save as file zipped” if you want to compress the backup before downloading it from
the server
5) Click the “Go” button, when prompted save the file to your local computer
RESTORE:
1) From the column on the left select the database to restore the from backup, if one doesn’t exist
you must first create it.
2) Click on “SQL” from the top set of tabs
3) Click on the “Browse” button next to “Or Location of the textfile:” near the bottom
4) Browse to the local backup and click “Open”
- If you have the local backup in a non-text file format, e.g. you selected “Save as file: zipped”
when you backed up the database, you’ll have to unzip the file on your local computer before you
can select it during this step
5) Click the “Go” button
- You should get a message like this:
Your SQL-query has been executed successfully :
The content of your file has been inserted. (X Instructions)
If not you might have a corrupted backup
METHOD 2 - command line
This method works regardless of the size of your database. You must have SSH access to your server. On (gs) plans you can invoke SSH access from within your Control Panel. On (dv) plans you must enable Shell Access through Plesk.
BACKUP:
1) Log into your server via SSH and cd into a directory where your user has write access. On (ss) plans
you would do something like this:
cd /var/www/html/
2) Enter the following command:
mysqldump –add-drop-table -u Username -p dbname > dbname.sql
- omit the ‘–add-drop-table’ argument if you’ll want to merge this backup with an existing database
upon restoral
- Where ‘Username’ is replaced by the mySQL username. On (ss) plans this user is the same as the
administrative FTP user. On (as) plans this user can be found by logging into Plesk, clicking
on the domain and going to databases and clicking on the database to be backed up.
- Replace ‘dbname’ with the name of the database to be backed up.
- Replace dbname.sql with what you’d like to name the backup.
3) Enter your mySQL password at the prompt. If you don’t know it you can reset it in your webcontrol or Plesk
admin panel
- If you get an error that looks like this:
ERROR 1045: Access denied for user: ‘Username@localhost’ (Using password: YES)
you have entered an incorrect password, please retype it carefully or reset it to something else via
the webcontrol panel or Plesk administrator
- On (ss) plans if you have reset the password in the webcontrol panel and are sure you’ve entered it correctly
on the command line this might be a permissions problem. Try renaming your database to something else in the
webcontrol panel and then back to the original, this often fixes permissions problems.
4) Use FTP to download the file to your backup location, probably your local computer.
- Don’t forget to delete the backup from your public html directory after you’ve found a safe place for it.
You don’t want to leave your backup lying around where anyone with a web browser can download a copy.
RESTORE:
1) Use FTP to upload the file to your server, your public html directory will work for now
- Don’t forget to delete the backup from your public html directory after you’ve done the database restoral.
You don’t want to leave your backup lying around where anyone with a web browser can download a copy.
2) Log into your server via SSH and cd to the directory where you’ve uploaded the file. On the (ss) plan if you
uploaded the backup into your public html directory you would use the command:
cd /var/www/html/
3) Enter the following command:
mysql -u Username -p dbname < dbname.sql
- Where ‘Username’ is replaced by the mySQL username. On (ss) plans this user is the same as the
administrative FTP user. On (as) plans this user can be found by logging into Plesk, clicking
on the domain and going to databases and clicking on the database to be restored.
- Replace ‘dbname’ with the name of the database to be restored.
- Replace dbname.sql with the name of the backup.
If you have a zipped backup of your database you can use this line instead:
gunzip < dbname.gz | mysql -u Username -p dbname
- Where ‘Username’ is replaced by the mySQL username. On (ss) plans this user is the same as the
administrative FTP user. On (as) plans this user can be found by logging into Plesk, clicking
on the domain and going to databases and clicking on the database to be restored.
- Replace ‘dbname’ with the name of the database to be restored.
- Replace dbname.gz with the name of the backup.
4) Enter your mySQL password at the prompt. If you don’t know it you can reset it in your webcontrol or Plesk
admin panel
- If you get an error that looks like this:
ERROR 1045: Access denied for user: ‘Username@localhost’ (Using password: YES)
you have entered an incorrect password, please retype it carefully or reset it to something else via
the webcontrol panel or Plesk administrator
Comments (2)
Three quick additions, SPF is actually about the envelope sender address (Return-Path, MAIL FROM), not the Reply-To address.
Receivers checking SPF hopefully reject a forged mail from, if it was spam that’s it. If it was no spam (erroneous sender policy or receiver rejected FAIL elsewhere, relevant for forwarding) the legit sender gets an error code, and will create a good bounce (non-delivery notification) for the user.
Spammers won’t reach many of their targets with an SPF FAIL protected address, and hopefully give up using an unprotected address after some time.
Posted by Frank | May 2, 2008 10:20 AM
Posted on May 2, 2008 10:20
Thanks. I was being careless with my wording. I will make a clarification in the post.
For the backscatter issue, the field is the return-path field. For SPF, I am pretty sure most filters key off of the mail from header. So you could still spoof a reply-to even with SPF filtering provided the mail from headers were correct.
Currently, when we implement SPF filtering for a client, we reject all messages that have a hardfail. Also, on control panels like Plesk, we setup the default templates to include SPF records by default.
I suspect SPF’s ability to curtail spam will be short lived, but at least it should cut down on the email forgeries which are much more dangerous than the spam.
*** Back Scatter 101
http://spamlinks.net/prevent-secure-backscatter.htm
Bounces are messages, officially called non-delivery reports (NDR) or delivery status notifications (DSN), that are generated by a mail server to report on the delivery status of an email message.
Problems arise with bounces if they are sent by a mail server to a non-local recipient. If a message did not originate locally, then a mail server cannot know for sure if the address it is sending the bounce to is forged or not. This quickly leads to unsolicited “backscatter” (or more rarely “outscatter”), sent to sites that never originated the email.