Sunday, March 01, 2009

Preventing Your Exchange Server From Producing Backscatter Spam

We use to monitor Spam Blacklists and make sure our mail servers stay off them.

I recently got a notification that one of our Exchange 2003 mail servers was blacklisted by, a "service" that lists email servers that allow backscatter spam. More on what I think of them later...

You have probably seen backscatter spam. It happens when someone uses a reply address which is not their own, and then sends the message to a known BAD recipient address. The spammer actually wants the message to go to the "forged" reply address, not to the actual recipient listed in the message.

In the past, under these circumstances, the recipient's mail server would accept the mail and make a best effort to deliver it. But once the server realized that it could not deliver the message, it would send a non-delivery report (NDR) to the sender, which in this case would be the "forged" e-mail address.

The result is that the message, including the body (the spam), then goes to the forged reply address. Most people, when confronted with an NDR, will read it to check and see if it is valid or not. Spam delivered...

To prevent this sort of thing, it is good practice to have your mail server NOT send these types of NDRs. Filtering recipients against the directory is a good way to do this in Exchange. As detailed here, you can do this by setting the following in Exchange 2003 server manager:

Go to:
Global settings, message delivery, properties, recipient filtering tab.
Set the check on "filter recipients who are not in the directory".

Next you need to apply that to the virtual host(s) that you want to use the filtering:
Administrative tools, Administrative Group, Servers, Protocols, SMTP, properties on your virtual server. General Tab, advanced, edit.
Check the box "Apply Recipient Filter".

You probably need to restart the SMTP service to make the changes stick.

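After this change, mail sent to an invalid internal recipient is refused during the SMTP conversation with a "550 5.1.1 User unknown" error, so your server never accepts the message and never has to generate an NDR for it.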
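To confirm the filter is active on a server you administer, the following check (an added example, not from the original post) asks the server about a random mailbox that cannot exist and stops after RCPT TO, so no message is sent. The function names, verdict labels and the `nosuchuser-` prefix are assumptions made for this sketch.

```python
import smtplib
import sys
import uuid


def classify_rcpt(code):
    """Map the reply code for RCPT TO on a nonexistent mailbox to a verdict."""
    if 500 <= code <= 599:
        # e.g. "550 5.1.1 User unknown": refused at SMTP time, so this
        # server will not generate an NDR to a possibly forged sender.
        return "rejects-at-smtp"
    if 200 <= code <= 299:
        # Accepted: a later delivery failure becomes an NDR (backscatter).
        return "accepts-unknown"
    # 4xx (greylisting, temporary failure) or anything unexpected.
    return "inconclusive"


def probe(host, domain, mail_from, port=25, timeout=15):
    """Check how `host` answers RCPT TO for a random address in `domain`.

    Returns (address, code, reply_text, verdict). The session is reset
    after RCPT TO; DATA is never issued.
    """
    bogus = "nosuchuser-%s@%s" % (uuid.uuid4().hex[:12], domain)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, reply = smtp.mail(mail_from)
        if code != 250:
            # Sender refused: we learn nothing about recipient filtering.
            return bogus, code, reply.decode(errors="replace"), "inconclusive"
        code, reply = smtp.rcpt(bogus)
        smtp.rset()
    return bogus, code, reply.decode(errors="replace"), classify_rcpt(code)


if __name__ == "__main__":
    # Usage: python rcpt_probe.py <mail-host> <your-domain> <sender-you-control>
    host, domain, sender = sys.argv[1:4]
    rcpt, code, reply, verdict = probe(host, domain, sender)
    print("%s -> %d %s [%s]" % (rcpt, code, reply, verdict))
    sys.exit(0 if verdict == "rejects-at-smtp" else 1)
```

Run it from outside your network against the virtual server that receives Internet mail, since the filter only applies to virtual servers where "Apply Recipient Filter" was checked.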

This is probably a good thing to do. NDRs do provide important info, but they are being abused so much now, it is important to do our part.

But I don't think any mail servers should use the blacklist maintained by Here is why. After DNSStuff notified me of our listing, I went to's page to get the removal process. Check out the results:

This IP is temporary listed. It will be removed automatically and free of charge if you are not abusing the net for 4 weeks.
Express delisting is available optionally by paying 50 Euro's using the following services.
Before requesting expressdelisting make sure the problem is fixed, otherwise you are at risk to get listed again.

Read that paragraph again.

This is extortion, plain and simple. This is the first time I've ever seen a blacklister that requires payment for timely removal. It is ridiculous. I'm not worried for my own systems, this is philosophical. Do not use their blacklists.


Anonymous said...

They may list you in case you do Sender Address Verification, aka Call Back Verification.

Being fair to them, they explain how their list should be used safely, to avoid not receiving good email. It does not work, though, when sending email to a listed site which uses SAV/CBV.

Yes, some smell of an extortion scam in here...

Alex said...

I have many tools on my PC. But none of them can help here. But as far as I remember, one tool would help with this problem. It was mentioned on a software blog. Many weeks ago it helped me - exchange recovery tools.

Anonymous said...

I started my career at a time when people had to spend days explaining how an email could be useful...

I was involved in the first nationwide email system roll-out, where emails, like mail, had stamps and had to be paid for to be delivered...

Of course, I'm not pleading for a paid email system, but...
...just for identifying, certifying, authenticating email senders: I'm ready to pay for registering my servers in 'white lists', not for removal from 'black lists'; then those clean operators can do business reselling their listings or cross-checking between them. It's quite fair.

Those blacklisters have something of the betrayals and false accusations, like the Nazis did in the '30s with Jews...

Unfortunately, too many stupid email administrators are too lazy to do their jobs, to maintain their own proper white list of senders, and prefer to promote those b...