
Spam from Autoturn.plus.net

mssystems
Rising Star
Posts: 269
Thanks: 33
Fixes: 1
Registered: 10-08-2007

Spam from Autoturn.plus.net

Over the last week we have been testing various Anti-spam techniques. During these tests I managed to disable the outgoing finger command to the Autoturn server which is our secondary MX.

So this morning I turn the finger back on and wait a couple hours for the mail server to chew over several thousand incoming messages. I have just finished looking at the logs and it turns out EVERY message that came from the Autoturn was spam.

Down time on our mail server during the test period can be measured in minutes so it stands a chance these spam mails were never directed at our primary MX.

A sample header is attached

Anyone care to comment on why this is happening?

Regards
Matt

----- sample header ------
Received: (qmail 8736 invoked from network); 24 Mar 2004 11:54:15 -0000
Received: from unknown (HELO 212.159.3.9) (207.164.90.26) by autoturn.force9.net with SMTP; 24 Mar 2004 11:54:15 -0000
Received: from [33.25.34.68] by 212.159.3.9 id <5136388-41531>; Wed, 24 Mar 2004 13:36:23 +0200
Message-ID: <q-0$r9-c7o4-rnx@eje.8.smriv5>
From: "Lavonne Douglas" <xbyqwf8p@millenium.b3ta.org>
Reply-To: "Lavonne Douglas" <xbyqwf8p@millenium.b3ta.org>
To: <invalid-address@my-domain>
Subject: cobfocal anstlmo kxikpmf
Date: Wed, 24 Mar 04 13:36:23 GMT
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-Priority: 3
X-MSMail-Priority: Normal
Return-Path: <xbyqwf8p@millenium.b3ta.org>
X-OriginalArrivalTime: 25 Mar 2004 09:48:25.0834 (UTC) FILETIME=[518FBCA0:01C4124E]
N/A

Spam from Autoturn.plus.net

Some spammers use a technique where backup mail servers are spammed rather than the primary. Or rather, any other bar the highest priority one.

This is to prey on the fact that some mail server administrators fail to set protection up correctly.

Some admins whitelist their backup servers, in a bid to prevent anything coming from it being blocked. Not just that, but techniques like SPF checking would normally see mail rejected from their backup server.

This is why spammers use this, because some of the normal detection techniques are disabled.

With more small businesses and even home users running their own mail servers than ever before, spammers need to try every method possible.
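As an added example (not code from the thread or from PlusNet), the check below walks the Received chain of a message handed over by the backup MX, takes the client IP that actually connected to autoturn.force9.net, and flags a HELO that impersonates our own address; it assumes 212.159.3.9 is the poster's primary MX, and the blocklist stands in for a real RDNS/DNSBL lookup.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the header posted at the top of the thread.
SAMPLE = """\
Received: (qmail 8736 invoked from network); 24 Mar 2004 11:54:15 -0000
Received: from unknown (HELO 212.159.3.9) (207.164.90.26) by autoturn.force9.net with SMTP; 24 Mar 2004 11:54:15 -0000
Received: from [33.25.34.68] by 212.159.3.9 id <5136388-41531>; Wed, 24 Mar 2004 13:36:23 +0200
From: "Lavonne Douglas" <xbyqwf8p@millenium.b3ta.org>
To: <invalid-address@my-domain>
Subject: cobfocal anstlmo kxikpmf

"""

PRIMARY_MX_IPS = {"212.159.3.9"}            # assumption: the poster's own primary MX
BACKUP_MX_HOSTS = {"autoturn.force9.net"}   # the backup relay whose Received stamp we trust
CONSTRUCTED_BLOCKLIST = {"207.164.90.26"}   # stand-in for an RDNS/DNSBL lookup result

# One relay hop: "from NAME (HELO X) (IP) by HOST ..."; the HELO part is optional.
HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)(?:\s+\(HELO\s+(?P<helo>[^)]+)\))?"
    r"\s*\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def analyse(raw):
    """Find the hop where the message entered the backup MX and check the real client."""
    msg = message_from_string(raw)
    result = {"via_backup": False, "client_ip": None, "helo": None, "flags": []}
    for hop in msg.get_all("Received", []):
        m = HOP_RE.search(hop.replace("\n", " "))
        if not m or m.group("by").lower() not in BACKUP_MX_HOSTS:
            continue  # not the backup's own stamp; any hop below it was written by the sender
        result["via_backup"] = True
        result["client_ip"] = m.group("ip")
        result["helo"] = (m.group("helo") or m.group("name")).strip()
        if result["helo"] in PRIMARY_MX_IPS:
            result["flags"].append("helo_impersonates_primary")
        if result["client_ip"] in CONSTRUCTED_BLOCKLIST:
            result["flags"].append("client_ip_listed")
        break
    return result

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The point is that the RDNS/BL check is applied to the client that connected to the backup, not to the backup itself, which is what a whitelisted secondary MX otherwise defeats.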
mssystems

Spam from Autoturn.plus.net

Thanks Phil

I sort of suspected it would be something like that. I have just installed an RDNS and BL check but anything that comes from Autoturn will defeat it.

For now I am turning off the Autoturn finger and legitimate mail should come through on a re-try if our mail server is down.

Quote
With more small businesses and even home users running their own mail servers than ever before, spammers need to try every method possible.


Sounds like another justification for SMTP filtering to me Wink

Regards
Matt
N/A

Spam from Autoturn.plus.net

It depends on your mail server and the whitelist process.

You can often set up a server as a designated/authorised relay, rather than whitelisting it.

Mail can often then be allowed past without issue.

Further to this, another method is to perform HOSTS file based whitelisting.

Place the IP address of the server you want, in reverse dotted notation, and append the RBDNS domain to this, into the HOSTS file. Set the IP value to one that is considered valid by your lookup schema.
N/A

Spam from Autoturn.plus.net

Quote
For now I am turning off the Autoturn finger and legitimate mail should come through on a re-try if our mail server is down.

If you want to go down that route and your server is live most of the time, it may be better to change the MX records by deleting autoturn and mx.last, leaving just your own domain - that way the sending MTA will retry after whatever delay it has set (a few hours usually). The other way, you will have to wait for autoturn to send the non-delivery advice (a few days, presumably), and then for the sender to retransmit the email.
mssystems

Spam from Autoturn.plus.net

pacaya thanks for the tip.

So how do I go about removing the plus.net servers from my DNS records?

I just tried to do it on configure DNS from the Domain Names portal and the interface appears to have changed since I last used it. I have specified 'I want to configure DNS' and left the existing records for my server. There is no option to remove the plus.net MXs.


The route I would like to go down is to get the damn stuff filtered prior to it taking up my bandwidth and server resource. Message Labs are a little out my price range though.

I have to maintain an Exchange IMC in order to support my clients. AIUI the IMC pretty much accepts anything addressed to the domain. Currently I am using or-filter to check the mail between it hitting the pre-submission queue and internal delivery. Ideally I would like to reject mail at the transport layer. I have thought about writing my own proxy filter but I have two other development projects on at the mo.

Regards
Matt
N/A

Spam from Autoturn.plus.net

After reading that, I have a little more to add on the way spammers work.

When your mail server rejects the e-mail from them, they ignore it. They simply progress through the list of MX servers available to them, until all are exhausted.

As you can see, your mail server rejects it, but autoturn happily accepts it.

The problem with this is that spammers class an e-mail address as valid if the server accepts the e-mail. Thus you are entered onto the confirmed delivery list.

SMTP level spam checking at PlusNet would rule this out. However, you have no control over it, and it may still accept a lot of false positives unlike your own system.

As such, the only way is to set your mail server as the only accepting MX record. Though you may find you become in need of your own backup MX running your own set of filters in the future.

One thing I might suggest. Check one or two of the headers of messages accepted via autoturn, against the rejection log of your own mail server.

You may find a few duplicates.
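The cross-check suggested above, as an added example that is not part of the thread: correlate the messages the backup handed over with the primary MX's own rejection log by client IP inside a time window, so a sender that was refused by the primary and then walked down to autoturn shows up as a duplicate. The log line format and both data sets are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed primary-MX rejection log; the format is invented for this example.
PRIMARY_REJECT_LOG = """\
2004-03-24 11:53:58 reject client=207.164.90.26 helo=212.159.3.9 reason=rdns-bl
2004-03-24 11:54:02 reject client=207.164.90.26 helo=212.159.3.9 reason=rdns-bl
2004-03-24 12:10:41 reject client=198.51.100.7 helo=mail.example reason=helo-forged
"""

# Constructed records of mail the backup MX delivered to us:
# (client IP seen at the backup, Message-ID, time the backup accepted it).
BACKUP_ACCEPTED = [
    ("207.164.90.26", "<q-0$r9-c7o4-rnx@eje.8.smriv5>", "2004-03-24 11:54:15"),
    ("203.0.113.5", "<legit-1@example.net>", "2004-03-24 15:02:00"),
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) reject client=(?P<ip>\S+) helo=(?P<helo>\S+) reason=(?P<reason>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_rejects(log):
    """Map client IP -> list of (timestamp, reason) for every rejection in the log."""
    rejects = {}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            when = datetime.strptime(m.group("ts"), TS_FMT)
            rejects.setdefault(m.group("ip"), []).append((when, m.group("reason")))
    return rejects

def correlate(accepted, rejects, window=timedelta(hours=1)):
    """Return backup-accepted messages whose client IP the primary rejected shortly before."""
    hits = []
    for ip, msgid, ts in accepted:
        arrived = datetime.strptime(ts, TS_FMT)
        prior = [r for t, r in rejects.get(ip, []) if arrived - window <= t <= arrived]
        if prior:
            hits.append({"client_ip": ip, "message_id": msgid,
                         "rejects_in_window": len(prior), "reasons": sorted(set(prior))})
    return hits

if __name__ == "__main__":
    for hit in correlate(BACKUP_ACCEPTED, parse_rejects(PRIMARY_REJECT_LOG)):
        print(hit)
```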
mssystems

Spam from Autoturn.plus.net

Phil I amended my other post while you were writing your last one.

Regarding the mail headers. OR-Filter is not too sophisticated, it is free after all. It only looks at the sending mail server and compares that to the black/white list and RDNS BL servers. So anything that is relayed through Autoturn would be accepted unless the subject triggers the Bayesian filters. Keyword checking cripples my poor little server so I have to restrict the Bayesians to the most obvious terms.

I realise there is an issue with false positives if the filters are too tight. In fact it is one reason I don't use RDNS BLs for my clients. The BLs have a habit of listing the major ISPs every few days.

What I have set up for my clients is that mail goes to Message Labs which filters 80 to 90% of the definitely, no question about it spam. This is usually enough for most people. I have one particular client who processes 'a lot' of mail, they provide a forwarding service for around 1,000 volunteers. At the last count ML were filtering 15,000 spams a day from their feed. In fact the ML service has paid for itself; the reduction in bandwidth has allowed us to downgrade the leased line without a reduction in service. We have a secondary filter on their mail server and in combination with ML, spam is pretty much eliminated. It has required very little maintenance since being set up.

What I would like plus net to offer (as you may know) is a subscription service to remove the, absolutely, positively is, spam from my SMTP traffic. I realise that drug companies, dating agency and even porn companies have a right to send mail, but I don't want to receive it, process it or pay for the bandwidth it takes up.

Regards
Matt
N/A

Spam from Autoturn.plus.net

To remove PlusNet's servers from the loop, you need to set mail delivery for the domain in question to "Other".

After this, your existing MX record should remain in place and accept the e-mail as normal. Autoturn will just fade away after 48 hours or so.

IE. Keep collecting from it for a week.
mssystems

Spam from Autoturn.plus.net

Thx Phil