Re: Is one of my PC's sending out spam?
- From: Nigel Wade <nmw@xxxxxxxxxxxx>
- Date: Fri, 04 Apr 2008 08:45:36 +0100
Alex Fraser wrote:
Nigel Wade wrote:
R D S wrote:
I deleted a bunch of unused email accounts today on my hosting control panel
and since I have had a load of undeliverable mail reports for emails I
haven't tried to send about watches.
I use 3 PC's, 2 at work and one laptop, is it possible that one of them has
been compromised in some way? Or are this type of emails doing the rounds at
the moment and this is a coincidence? They all have up to date AV and are
regularly spyware checked.
Unlikely, but not impossible.
The most likely reason is that those email addresses have been joe-jobbed, and
have received the "Undeliverable" bounce messages from badly configured mail
servers. A well configured mail server won't accept-and-bounce, it will reject,
thus generating no bounce message. Unfortunately there are far too many
Microsoft Exchange servers out there which are mis-configured by design (or
incompetence) on the part of Microsoft.
This is somewhat unfair. Spammers often seem to send to backup MXes
which, since they cannot generally know which addresses are valid in a
domain, have no option but to accept the message. Therefore they will
generate a bounce when they find (often moments later) that they cannot
relay it.
There is no reason in principle why a backup server can't verify the recipient
during the SMTP conversation. It should be possible, and if the backup can't
then it's a limitation of the configuration not the protocol. If spammers are
sending to backup MX it's most likely because they've identified that backup MX
are a weak point in many setups, presumably where the admin has hardened the
main MX but hasn't paid the same attention to the backup.
Similarly, some content inspection (which may result in
rejection) may be done only after mail has been accepted because of the
hardware resources required to check it as it is received.
You can check the contents after receiving, but before accepting the message.
Also, once you've accepted the message you cannot reject, only bounce. The
message isn't accepted until the response is returned to the "client".
Obviously there may be some delay if you virus scan, spam scan and check RBL's
before sending the response... It all depends on where you put your priorities
- is a quick acceptance of a message, at the expense of vastly increased
amounts of backscatter spam, a good thing?
(However, there certainly are some broken - mostly MS-based - systems
which go looking for an address to send a bounce to, eg the "From"
address, for a message with an empty envelope sender.)
As I understand it earlier versions of Exchange couldn't verify the recipient
during the SMTP conversation. More recent versions can, but it is disabled by
default. Microsoft makes it far too easy for inexperienced people to install
and operate mail servers. Pointy-clicky interfaces to configure a mail server,
in the hands of those with only a little knowledge, are a dangerous thing.
No-one would take on sendmail with the same lack of regard for personal
safety...
Have a look at the full source of the message. The sequence of Received: headers
will tell you the route the message took through each SMTP server in reverse
order. [...]
The simple rule is that you should only consider the first (most recent)
one because, as you went on to say, spammers sometimes add them.
You can, with experience, use the others with varying degrees of accuracy. The
ones added by the spammers are usually self-evident to a human eye, but almost
impossible to spot accurately with any sort of automated algorithm. There will
nearly always be an inconsistency in the Received: trace where the spammer's
headers end and the real headers begin.
--
Nigel Wade
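
The difference between rejecting during the SMTP conversation and accept-then-bounce discussed in this message, as an added example that is not part of the original post: a simplified model of one inbound transaction. The addresses, the `VALID` mailbox set and the `looks_bad` content check are constructed stand-ins.

```python
# Added illustration: a model of one inbound SMTP transaction, not a real server.
VALID = {"alice@example.org"}            # mailboxes that exist (constructed)

def looks_bad(body):
    """Stand-in for the virus/spam scan run on the message body."""
    return "cheap watches" in body.lower()

def receive(sender, rcpts, body, verify_in_session):
    """Return (replies, bounces) for one transaction.

    replies: (command, response) pairs the sending client sees.
    bounces: addresses this server will later mail a bounce to.
    """
    replies, accepted, bounces = [("MAIL FROM", "250 OK")], [], []
    for r in rcpts:
        if verify_in_session and r not in VALID:
            # Rejected before acceptance: the sending client owns the failure.
            replies.append(("RCPT TO " + r, "550 5.1.1 No such user"))
        else:
            accepted.append(r)
            replies.append(("RCPT TO " + r, "250 OK"))
    if not accepted:
        return replies, bounces          # no recipients, DATA never happens
    # The body has been received, but the message is not accepted until
    # the reply to end-of-DATA is sent, so it can still be refused here.
    if verify_in_session and looks_bad(body):
        replies.append(("DATA", "554 5.7.1 Message refused"))
        return replies, bounces
    replies.append(("DATA", "250 OK queued"))
    # After acceptance, a failure can only become a bounce to the envelope
    # sender, which the spammer chose freely: that is the backscatter.
    # An empty envelope sender (<>) must not be sent a bounce.
    if not verify_in_session and sender:
        if any(r not in VALID for r in accepted) or looks_bad(body):
            bounces.append(sender)
    return replies, bounces
```

With `verify_in_session=True` the forged sender never hears about the message; with `False` the same transaction produces a bounce to an address that had nothing to do with it.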