Print Page | Close Window

Spammers using SpamFilter to send Spam

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6857
Printed Date: 22 November 2017 at 12:43am


Topic: Spammers using SpamFilter to send Spam
Posted By: ITI Computers
Subject: Spammers using SpamFilter to send Spam
Date Posted: 26 July 2010 at 10:03am
Hello,
 
I discovered on Friday that Spammers are using the SpamFilter program to send out their Spam. I did not know that was possible. We talked to our Host Provider RackSpace and they showed us how it is being done, the following is from their Technician...
 
"What's happening is spammers are connecting to the spam filter on the 67.192.242.2 IP address. They send a message to a bogus recipient on the aps2000.com domain, and set the Reply-To address in the headers to whoever they want to send spam to. I was able to test and exploit this once I figured out what was going on.

When the spam filter tries to deliver to Imail, it gets an error that the user is invalid. The spam filter then sends an error message to the Reply-To address, using "Webmaster" <webmaster@iticomputers.com> as it's from address. Because Imail allows relay from 192.168.100.199, it sends this error message out.

It essentially is backscatter spam, but the wrinkle is Imail isn't sending backscatter, the problem is the way your spam filter handles errors.

In order to solve this issue, you need to configure your spam filter not to send an error message when a user doesn't exist."
 
Please advise on how we can configure SpamFilter to prevent this.
We are using Version 4.0.1.785
 
Thanks,
Bill Turner
 

 


-------------
ITI Computers
Web Design and Hosting



Replies:
Posted By: LogSat
Date Posted: 26 July 2010 at 9:23pm
Bill,

SpamFilter v4.2.4.830 that was released a few months ago has the following feature, which is exactly what you're looking for: 

/ New to VersionNumber = '4.2.4.830';
{TODO -cNew To avoid backscatter, if an incoming email passes all filtering rules, but cannot be forwarded (ex. mailbox full, non-existent user), SpamFilter maintains open the incoming remote connection until it can verify with the destination server that the email can be delivered. If not, a 5xx error is output forcing the remote server to generate the NDR, rather than having SpamFilter send an NDR notification email}

With versions of SpamFilter prior to v4.2, a very effective way to both eliminate the backscatter and to at the same time reduce spam, is to implement the "Authorized TO" whitelist in SpamFilter. If you provide SpamFilter a list with all the valid email users on your system, SpamFilter will immediately reject any attempt to deliver emails to non-existent users. This causes an immediate disconnect of the spammer, without any NDRs (non-deliverable receipt emails) being generated.


-------------
Roberto Franceschetti

http://www.logsat.com" rel="nofollow - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp" rel="nofollow - Spam Filter ISP


Posted By: ITI Computers
Date Posted: 27 July 2010 at 9:10am
Thanks for the reply.
Adding our users to the "Authorized To" list is not a viable option, as we have 100's of domains and 1000's of users. And more being added all the time, which we do not control.
 
I upgraded our SF program yesterday to the newest version on the site, SpamFilter ISP (v4.1.2.812), I did not see a link to the 4.2.4.830 version. Is it stable? And can you provide a link to it either here or to my email?


-------------
ITI Computers
Web Design and Hosting



Print Page | Close Window