[nsp-sec] Bounce message backscatter attack against abuse mailbox

Mike Lewinski mike at rockynet.com
Thu Apr 24 11:10:48 EDT 2008


I posted to our client-facing Security and Status blog yesterday in 
response to complaints about an increase in bounce spam:

http://status.rockynet.com/index.cgi/advisories/mail/spam-bounces

"not only does using a bounce delivery mechanism allow them to evade 
many spam filters, but it also increases the likelihood of the end user 
seeing the actual spam contents instead of deleting it based on either 
Sender or Subject criteria."

Given these two factors, I expect bounce delivery to become more popular 
and NDRs to become even less useful. I got the first bounce spam at a 
personal gmail account about a week before it showed up at work. Then it 
was quiet for a couple weeks, and now I'm seeing a low volume again on 
the personal account. I don't think this is backscatter, I think I'm the 
intended recipient.

My experience has been that the spammers have stopped making any attempt 
to clean abuse@ addresses from their lists (though based on the ratio of 
foreign-language spam I'd say that this is more true in Asia). Prior to 
this recent increase in backscatter we'd observed a steady increase in 
the volume of spam being sent directly to abuse@ (and yeah, we'd love to 
filter that and still receive real reports but I don't know how without 
writing some code myself).

We also have an older advisory out about the particular issues with 
spurious NDRs from Exchange server:

http://status.rockynet.com/index.cgi/email

I discovered last week that an old legacy Imail listserv machine was 
being used as a bounce delivery mechanism (albeit at a low enough level 
that only a manual audit of the spool turned it up, perhaps 1-3 / hour). 
Basically Imail will bounce to the header From: address messages sent to 
a restricted posting listserv. There are a couple other ways to get the 
Imail listserv mechanism to generate such bounces but I was able to 
point it at a postfix smart host and delete them after the fact with 
header checks (working on replacing the old listserv with mailman).

We are taking a number of different steps to harden our shared mail 
infrastructure. All the users are migrating to a new set of servers with 
SSL required for all connections. We're taking time to educate customers 
about the importance of SSL authentication in preventing pharming-type 
attacks against their mail accounts. Also the incidence of brute force 
attacks against the POP3 service is leading to a crackdown on poor 
passwords. So we're educating users that "even if you think there's 
nothing of value in your account, system resources are always of value 
to spammers and the server is only as strong as the weakest user password".

Mike Lewinski
Rockynet.com, Inc.
INOC-DBA 13345*MJL
POTS: 303-629-2860
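The post describes bounces generated off a forged From: address (the Imail listserv case) arriving alongside genuine NDRs and real reports in the abuse@ mailbox. The following Python classifier is an added example, not code from the original post or from Rockynet: it parses an inbound bounce, pulls out the Message-ID of the message the bounce claims to return, and checks it against a record of Message-IDs the local MTA actually sent. The sent-ID set, the `example.net` domain and all three sample messages are constructed for the example; in practice the set would be populated from outbound MTA logs.

```python
"""Separate genuine delivery status notifications from backscatter.

Added example (not from the original post). Assumes the operator keeps a
record of Message-IDs the local MTA really sent; here that record is a
constructed in-memory set.
"""
import email
import re
from email import policy

# Constructed: Message-IDs our outbound MTA actually handed off.
SENT_MESSAGE_IDS = {"<20080424101010.AB12@mail.example.net>"}

# Original headers quoted inside a bounce body or a text/rfc822-headers part.
MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE | re.MULTILINE)


def looks_like_dsn(msg):
    """Heuristics for a bounce: null return path (RFC 5321 '<>'),
    RFC 3464 multipart/report structure, or a mailer-daemon/postmaster sender."""
    return_path = str(msg.get("Return-Path", "")).strip()
    sender = str(msg.get("From", "")).lower()
    return (
        return_path == "<>"
        or msg.get_content_type() == "multipart/report"
        or "mailer-daemon" in sender
        or "postmaster@" in sender
    )


def extract_original_message_id(msg):
    """Return the Message-ID of the message the bounce claims to return, or None.

    Prefers a message/rfc822 copy of the original, then falls back to scanning
    text/rfc822-headers and text/plain parts (the plain-text NDR style)."""
    text_parts = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)  # the embedded original message
            mid = inner.get("Message-ID")
            if mid:
                return str(mid).strip()
        elif ctype in ("text/rfc822-headers", "text/plain"):
            text_parts.append(part.get_content())
    for text in text_parts:
        match = MSGID_RE.search(text)
        if match:
            return match.group(1)
    return None


def classify(raw_message):
    """Return one of: not-a-bounce, genuine, backscatter, unverifiable."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if not looks_like_dsn(msg):
        return "not-a-bounce"
    mid = extract_original_message_id(msg)
    if mid is None:
        return "unverifiable"  # a bounce that quotes nothing we can check
    return "genuine" if mid in SENT_MESSAGE_IDS else "backscatter"


# Constructed sample: an RFC 3464 report for a message we really sent.
GENUINE_BOUNCE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@remote.example.org>
To: alice@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The recipient address does not exist.
--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example.org

Final-Recipient: rfc822; nobody@remote.example.org
Action: failed
Status: 5.1.1
--B1
Content-Type: text/rfc822-headers

From: alice@example.net
To: nobody@remote.example.org
Message-ID: <20080424101010.AB12@mail.example.net>
Subject: hello
--B1--
"""

# Constructed sample: a plain-text NDR for a message forged in our name.
BACKSCATTER_BOUNCE = """Return-Path: <>
From: postmaster@victim.example.com
To: abuse@example.net
Subject: Undeliverable: unsolicited offer
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.

Original message headers:
From: abuse@example.net
To: someone@victim.example.com
Message-ID: <zxy999@bot.example.invalid>
Subject: unsolicited offer
"""

# Constructed sample: an ordinary report that must not be touched.
ORDINARY_MESSAGE = """Return-Path: <bob@remote.example.org>
From: Bob <bob@remote.example.org>
To: abuse@example.net
Subject: Spam report
Content-Type: text/plain

Please see the attached headers.
"""

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE_BOUNCE),
                         ("backscatter", BACKSCATTER_BOUNCE),
                         ("ordinary", ORDINARY_MESSAGE)]:
        print(name, "->", classify(sample))
```

Messages classed as `backscatter` can be discarded or filed separately before they reach the abuse@ queue, while `unverifiable` bounces (those quoting no original headers) are worth keeping for manual review rather than dropping, since some legitimate MTAs send minimal NDRs.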


