[Dshield] PDF Spam Wave

Valdis.Kletnieks at vt.edu
Thu Aug 9 14:47:20 GMT 2007

On Tue, 07 Aug 2007 05:55:35 EDT, jayjwa said:

> to stop the incoming PDF spam. This is what everyone assumed was happening. 
> Yes, we've seen this before. Yes, you should reject this. Not sure what 
> "accept then bounce" is, I use Sendmail and it does not have an "accept then 
> bounce" option.

Actually, you *do* know what "accept then bounce" is - you mention it yourself:

> 4. They reject this. How is this *not* correct behavior?
> 5. Now certain.domain gets this "bounce". Only it's not a real bounce because
> certain.domain _never sent anything or handled any mail_.

That's "accept then bounce" - the mail server gets an incoming connection,
accepts the mail, sends an SMTP '250 OK' reply acknowledging it, and then
discovers the destination userid is bad/mailbox full/whatever.  So it tries
to bounce it back to the almost-certainly forged/bogus RFC821 'MAIL FROM:',
which of course will do one of 2 things:

1) If the MAIL FROM is *really* bogus, the mail server is left holding the
bag, and usually double-bounces it to the postmaster.

2) If it's only partly bogus (i.e. forged but exists), the poor victim gets
a bounce message for a mail they never actually sent.

In today's environment, the Right Thing To Do is to reject the mail *inband*
while the connection is open - send back a 4xx or 5xx reply for the MAIL FROM,
RCPT TO, or DATA commands. If you never '250 OK' it, you're not responsible for
generating a bounce - that becomes the responsibility of the machine that's
trying to feed you the mail.

> 6. "Bounce" (remember, certain.domain did not send anything to begin with) is 
> labeled to (random)@certain.domain. Obviously, (random) does not exist. What
> to do with mail to a user that does not exist? Do you see the cycle here?

Often, the terms "outscatter" or "backscatter" are used to refer to these
missives routed to innocent third parties - the term *also* includes those
antivirus packages that insist on spamming the purported sender with a
"virus detected" message, when the package knows (or *should* know) that
the source address is forged.
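The two behaviours described above, as an added illustration that is not part of the original post: a toy Python model of one SMTP transaction at the receiving MTA, comparing "accept then bounce" with rejecting in-band. The local mailbox list, the set of sender domains a DSN could reach, and all addresses are constructed for the example.

```python
# Added illustration (not from the original post): one SMTP transaction at the
# receiving MTA under two policies. No network; all addresses are constructed.
from dataclasses import dataclass, field

VALID_MAILBOXES = {"alice@example.net"}          # constructed local users
REACHABLE_DOMAINS = {"certain.domain"}           # constructed: domains a DSN can reach


@dataclass
class Session:
    replies: list = field(default_factory=list)  # SMTP replies sent during the session
    bounces: list = field(default_factory=list)  # DSNs this server generates afterwards


def run_session(mail_from, rcpt_to, inband_reject):
    """Walk MAIL FROM -> RCPT TO -> DATA -> '.' for one recipient.

    inband_reject=True  : answer RCPT TO with a 5xx for unknown users, so the
                          sending machine keeps responsibility for any bounce.
    inband_reject=False : "accept then bounce": 250 OK, then a DSN to the
                          (almost certainly forged) envelope sender.
    """
    s = Session()
    s.replies.append(f"MAIL FROM:<{mail_from}> -> 250 2.1.0 Sender OK")
    known = rcpt_to in VALID_MAILBOXES
    if not known and inband_reject:
        s.replies.append(f"RCPT TO:<{rcpt_to}> -> 550 5.1.1 User unknown")
        return s          # nothing accepted, nothing to bounce
    s.replies.append(f"RCPT TO:<{rcpt_to}> -> 250 2.1.5 Recipient OK")
    s.replies.append("DATA -> 354 End data with <CRLF>.<CRLF>")
    s.replies.append(". -> 250 2.0.0 Queued")   # responsibility is now ours
    if known:
        return s          # delivered locally, no DSN needed
    # Local delivery fails after the fact; we now owe a DSN to MAIL FROM.
    sender_domain = mail_from.rsplit("@", 1)[-1] if "@" in mail_from else ""
    if sender_domain in REACHABLE_DOMAINS:
        s.bounces.append(f"DSN -> {mail_from}")          # case 2: innocent third party
    else:
        s.bounces.append("double-bounce -> postmaster")   # case 1: left holding the bag
    return s


def backscatter(mail_from, rcpt_to, inband_reject):
    """Number of DSNs the receiving server emits for this transaction."""
    return len(run_session(mail_from, rcpt_to, inband_reject).bounces)


if __name__ == "__main__":
    for policy in (False, True):
        s = run_session("random@certain.domain", "nosuchuser@example.net", policy)
        print("inband_reject =", policy, "\n  " + "\n  ".join(s.replies), "\n  bounces:", s.bounces)
```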
