
SPF reject messages flooding impersonated victim

We have this scenario:

  • Bad actor uses some mail server: 192.0.2.25
  • Bad actor attempts to impersonate our CEO: ceo@example.com (spoofed)
  • Bad actor sends e-mails to our finance department and others: ceo@example.com > finance@example.com, ceo@example.com > hr@example.com, ...
  • Bad actor's mails get rejected by our UTM, because our own domain example.com does not list 192.0.2.25 as a legitimate sender
  • Our UTM notifies the sending mail server 192.0.2.25 about the rejected e-mail (due to SPF record checks)
  • Mail server 192.0.2.25 sends "Undelivered Mail Returned to Sender" to ceo@example.com
  • Our CEO gets flooded by those reject messages

Is there any way to utilize UTM to get rid of those reject notification floods?

Just to be clear: We are fully aware that in the scenario above, the mail server 192.0.2.25 is misconfigured (and probably hijacked by bad actors). Our published SPF records yield the desired result and the SPF checking of our UTM works as intended.

The problem is the backscatter that floods the impersonated victim.

  • Saw after posting that the same problem already existed 10 years ago: SPF Rejected mails cause NDR generation to internal email address

    The existing thread does not contain a solution, but a potential pointer to one (BATV). Will update if that leads to a solution for us.

  • Hi terrzfor,

    Yes, BATV should solve that. Unfortunately, BATV has one side effect which prevents me from using it: the problem with out-of-office messages.
    But in your situation I would accept that.

    Best regards 

    Alex 

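The BATV mechanism pointed to in the two replies above, as an added illustration that is not code from the thread or from UTM: outgoing envelope senders get a tag, and at RCPT TO time a bounce (empty MAIL FROM) is only accepted when it comes back to an address we tagged ourselves, so backscatter to the plain CEO address is refused before any NDR exists. The secret, dates and addresses are constructed, and the prvs layout (prvs=KDDDSSSSSS=user@domain with an HMAC-based signature) is my assumption of the draft's scheme.

```python
import hmac
import hashlib
import re
from datetime import date

# Constructed secret for this example; a real gateway keeps it private and
# rotates it by changing the single-digit key id K.
SECRETS = {"0": b"constructed-example-secret"}
MAX_LIFETIME_DAYS = 7
# Assumed prvs layout: prvs=KDDDSSSSSS=user@domain (K key id, DDD expiry day
# mod 1000, SSSSSS first six hex digits of an HMAC over K, DDD and the address).
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+)$")

def _day_number(d: date) -> int:
    return (d - date(1970, 1, 1)).days

def _sig(key_id: str, ddd: str, addr: str, secret: bytes) -> str:
    msg = f"{key_id}{ddd}{addr}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6]

def batv_sign(addr: str, today: date, key_id: str = "0") -> str:
    """Tag the envelope sender (MAIL FROM) of an outgoing message."""
    ddd = f"{(_day_number(today) + MAX_LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={key_id}{ddd}{_sig(key_id, ddd, addr, SECRETS[key_id])}={addr}"

def batv_verify(addr: str, today: date):
    """Return the untagged address if the tag is genuine and unexpired, else None."""
    m = PRVS_RE.match(addr)
    if not m:
        return None
    key_id, ddd, sig, orig = m.groups()
    secret = SECRETS.get(key_id)
    if secret is None:
        return None
    if not hmac.compare_digest(_sig(key_id, ddd, orig, secret), sig.lower()):
        return None
    # Expiry is stored mod 1000, so compare the distance modulo 1000.
    if (int(ddd) - _day_number(today) % 1000) % 1000 > MAX_LIFETIME_DAYS:
        return None
    return orig

def inbound_rcpt_decision(mail_from: str, rcpt_to: str, today: date):
    """Decide at RCPT TO time: returns the address to deliver to, or None to
    reject with a 5xx before any NDR can be generated. Bounces (empty MAIL FROM)
    pass only to tagged addresses; this also drops null-sender out-of-office mail."""
    if mail_from == "":
        return batv_verify(rcpt_to, today)
    return batv_verify(rcpt_to, today) or rcpt_to
```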

  • The out-of-office problem is caused by a Microsoft bug, because Exchange sends these messages not as regular reply mail but as NDRs at the protocol level.

    We ran into this problem often until our mail routing was moved away from Sophos to a central mail management in our company. The Cisco solution that runs there seems to handle this issue.

  • The core problem is that UTM sends Non-Delivery Reports (NDRs), and the feature cannot be disabled. The direction from the IETF is that NDRs should not be sent in reply to incoming mail; either you reject unwanted messages as they are being received, or you discard silently. The mail capability in UTM is weak.

    I have concluded that the ideal environment is one with (at least) three mail components:

    - inbound mail gateway

    - mail server

    - outbound mail gateway

    In this configuration, I use my firewall to ensure that the incoming gateway cannot send outbound mail (port 25 is blocked). This prevents NDRs and also gives additional assurance that it cannot be used as an open relay.

    At my outbound gateway, I quarantine messages with subjects starting "Failed:" or "Undeliverable:". This captures NDRs generated by my mail servers without generating an NDR in return. You may be able to use other criteria, such as messages coming from postmaster@domain.

    How could UTM fit into this picture while still using both inbound and outbound features? The simplest approach is to add an outbound gateway.

    Inbound flow:

    • Internet -> UTM SMTP proxy -> Mail server

    Outbound flow:

    • Mail Server -> UTM SMTP Proxy -> Outbound Gateway -> Internet

    with the Outbound gateway filtering NDRs based on Subject text or other criteria.

    SmarterTools.com has a Windows-based mail server that can be used for free as an incoming or outgoing gateway. There are a bunch of Unix-based email systems that could also be used, including Exim (which is inside UTM) and Postfix.