SMTP – Backscatter check

I will dedicate the next couple of posts to a few of these mechanisms and checks. The first is a check for backscatter. Backscatter is when an NDR (Non-Delivery Report) or bounce message contains the full body of a mail or spam message.

After the recent DirectAdmin posts there was a lot to do with email traffic, and sending email proved quite difficult to get going reliably. This is because many anti-spam mechanisms are in place, and they also make it harder to send larger volumes of legitimate mail.

Mailservers vulnerable to this are guaranteed to end up on blacklists. Most modern mailservers are OK by default, but sometimes you discover one that bounces improperly.

You can manually check whether a mailserver is open to backscatter.

First, a mailserver that is correctly configured.

root@web02:~# telnet server1.yourdomain.com 25
Trying 109.23.59.12...
Connected to server1.yourdomain.com.
Escape character is '^]'.
220 server1.yourdomain.com ESMTP Exim 4.90 Thu, 08 Feb 2018 08:37:33 +0100
helo server1.yourdomain.com
250 server1.yourdomain.com Hello web02.otherdomain.com [82.38.111.3]
MAIL FROM: email@yourdomain.com
250 OK
RCPT TO: idontexist@office.yourdomain.com
550 "Unknown User"

Now a mailserver that is open.

root@web02:~# telnet server2.yourdomain.com 25
Trying 201.34.80.123...
Connected to server2.yourdomain.com.
Escape character is '^]'.
220 server2.yourdomain.com Microsoft ESMTP MAIL Service ready at Thu, 8 Feb 2018 08:10:20 +0100
helo server2.yourdomain.com
250 server2.yourdomain.com Hello [72.123.9.23]
MAIL FROM: email@yourdomain.com
250 2.1.0 Sender OK
RCPT TO: idontexist@office.yourdomain.com
250 2.1.5 Recipient OK

When the last line does not contain something like 'Unknown user' or 'Recipient address rejected', the mailserver is vulnerable and should be reconfigured.
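The same dialogue can be scripted so the check can be repeated against every server you run. This is an added example, not code from the post: it replays HELO, MAIL FROM and RCPT TO for a nonexistent mailbox, classifies the RCPT reply, and sends RSET so the probe itself can never queue a message. The hostnames and addresses are placeholders taken from the transcripts above.

```python
import smtplib
from typing import Tuple


def classify_rcpt_reply(code: int) -> str:
    """Map the reply code to RCPT TO for a mailbox that does not exist.

    A 5xx (e.g. Exim's 550 "Unknown User") means recipients are validated
    during the SMTP dialogue, so no NDR is ever generated for a forged
    sender.  A 2xx means the mail is accepted first and bounced later,
    which is exactly the backscatter case shown in the second transcript.
    """
    if 500 <= code < 600:
        return "rejects-at-rcpt"
    if 400 <= code < 500:
        return "temporary-failure"   # greylisting or rate limit: retry later
    if 200 <= code < 300:
        return "accepts-unknown-recipient"
    return "unexpected"


def check_backscatter(host: str, helo_name: str, sender: str,
                      probe_recipient: str, port: int = 25,
                      timeout: float = 15.0) -> Tuple[str, int, str]:
    """Replay the manual telnet check and return (verdict, code, server text).

    Stops after RCPT TO and issues RSET, so nothing is queued and the probe
    cannot produce a bounce on its own.  QUIT is sent by the context manager.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.helo(helo_name)
        code, msg = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {msg.decode(errors='replace')}")
        code, msg = smtp.rcpt(probe_recipient)
        smtp.rset()
    return classify_rcpt_reply(code), code, msg.decode(errors="replace")


if __name__ == "__main__":
    # Placeholder values from the post; replace with a server you administer.
    verdict, code, text = check_backscatter(
        "server1.yourdomain.com", "web02.otherdomain.com",
        "email@yourdomain.com", "idontexist@office.yourdomain.com")
    print(f"{code} {text} -> {verdict}")
```

A "temporary-failure" verdict is inconclusive rather than safe; rerun the check later or from a host the server already trusts.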

Complete series: Backscatter check, DMARC, SPF, DKIM with Postfix, DKIM with Postfix and rspamd, DKIM with DirectAdmin and Exim and SMTP checks.

2 comments
  1. IMHO I think none of those tests check backscattering. Perhaps something like this would be better:

    root@web02:~# telnet server2.yourdomain.com 25
    Trying 201.34.80.123...
    Connected to server2.yourdomain.com.
    Escape character is '^]'.
    220 server2.yourdomain.com Microsoft ESMTP MAIL Service ready at Thu, 8 Feb 2018 08:10:20 +0100
    helo server2.yourdomain.com
    250 server2.yourdomain.com Hello [72.123.9.23]
    MAIL FROM: spam-to@hotmail.com
    250 2.1.0 Sender OK
    RCPT TO: email@yourdomain.com
    250 2.1.5 Recipient OK
    DATA
    Subject: Testing

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

    .

    If you don't get a hard reject, or a bounce mail is sent to spam-to@hotmail.com, then you are vulnerable to backscattering.
