SPAM with Reply-To and DSN notify
RadimAdmin
Hi,

We have encountered an emerging problem with SPAM messages that have a Reply-To header and delivery notification set.

1. Even in the case of a message marked as spam, KConnect tries to deliver a DSN notification to the Reply-To address, but with the real recipient addresses (not aliases). This is a huge security problem: it reveals real addresses to spammers.

2. The server is bloated by hundreds of delayed DSN messages, because not all Reply-To addresses have existing domains (some have A records but no MX records).

3. Why is the server trying to deliver these DSNs to domains without an MX record? It tries to connect to the host derived from the Reply-To address (it simply takes the part after @ and tries to connect to it over SMTP).

4. Message filters do not apply to DSNs sent by the server itself.

Any advice?

EXAMPLE:
[30/Jul/2017 15:34:29] Sent: Queue-ID: 597dc8e2-00000095, Recipient: <bedag13ek95@gaxljk.com>, Result: delayed, Status: 4.4.1 Cannot connect to host, Remote-Host: gaxljk.com, Msg-Id: <182948812-47324@xxxxxxxxxx>

[Updated on: Mon, 31 July 2017 02:36]

atomitech
Same here. Getting more and more messages like this; currently a few hundred per day.

Big problem in the making.

Maybe we need an option to disable DSN reply messages for any emails that fail any sort of security checks? Including spam lists, blacklists, custom rules, Caller ID, SPF, AV, etc.

An option to just disable all server delivery reports by category might be tempting too. Or at least turn them off for sender addresses not in a users contacts or white-list.
Brian (GFI/Kerio)
In the SMTP server -> Security options, make sure all of the options are enabled.
This issue can happen if you are forwarding messages to another backend mail system and the message was addressed to an unknown recipient. Try to avoid this situation if possible.
Kerio Connect only sends delivery status notifications for messages that have passed all security settings and have been received into the queue.
I suggest contacting technical support to investigate how these messages are being received into the queue.
You may find some helpful tips in this KB article: http://manuals.gfi.com/en/kerio/connect/content/server-configuration/security/securing-kerio-connect-1239.html

Brian Carmichael
Instructional Content Architect
RadimAdmin
Hi Brian,

We are not forwarding messages to any backend systems.

This issue concerns delivery status messages for messages originally MARKED as possible SPAM, not REJECTED as SPAM. There are two threshold settings in the SPAM section.

The secondary problem is: spammers are harvesting real addresses using DSNs, because the DSNs for these messages contain real addresses, not aliases.

I think adding functionality to disable DSNs for messages MARKED as possible spam might solve this issue. And of course adding the possibility to reject messages from domains without valid (or any) MX records. I am unaware of any legitimate mail from a domain with an A record only (without an MX record).

Support ticket already posted, here is the progress:
1. asking for license number - SENT
2. waiting for 2 days
3. asking for logs and messages samples - SENT
4. waiting for 3 days for answer...

atomitech
Here's a log which demonstrates it.

[14/Aug/2017 05:19:48] Recv: Queue-ID: 599116d4-00014080, Service: SMTP, From: <behelqkt3z1s@rmxsmania.com>, To: <sales@mydomain.com>, Size: 3797, Sender-Host: 66.37.0.103, Subject: mivel frissülj 40 fokban? kellemes szellőt adó szobaventilátor, 1 áráért 2 jár, Msg-Id: <MViobBcyfZPkFFRYOl-4N4SA19@rmxsmania.com>

[14/Aug/2017 05:19:50] Recv: Queue-ID: 599116d6-00014081, Service: DSN, From: <>, To: <behelqkt3z1s@rmxsmania.com>, Size: 3211, Report: success, Subject: Visszaigazolás: **SPAM** [***]  mivel frissülj 40 fokban? kellemes szellőt adó szobaventilátor, 1 áráért 2 jár, Msg-Id: <3737204058-17195@mail.mydomain.com>

[14/Aug/2017 05:19:50] Sent: Queue-ID: 599116d4-00014080, Recipient: <sales@mydomain.com>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <MViobBcyfZPkFFRYOl-4N4SA19@rmxsmania.com>


Kerio Connect identifies the dodgy e-mail as spam (adding the SPAM prefix to the subject), and then replies to the sender who had requested a delivery receipt. The DSN sits in the message queue, as Kerio cannot deliver to the spammy sender's MX. I've just deleted 327 such DSN messages from the queue, and 248 were deleted yesterday around midday.

As a quick solution, we'd like to be able to disable server delivery receipts (preferably all, or at least for those messages deemed probable spam). Maybe that can already be done by a manual edit of mailserver.cfg? Users can still choose to reply with read receipts, although it would also be nice to have an option to remove read requests from spammy emails too, to save users being bombarded with all the work.

No doubt smarter ways to handle the situation could be figured with more than the 5 seconds thought I've given it, but if there's a quick existing way to resolve this without us having to add external processes in-front of Kerio then I'd be very grateful to learn from anyone who's found a solution.

Cheers!
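
As an added example (not code from this thread or from Kerio), the following Python script runs the check a defender would want over the Kerio Connect mail log shown above: it flags DSNs generated for messages already tagged **SPAM** that are addressed outside the local domains (the address disclosure RadimAdmin describes) and counts how many of those DSNs are stuck as delayed per remote host. The log lines are constructed from the entries quoted in this thread; the local domain set and the two extra queue IDs are assumptions.

```python
import re
from collections import Counter

SPAM_TAG = "**SPAM**"  # subject prefix Kerio Connect adds to messages marked as spam

# Constructed sample log, modelled on the Kerio Connect mail-log lines quoted in this thread.
SAMPLE_LOG = """\
[14/Aug/2017 05:19:48] Recv: Queue-ID: 599116d4-00014080, Service: SMTP, From: <behelqkt3z1s@rmxsmania.com>, To: <sales@mydomain.com>, Size: 3797, Sender-Host: 66.37.0.103, Subject: mivel frissülj 40 fokban?, Msg-Id: <MViobBcyfZPkFFRYOl-4N4SA19@rmxsmania.com>
[14/Aug/2017 05:19:50] Recv: Queue-ID: 599116d6-00014081, Service: DSN, From: <>, To: <behelqkt3z1s@rmxsmania.com>, Size: 3211, Report: success, Subject: Visszaigazolás: **SPAM** [***]  mivel frissülj 40 fokban?, Msg-Id: <3737204058-17195@mail.mydomain.com>
[14/Aug/2017 05:19:50] Sent: Queue-ID: 599116d4-00014080, Recipient: <sales@mydomain.com>, Result: delivered, Status: 2.0.0 , Remote-Host: 127.0.0.1, Msg-Id: <MViobBcyfZPkFFRYOl-4N4SA19@rmxsmania.com>
[15/Aug/2017 10:22:27] Recv: Queue-ID: 599116e0-00014090, Service: DSN, From: <>, To: <sales@mydomain.com>, Size: 2900, Report: success, Subject: Visszaigazolás: **SPAM** [****]  spam test 2, Msg-Id: <3841761417-21799@mail.mydomain.com>
[15/Aug/2017 10:54:12] Recv: Queue-ID: 599116f0-000140a0, Service: DSN, From: <>, To: <violah3tbj2a@spalks.com>, Size: 3300, Report: success, Subject: Visszaigazolás: **SPAM** [*****]  ŐRÜLT nyári leárazás, Msg-Id: <3843666046-22916@mail.mydomain.com>
[15/Aug/2017 10:54:13] Sent: Queue-ID: 599116f0-000140a0, Recipient: <violah3tbj2a@spalks.com>, Result: delayed, Status: 4.4.1 Cannot connect to host, Remote-Host: spalks.com, Msg-Id: <3843666046-22916@mail.mydomain.com>
"""

RECV_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: Queue-ID: (?P<qid>\S+), Service: (?P<svc>\w+), "
    r"From: <(?P<sender>[^>]*)>, To: <(?P<to>[^>]+)>, .*Subject: (?P<subject>.*?), Msg-Id: <")
SENT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Sent: Queue-ID: (?P<qid>\S+), Recipient: <(?P<rcpt>[^>]+)>, "
    r"Result: (?P<result>\w+), Status: [^,]*, Remote-Host: (?P<host>[^,]+),")

def find_spam_dsns(log_text, local_domains):
    """Return (leaks, stuck): leaks lists (queue-id, external address) pairs for DSNs
    generated for messages already tagged **SPAM**; stuck counts, per remote host, how
    many of those DSNs are delayed in the queue (unreachable spammer hosts, as in the thread)."""
    local = {d.lower() for d in local_domains}
    leaks, stuck, tracked = [], Counter(), set()
    for line in log_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            # A DSN is a server-generated message with an empty envelope sender (From: <>).
            if m["svc"] == "DSN" and m["sender"] == "" and SPAM_TAG in m["subject"]:
                domain = m["to"].rpartition("@")[2].lower()
                if domain not in local:  # the notification is leaving the organisation
                    leaks.append((m["qid"], m["to"]))
                    tracked.add(m["qid"])
            continue
        m = SENT_RE.match(line)
        if m and m["qid"] in tracked and m["result"] == "delayed":
            stuck[m["host"].strip()] += 1
    return leaks, stuck

if __name__ == "__main__":
    leaks, stuck = find_spam_dsns(SAMPLE_LOG, {"mydomain.com"})
    for qid, addr in leaks:
        print(f"spam DSN {qid} sent to external address {addr}")
    print("delayed per remote host:", dict(stuck))
```

Feeding the real mail log through the same function gives the per-host count atomitech was estimating by hand from the queue.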
atomitech
Brian Carmichael (Kerio) wrote on Tue, 08 August 2017 20:30
In the SMTP server -> Security options, make sure all of the options are enabled.
This issue can happen if you are forwarding messages to another backend mail system and the message was addressed to an unknown recipient. Try to avoid this situation if possible.
Kerio Connect only sends delivery status notifications for messages that have passed all security settings and have been received into the queue.


Thanks Brian.

To reply to your questions: all Security Options are ticked and there is no forwarding. It seems like the same situation as @RadimAdmin describes: DSNs are being sent for probable spam, and the spammers are starting to milk that loophole.
Brian (GFI/Kerio)
Check the Spam Filter -> Spam Rating area. Make sure you are NOT sending bounce messages to the sender. This option is in the "Reached block score limit action".
Otherwise, if you view the content of these messages in the queue, it could help to identify which component is replying to these messages.

Brian Carmichael
Instructional Content Architect
atomitech
Brian Carmichael (Kerio) wrote on Mon, 14 August 2017 21:04
Check the Spam Filter -> Spam Rating area. Make sure you are NOT sending bounce messages to the sender. This option is in the "Reached block score limit action".
Otherwise, if you view the content of these messages in the queue, it could help to identify which component is replying to these messages.


We are NOT sending bounce messages.
However, we DO forward msgs to a local quarantine address (an email address on the Kerio mailserver), should that be something.

Will check the msg queue sources when some more appear....

atomitech
Got one...

Seems to show "Mail Delivery Subsystem <postmaster@mail.mydomain.com>" is sending this delivery receipt, despite having marked the message subject line as spam.

Thanks again for your suggestions, and hope this helps you diagnose.


What I did for testing: Created a custom spam rule to add 6 score to messages with "spam test" in the title, then sent myself a message with the delivery and read receipt options ticked.

Return-Path: <>
Received: from localhost
	by mail.mydomain.com; Tue, 15 Aug 2017 10:22:27 +0200
Date: Tue, 15 Aug 2017 10:22:27 +0200
Message-ID: <3841761417-21799@mail.mydomain.com>
MIME-Version: 1.0
From: Mail Delivery Subsystem <postmaster@mail.mydomain.com>
To: <sales@mydomain.com>
Subject: =?utf-8?Q?Visszaigazol=C3=A1s=3A_**SPAM**_=5B****=5D__spam_test?=
	=?utf-8?Q?_2?=
Content-Type: multipart/report; report-type=delivery-status;
	boundary="MIME-3841761417-2090780927-delim"

...

X-Spam-Status: Yes, hits=4.6 required=3.8
	tests=AWL: -0.007, BAYES_00: -1.665, HTML_MESSAGE: 0.001,
	XPRIO: 0.299, CUSTOM_RULE_SUBJECT: 6.00, TOTAL_SCORE: 4.628,autolearn=no
X-Spam-Flag: YES
X-Spam-Level: ****
Brian (GFI/Kerio)
It would be better to capture the content of a real (not simulated) DSN message. However, as a solution to your problem you can create an outgoing message filter rule that discards messages with **SPAM** in the subject.

Brian Carmichael
Instructional Content Architect
atomitech
Thank you Brian.

My (mis)understanding was that the server message filter doesn't work on DSNs or server-originating messages. I've added that filter now and will report back.

For reference, here's a real .eml from the queue this morning. Apart from the Return-Path header, the rest appears the same to my untrained eye!

Received: from localhost
	by mail.mydomain.com; Tue, 15 Aug 2017 10:54:12 +0200
Date: Tue, 15 Aug 2017 10:54:12 +0200
Message-ID: <3843666046-22916@mail.mydomain.com>
MIME-Version: 1.0
From: Mail Delivery Subsystem <postmaster@mail.mydomain.com>
To: <violah3tbj2a@spalks.com>
Subject: =?utf-8?Q?Visszaigazol=C3=A1s=3A_**SPAM**_=5B*****=5D__=C5=90R?=
	=?utf-8?Q?=C3=9CLT_ny=C3=A1ri_le=C3=A1raz=C3=A1s=3A_3_l=C3=B3er?=
	=?utf-8?Q?=C5=91s_f=C5=B1r=C3=A9sz=2C_52_k=C3=B6bcentivel=2C_osz?=
	=?utf-8?Q?tr=C3=A1k_min=C5=91s=C3=A9g?=
Content-Type: multipart/report; report-type=delivery-status;
	boundary="MIME-3843666046-28497765-delim"

--MIME-3843666046-28497765-delim
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit


Ezt a tájékoztató üzenetet küldte: mail.mydomain.com.

A szerver sikeresen kézbesítette a levelet 

  Subject: **SPAM** [*****]  ŐRÜLT nyári leárazás: 3 lóerős fűrész,  ...
  Date: Tue, 15 Aug 2017 10:55:53 +0200



a következo címzetteknek:

  <delio@mydomain.com> (delivered)
--MIME-3843666046-28497765-delim
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.mydomain.com
Arrival-Date: Tue, 15 Aug 2017 10:54:11 +0200

Original-Recipient: delio@mydomain.com
Final-Recipient: rfc822;delio@mydomain.com
Action: delivered
Status: 2.0.0

--MIME-3843666046-28497765-delim
Content-Type: text/rfc822-headers

X-Spam-Status: Yes, hits=5.5 required=3.8
	tests=BAYES_50: 1.567, HTML_IMAGE_ONLY_20: 1.546, HTML_MESSAGE: 0.001,
	HTML_SHORT_LINK_IMG_3: 0.148, MIME_HTML_ONLY: 0.723, URIBL_BLOCKED: 0.001,
	URIBL_RHS_DOB: 1.514, TOTAL_SCORE: 5.500,autolearn=no
X-Spam-Flag: YES
X-Spam-Level: *****
Received: from gone.spalks.com ([66.37.0.99])
	by mail.mydomain.com with ESMTP
	for delio@mydomain.com;
	Tue, 15 Aug 2017 10:54:10 +0200
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=dkim; d=spalks.com;
 h=Date:To:Subject:Message-ID:From:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; i=violah3tbj2a@spalks.com;
 bh=Hamk0Y0BvBrkfSpaOf7FDTklK84=;
 b=SUQi/cDju7Hz/BB6k9vP9dbtTZJLbdM5pjTka93joNgU0jS7neJ1TFirAnbvCro3lgQ8oNIoX4Ac
   9n4zfP91nXcp0LkhXBE+t3xqPcOqsPizIeGt6PIHjQoqycdkp0U/vvaW/k1Gm9/OokOqICN5KE8W
   bUiEMcpFsGpt4TUgTk8=
DomainKey-Signature: a=rsa-sha1; c=nofws; q=dns; s=dkim; d=spalks.com;
 b=LXlLUSSUpy/jxVkSYAj9leQWIowCTQRgvUWZ6fPWjP7iB+hKYQmnXocg5WbY96dxopENdIxcgbBO
   fBRe6SsK4IPJ2LwCkBgKcRGiZvjuF5IHXpju1YHu2OZ7o2D2ugnInrT7K2C3r7H0tlU3wBA9oG0w
   vL0HzNUbYC6Yv0theIA=;
Date: Tue, 15 Aug 2017 10:55:53 +0200
To:  <delio@mydomain.com>
X-Original-Subject: =?UTF-8?Q?=C5=90R=C3=9CLT_ny=C3=A1ri_le=C3=A1raz=C3=A1s:_3_l=C3=B3er=C5=91s_f=C5=B1r=C3=A9sz,_52_k=C3=B6bcentivel,_osztr=C3=A1k_min=C5=91s=C3=A9g?=
Subject: **SPAM** [*****]  =?UTF-8?Q?=C5=90R=C3=9CLT_ny=C3=A1ri_le=C3=A1raz=C3=A1s:_3_l=C3=B3er=C5=91s_f=C5=B1r=C3=A9sz,_52_k=C3=B6bcentivel,_osztr=C3=A1k_min=C5=91s=C3=A9g?=
Message-ID: <axzxsnhqiqolsqsfvotrfmeucvkckpfc@spalks.com>
Return-Path: ua16vc1esky8ftic8.joNmls@spalks.com
From: =?UTF-8?Q?Viola?= <violah3tbj2a@spalks.com>
Reply-To: violah3tbj2a@spalks.com
MIME-Version: 1.0
X-Priority: 3
Precedence: bulk
X-Mailer: class SMTPMail
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

--MIME-3843666046-28497765-delim--



This is what shows (over and over) in the Warning log:

Cannot connect to SMTP server spalks.com. Messages will stay in the message queue.


To give some perspective, there are currently 247 such messages in the queue. I haven't counted how many different sending domains, but it looks like 20 or so different ones.

[Updated on: Wed, 16 August 2017 06:58]

atomitech
Update-

Unfortunately the DSN/server messages were NOT processed by the global message filter. I've enabled sieve-msgs in the debug log, and can see the rule processing everything except the DSNs.

A sample for a non-DSN (normal email) message indicates the filter is operational:

[16/Aug/2017 08:13:34][8046] {sieve} Global sieve rule keriodb://sieverule/ca700663-8f8e-41a2-b0f9-7ab125e9ffd3 (**SPAM**) successfully parsed.


I've also tried adding a filter for all messages from the postmaster email address (postmaster@mail.mydomain.com), but that doesn't pick up any messages either.

Brian (GFI/Kerio)
The rule should be in the Outgoing rules and should specify if any of the following conditions are met:
Subject contains **SPAM**
Discard message

Brian Carmichael
Instructional Content Architect
atomitech
Correct. And that doesn't discard them when they are sent by the server (i.e. DSN messages).

The rule does discard a test message, which I sent myself.

Furthermore, nothing appears in the "sieve filter" debug log for DSN types of messages, whereas logs appear for all other user messages.

All this leads me to deduce that DSN messages skip the filter...

Brian, could I ask specifically... Are you 100% sure that all outgoing messages originating from the server itself (such as DSN messages) do get parsed by the filters?

If you are certain, then I sure will look for other reasons why the filter on those messages doesn't get actioned.
Brian (GFI/Kerio)
I've done some testing and it seems that the outgoing rules apply to bounces from the spam filter, however if I request a delivery receipt then I am able to reproduce the behavior you describe. It does seem to skip the outgoing rules for some reason. So it seems there are two issues here:
1. There is no possibility to disable delivery receipt confirmation messages.
2. Outgoing rules do not apply to DSN messages.
I will file a bug for these two items.
Unfortunately I can't find any other solution to this problem.

Brian Carmichael
Instructional Content Architect