KB Article #101365
Spoofing and NDR messages in MailGate
How-to
Summary
This article provides information on spoofing and NDR messages in MailGate. Note that the information below applies to the kind of email spoofing where you are the victim of Non-Delivery Report (NDR) messages sent to your domain that are not responses to anything sent from your domain. Please also note that the term Anti-Spoofing in MailGate's administrative interface refers to blocking external senders that pretend to be from your domain and has no relevance to this article.
Details
The NDR messages you are observing are responses to emails that were sent "on behalf of" internal senders in your network, so-called spoofed emails. What is actually happening is that many external domains receive messages claiming to come from your domain, with members of your internal staff as the sender. These messages actually come from an external sender, usually a spammer, who is spoofing your domain and your users' addresses and pretending to send from your domain.
This is possible because many hosts on the Internet cannot afford to apply a technique called reverse DNS lookup (rDNS) to the sending IP address. The reason is the high risk of false positives: too many legitimate sending hosts have no PTR record at all, or have one whose forward (A) record does not point back to the sending IP, so rejecting mail on a failed rDNS check would also reject a lot of legitimate mail. In theory, if rDNS were widely used, every host that implements it would be able to recognise that the messages claiming a MAIL FROM: and Reply-To: address of a valid sender within your domain do not come from your domain but from some unknown spammer.
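The check described above, written out as an added example (this is not MailGate code and not part of the original article): a forward-confirmed reverse DNS check that a receiving host could run against the connecting IP, with the MAIL FROM domain compared against the domain of the confirmed PTR name. The DNS lookups are injected as callables so the example runs offline against a constructed table; the IP addresses, hostnames, the "last two labels" approximation of a registrable domain and the example.com / partner.example / isp.example names are all assumptions for illustration. The live_* functions show how the same check would be wired to the system resolver.

```python
import socket

# Added example, not MailGate code. Hostnames, addresses and domains are constructed.

def domain_of(name):
    """Registrable domain, approximated here as the last two labels (assumption)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def rdns_verdict(ip, mail_from_domain, ptr_lookup, a_lookup):
    """Return (status, ptr_name) for a connecting ip that claims mail_from_domain.

    status is one of:
      'pass'      PTR exists, its A record points back to ip, and its domain
                  matches the MAIL FROM domain
      'foreign'   PTR confirmed, but it belongs to another domain: for spoofed
                  mail this is the spammer's box, for legitimate mail it is
                  often just a hosted or outsourced relay (the false-positive risk)
      'mismatch'  PTR exists but the forward lookup does not return ip
      'no_ptr'    no PTR record for ip at all
    """
    names = ptr_lookup(ip)
    if not names:
        return "no_ptr", None
    for name in names:
        if ip in a_lookup(name):
            if domain_of(name) == mail_from_domain.lower():
                return "pass", name
            return "foreign", name
    return "mismatch", names[0]


# Constructed DNS data (assumption): 192.0.2.10 is the domain's real outbound host,
# 198.51.100.7 a spammer's box with a valid but foreign PTR, 203.0.113.5 a
# legitimate host whose PTR no longer resolves back, 203.0.113.9 a host without PTR.
PTR_TABLE = {
    "192.0.2.10": ["mail.example.com."],
    "198.51.100.7": ["dsl-7.isp.example."],
    "203.0.113.5": ["old-name.partner.example."],
}
A_TABLE = {
    "mail.example.com.": ["192.0.2.10"],
    "dsl-7.isp.example.": ["198.51.100.7"],
    "old-name.partner.example.": ["203.0.113.99"],
}


def table_ptr_lookup(ip):
    return PTR_TABLE.get(ip, [])


def table_a_lookup(name):
    return A_TABLE.get(name, [])


def live_ptr_lookup(ip):
    """Real PTR lookup through the system resolver; empty list when there is none."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:            # socket.herror / socket.gaierror
        return []


def live_a_lookup(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_samples():
    """All four senders claim MAIL FROM: <someone@example.com>."""
    return {ip: rdns_verdict(ip, "example.com", table_ptr_lookup, table_a_lookup)[0]
            for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.9")}


if __name__ == "__main__":
    for ip, status in check_samples().items():
        print(f"{ip:15} {status}")
```

Only the first sender passes; the spammer is caught as 'foreign', but the two other legitimate senders fail for the DNS hygiene reasons the article gives, which is why a receiving host that rejects on anything but 'pass' loses real mail.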
It is important to understand that there is little to nothing you can do once somebody has already harvested valid sender addresses within your organization. Such a person can freely use those addresses as the SMTP envelope sender of spam, bulk, virus or DHA (directory harvest attack) messages aimed at other domains. Almost no receiving relay is able to tell that the real sender is not part of your domain and is not allowed to send messages on your behalf.
Many of the relays that do not use edge/connection-level defenses accept such a message and then reply to the "original" sender, which is a valid recipient within your domain. Their reply is a perfectly valid NDR stating that the recipient the spammer tried to reach does not exist in their network. Thus the spammer achieves the goal of flooding your domain with multiple NDRs (often called backscatter) generated by legitimate domains as a result of the attack.
If you simply quarantine all NDR messages you will lose the valid NDRs as well, which would be harmful in cases where a real message from one of your senders was not accepted by an external host and the sender never learns about it.
In such cases we suggest implementing two policies. The first one marks every outgoing message with a custom X-header.
The second one looks for keywords in the subject that suggest an NDR and checks whether the custom X-header is present in the body or attachments of the message; if it is, the NDR refers to a message that really left your domain and is let through.
The headers of the original message that could not be delivered should be present in the NDR, either in its body or as a whole message attached to it, as described in RFC 1891 (since obsoleted by RFC 3461, which keeps the same wording):
The SMTP protocol [1] requires that an SMTP server provide notification of delivery failure, if it determines that a message cannot be delivered to one or more recipients. Traditionally, such notification consists of an ordinary Internet mail message (format defined by [2]), sent to the envelope sender address (the argument of the SMTP MAIL command), containing an explanation of the error and at least the headers of the failed message.
Below are the steps needed to build the set of policies in MailGate.
Outbound policy
1. Leave the catch conditions empty, so that the policy matches every outgoing message.
2. In the Action conditions, specify deliver normally.
3. Choose Modify Headers to add an X-header; for example, the header could be: X-Outbound:PASSED
The summary of the outbound policy should look like this:
IF: any message
THEN: add the X-Headers: 'X-Outbound:PASSED' and continue processing
Inbound policy
1. Choose Keyword Match, leave only the Subject checkbox selected, and then select a word list with keywords typical of NDR subjects:
Delivery Status Notification (Failure)
Undelivered Mail Returned to Sender
Undeliverable: Delivery Status Notification (Failure)
Undeliverable:*
DELIVERY FAILURE:*
Undeliverable Mail
You may add other strings to accommodate the NDR messages you are actually receiving.
2. Click the Exceptions link and leave both the Body and Attachments checkboxes selected.
3. Select Any of the following words or phrases and paste the custom X-header chosen above into the text field.
In this example that is X-Outbound:PASSED.
4. For the Action condition, select quarantine, since the messages this policy catches should be the 'invalid' NDRs.
The summary of the inbound policy should be close to:
IF: message subject contains entries in any of the list(s): 'NDR Subjects'
EXCEPT IF: message body or attachments contain any of the words: 'X-Outbound:PASSED'
THEN: quarantine message (and make visible to recipients) and tag message as: NDR Spoof
Please note that this solution will also quarantine valid non-delivery messages that do not embed the original message (or its headers). In practice this is around 80% of the valid NDRs; they remain available to end users through their daily report and can be released with a click. Note also that the marker header travels in every outbound message, so it is visible to anyone who receives mail from your domain; a spammer who copies it into spoofed messages would have the resulting bounces passed by the exception. The marker is therefore a practical heuristic, not proof of origin.
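The decision logic of the inbound policy above, including the limitation just described, as an added example written in Python over the standard email package (this is not MailGate code and not part of the original article). The word list and the X-Outbound:PASSED marker are the ones from the article; assumptions are that entries containing '*' are evaluated as wildcards and the others as case-insensitive substrings, that the marker may appear as "X-Outbound: PASSED" once mail software has written it out as a header, and that the sample bounces (alice@example.com, remote.example, MAILER-DAEMON) are constructed. A bounce can carry the undeliverable message either as a whole message/rfc822 attachment or as a headers-only text/rfc822-headers part, and both are covered.

```python
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage

# Added example, not MailGate code. Sample messages below are constructed.

# Subject word list from the article. '*' entries are wildcards, the rest are
# case-insensitive substrings (assumption about how the product evaluates them).
NDR_SUBJECTS = [
    "Delivery Status Notification (Failure)",
    "Undelivered Mail Returned to Sender",
    "Undeliverable: Delivery Status Notification (Failure)",
    "Undeliverable:*",
    "DELIVERY FAILURE:*",
    "Undeliverable Mail",
]

# The outbound policy adds 'X-Outbound:PASSED'; as a header it is usually written
# 'X-Outbound: PASSED', so match a normalised form at the start of a header line.
MARKER_RE = re.compile(r"^x-outbound:\s*passed\b", re.IGNORECASE | re.MULTILINE)


def subject_looks_like_ndr(subject):
    s = (subject or "").strip().lower()
    for pat in NDR_SUBJECTS:
        p = pat.lower()
        if ("*" in p and fnmatch.fnmatchcase(s, p)) or ("*" not in p and p in s):
            return True
    return False


def _searchable_text(msg):
    """Yield the NDR's text parts plus the header block of any attached original.

    walk() descends into message/rfc822 attachments, but the attached message's
    own headers (where the marker lives) are not a text part, so emit them here.
    text/rfc822-headers parts of a DSN are ordinary text parts and come out as-is.
    """
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            yield "".join(f"{k}: {v}\n" for k, v in inner.items())
        elif part.get_content_maintype() == "text":
            yield part.get_content()


def classify(raw):
    """'quarantine' for an NDR that does not carry our marker, 'deliver' otherwise."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not subject_looks_like_ndr(msg["Subject"]):
        return "deliver"        # not an NDR: the inbound policy does not fire
    if any(MARKER_RE.search(chunk) for chunk in _searchable_text(msg)):
        return "deliver"        # EXCEPT IF: marker found in body or attachments
    return "quarantine"


# --- constructed samples --------------------------------------------------

def _original(marked):
    """Message from alice@example.com; marked=True means it really went out via MailGate."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "nobody@remote.example"
    m["Subject"] = "Quarterly figures"
    if marked:
        m["X-Outbound"] = "PASSED"
    m.set_content("Please find the figures attached.")
    return m


def make_mail(subject, original=None, headers_only=False, sender="MAILER-DAEMON@remote.example"):
    ndr = EmailMessage()
    ndr["From"] = sender
    ndr["To"] = "alice@example.com"
    ndr["Subject"] = subject
    ndr.set_content("The recipient nobody@remote.example does not exist.")
    if original is not None and headers_only:   # DSN style: headers only
        ndr.add_attachment("".join(f"{k}: {v}\n" for k, v in original.items()),
                           subtype="rfc822-headers")
    elif original is not None:                  # whole original as message/rfc822
        ndr.add_attachment(original)
    return ndr.as_string()


SAMPLES = {
    "real bounce, original attached": make_mail("Undeliverable: Quarterly figures", _original(True)),
    "real bounce, headers only": make_mail("Delivery Status Notification (Failure)", _original(True), True),
    "backscatter from spoofed message": make_mail("Undelivered Mail Returned to Sender", _original(False)),
    "real bounce without original": make_mail("DELIVERY FAILURE: user unknown"),
    "ordinary inbound mail": make_mail("Re: Quarterly figures", sender="bob@remote.example"),
}


def run_samples():
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:10} {name}")
```

The fourth sample is the limitation from the paragraph above: a genuine bounce that embeds nothing from the original cannot be told apart from backscatter and ends up quarantined, which is why the quarantine must stay visible to recipients.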
Additional resources on the subject:
http://en.wikipedia.org/wiki/E-mail_spoofing
http://en.wikipedia.org/wiki/Reverse_DNS_lookup