About defending against bounce attacks
Article: HOWTO53527 | Created: 2011-06-06 | Updated: 2012-08-20 | Article URL: http://www.symantec.com/docs/HOWTO53527
A bounce attack occurs when a spammer obscures the origin of a message by using one email server to bounce spam to an address on another server. The spammer does this by inserting a target address into the "Mail From" value in the envelope of their messages, and then sending those messages to another address.
If the initial recipient finds the message undeliverable, that recipient's mail server treats the forged "Mail From" value as the original sender and returns, or "bounces," the message to that target. Because the targeted system recognizes the server from which the message was bounced as a legitimate sender, it accepts the message as a legitimate non-deliverable receipt (NDR) message.
Bounce attacks can be used to leverage the initial recipient's "good" reputation when sending spam, pollute the initial recipient's IP reputation, or create denial of service attacks at the target's server.
To set up Bounce Attack Prevention for your mail system, you must:
Provide a Bounce attack prevention seed value in your Control Center.
Determine and configure the policy groups to which you want the system to apply Bounce Attack Prevention.
Assign a policy (a default policy is provided) to the policy group that determines the actions to be taken for NDRs that do not pass Bounce Attack Prevention validation.
For successful processing you must also ensure that all of your applicable outbound mail is routed through the appliance.
Once your system is configured for Bounce Attack Prevention, Symantec Messaging Gateway calculates a unique tag that uses the provided seed value as well as the current date. Your Scanner attaches this tag to outbound messages sent by users in your defined policy groups.
If the message is then returned as undeliverable, the envelope's return address will contain this tag.
When the system receives a message that appears to be an undeliverable-message return (an NDR), it compares the inbound message's recipient against the policy group configuration to determine whether that user's policy group is configured for Bounce Attack Prevention. If the policy group is configured, the system calculates a new tag from the seed value and the current date, then uses that new tag to validate the tag in the email.
A valid tag on an inbound NDR will include the following:
The correct tag format
A seed value that matches the seed value in the new calculated tag
A date that falls within a week of the new calculated tag
Based on this evaluation, Symantec Messaging Gateway will do the following:
If the system determines that the tag is valid, the system strips the tag from the envelope and sends the message forward for filtering and delivery per your mail filtering configuration.
If there is no tag, or the tag content does not match the tag calculated for validation, the address is rewritten without the tag information and the message is then managed per your Bounce Attack Prevention policy configuration. An error is logged, and the message is accounted for in your message statistics as a message with a "single threat." The message is also included in your system spam statistics as a "bounce threat."
If your policy defines an action other than "reject" when the message fails validation, the message can acquire more threats and could then be counted in your statistics as a "multiple threat."
If the system cannot perform validation because the tag format is unrecognizable, it does not strip the tag and keeps it as part of the address. The system then acts on the message based on the actions you define in your spam policy configuration.
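The tagging and validation flow described above (seed plus current date on outbound mail, format check, seed match and one-week date window on inbound NDRs, and the four outcomes: valid, missing or mismatched, or unparseable) can be illustrated with a small BATV-style implementation. This is an added example, not Symantec Messaging Gateway's code, and its tag layout `bap=YYYYMMDD-<digest>=<local>@<domain>` is a constructed stand-in for whatever format the product actually uses. Instead of embedding the seed in the tag, it mixes the seed into a keyed digest over the date and the untagged address, so a tag produced under a different seed fails the match the same way; a tag dated in the future is treated as invalid, which is an assumption the article does not state. The `demo()` scenario and its addresses are constructed.

```python
"""Constructed BATV-style bounce-address tagging (hypothetical format, not Symantec's)."""
import hmac
import hashlib
from datetime import date, timedelta

# Hypothetical tag layout: bap=YYYYMMDD-<12 hex chars>=<original local part>@<domain>
TAG_PREFIX = "bap="
MAC_LEN = 12


def _mac(seed: str, day: str, address: str) -> str:
    """Keyed digest over the date and the untagged address. The seed is the key,
    so it never appears on the wire and a different seed cannot reproduce the tag."""
    msg = f"{day}|{address.lower()}".encode()
    return hmac.new(seed.encode(), msg, hashlib.sha256).hexdigest()[:MAC_LEN]


def tag_sender(address: str, seed: str, today: date) -> str:
    """Rewrite the envelope MAIL FROM of an outbound message with a dated tag."""
    local, domain = address.rsplit("@", 1)
    day = today.strftime("%Y%m%d")
    return f"{TAG_PREFIX}{day}-{_mac(seed, day, address)}={local}@{domain}"


def validate_bounce(recipient: str, seed: str, today: date, max_age_days: int = 7):
    """Classify the envelope recipient of an inbound NDR.

    Returns (status, address):
      'untagged'    - no tag present; address unchanged
      'unparseable' - looks tagged but not in the expected format; tag kept
      'invalid'     - tag parsed but digest or date check failed; tag stripped
      'valid'       - tag verified; tag stripped
    """
    local, domain = recipient.rsplit("@", 1)
    if not local.startswith(TAG_PREFIX):
        return "untagged", recipient
    body = local[len(TAG_PREFIX):]
    # Format check: the tag must split cleanly into date, digest and original local part.
    try:
        stamp, orig_local = body.split("=", 1)
        day, mac = stamp.split("-", 1)
    except ValueError:
        return "unparseable", recipient
    if len(day) != 8 or not day.isdigit() or len(mac) != MAC_LEN or not orig_local:
        return "unparseable", recipient
    try:
        tag_date = date(int(day[:4]), int(day[4:6]), int(day[6:8]))
    except ValueError:
        return "unparseable", recipient
    original = f"{orig_local}@{domain}"
    # Recompute the tag for the claimed date under our seed and compare in constant time;
    # the date must fall within the accepted window (not in the future, not older than a week).
    expected = _mac(seed, day, original)
    age = today - tag_date
    if hmac.compare_digest(expected, mac) and timedelta(0) <= age <= timedelta(days=max_age_days):
        return "valid", original
    return "invalid", original


def demo() -> dict:
    """Constructed scenario: tag one outbound sender, then classify several inbound NDRs."""
    seed, sent_on = "example-seed-value", date(2012, 8, 20)  # constructed values
    tagged = tag_sender("alice@example.com", seed, sent_on)
    return {
        "tagged": tagged,
        "fresh": validate_bounce(tagged, seed, sent_on + timedelta(days=2)),
        "stale": validate_bounce(tagged, seed, sent_on + timedelta(days=8)),
        "wrong_seed": validate_bounce(tagged, "other-seed", sent_on),
        "untagged": validate_bounce("alice@example.com", seed, sent_on),
        "garbled": validate_bounce("bap=notatag@example.com", seed, sent_on),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The two failure classes map onto the article's outcomes: `invalid` (and `untagged`) return the address with the tag removed, which is what the rewrite-then-apply-policy path needs, while `unparseable` returns the recipient untouched so the tag stays in the address for the spam policy to act on. Note that the date window is the only thing bounding replay: a tag remains verifiable for a week after it was generated, so the seed must be kept confidential and the window should not be widened casually.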
Bounced messages over 50k are truncated. Attachments in truncated messages may be unreadable.