
Prevent Bounce Attacks with Brightmail

Updated: 04 Nov 2010 | 4 comments

Hello,

A bounce attack occurs when a spammer obscures message origins by using one email server to bounce spam to an address on another server. The spammer does this by inserting a target address into the “Mail From” value in the envelope of their messages and then sending those messages to another address.

The Symantec Brightmail Gateway product is not configured out of the box to prevent bounce attacks.

As a rule of thumb, before doing this configuration, make sure all your outgoing e-mail goes through Brightmail Gateway so that it can be processed.

So here is what you need to do to configure Brightmail to protect you against those attacks. (This procedure is accurate for Brightmail Gateway version 9.0.x. For earlier versions, you just need to find the proper configuration points for the same actions.)

We basically need to make three configuration changes to prepare for these attacks:
A. Assign a seed value
B. Configure policy groups
C. Create a spam policy

So, step by step, here is what we need to do:

A. Assign a Seed Value

  1. Log in to the Brightmail web console.
  2. Navigate to Administration > Settings > Control Center and open the Certificates tab.
  3. Type an 8-character alphanumeric seed into the "Bounce attack prevention seed" box.
  4. Click Save.



This seed will be used when creating validation tags for outgoing messages.
You need to do this for each Brightmail Gateway that has a Control Center role in your environment.

B. Configure Policy Groups

  1. Navigate to Administration > Users > Policy Groups.
  2. Select the policy group you want to process and click the Edit button.
  3. Click on the Spam tab.
  4. Select the check box next to the option "Enable bounce attack prevention for this policy group".
  5. Click Save at the bottom of the page.



If you do not configure at least one policy group, bounce attack prevention will remain disabled.

C. Create a Spam Policy

You need a spam policy to define the action when there is a bounce attack. To do so:

  1. Navigate to Spam > Policies > Email.
  2. Click the Add button.
  3. Name the policy, for example "Bounce attack policy".
  4. For the "If the following condition is met:" condition, select "If a message fails bounce attack validation". (You'll notice that the "Apply to" section changes to "Inbound messages" automatically.)
  5. As for the action, select the "Reject messages failing bounce attack validation" option and click "Add Action". (This is the recommended action, but you may choose something else as per your needs.)
  6. Select the policy group to which you want this rule applied.
  7. Click Save.



Now your Brightmail Gateway is ready to protect your environment against bounce attacks.
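The tag-and-validate mechanism behind the seed (step A) and the reject action (step C), as an added example that is not part of the original article and is not Symantec's code. The `prvs=` tag layout, the 7-day lifetime, the HMAC-SHA256 construction and the sample seed are assumptions modelled on the public BATV approach; the article does not describe Brightmail's actual tag format.

```python
import hashlib
import hmac

SEED = b"Xy7kQ2mP"      # constructed 8-character seed, stands in for the console value
TAG_LIFETIME_DAYS = 7   # assumed validity window for a tag

def _mac(seed, expiry, address):
    """Truncated HMAC over the expiry day and the original sender address."""
    msg = f"{expiry:03d}{address.lower()}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]

def tag_sender(address, today, seed=SEED):
    """Outbound: rewrite the envelope MAIL FROM so it carries a validation tag."""
    expiry = (today + TAG_LIFETIME_DAYS) % 1000
    return f"prvs={expiry:03d}{_mac(seed, expiry, address)}={address}"

def validate_bounce(mail_from, rcpt_to, today, seed=SEED):
    """Inbound: return (verdict, delivery_address) for one SMTP envelope."""
    if mail_from != "":                  # only null-sender messages are bounces
        return "not-a-bounce", rcpt_to
    if not rcpt_to.startswith("prvs="):
        return "reject", None            # bounce for mail this gateway never tagged
    tag, sep, address = rcpt_to[5:].partition("=")
    if not sep or len(tag) != 11 or not tag[:3].isdigit():
        return "reject", None            # malformed tag
    expiry = int(tag[:3])
    # Days remaining, taken modulo 1000 so the 3-digit day counter can wrap.
    if (expiry - today) % 1000 > TAG_LIFETIME_DAYS:
        return "reject", None            # tag has expired
    if not hmac.compare_digest(tag[3:], _mac(seed, expiry, address)):
        return "reject", None            # forged or altered tag
    return "accept", address             # deliver to the untagged address

if __name__ == "__main__":
    day = 20000                          # constructed day number
    tagged = tag_sender("alice@example.com", day)
    # Constructed envelopes: a genuine bounce and a backscatter bounce.
    for rcpt in (tagged, "alice@example.com"):
        print(rcpt, "->", validate_bounce("", rcpt, day + 1))
```

The untagged bounce is rejected because no outgoing message from this gateway could have produced it, which is why all outgoing mail has to pass through the gateway before the policy is enabled.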

Regards,
Bekir Burak Durmaz


Comments

Fatih Teke, 30 Aug 2010

Very Good

Hello Bekir,
You always create good articles. Thank you for this.

Best Regards.
Fatih

 Everything works better when everything works together.

Bekir, 31 Aug 2010

I'll keep it coming :D


Best regards,
Bekir Burak Durmaz

Mahesh Roja, 05 Sep 2010

Thanks for the Info

Thanks

If this Info helps to resolve the issue please Mark as Solution

Thanks

VKalani, 12 Sep 2010

Excellent...thanks a lot!!!


-VKalani