Why an empty MAIL FROM address can sent out email?
Solution 1
The empty MAIL FROM
is used for delivery status notifications. Mail servers are required to support it (RFC 1123 section 5.2.9).
It’s used primarily for bounce messages, to prevent an endless loop. When MAIL FROM
is used with an empty address (represented as <>
), the receiving server knows not to generate a bounce message if the message is being sent to a non-existent user.
Without this, it might be possible for someone to DoS you simply by faking a message to a non-existent user at another domain, with a return address of a non-existent user at your own domain, resulting in a never-ending loop of bounce messages.
What would happen if you block messages with an empty MAIL FROM:
?
- Your users would not get bounce messages from other domains: they would never know if they made a typo when sending mail to a user at another domain.
The empty MAIL FROM:
messages that you are seeing are probably not coming from a spammer.
Instead, a spammer has faked an address at your domain and used it as the return address for a message to another domain. Let’s say you are yourdomain.com
and my domain is mydomain.net
. The spammer sends a message to [email protected]
, faking the return address as [email protected]
. Since there is no user johnq
in my domain, my mail server sends a bounce message (MAIL FROM:<>
) to the apparent sender, [email protected]
. That is what you are probably seeing.
Blocking empty MAIL FROM
messages will do more harm than good, in my opinion. Spammers, in my experience, rarely use an empty MAIL FROM:
since they can easily fake a real-looking address. When the message is actual spam, there are far better ways to detect and block it, including RBLs, Bayesian filters, and SpamAssassin.
And finally, you can prevent at least some of the forgeries using yourdomain.com
by setting up proper SPF records for your domain.
Update: After looking closer at your log, someone was able to AUTH
using a valid username and password for your server. This puts it in a whole other category of trouble. However, everything I said about MAIL FROM:
still stands. 99% of the time it’s going to be the result of bounce messages.
Solution 2
You can search option for you mail server to limit MAIL FROM to authenticated user e-mail. Many mail systems apply that limitation.
And so,force hacked users to change password.
eatyourpeas
Updated on September 17, 2022Comments
-
eatyourpeas almost 2 years
We are using Smarter Mail system. Recently, we found that hacker had hacked some user accounts and sent out lots of spams. We have firewall to ratelimit the sender, but for the following email, the firewall couldn't do this because of the empty FROM address. Why an empty FROM address is consider OK? Actually, in our MTA(surgemail), we can see the sender in the email header. Any idea?
11:17:06 [xx.xx.xx.xx][15459629] rsp: 220 mail30.server.com 11:17:06 [xx.xx.xx.xx][15459629] connected at 6/16/2010 11:17:06 AM 11:17:06 [xx.xx.xx.xx][15459629] cmd: EHLO ulix.geo.auth.gr 11:17:06 [xx.xx.xx.xx][15459629] rsp: 250-mail30.server.com Hello [xx.xx.xx.xx] 250-SIZE 31457280 250-AUTH LOGIN CRAM-MD5 250 OK 11:17:06 [xx.xx.xx.xx][15459629] cmd: AUTH LOGIN 11:17:06 [xx.xx.xx.xx][15459629] rsp: 334 VXNlcm5hbWU6 11:17:07 [xx.xx.xx.xx][15459629] rsp: 334 UGFzc3dvcmQ6 11:17:07 [xx.xx.xx.xx][15459629] rsp: 235 Authentication successful 11:17:07 [xx.xx.xx.xx][15459629] Authenticated as [email protected] 11:17:07 [xx.xx.xx.xx][15459629] cmd: MAIL FROM: 11:17:07 [xx.xx.xx.xx][15459629] rsp: 250 OK <> Sender ok 11:17:07 [xx.xx.xx.xx][15459629] cmd: RCPT TO:[email protected] 11:17:07 [xx.xx.xx.xx][15459629] rsp: 250 OK <[email protected]> Recipient ok 11:17:08 [xx.xx.xx.xx][15459629] cmd: DATA
-
eatyourpeas about 14 yearsThank you very much! It's very helpful. I should ask this question earlier. :)
-
Nate about 14 yearsGlad to help. Please see the “Update” that I added.
-
eatyourpeas about 14 yearsWe had tried to limit the MAIL FROM to authenticated user e-mail before, but it caused client can't send email if they have multiple email accounts in their POP client. After we found the hacked account, we had changed their password immediately. Thanks.