Why an empty MAIL FROM address can sent out email?

spam email
21,988

Solution 1

The empty MAIL FROM is used for delivery status notifications. Mail servers are required to support it (RFC 1123 section 5.2.9).

It’s used primarily for bounce messages, to prevent an endless loop. When MAIL FROM is used with an empty address (represented as <>), the receiving server knows not to generate a bounce message if the message is being sent to a non-existent user.

Without this, it might be possible for someone to DoS you simply by faking a message to a non-existent user at another domain, with a return address of a non-existent user at your own domain, resulting in a never-ending loop of bounce messages.

What would happen if you block messages with an empty MAIL FROM:?

  • Your users would not get bounce messages from other domains: they would never know if they made a typo when sending mail to a user at another domain.

The empty MAIL FROM: messages that you are seeing are probably not coming from a spammer.

Instead, a spammer has faked an address at your domain and used it as the return address for a message to another domain. Let’s say you are yourdomain.com and my domain is mydomain.net. The spammer sends a message to [email protected], faking the return address as [email protected]. Since there is no user johnq in my domain, my mail server sends a bounce message (MAIL FROM:<>) to the apparent sender, [email protected]. That is what you are probably seeing.

Blocking empty MAIL FROM messages will do more harm than good, in my opinion. Spammers, in my experience, rarely use an empty MAIL FROM: since they can easily fake a real-looking address. When the message is actual spam, there are far better ways to detect and block it, including RBLs, Bayesian filters, and SpamAssassin.

And finally, you can prevent at least some of the forgeries using yourdomain.com by setting up proper SPF records for your domain.

Update: After looking closer at your log, someone was able to AUTH using a valid username and password for your server. This puts it in a whole other category of trouble. However, everything I said about MAIL FROM: still stands. 99% of the time it’s going to be the result of bounce messages.

Solution 2

You can search option for you mail server to limit MAIL FROM to authenticated user e-mail. Many mail systems apply that limitation.

And so,force hacked users to change password.

Share:
21,988
eatyourpeas
Author by

eatyourpeas

Updated on September 17, 2022

Comments

  • eatyourpeas
    eatyourpeas almost 2 years

    We are using Smarter Mail system. Recently, we found that hacker had hacked some user accounts and sent out lots of spams. We have firewall to ratelimit the sender, but for the following email, the firewall couldn't do this because of the empty FROM address. Why an empty FROM address is consider OK? Actually, in our MTA(surgemail), we can see the sender in the email header. Any idea?

    11:17:06 [xx.xx.xx.xx][15459629] rsp: 220 mail30.server.com
11:17:06 [xx.xx.xx.xx][15459629] connected at 6/16/2010 11:17:06 AM
11:17:06 [xx.xx.xx.xx][15459629] cmd: EHLO ulix.geo.auth.gr
11:17:06 [xx.xx.xx.xx][15459629] rsp: 250-mail30.server.com Hello [xx.xx.xx.xx] 250-SIZE 31457280 250-AUTH LOGIN CRAM-MD5 250 OK
11:17:06 [xx.xx.xx.xx][15459629] cmd: AUTH LOGIN
11:17:06 [xx.xx.xx.xx][15459629] rsp: 334 VXNlcm5hbWU6
11:17:07 [xx.xx.xx.xx][15459629] rsp: 334 UGFzc3dvcmQ6
11:17:07 [xx.xx.xx.xx][15459629] rsp: 235 Authentication successful
11:17:07 [xx.xx.xx.xx][15459629] Authenticated as [email protected]
11:17:07 [xx.xx.xx.xx][15459629] cmd: MAIL FROM:
11:17:07 [xx.xx.xx.xx][15459629] rsp: 250 OK <> Sender ok
11:17:07 [xx.xx.xx.xx][15459629] cmd: RCPT TO:[email protected]
11:17:07 [xx.xx.xx.xx][15459629] rsp: 250 OK <[email protected]> Recipient ok
11:17:08 [xx.xx.xx.xx][15459629] cmd: DATA
  • eatyourpeas
    eatyourpeas about 14 years
    Thank you very much! It's very helpful. I should ask this question earlier. :)
  • Nate
    Nate about 14 years
    Glad to help. Please see the “Update” that I added.
  • eatyourpeas
    eatyourpeas about 14 years
    We had tried to limit the MAIL FROM to authenticated user e-mail before, but it caused client can't send email if they have multiple email accounts in their POP client. After we found the hacked account, we had changed their password immediately. Thanks.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

PermError SPF Permanent Error: Too many DNS lookup
how to avoid email header Received: from unknown and email going to spam
PHP - Send email from other domain without being spam!
sending mail with php & escaping hotmails junk folder
Fake Bounce Spam Emails in Gmail - Are These Really That Fake?
Gmail is marking my emails as SPAM - Please help
How to avoid getting spam through a website?
My website's email is being marked as spam, how do I analyse a X-CNFS-Analysis email header?
Way to list "Contact Us" email address on web site, yet reduce likelihood of spam?
How can I find out if my domain has been added to email blacklists?