Defending against email bounce attacks



Article ID: 171499


Products

Messaging Gateway

Issue/Introduction

You are receiving bounce (non-delivery) messages for mail that was never sent from your environment.

Resolution

A bounce attack occurs when a spammer obscures the origin of a message by using one mail server to bounce spam to an address on another server. The spammer inserts the target address as the "Mail From" value in the envelope of the message and then sends the message to some other address, typically one that does not exist.

If the initial recipient server accepts the message and then finds it undeliverable, it treats the forged "Mail From" value as the original sender and returns, or "bounces", the message to that target. Because the targeted system sees the bounce arriving from a legitimate mail server rather than from the spammer, it accepts it as a legitimate non-delivery report (NDR).

Bounce attacks can be used to borrow the initial recipient's "good" reputation when delivering spam, to pollute the initial recipient's IP reputation (the bounces it emits are themselves spam), or to create a denial of service at the target's server through the volume of bounces.

To set up Bounce Attack Prevention for your mail system, you must:

(NOTE: For successful processing, you must also ensure that all of your applicable outbound mail is routed through the appliance. Mail that leaves by another path is never tagged, so any bounces it produces fail validation and are treated as bounce threats.)

Once your system is configured for Bounce Attack Prevention, Symantec Messaging Gateway calculates a unique tag from the seed value you provided and the current date. Your Scanner attaches this tag to the envelope sender address of outbound messages sent by users in the policy groups you defined.

If the message is then returned as undeliverable, the envelope's return address will contain this tag.

When the system receives a message that appears to be an NDR, it checks the inbound message's recipient against the policy group configuration to see whether that user's policy group is configured for Bounce Attack Prevention. If the policy group is configured, the system calculates a new tag from the seed value and the current date, then uses that new tag to validate the tag carried in the email's recipient address.

A valid tag on an inbound NDR will include the following:

  • The correct tag format
  • A seed value that matches the seed value in the newly calculated tag
  • A date that falls within a week of the date in the newly calculated tag

Based on this evaluation, Symantec Messaging Gateway will do the following:

  • If the system determines that the tag is valid, the system strips the tag from the envelope and sends the message forward for filtering and delivery per your mail filtering configuration.
  • If there is no tag, or the tag content does not match the tag calculated for validation, the address is rewritten without the tag information and the message is handled per your Bounce Attack Prevention policy configuration. An error is logged, the message is counted in your message statistics as a message with a "single threat," and it is also included in your spam statistics as a "bounce threat."
  • If your policy defines an action other than "reject" for a message that fails validation, the message continues through filtering, can acquire more threats, and could then be counted in your statistics as a "multiple threat."
  • If validation cannot be performed because the tag format is unrecognizable, the system does not strip the tag and keeps it as part of the address. The system then acts on the message based on the actions you define in your spam policy configuration.
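The following is a worked example added to this article to make the tag-and-validate flow concrete; it is not Symantec's code, and the tag layout, the HMAC construction, the `bat=` prefix, the function names and the sample addresses are all assumptions chosen for illustration. Messaging Gateway's real tag format is not described on this page. The example tags an outbound envelope sender with the seed and date, then classifies an inbound NDR recipient into the four outcomes described above: valid (tag stripped and forwarded), bounce threat (no tag or mismatched tag, address rewritten without the tag), unrecognized (tag kept), or recipient not in a protected group.

```python
"""BATV-style bounce tagging, as an illustration of the behaviour described above.
Added example, not Symantec Messaging Gateway code; the tag format is assumed."""
import hashlib
import hmac
import re
from datetime import date, datetime, timedelta

# Assumed layout (not SMG's real format): the tag is prepended to the local part as
#   bat=<YYYYMMDD>=<12 hex chars of HMAC-SHA256 keyed with the seed>=<local>@<domain>
TAG_RE = re.compile(
    r"^bat=(?P<day>\d{8})=(?P<mac>[0-9a-f]{12})=(?P<local>[^@]+)@(?P<domain>[^@]+)$",
    re.IGNORECASE,
)
MAX_AGE = timedelta(days=7)  # the article: tag date must fall within a week


def _mac(seed: bytes, address: str, day: str) -> str:
    """Keyed hash over (address, date). Keying on the seed is what makes the
    'seed matches' check work: a tag built with any other seed cannot verify."""
    msg = f"{address.lower()}|{day}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:12]


def tag_sender(seed: bytes, address: str, today: date) -> str:
    """Outbound side: rewrite the envelope sender to carry today's tag."""
    local, domain = address.rsplit("@", 1)
    day = today.strftime("%Y%m%d")
    return f"bat={day}={_mac(seed, address, day)}={local}@{domain}"


def is_bounce(mail_from: str) -> bool:
    """NDRs are sent with a null reverse path (MAIL FROM:<>), RFC 5321 section 4.5.5."""
    return mail_from.strip() in ("", "<>")


def validate_ndr(seed: bytes, rcpt: str, today: date, protected_domains: set) -> tuple:
    """Inbound side. Returns (verdict, recipient address to use):
      'valid'          tag verified; tag stripped, forward for normal filtering
      'bounce_threat'  no tag, or tag mismatch; address rewritten without the tag
      'unrecognized'   tag cannot be parsed; tag kept, handle per spam policy
      'not_protected'  recipient's group has no Bounce Attack Prevention configured"""
    if "@" not in rcpt:
        return ("unrecognized", rcpt)
    local, domain = rcpt.rsplit("@", 1)
    if domain.lower() not in protected_domains:
        return ("not_protected", rcpt)
    if not local.lower().startswith("bat="):
        return ("bounce_threat", rcpt)           # NDR with no tag at all
    m = TAG_RE.match(rcpt)
    if m is None:
        return ("unrecognized", rcpt)            # wrong format: keep tag in place
    stripped = f"{m['local']}@{m['domain']}"
    try:
        tag_day = datetime.strptime(m["day"], "%Y%m%d").date()
    except ValueError:
        return ("unrecognized", rcpt)
    fresh = _mac(seed, stripped, m["day"])       # recompute with our seed
    if abs(today - tag_day) <= MAX_AGE and hmac.compare_digest(fresh, m["mac"].lower()):
        return ("valid", stripped)
    return ("bounce_threat", stripped)           # mismatch or stale: rewrite without tag


# Constructed sample values for the demonstration.
SEED = b"example-seed-from-the-appliance-config"
TODAY = date(2024, 3, 15)
PROTECTED = {"example.com"}

if __name__ == "__main__":
    tagged = tag_sender(SEED, "alice@example.com", TODAY)
    print("outbound MAIL FROM:", tagged)
    for rcpt in (tagged, "alice@example.com", "bat=garbage=alice@example.com"):
        print(rcpt, "->", validate_ndr(SEED, rcpt, TODAY, PROTECTED))
    print("stale:", validate_ndr(SEED, tagged, TODAY + timedelta(days=8), PROTECTED))
```

Two design points worth noting. The date is carried in the tag and the HMAC is recomputed for that date, so "within a week" is a comparison of dates, not a loop over seven candidate tags. And the mismatch branch returns the stripped address, matching the article's statement that a failed validation rewrites the address without tag information before the Bounce Attack Prevention policy acts, whereas the unrecognized branch deliberately leaves the tag in place.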

(NOTE: Bounced messages larger than 50 KB are truncated. Attachments in truncated messages may be unreadable.)