Symptoms
Spam is coming from the server, and there are several transactions within the exim log file "/var/log/exim_mainlog" indicating the following error:
H=host.example.com [x.x.x.x]:50803 I=[x.x.x.x]:25 F=<random@example.net> rejected RCPT <example@cpanel.com>: Sender verify failed
The important parts of the transaction above are the email address right after "F=" and the "Sender verify failed" message at the end.
Here "random@example.net" stands for an arbitrary (random) local part at a valid domain, @example.net.
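The following script is an added example, not part of the original article: it parses exim_mainlog lines in the format shown above, keeps only the "Sender verify failed" rejections, and summarizes them by the forged sender domain (the address after "F=") and by the connecting host's IP. The log lines embedded in it are constructed samples using documentation IP ranges, not real log data, and the threshold in flag_domains is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the same layout as the article's example
# (timestamps, hosts and addresses are made up; IPs are documentation ranges).
SAMPLE_LOG = """\
2024-01-01 10:00:01 H=host.example.com [192.0.2.10]:50803 I=[198.51.100.5]:25 F=<abc123@example.net> rejected RCPT <example@cpanel.com>: Sender verify failed
2024-01-01 10:00:02 H=host.example.com [192.0.2.10]:50804 I=[198.51.100.5]:25 F=<xyz789@example.net> rejected RCPT <example@cpanel.com>: Sender verify failed
2024-01-01 10:00:03 H=other.example.org [192.0.2.20]:41000 I=[198.51.100.5]:25 F=<bounce@example.net> rejected RCPT <user@cpanel.com>: Sender verify failed
2024-01-01 10:00:04 1rABCD-000001-AB <= real@example.com H=mail.example.com [192.0.2.30] P=esmtps S=1234
2024-01-01 10:00:05 H=host.example.com [192.0.2.10]:50805 I=[198.51.100.5]:25 F=<joe@example.com> rejected RCPT <nobody@cpanel.com>: Unrouteable address
"""

# Matches the remote host (H=), its IP, the envelope sender (F=) and the
# rejected recipient, but only on lines that end in "Sender verify failed".
LINE_RE = re.compile(
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]:\d+ .*?"
    r"F=<(?P<sender>[^>]*)> rejected RCPT <(?P<rcpt>[^>]*)>: Sender verify failed$"
)


def parse_sender_verify_failures(log_text):
    """Return one dict per 'Sender verify failed' rejection found in log_text."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # delivery lines, other rejections, etc. are ignored
        event = m.groupdict()
        local, _, domain = event["sender"].rpartition("@")
        event["sender_local"] = local
        event["sender_domain"] = domain.lower()
        events.append(event)
    return events


def summarize(events):
    """Aggregate rejections by forged sender domain and by connecting source IP."""
    local_parts = defaultdict(set)
    for e in events:
        local_parts[e["sender_domain"]].add(e["sender_local"])
    return {
        "by_sender_domain": Counter(e["sender_domain"] for e in events),
        "by_source_ip": Counter(e["ip"] for e in events),
        # Many different local parts at one domain is the pattern the article
        # describes: random IDs at a valid domain.
        "local_parts_per_domain": {d: len(s) for d, s in local_parts.items()},
    }


def flag_domains(summary, min_distinct_local_parts=3):
    """Domains whose forged senders use at least N distinct random local parts.

    The threshold is an assumed value for illustration; tune it to your volume.
    """
    return sorted(
        d for d, n in summary["local_parts_per_domain"].items()
        if n >= min_distinct_local_parts
    )


if __name__ == "__main__":
    found = parse_sender_verify_failures(SAMPLE_LOG)
    report = summarize(found)
    print("rejections:", len(found))
    print("by forged sender domain:", dict(report["by_sender_domain"]))
    print("by source IP:", dict(report["by_source_ip"]))
    print("flagged domains:", flag_domains(report))
```

On a live system the same functions can be fed the contents of /var/log/exim_mainlog instead of SAMPLE_LOG; the per-IP counts show which connecting hosts are generating the rejections, and the per-domain counts show which domain is being forged.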
Description
This is an email attack named Backscatter, which uses auto-generated email replies sent to an email address that never sent the original message. Spam messages are sent with a forged Reply-To address and a forged sender domain; the receiving server accepts the message for delivery but later determines that it cannot be delivered, and the resulting reply goes to the forged address.
Detailed information about the backscatter attack can be found in the following link:
https://en.wikipedia.org/wiki/Backscatter_(email)
Workaround
There is no single solution to Backscatter attacks, and in many cases they can't be avoided entirely. The main weaknesses that allow Backscatter attacks to occur are:
- A filter setup configured to bounce messages.
- Forwarders or autoresponders exploited by the backscatter attack.
- A website/application contact form without a CAPTCHA to reduce abuse.