Categories: SPAM Posted by Paolo Frizzi on 7/8/2011 2:35 PM | Comments (1)

A real headache for almost all IT managers when discussing spam problems is postmaster@ spam. The most common thing we hear time and time again is:

“We are getting spam from postmaster addresses and we don’t know why.”

This problem has a multitude of variations and is generally labelled as “postmaster@ spam”.

Simply put, postmaster spam is any spam email that has a postmaster email address, either as sender or recipient, whether it is the postmaster for your own domain or for someone else’s.

A little background information may be useful here. The postmaster address performs a critical role in email communication, and its presence and use are prescribed in the RFCs for the SMTP protocol. RFC 2821, Simple Mail Transfer Protocol (section 4.5.1; the same requirement is carried forward in RFC 5321, which obsoletes it), states:

“Any system that includes an SMTP server supporting mail relaying or delivery MUST support the reserved mailbox “postmaster” as a case-insensitive local name.”

…and…

“SMTP systems are expected to make every reasonable effort to accept mail directed to Postmaster from any other system on the Internet.”

Who is this postmaster?

The postmaster address is usually the From: header address on system-generated emails such as non-delivery reports (the SMTP envelope sender of a genuine NDR is empty, MAIL FROM:<>, precisely so that a bounce cannot itself bounce), although some email servers allow a different address, such as MAILER-DAEMON, to be used.

But this common usage, combined with the RFC requirements, creates a series of problems. Spammers know that the postmaster@ address of any domain is almost always going to be valid, and email filters are often configured to treat mail from, or addressed to, a postmaster@ address more leniently than other mail.

Backscatter Spam

One way spammers create “postmaster spam” is by provoking Non Delivery Reports (NDRs), a technique known as backscatter spam. The spammer sends spam with forged sender addresses to many email systems. Where a message is addressed to a non-existent mailbox and the receiving server accepts it during the SMTP session (for example because it has a catch-all address, or only discovers the unknown recipient when handing the message to a back-end server), that server later generates an NDR, typically from its postmaster@ address, and sends it to the forged sender. A server that rejects unknown recipients during the SMTP session itself produces no backscatter, because the rejection goes straight back to the spammer’s sending machine.

The person whose address was forged then receives the NDR, usually with the original spam content attached or embedded; a large spam run can produce a flood of such bounces to a single victim. The technique works because administrators are reluctant to block NDRs outright: genuine ones carry delivery failures that users need to see.

Libra Esva specifically includes protection for this type of NDR backscatter spam through a combination of technologies. One of them is watermarking: the gateway adds a tag in a header to all outgoing email. Because a genuine NDR quotes the headers of the message it is bouncing, an NDR arriving from an external source can be checked for that tag. If the tag is present and matches a message that was actually sent, the NDR can be trusted and allowed into the email system. If the tag is absent, the message being bounced most likely did not originate here, probably came from a spammer, and the NDR can be treated as less trustworthy and subjected to different filtering rules. (The approach is a header-based relative of Bounce Address Tag Validation, BATV, which places the tag in the envelope sender address instead.)
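To make the watermark check concrete, here is an added example in Python of the outbound tagging and the inbound bounce classification described above. It is illustrative code, not Libra Esva’s implementation: the header name X-Example-Watermark, the tag format (timestamp plus truncated HMAC), the secret key, the one-week validity window and the sample messages are all assumptions constructed for this example. The tag is looked for in the body of the bounce, where a genuine NDR quotes the original headers, rather than in the bounce’s own headers, which the spammer controls.

```python
"""Added example of an outbound bounce watermark (a header-based relative of BATV).
Illustrative code, not Libra Esva's implementation: the header name, tag format,
secret key and sample messages below are all assumptions."""
import email.utils
import hashlib
import hmac
import re
from email.message import EmailMessage

WATERMARK_HEADER = "X-Example-Watermark"            # assumed header name
SECRET_KEY = b"per-gateway-secret-keep-out-of-code"  # assumed; load from config in practice
MAX_AGE = 7 * 24 * 3600                              # bounces older than a week are suspect
T0 = 1_700_000_000                                   # fixed "send time" for a deterministic demo


def make_watermark(sender: str, sent_at: int, key: bytes = SECRET_KEY) -> str:
    """Tag = <unix time>.<truncated HMAC-SHA256 over sender|time>.
    The HMAC binds the tag to our sender and to a time window, so a spammer who
    has seen one tag cannot mint a valid one for another address or a later date."""
    ts = str(int(sent_at))
    mac = hmac.new(key, f"{sender.lower()}|{ts}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}.{mac}"


def verify_watermark(tag: str, sender: str, now: int,
                     key: bytes = SECRET_KEY, max_age: int = MAX_AGE) -> bool:
    """True only if we minted this tag for this sender within the last max_age seconds."""
    try:
        ts, mac = tag.strip().split(".", 1)
        sent_at = int(ts)
    except ValueError:
        return False
    if not 0 <= now - sent_at <= max_age:
        return False
    expected = hmac.new(key, f"{sender.lower()}|{ts}".encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(mac.encode(), expected.encode())


def stamp_outgoing(msg: EmailMessage, now: int) -> EmailMessage:
    """Outbound path: every message leaving the gateway gets a fresh tag."""
    sender = email.utils.parseaddr(msg["From"])[1]
    del msg[WATERMARK_HEADER]          # never pass through a tag supplied by the client
    msg[WATERMARK_HEADER] = make_watermark(sender, now)
    return msg


_TAG_RE = re.compile(rf"^{re.escape(WATERMARK_HEADER)}:[ \t]*(\S+)", re.I | re.M)


def classify_inbound(raw: str, envelope_sender: str, envelope_rcpt: str, now: int) -> str:
    """Inbound path. Returns one of:
      'normal'      - non-empty MAIL FROM, so not a bounce; apply the usual filtering
      'bounce'      - MAIL FROM:<> and the quoted original carries a valid tag for envelope_rcpt
      'backscatter' - MAIL FROM:<> but no valid tag: we never sent the message being bounced
    A genuine NDR has an empty reverse-path (MAIL FROM:<>) and quotes the original message,
    headers included, in its body, so the tag is searched for in the body rather than in the
    bounce's own top-level headers (which the sender of the bounce controls)."""
    if envelope_sender != "":
        return "normal"
    parts = re.split(r"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) == 2 else ""
    for tag in _TAG_RE.findall(body):
        if verify_watermark(tag, envelope_rcpt, now):
            return "bounce"
    return "backscatter"


def _bounce_for(original_headers: str) -> str:
    """Constructed sample NDR (not a real capture) quoting the given original headers."""
    return ("From: postmaster@remote.example\n"
            "To: alice@example.com\n"
            "Subject: Undelivered Mail Returned to Sender\n"
            "\n"
            "This is the mail system at host remote.example.\n"
            "The message could not be delivered to nobody@remote.example.\n"
            "\n"
            "----- Original message headers -----\n"
            + original_headers)


def demo() -> dict:
    out = EmailMessage()                                   # constructed outbound message
    out["From"] = "alice@example.com"
    out["To"] = "nobody@remote.example"
    out["Subject"] = "hello"
    out.set_content("hi")
    stamp_outgoing(out, T0)
    tag = out[WATERMARK_HEADER]

    genuine = _bounce_for(f"{WATERMARK_HEADER}: {tag}\nFrom: alice@example.com\nTo: nobody@remote.example\n")
    forged = _bounce_for(f"{WATERMARK_HEADER}: {T0}.deadbeef\nFrom: alice@example.com\n")
    no_tag = _bounce_for("From: alice@example.com\nTo: nobody@remote.example\n")
    rcpt, later = "alice@example.com", T0 + 3600
    return {
        "genuine":    classify_inbound(genuine, "", rcpt, later),              # bounce
        "forged_tag": classify_inbound(forged, "", rcpt, later),               # backscatter
        "no_tag":     classify_inbound(no_tag, "", rcpt, later),               # backscatter
        "stale":      classify_inbound(genuine, "", rcpt, T0 + MAX_AGE + 1),   # backscatter
        "wrong_rcpt": classify_inbound(genuine, "", "bob@example.com", later), # backscatter
        "not_bounce": classify_inbound(genuine, "spammer@evil.example", rcpt, later),  # normal
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:11s} -> {verdict}")
```

Two caveats a deployment has to handle: some mail systems truncate the quoted original or encode it as base64, so a tag may be missing from a legitimate bounce, which is why an untagged NDR should go to stricter filtering rather than be rejected outright, as the text above says; and a spammer who captures one of your real outgoing messages can replay its tag for that sender until the validity window expires, which is the same replay limitation BATV has.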

Other Postmaster Forgeries

Another way in which spammers exploit this is by forging the sender address of spam so that it appears to come from the postmaster@ address of a well-known domain. This is effective because most email users have received genuine NDRs in the past and have at least some sense that a postmaster@ address is legitimate and trustworthy.

Because this attack relies on the recipient’s trust, the best defence is to detect and block the spam before it reaches the intended victim. Libra Esva anti-spam techniques such as connection filtering, message content protection, and Bayesian filtering are effective in stopping it; where the impersonated domain publishes an SPF record, a forged postmaster@ sender from that domain will also fail an SPF check.

Other common Postmaster Problems

Backscatter spam and postmaster forgeries mostly impact end users, the people we are trying to protect from spam and security threats.

But “postmaster spam” can cause even more problems. Another issue is spam addressed to the postmaster@ address itself. Because of the importance the RFC gives to the postmaster mailbox, it is common for it to be exempted from any form of filtering or protection, even though the RFC only asks that mail to postmaster be accepted, not that it be delivered unfiltered. Spammers know this and target the address directly.

This is not the case for IT Managers that are using Libra Esva!

With its 13-layer spam engine, Esva is an effective solution to postmaster spam.

An accurate multi-level analysis allows Esva to correctly identify up to 99.95% of the spam coming into the organization, including the spam addressed to the postmaster@ address.

Libra Esva offers an impressive arsenal in the fight for messaging security, and all at a very competitive price.


This is a guest blog post written by Paolo Frizzi. Paolo is the CEO of Libra, maker of a super-efficient email security gateway. For the last 15 years Paolo has been at the forefront of developing effective and easy-to-deploy independent mail security solutions utilizing the best of open source products.

