Out of office
Covered that one the other day.
Sorry Declan, I know you don't agree with me but the benefits of being able to inform people outside of your company that you are on holiday must be balanced alongside the risks of informing
In my opinion the downside outweighs the upside by some considerable margin.
Secondary directories
This thread at developerWorks illustrates the point nicely.
The original poster wants to know why, when he has relaying turned off, he is still relaying spam to someone else's system.
It transpires that he has additional directories enabled for mail addressing and that these contain Internet email addresses belonging to his company's contacts.
It may be very convenient to keep additional directories of your common business contacts' Internet email addresses on your Domino servers, but if those directories are enabled for mail addressing on your SMTP inbound gateway then you are operating a selective open relay: every address held in them is a recipient your gateway will accept from anyone and forward onwards.
You might try locking this down by requiring exact email addresses, so that inbound mail to <fred.bloggs@example.com> is accepted whereas mail to <fred@example.com> or <bloggs@example.com> is not, but this is not a complete solution. If Fred Bloggs exists not in your primary, local Domino Directory but in one of your secondary directories, you will still relay email (and spam) to him.
The only robust solution is to segregate the duties of SMTP inbound from all other Domino functions, run SMTP inbound on a separate server and enable only your own local Domino Directory for mail addressing on that server.
See also this similar story here where I was on the receiving end of this problem. The system in that story is still sending dozens of spams here every day (and presumably to a host of other destinations), but it has been permanently blocked here for a long time.
Add-in applications
OK, a fairly arcane example to finish with, but a real one too.
We operate a fax gateway on our Domino system called Replix Domino Fax. This system is integrated into the Domino directory by way of a person document in the directory named FAX and a foreign domain, also named FAX. The design of the mail file belonging to the person FAX is not a standard Notes template but a special one for the fax gateway. Users wishing to send faxes address them to (for example) "Fred Bloggs@12345@FAX" where 12345 is Fred Bloggs' fax number.
OK. The obvious problem isn't a problem at all. An external system cannot connect and try to send to <victim%98765%fax@example.com>. Domino rejects that as an attempted relay because the FAX domain is a foreign domain and is thus considered non-local. The back door is this:
You can address a message just to <fax@example.com>. Remember, fax is also a person as well as a domain.
This results in a message being placed in the fax mailbox, but without the required fax number "domain". Replix picks this up and, on finding insufficient information for onward routing, creates an error report and sends it to the original sender. Voilà. Backscatter.
fax@... is a common envelope address (as both sender and recipient) in many recent mass-mailing worms, so backscatter bounces are likely to happen unless actively prevented.
Fortunately this is quite easy. Just include fax@example.com (and the equivalent fax@... for all of your local Internet domains) in the server config field "Deny messages intended for the following internet addresses:". The message is then refused during the SMTP session and never reaches the gateway mailbox, so there is nothing for Replix to bounce.
The more general lesson here is that you should consider the wider consequences of implementing any external application which hooks into Domino by way of mail routing.
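To make the two lessons above concrete (the selective open relay created by a secondary directory, and the fax gateway back door), here is a small model of the inbound recipient decision as this post describes it. It is an added illustration written for this page, not Domino code and not part of the original post: the directory contents, the domains (example.com as the local domain, partner.example.net as a contact's domain) and the exact semantics of the "Fullname" and "local part" lookup modes are constructed assumptions for the demonstration.

```python
"""Model of the inbound SMTP recipient decision discussed in the post.

Added illustration, not Domino code. It reproduces the behaviour the post
describes: a directory enabled for mail addressing turns any Internet
address it holds into a deliverable (i.e. relayed) recipient, a foreign
domain such as FAX is non-local so '%'-routed addresses to it are refused,
and an address on the "Deny messages intended for the following internet
addresses" list is refused outright. All directory contents, domains and
the lookup-mode semantics below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FULLNAME = "fullname"    # assumed: recipient must equal the stored address
LOCALPART = "localpart"  # assumed: anything left of '@' that identifies a person


@dataclass
class Person:
    name: str              # "First Last"
    internet_address: str  # where mail for this person is delivered


@dataclass
class Directory:
    name: str
    people: List[Person]
    mail_addressing: bool  # "enabled for mail addressing" on this server


@dataclass
class ServerConfig:
    local_domains: Set[str]
    directories: List[Directory]
    foreign_domains: Set[str] = field(default_factory=set)
    lookup: str = LOCALPART
    deny_recipients: Set[str] = field(default_factory=set)


def _route(recipient: str, local_domains: Set[str]) -> Tuple[str, str]:
    """Split into (local part, final domain). A '%'-hack address such as
    victim%98765%fax@example.com aimed at a local domain is expanded the way
    the post describes, so its real destination domain is the last field."""
    local, domain = recipient.lower().rsplit("@", 1)
    if domain in local_domains and "%" in local:
        fields = local.split("%")
        return "%".join(fields[:-1]), fields[-1]
    return local, domain


def _matches(person: Person, local: str, lookup: str, recipient: str) -> bool:
    """Assumed lookup semantics: FULLNAME needs the exact stored address;
    LOCALPART also accepts the stored local part, first name or surname."""
    stored = person.internet_address.lower()
    if lookup == FULLNAME:
        return stored == recipient
    names = {n.lower() for n in person.name.split()}
    return local in names or local == stored.split("@", 1)[0]


def accept_rcpt(cfg: ServerConfig, recipient: str) -> Tuple[bool, str]:
    """Decide RCPT TO the way the post describes; returns (accepted, why)."""
    rcpt = recipient.lower()
    if rcpt in {d.lower() for d in cfg.deny_recipients}:
        return False, "refused: recipient on the explicit deny list"
    local, domain = _route(rcpt, cfg.local_domains)
    if domain in cfg.foreign_domains:
        return False, "refused: %s is a foreign (non-local) domain" % domain
    # Directory lookup comes before the relay check: any match is deliverable,
    # even when the matched address belongs to somebody else's domain.
    for d in cfg.directories:
        if not d.mail_addressing:
            continue
        for p in d.people:
            if _matches(p, local, cfg.lookup, rcpt):
                target = p.internet_address.lower()
                if target.rsplit("@", 1)[1] in cfg.local_domains:
                    return True, "delivered to %s (%s)" % (p.name, d.name)
                return True, "RELAYED to %s via %s" % (target, d.name)
    if domain in cfg.local_domains:
        return False, "refused: no such local recipient"
    return False, "refused: relaying denied"


def build_config(secondary_enabled: bool, lookup: str = LOCALPART,
                 deny: Set[str] = frozenset()) -> ServerConfig:
    """Constructed example server: local domain example.com, a primary
    directory with one user plus the FAX gateway person, and a secondary
    Contacts directory holding one external business contact."""
    primary = Directory("Primary Domino Directory", [
        Person("Alice Smith", "alice.smith@example.com"),
        Person("FAX", "fax@example.com"),  # the fax gateway mailbox
    ], mail_addressing=True)
    contacts = Directory("Contacts (secondary)", [
        Person("Fred Bloggs", "fred.bloggs@partner.example.net"),
    ], mail_addressing=secondary_enabled)
    return ServerConfig({"example.com"}, [primary, contacts],
                        foreign_domains={"fax"}, lookup=lookup,
                        deny_recipients=set(deny))


if __name__ == "__main__":
    cases = [
        (build_config(True), "fred@partner.example.net"),
        (build_config(True, FULLNAME), "fred@partner.example.net"),
        (build_config(True, FULLNAME), "fred.bloggs@partner.example.net"),
        (build_config(False, FULLNAME), "fred.bloggs@partner.example.net"),
        (build_config(True), "victim%98765%fax@example.com"),
        (build_config(True), "fax@example.com"),
        (build_config(True, deny={"fax@example.com"}), "fax@example.com"),
    ]
    for cfg, rcpt in cases:
        print("%-34s %s" % (rcpt, accept_rcpt(cfg, rcpt)[1]))
```

Running it shows the sequence argued above: with the Contacts directory enabled, the partial-address probe is accepted in local-part mode, switching to exact matching stops that probe but still relays to <fred.bloggs@partner.example.net>, and only disabling the secondary directory for mail addressing closes the relay. The '%'-routed fax address is refused because FAX is foreign, while plain <fax@example.com> lands in the gateway mailbox until it is put on the deny list.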
Here ends today's lesson.
Category: Domino: Administration
1. James Johnston, 15/05/2006 20:39:49
Is it possible to disable OOO at a server level?
2. Chris Linfoot, 15/05/2006 22:26:09
Only very crudely with a mail rule as far as I know. There may be a policy setting somewhere though.
3. Scott Iver, 19/02/2008 15:59:42
Suggestion: Chris, in the section where you talk about locking down the server to only accept email addresses formatted correctly: "You might try locking this down by requiring exact email addresses so that inbound mail to "
Might I suggest a brief line of "here's where to do this in the server config document". From memory (which is not that good) in 7.x I think it's under Messaging settings / Basics / Address Lookup : Fullname
As I recall, there are 3 options: Fullname only, local part only, and Fullname and local part. I'm probably wrong (since I haven't touched on this in a very long time), but I think Fullname means exact match (John.Doe@domain). Local part means try to match anything in front of the @ with a user in the address book (Jdoe, John_Doe, John.Doe, etc.) would all match.
Anyway, just my humble suggestion :) Thanks