We are using the Smarter Mail system. Recently, we found that a hacker had hacked some user accounts and sent out lots of spam. We have a firewall to rate-limit the sender, but for the following email, the firewall couldn't do this because of the empty FROM address. Why is an empty FROM address considered OK? Actually, in our MTA (SurgeMail), we can see the sender in the email header. Any idea?
```
11:17:06 [xx.xx.xx.xx][15459629] rsp: 220 mail30.server.com
11:17:06 [xx.xx.xx.xx][15459629] connected at 6/16/2010 11:17:06 AM
11:17:06 [xx.xx.xx.xx][15459629] cmd: EHLO ulix.geo.auth.gr
11:17:06 [xx.xx.xx.xx][15459629] rsp: 250-mail30.server.com Hello [xx.xx.xx.xx] 250-SIZE 31457280 250-AUTH LOGIN CRAM-MD5 250 OK
11:17:06 [xx.xx.xx.xx][15459629] cmd: AUTH LOGIN
11:17:06 [xx.xx.xx.xx][15459629] rsp: 334 VXNlcm5hbWU6
11:17:07 [xx.xx.xx.xx][15459629] rsp: 334 UGFzc3dvcmQ6
11:17:07 [xx.xx.xx.xx][15459629] rsp: 235 Authentication successful
11:17:07 [xx.xx.xx.xx][15459629] Authenticated as [email protected]
11:17:07 [xx.xx.xx.xx][15459629] cmd: MAIL FROM:
11:17:07 [xx.xx.xx.xx][15459629] rsp: 250 OK <> Sender ok
11:17:07 [xx.xx.xx.xx][15459629] cmd: RCPT TO:[email protected]
11:17:07 [xx.xx.xx.xx][15459629] rsp: 250 OK <[email protected]> Recipient ok
11:17:08 [xx.xx.xx.xx][15459629] cmd: DATA
```
The empty `MAIL FROM` is used for delivery status notifications. Mail servers are required to support it (RFC 1123 section 5.2.9). It's used primarily for bounce messages, to prevent an endless loop. When `MAIL FROM` is used with an empty address (represented as `<>`), the receiving server knows not to generate a bounce message if the message is being sent to a non-existent user. Without this, it might be possible for someone to DoS you simply by faking a message to a non-existent user at another domain, with a return address of a non-existent user at your own domain, resulting in a never-ending loop of bounce messages.

What would happen if you block messages with an empty `MAIL FROM:`? The empty `MAIL FROM:` messages that you are seeing are probably not coming from a spammer. Instead, a spammer has faked an address at your domain and used it as the return address for a message to another domain. Let's say you are `yourdomain.com` and my domain is `mydomain.net`. The spammer sends a message to `[email protected]`, faking the return address as `[email protected]`. Since there is no user `johnq` in my domain, my mail server sends a bounce message (`MAIL FROM:<>`) to the apparent sender, `[email protected]`. That is what you are probably seeing.

Blocking empty `MAIL FROM` messages will do more harm than good, in my opinion. Spammers, in my experience, rarely use an empty `MAIL FROM:` since they can easily fake a real-looking address. When the message is actual spam, there are far better ways to detect and block it, including RBLs, Bayesian filters, and SpamAssassin. And finally, you can prevent at least some of the forgeries using `yourdomain.com` by setting up proper SPF records for your domain.

Update: After looking closer at your log, someone was able to `AUTH` using a valid username and password for your server. This puts it in a whole other category of trouble. However, everything I said about `MAIL FROM:` still stands. 99% of the time it's going to be the result of bounce messages. You can search for an option in your mail server to limit `MAIL FROM` to the authenticated user's e-mail. Many mail systems apply that limitation.
And so, force hacked users to change their passwords.
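As an added illustration of the two mitigations discussed above (keying the rate limit on the authenticated account rather than on the envelope sender, and restricting `MAIL FROM` on authenticated sessions), here is example code that is not part of the question or either answer. The log lines, session ids and addresses in it are constructed, and `check_mail_from` is a hypothetical policy function, not a SmarterMail, SurgeMail or firewall setting.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines in the layout of the question's log (not real traffic).
SAMPLE_LOG = """\
11:17:07 [203.0.113.5][15459629] Authenticated as alice@example.com
11:17:07 [203.0.113.5][15459629] cmd: MAIL FROM:<>
11:17:07 [203.0.113.5][15459629] cmd: RCPT TO:<bob@example.net>
11:17:09 [203.0.113.5][15459629] cmd: MAIL FROM:<>
11:17:09 [203.0.113.5][15459629] cmd: RCPT TO:<carol@example.net>
11:18:00 [198.51.100.9][15459700] cmd: MAIL FROM:<>
11:18:00 [198.51.100.9][15459700] cmd: RCPT TO:<alice@example.com>
"""

LINE_RE = re.compile(r"^\S+ \[[^\]]*\]\[(?P<sid>\d+)\] (?P<rest>.*)$")
AUTH_RE = re.compile(r"^Authenticated as (?P<user>\S+)$")
FROM_RE = re.compile(r"^cmd: MAIL FROM:\s*<?(?P<addr>[^>\s]*)>?", re.IGNORECASE)

def check_mail_from(auth_user, mail_from):
    """Hypothetical policy: an authenticated session may only use its own address.
    Unauthenticated inbound sessions keep the RFC-required null sender for bounces."""
    if auth_user is None:
        return True, "inbound session: null and foreign senders are accepted"
    if mail_from == "":
        return False, "authenticated session may not use the null sender"
    if mail_from.lower() != auth_user.lower():
        return False, "MAIL FROM does not match the authenticated user"
    return True, "sender matches authenticated user"

def parse_log(text):
    """Group lines by session id, recording the authenticated user and each MAIL FROM."""
    sessions = defaultdict(lambda: {"auth": None, "mail_from": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, rest = m.group("sid"), m.group("rest")
        if a := AUTH_RE.match(rest):
            sessions[sid]["auth"] = a.group("user")
        elif f := FROM_RE.match(rest):
            sessions[sid]["mail_from"].append(f.group("addr"))
    return dict(sessions)

def rate_limit_keys(sessions):
    """Count messages per rate-limit key: the authenticated user when present,
    otherwise the envelope sender, so an empty MAIL FROM cannot hide an account."""
    counts = Counter()
    for s in sessions.values():
        for addr in s["mail_from"]:
            counts[s["auth"] or (addr or "<>")] += 1
    return counts
```

On the sample, both null-sender submissions from session 15459629 are attributed to `alice@example.com` (the compromised account) instead of to `<>`, while the unauthenticated bounce in session 15459700 is still accepted.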