Vulnerability: Spam checks don't run for Null Senders
Problem reported by kevind - August 15, 2017 at 8:02 AM
Resolved
Using SM15, it appears that messages with a null sender (MAIL FROM:<>) skip many of the spam checks (PTR check, greylisting, etc.). We have spammers exploiting this to deliver spam to SmarterMail servers.
 
It might even skip the SMTP Auth as the other day I saw a spoofed message where the From address was the same as the local domain. It was sent from an external IP address and got delivered to the user, but should have been denied because all users must authenticate.
 
Thanks for checking into this.

34 Replies

0
echoDreamz Replied
Yeah this has been reported - https://portal.smartertools.com/community/a87411/vulnerability-messages-with-no-ptr-reverse-dns-are-accepted.aspx

Christopher

0
kevind Replied
Yes, slightly different issue so I started a new thread hoping ST will check into it and resolve.
2
Rod Lasky Replied
Employee Post
Hello all.  Our minor release tomorrow will contain a new spam check to block these NULL senders.
Rod Lasky
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
kevind Replied
Nice! v15?
0
echoDreamz Replied
<3 <3 <3

Christopher

2
kevind Replied
Saw in the release notes that messages with null senders will be scored? This is not a fix.
 
System admin messages (e.g. undeliverables) come in with a null sender, so you're scoring legitimate messages as spam.
 
Why not just run these through all the normal spam checks (RDNS, greylisting, etc.)?  Also, would like to see this patched in v15.  Thanks!
3
Matthew Leyda Replied
Please don't forget about V15.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
4
kevind Replied
Thanks for adding this in v15, but this thread shouldn't be marked as resolved until SMTP Auth, greylisting, and Reverse DNS work for null senders.
 
The current implementation of adding 10 points (or whatever score) to null senders is not useful because a null sender doesn't indicate a message is spam. It's a random attribute -- like saying every message that comes in between 5-6pm should have 10 points because spammers sometimes send mail between 5-6pm.
 
If you want to score something, add a score for FCrDNS -- that would be useful. See Christopher York's comments on FCrDNS here: https://portal.smartertools.com/community/a87411/
 
Thanks!
0
kevind Replied
Found this thread where you can vote for FCrDNS:
https://portal.smartertools.com/community/a88965/dns-check-improvements.aspx
0
kevind Replied
FWIW, the new spam check for null senders is not very useful. It doesn't have the ability to SMTP block (only score). And there are plenty of legitimate messages from null senders, like undeliverables, so scoring doesn't really help.

Is there a technical reason why you can't do greylisting for null senders?
4
kevind Replied
As the originator of this thread, it should NOT be marked as Resolved.  Please change it to Known or Being Fixed.
 
Looking at messages from yesterday and saw over 4,200 messages with null sender.  Of those, only 64 were legitimate, the rest (98.5%) were spam!!!
 
Need to fix this so basic spam checks like Reverse DNS get run for null senders.  The new scoring feature is not acceptable because it marks legitimate messages (e.g. Auto Replies, Delivery Failure, etc.) as spam.
 
Thanks,
Kevin
0
kevind Replied
Rod, can you please pass my comments on to the developers. And change the status so it's not Resolved. Thanks!
0
Matt Petty Replied
Employee Post
If we have a null sender, we don't know what domain to grey list.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Derek Curtis Replied
Employee Post
Matthew -- not sure if you saw, but this was added to the SmarterMail 15.7.6443 release on 8/22.
Derek Curtis
COO
SmarterTools Inc.
(877) 357-6278
0
kevind Replied
Matt, thanks for the reply. How about just using a token domain like 'null.sender' plus the IP and recipient? Then when that server retries after greylisting, it will match and be accepted.
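Matt Petty's objection above is that a null sender leaves no domain to key the greylist on, and Kevin's suggestion is to substitute a fixed placeholder domain so the retry can still be matched. The following is an added Python example of that scheme, not SmarterMail's code: the placeholder name 'null.sender', the timing windows and the client IPs are assumptions chosen for the example.

```python
# Added example (not SmarterMail code): greylisting keyed on a sender-domain /
# client-IP / recipient triple, where a null sender (MAIL FROM:<>) is mapped to a
# fixed placeholder domain so that the sending server's retry matches the first
# attempt. The placeholder 'null.sender', the timing windows and the sample IPs
# (RFC 5737 documentation ranges) are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Dict, Tuple

NULL_SENDER_PLACEHOLDER = "null.sender"   # assumed; any non-routable label works

GreyKey = Tuple[str, str, str]            # (sender domain, client IP, recipient)


def sender_domain(mail_from: str) -> str:
    """Domain part of a MAIL FROM argument, with '<>' mapped to the placeholder.

    '<bounce@Example.COM>' -> 'example.com'; '<>' -> 'null.sender'.
    """
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":                        # RFC 5321 null reverse-path
        return NULL_SENDER_PLACEHOLDER
    if "@" not in addr:
        raise ValueError(f"malformed reverse-path: {mail_from!r}")
    return addr.rsplit("@", 1)[1].lower()


@dataclass
class Greylister:
    """Classic triplet greylisting with an in-memory state table."""
    min_delay: float = 300.0              # assumed: retries sooner than 5 min are still deferred
    pending_ttl: float = 4 * 3600.0       # assumed: a first attempt never retried is forgotten
    allow_ttl: float = 36 * 24 * 3600.0   # assumed: a passed triple is remembered for 36 days
    _pending: Dict[GreyKey, float] = field(default_factory=dict)   # key -> first-seen time
    _allowed: Dict[GreyKey, float] = field(default_factory=dict)   # key -> expiry time

    @staticmethod
    def key(mail_from: str, client_ip: str, rcpt_to: str) -> GreyKey:
        return (sender_domain(mail_from), client_ip, rcpt_to.strip().lower())

    def check(self, mail_from: str, client_ip: str, rcpt_to: str, now: float) -> str:
        """Return 'accept' or 'greylist' for one RCPT; 'greylist' means reply 451 4.7.1."""
        k = self.key(mail_from, client_ip, rcpt_to)

        expiry = self._allowed.get(k)
        if expiry is not None and now < expiry:
            self._allowed[k] = now + self.allow_ttl   # refresh the allow entry on use
            return "accept"

        first_seen = self._pending.get(k)
        if first_seen is None or now - first_seen > self.pending_ttl:
            self._pending[k] = now                   # first attempt (or a stale one): defer
            return "greylist"
        if now - first_seen < self.min_delay:
            return "greylist"                        # retried too quickly: keep deferring

        del self._pending[k]                         # genuine retry: promote to the allow list
        self._allowed[k] = now + self.allow_ttl
        return "accept"


def smtp_reply(decision: str) -> str:
    """Map a decision to the SMTP reply an MTA would send after RCPT TO."""
    if decision == "greylist":
        return "451 4.7.1 Greylisted, please try again later"
    return "250 2.1.5 Recipient OK"


def demo() -> list:
    """Walk a bounce (null sender) through the check from two constructed client IPs."""
    g = Greylister()
    steps = [
        ("<>", "203.0.113.5", "bob@example.org", 0.0),      # first attempt: deferred
        ("<>", "203.0.113.5", "bob@example.org", 60.0),     # retry after 1 min: still deferred
        ("<>", "203.0.113.5", "bob@example.org", 600.0),    # retry after 10 min: accepted
        ("<>", "198.51.100.9", "bob@example.org", 600.0),   # same null sender, other IP: deferred
        ("<>", "203.0.113.5", "bob@example.org", 700.0),    # already allowed: accepted
    ]
    return [g.check(*s) for s in steps]


if __name__ == "__main__":
    for d in demo():
        print(d, "->", smtp_reply(d))
```

Because the client IP is part of the key, a spam source that never retries is deferred every time, while a legitimate MTA returning a bounce passes on its first retry after the delay; the placeholder only has to be stable, it never needs to resolve.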
0
Matt Petty Replied
Employee Post
Hmm, yea that might work. There might be other pieces of information we might be able to use to uniquely identify that email. I will look into it.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
kevind Replied
Sounds good. Thanks!
0
kevind Replied
Matt, any luck with using a placeholder domain like 'null.sender' for greylisting?
3
kevind Replied
This thread is marked as Resolved, but it's not and I can't get the status changed. So I started a new thread, that's a little more specific:
 
Greylisting doesn't work with Null Senders
 
Sounds like MattP is looking into it. Let's hope he can come up with a solution.
3
Matt Petty Replied
Employee Post
I fixed this today, using Kevin's suggestion. Unless something comes up, we are planning on a minor tomorrow, so you all should see this in SM 16. I will also move this into SmarterMail 15.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matthew Leyda Replied
The SM15 users thank you.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
kevind Replied
The spammers do not thank you. This will reduce qty. of messages delivered.
0
Matthew Leyda Replied
If we are lucky :) Nice to win one once in a while.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
2
Matthew Leyda Replied
Matt
When will we see this in Ver15?
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Matt Petty Replied
Employee Post
We just recently did a SM 15 release, so it may be a while. If you would like a custom build with this functionality in it, just let me know and I can provide you with a link.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
kevind Replied
We'll take the custom link as we get thousands of spam messages each day with null sender.

Also, if there are any release notes for this custom build, that would be appreciated. Always good to know if there are any other changes.

Thanks!
0
Matthew Leyda Replied
Yes, I'll take a custom link.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Matt Petty Replied
Employee Post
Ok, I sent a link to you both.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matthew Leyda Replied
Matt,
Are there any log entries we can sort for to see if it's working?
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
3
Matthew Leyda Replied
So far so good. It looks like the greylisting of null senders is working.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
kevind Replied
Do you see system messages (e.g. undeliverables & auto replies) still coming in after the greylisting? Just want to make sure servers are retrying legitimate messages. Thanks.
0
Matthew Leyda Replied
Took a little work, but yes it looks like legit bounce messages are making it.
A mod to the log entry to see what's going on would be nice. Something like this.

2017.10.10-smtpLog.log(168497): 12:33:44 [222.255.175.201][3948966] cmd: MAIL FROM:<> SIZE=4954 (Greylisted)
2017.10.10-smtpLog.log(171977): 12:47:59 [209.59.143.168][9000116] cmd: MAIL FROM:<> SIZE=3937 (Greylisted)
2017.10.10-smtpLog.log(173591): 12:54:26 [209.59.143.168][27110035] cmd: MAIL FROM:<> SIZE=3938 (Delivered)
2017.10.10-smtpLog.log(174483): 12:57:42 [67.43.0.3][48454400] cmd: MAIL FROM:<> SIZE=3939 (Delivered)
2017.10.10-smtpLog.log(184394): 13:28:49 [134.39.30.248][28311044] cmd: MAIL FROM:<> BODY=8BITMIME SIZE=4236 (Greylisted)
2017.10.10-smtpLog.log(185477): 13:32:04 [134.39.30.248][16204693] cmd: MAIL FROM:<> BODY=8BITMIME SIZE=4236 (Delivered)
2017.10.10-smtpLog.log(187069): 13:39:14 [64.26.60.176][58312381] cmd: MAIL FROM:<> SIZE=7287 (Greylisted)
2017.10.10-smtpLog.log(188656): 13:44:55 [67.43.0.3][46425249] cmd: MAIL FROM:<> SIZE=3927 (Greylisted)
2017.10.10-smtpLog.log(189687): 13:49:07 [209.59.144.126][35646666] cmd: MAIL FROM:<> SIZE=6678 (Refused Spam Filter)
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
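One way to answer the question above (is null-sender greylisting working, and are legitimate bounces retried and delivered?) from the log, written as an added Python example that is not SmarterMail's code. It assumes the annotated line format shown in Matthew's post, with the outcome in parentheses, and uses those nine lines as its sample input; it groups null-sender attempts by client IP and measures the delay between a Greylisted attempt and the retry that was Delivered.

```python
# Added example (not SmarterMail code): parse SMTP log lines in the annotated form
# shown in the post above and report, per client IP, how null-sender (MAIL FROM:<>)
# attempts were handled and whether a Greylisted attempt was followed by a retry
# that was Delivered. The line format is an assumption based on that post.
import re
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r"^(?P<file>\S+)\((?P<lineno>\d+)\): "            # 2017.10.10-smtpLog.log(168497):
    r"(?P<time>\d{2}:\d{2}:\d{2}) "                   # 12:33:44
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] "        # [client ip][session id]
    r"cmd: MAIL FROM:<(?P<sender>[^>]*)>"             # MAIL FROM:<...>
    r"(?P<params>.*?)\s*\((?P<status>[^()]+)\)\s*$"   # SIZE=... (Outcome)
)

# Sample input: the nine lines quoted in the post above.
SAMPLE_LOG = """\
2017.10.10-smtpLog.log(168497): 12:33:44 [222.255.175.201][3948966] cmd: MAIL FROM:<> SIZE=4954 (Greylisted)
2017.10.10-smtpLog.log(171977): 12:47:59 [209.59.143.168][9000116] cmd: MAIL FROM:<> SIZE=3937 (Greylisted)
2017.10.10-smtpLog.log(173591): 12:54:26 [209.59.143.168][27110035] cmd: MAIL FROM:<> SIZE=3938 (Delivered)
2017.10.10-smtpLog.log(174483): 12:57:42 [67.43.0.3][48454400] cmd: MAIL FROM:<> SIZE=3939 (Delivered)
2017.10.10-smtpLog.log(184394): 13:28:49 [134.39.30.248][28311044] cmd: MAIL FROM:<> BODY=8BITMIME SIZE=4236 (Greylisted)
2017.10.10-smtpLog.log(185477): 13:32:04 [134.39.30.248][16204693] cmd: MAIL FROM:<> BODY=8BITMIME SIZE=4236 (Delivered)
2017.10.10-smtpLog.log(187069): 13:39:14 [64.26.60.176][58312381] cmd: MAIL FROM:<> SIZE=7287 (Greylisted)
2017.10.10-smtpLog.log(188656): 13:44:55 [67.43.0.3][46425249] cmd: MAIL FROM:<> SIZE=3927 (Greylisted)
2017.10.10-smtpLog.log(189687): 13:49:07 [209.59.144.126][35646666] cmd: MAIL FROM:<> SIZE=6678 (Refused Spam Filter)
""".splitlines()


def _seconds(hhmmss: str) -> int:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one MAIL FROM log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["lineno"] = int(ev["lineno"])
    ev["params"] = ev["params"].strip()
    ev["null_sender"] = ev["sender"] == ""
    ev["seconds"] = _seconds(ev["time"])
    return ev


def summarize_null_senders(lines: List[str]) -> Dict[str, dict]:
    """Per client IP: counts by outcome and the delay in seconds from the first
    Greylisted attempt to the first later Delivered attempt (None if no retry
    was observed). Only null-sender lines are considered."""
    per_ip: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["null_sender"]:
            continue
        rec = per_ip.setdefault(ev["ip"], {
            "greylisted": 0, "delivered": 0, "refused": 0,
            "retry_delay": None, "_first_grey": None,
        })
        status = ev["status"]
        if status == "Greylisted":
            rec["greylisted"] += 1
            if rec["_first_grey"] is None:
                rec["_first_grey"] = ev["seconds"]
        elif status == "Delivered":
            rec["delivered"] += 1
            if rec["_first_grey"] is not None and rec["retry_delay"] is None:
                rec["retry_delay"] = ev["seconds"] - rec["_first_grey"]
        elif status.startswith("Refused"):
            rec["refused"] += 1
    for rec in per_ip.values():
        rec.pop("_first_grey")
    return per_ip


def report(lines: List[str]) -> List[str]:
    """One human-readable line per IP, hosts that retried listed first."""
    summary = summarize_null_senders(lines)
    out = []
    for ip, rec in sorted(summary.items(), key=lambda kv: kv[1]["retry_delay"] is None):
        retry = (f"retried after {rec['retry_delay']}s"
                 if rec["retry_delay"] is not None else "no retry seen")
        out.append(f"{ip:16} greylisted={rec['greylisted']} delivered={rec['delivered']} "
                   f"refused={rec['refused']} {retry}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample, two hosts (209.59.143.168 and 134.39.30.248) were greylisted and came back within a few minutes to be delivered, which is the behaviour expected of a real MTA returning a bounce; a host that is only ever Greylisted in a long enough window is the one that never retries.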
0
kevind Replied
Nice.
0
kevind Replied
Rod, this new check only scores, it doesn't block. Can we add a checkbox to block also?

Thanks!
