Spam through bounces on the up
Question asked by YS Tech - 4/29/2025 at 4:32 AM
Unanswered
My clients and I are seeing a lot more spam coming in via external bounces.
These emails usually have the following field:
X-Rcpt-To: <my@email.account>

Original sender being a bounce of some kind:
X-OriginalSender: bounce-my=email.account@luckypresenttoday.com

Is there any way of stopping these coming in, or at least filtering them, or is it just one of those things that's going to get worse?

5 Replies

YS Tech Replied
This is becoming quite an issue. Today, I have a long list of bounce addresses under the "top inbound senders" list:


Any idea how I can stop this from happening?
99% of these bounces are spam messages being bounced to an email account on the server.
Many thanks
Tony Scholz Replied
Employee Post
Hello, 

For some of these messages, can you get the SMTP logs? We may be able to see if there is anything common that can be used to block them. 

X-Rcpt-To: <my@email.account>

This indicates that the message was BCCed to the user.  

Thank you
~Tony
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
Douglas Foster Replied
This exemplifies the power and importance of using a customizable tool like Declude to handle problems with multiple-attribute rules.

We had a wave of null sender attacks a while back. Our environment had BATV-inspired detection of invalid bounces, but that logic was not activated because a return-path header field was not present.

One part of my solution was to do SPF lookups using the message From address whenever the SMTP Mail From sender is null. I had already implemented controls to quarantine if a message lacked SPF Pass or aligned DKIM Pass, and this change allowed me to continue using that protection. I concluded this approach was superior to the RFC 7298 suggestion of using the HELO name as a fallback. This change was also feasible because I do SPF checks using the Python pyspf module called from Declude, evading the bugs in the embedded Declude version and the inflexibility of the SmarterMail version.

In general, the sender should not be null unless it is a true bounce, including a return-path field. So a null sender is likely an attempt to confuse and defeat my defenses. A second part of the solution was to develop a list of senders that were allowed to use a null sender without a return-path header. Everything else goes to quarantine. This rule is also enforced by a Declude filter.
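As an added illustration of the two controls Douglas describes (this is example code, not Declude, pyspf or SmarterMail code, and not his filter): a BATV-style tag on our own outbound MAIL FROM lets a null-sender message be verified as a bounce of something we actually sent; anything else using the null sender must carry Return-Path unless its From domain is allowlisted, and then SPF is evaluated against the header From domain rather than the HELO name. The signing key, the prvs tag format, the allowlist, the SPF lookup table (standing in for DNS, which pyspf would do in practice) and the sample messages are all assumptions constructed for this example; the aligned-DKIM check he also runs is left out.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# Added example, not Declude, pyspf or SmarterMail code. It models the two
# controls described in the post above: a BATV-style check that a null-sender
# message really is a bounce of mail we sent, and the rule that runs SPF
# against the header From domain (not the HELO name) when MAIL FROM is empty,
# quarantining anything that is not an allowlisted null-sender source and
# lacks SPF Pass. The key, tag format, allowlist, SPF table and sample
# messages are constructed for this example; aligned DKIM is left out.

SECRET = b"replace-with-a-random-per-site-key"       # assumed signing key
ALLOW_NULL_NO_RETURN_PATH = {"monitor.example.net"}  # assumed allowlist
SPF_TABLE = {"monitor.example.net": "pass"}          # stands in for DNS


def tag_sender(local, domain, day):
    """Sign an outbound MAIL FROM the way BATV's prvs scheme does: a 3-digit
    day counter plus a truncated HMAC over the address, so a later bounce to
    the tagged address can be recognised as a reply to our own mail."""
    day %= 1000
    mac = hmac.new(SECRET, f"{day}:{local}@{domain}".encode(), hashlib.sha256)
    return f"prvs={day:03d}{mac.hexdigest()[:6]}={local}@{domain}"


def verify_tagged(address, today, max_age_days=7):
    """True only if a bounce's RCPT TO carries a recent tag we generated.
    An untagged or mis-signed recipient means the 'bounce' is backscatter."""
    m = re.fullmatch(r"prvs=(\d{3})[0-9a-f]{6}=([^@]+)@(.+)", address)
    if not m:
        return False
    day, local, domain = int(m.group(1)), m.group(2), m.group(3)
    if not 0 <= (today - day) % 1000 <= max_age_days:
        return False
    return hmac.compare_digest(tag_sender(local, domain, day), address)


def table_spf(domain):
    """Stand-in for a real SPF evaluation (the post uses pyspf for this)."""
    return SPF_TABLE.get(domain, "none")


def classify(mail_from, rcpt_to, raw_message, today, spf_check=table_spf):
    """Return (verdict, reason) for one inbound message.
    mail_from: SMTP MAIL FROM, "" for the null sender; rcpt_to: SMTP RCPT TO;
    spf_check: callable domain -> 'pass' | 'fail' | 'softfail' | 'none'."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

    if mail_from != "":
        # Ordinary mail: SPF against the envelope sender domain as usual.
        result = spf_check(mail_from.rpartition("@")[2].lower())
        return ("accept" if result == "pass" else "quarantine",
                f"SPF {result} on MAIL FROM domain")

    # Null sender. A genuine DSN is addressed to a tagged address we issued.
    if verify_tagged(rcpt_to, today):
        return "accept", "genuine bounce: BATV tag verified"
    # Anything else using the null sender must carry Return-Path, unless its
    # From domain is on the allowlist of senders permitted to omit it.
    if msg.get("Return-Path") is None and from_domain not in ALLOW_NULL_NO_RETURN_PATH:
        return "quarantine", "null sender without Return-Path"
    # Fall back to the header From domain for SPF instead of the HELO name.
    result = spf_check(from_domain)
    if result != "pass":
        return "quarantine", f"SPF {result} on header From domain {from_domain}"
    return "accept", f"null sender, SPF pass on header From domain {from_domain}"


# Constructed sample messages in the shapes the thread describes.
GENUINE_BOUNCE = ("Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.org\n"
                  "Subject: Undelivered Mail Returned to Sender\n\n(DSN body)\n")
BACKSCATTER_SPAM = ("From: bounce-me=example.com@lucky-present.example\n"
                    "X-Rcpt-To: <me@example.com>\nSubject: You won\n\n(spam)\n")
MONITOR_ALERT = "From: alerts@monitor.example.net\nSubject: heartbeat\n\nok\n"


def demo(today=121):
    """Run the sample cases; returns {name: (verdict, reason)}."""
    tagged = tag_sender("me", "example.com", today - 1)   # what we sent yesterday
    return {
        "genuine": classify("", tagged, GENUINE_BOUNCE, today),
        "backscatter": classify("", "me@example.com", BACKSCATTER_SPAM, today),
        "monitor": classify("", "me@example.com", MONITOR_ALERT, today),
        "forged_tag": classify("", "prvs=120abcdef=me@example.com", GENUINE_BOUNCE, today),
        "ordinary": classify("news@monitor.example.net", "me@example.com", MONITOR_ALERT, today),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The tag only helps if every outbound MAIL FROM from your own domains is actually signed and the day window is short; with a real deployment, replace the table lookup with `spf.check2(i=ip, s=sender, h=helo)` from pyspf, which returns the result string as its first element.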
YS Tech Replied
Hi Tony/Douglas,

Douglas, that's a lot of work you've done there, thanks for the insight.

Tony:
Here's one that it looks like I managed to filter to spam-hi:

[2025.06.05] 00:01:33.401 [17332116] Delivery started for info-XJq@untdstatdropromuniflamtionqiNZvkEGf.com at 00:01:33
[2025.06.05] 00:01:39.429 [17332116] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.06.05] 00:01:39.429 [17332116] [SpamCheckQueue] Begin Processing.
[2025.06.05] 00:01:39.430 [17332116] Blocked Sender Checks started.
[2025.06.05] 00:01:39.430 [17332116] Blocked Sender Checks completed.
[2025.06.05] 00:01:39.458 [17332116] Spam Checks started.
[2025.06.05] 00:01:49.472 [17332116] Finished running spam checks. Time (non-rbls): 2ms, Time (URIBL/RBLS): 10011ms
[2025.06.05] 00:01:49.473 [17332116] Spam Check results: [_DMARC: 0,skipped - DMARC Disabled], [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 0,None], [_DKIM: 5,None], [_ARC: none], [_CUSTOMRULES: blank sender: 20;], [SORBS - NEW: 0], [UCEPROTECT LEVEL 3: 0], [SORBS - RECENT: 0], [SORBS: 0], [SORBS - NOMAIL: 0], [SPAMCOP: 0], [SPAMHAUS - ZEN: 0], [SURRIEL: 0], [SORBS - DUL: 0], [MCAFEE: 0], [BONDEDSENDER: 0], [IADB: 0], [BARRACUDA: 0], [SPAMRATS: 0], [SEM-BS: 5], [GBUDB: 0], [CBL - ABUSE SEAT: 0], [BACKSCATTER: 0], [SENDERSCORE: 0], [IX: 0], [UCEPROTECT LEVEL 1: 0], [MSRBL: 0], [UBL: 0], [HOSTKARMA - YELLOW: 0], [HOSTKARMA - BLACKLIST: 0], [UCEPROTECT LEVEL 2: 0], [SEM-BL: 7]
[2025.06.05] 00:01:49.473 [17332116] Spam Checks completed.
[2025.06.05] 00:01:49.475 [17332116] Removed from SpamCheckQueue (0 queued or processing)
[2025.06.05] 00:01:51.490 [17332116] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2025.06.05] 00:01:51.490 [17332116] [LocalDeliveryQueue] Begin Processing.
[2025.06.05] 00:01:51.491 [17332116] Starting local delivery to my@email.account
[2025.06.05] 00:01:51.493 [17332116] Message saved to MailProcessing directory for my@email.account. File name: 17332116-20039-NOID.tmpmsg
[2025.06.05] 00:01:51.493 [17332116] Process delivery status notification step from local recipient success. Recipient: [my@email.account], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2025.06.05] 00:01:51.493 [17332116] Delivery for info-XJq@untdstatdropromuniflamtionqiNZvkEGf.com to my@email.account has completed (Delivered to Junk E-Mail/Spam-VHi) Filter: Spam (Weight: 67), Action (User Level): PrefixSubject, Spam Very High
[2025.06.05] 00:01:51.493 [17332116] End delivery to my@email.account (MessageID: <I0cBJi4QL44MtTXGRz8jQKbcuQC-RUhDmTwuKYmagIpwNwfdIoxUZbO-cadf-4b64-ba5d-13abc51dd070-000000@.amazonses.com>)
[2025.06.05] 00:01:51.493 [17332116] Removed from LocalDeliveryQueue (0 queued or processing)
[2025.06.05] 00:01:54.511 [17332116] Removing Spool message: Killed: False, Failed: False, Finished: True
[2025.06.05] 00:01:54.511 [17332116] Delivery finished for info-XJq@untdstatdropromuniflamtionqiNZvkEGf.com at 00:01:54    [id:x17332116]


And another that didn't filter:


[2025.06.05] 10:04:05.598 [17333575] Delivery started for 010201973f552b26-968125e8-086a-4146-b9d2-51e9e3afbd6e-000000@bounce.komoot.de at 10:04:05
[2025.06.05] 10:04:11.627 [17333575] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.06.05] 10:04:11.627 [17333575] [SpamCheckQueue] Begin Processing.
[2025.06.05] 10:04:11.628 [17333575] Blocked Sender Checks started.
[2025.06.05] 10:04:11.628 [17333575] Blocked Sender Checks completed.
[2025.06.05] 10:04:11.717 [17333575] Spam Checks started.
[2025.06.05] 10:04:12.320 [17333575] Finished running spam checks. Time (non-rbls): 243ms, Time (URIBL/RBLS): 359ms
[2025.06.05] 10:04:12.321 [17333575] Spam Check results: [_DMARC: 0,skipped - DMARC Disabled], [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 0,Pass], [_DKIM: 0,Pass], [_ARC: none], [UBL: 0], [SORBS - NEW: 0], [BARRACUDA: 0], [SORBS - DUL: 0], [IX: 0], [UCEPROTECT LEVEL 3: 0], [SEM-BS: 0], [CBL - ABUSE SEAT: 0], [SENDERSCORE: 0], [SORBS: 0], [BACKSCATTER: 0], [GBUDB: 0], [SPAMHAUS - ZEN: 0], [BONDEDSENDER: 0], [HOSTKARMA - BLACKLIST: 0], [MCAFEE: 0], [IADB: 0], [SPAMRATS: 0], [SURRIEL: 0], [UCEPROTECT LEVEL 1: 0], [SORBS - NOMAIL: 0], [SPAMCOP: 0], [SORBS - RECENT: 0], [SEM-BL: 0], [MSRBL: 0], [HOSTKARMA - YELLOW: 0], [UCEPROTECT LEVEL 2: 0]
[2025.06.05] 10:04:12.321 [17333575] Spam Checks completed.
[2025.06.05] 10:04:12.359 [17333575] Removed from SpamCheckQueue (0 queued or processing)
[2025.06.05] 10:04:14.643 [17333575] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2025.06.05] 10:04:14.643 [17333575] [LocalDeliveryQueue] Begin Processing.
[2025.06.05] 10:04:14.644 [17333575] Starting local delivery to my@email.account
[2025.06.05] 10:04:14.653 [17333575] Message saved to MailProcessing directory for my@email.account. File name: 17333575-30004-NOID.tmpmsg
[2025.06.05] 10:04:14.654 [17333575] Process delivery status notification step from local recipient success. Recipient: [my@email.account], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2025.06.05] 10:04:14.654 [17333575] Delivery for 010201973f552b26-968125e8-086a-4146-b9d2-51e9e3afbd6e-000000@bounce.komoot.de to my@email.account has completed (Delivered) Filter: None
[2025.06.05] 10:04:14.654 [17333575] End delivery to my@email.account (MessageID: <010201973f552b26-968125e8-086a-4146-b9d2-51e9e3afbd6e-000000@eu-west-1.amazonses.com>)
[2025.06.05] 10:04:14.654 [17333575] Removed from LocalDeliveryQueue (0 queued or processing)
[2025.06.05] 10:04:17.658 [17333575] Removing Spool message: Killed: False, Failed: False, Finished: True
[2025.06.05] 10:04:17.658 [17333575] Delivery finished for 010201973f552b26-968125e8-086a-4146-b9d2-51e9e3afbd6e-000000@bounce.komoot.de at 10:04:17    [id:x17333575]


And another:


[2025.06.05] 07:01:48.468 [17332336] Delivery started for msprvs1=20251kgxgzaCq=bounces-19615-40@sp-bounce.airshipm2.co.uk at 07:01:48
[2025.06.05] 07:01:54.503 [17332336] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.06.05] 07:01:54.503 [17332336] [SpamCheckQueue] Begin Processing.
[2025.06.05] 07:01:54.505 [17332336] Blocked Sender Checks started.
[2025.06.05] 07:01:54.518 [17332336] Blocked Sender Checks completed.
[2025.06.05] 07:01:54.613 [17332336] Spam Checks started.
[2025.06.05] 07:02:04.727 [17332336] Finished running spam checks. Time (non-rbls): 107ms, Time (URIBL/RBLS): 10005ms
[2025.06.05] 07:02:04.729 [17332336] Spam Check results: [_DMARC: 0,skipped - DMARC Disabled], [REVERSE DNS LOOKUP: 0,Passed], [_SPF: 0,Pass], [_DKIM: 0,Pass], [_ARC: none], [BONDEDSENDER: 0], [SURRIEL: 0], [SORBS - RECENT: 0], [SENDERSCORE: 0], [SORBS: 0], [SORBS - DUL: 0], [HOSTKARMA - YELLOW: 0], [SPAMCOP: 0], [IX: 0], [SEM-BL: 0], [BARRACUDA: 0], [SORBS - NEW: 0], [UBL: 0], [UCEPROTECT LEVEL 2: 0], [UCEPROTECT LEVEL 1: 0], [SORBS - NOMAIL: 0], [HOSTKARMA - BLACKLIST: 0], [SPAMHAUS - ZEN: 0], [UCEPROTECT LEVEL 3: 0], [MCAFEE: 0], [BACKSCATTER: 0], [GBUDB: 0], [CBL - ABUSE SEAT: 0], [SEM-BS: 0], [SPAMRATS: 0], [IADB: 0], [MSRBL: 0]
[2025.06.05] 07:02:04.729 [17332336] Spam Checks completed.
[2025.06.05] 07:02:04.776 [17332336] Removed from SpamCheckQueue (0 queued or processing)
[2025.06.05] 07:02:06.556 [17332336] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2025.06.05] 07:02:06.556 [17332336] [LocalDeliveryQueue] Begin Processing.
[2025.06.05] 07:02:06.557 [17332336] Starting local delivery to my@email.account
[2025.06.05] 07:02:06.559 [17332336] Message saved to MailProcessing directory for my@email.account. File name: 17332336-90004-NOID.tmpmsg
[2025.06.05] 07:02:06.559 [17332336] Process delivery status notification step from local recipient success. Recipient: [my@email.account], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2025.06.05] 07:02:06.559 [17332336] Delivery for msprvs1=20251kgxgzaCq=bounces-19615-40@sp-bounce.airshipm2.co.uk to my@email.account has completed (Delivered) Filter: None
[2025.06.05] 07:02:06.559 [17332336] End delivery to my@email.account (MessageID: <25.30.46823.3C231486@i-0e7ab2fdf9aa000f5.mta3vrest.sd.prd.sparkpost>)
[2025.06.05] 07:02:06.559 [17332336] Removed from LocalDeliveryQueue (0 queued or processing)
[2025.06.05] 07:02:09.578 [17332336] Removing Spool message: Killed: False, Failed: False, Finished: True
[2025.06.05] 07:02:09.578 [17332336] Delivery finished for msprvs1=20251kgxgzaCq=bounces-19615-40@sp-bounce.airshipm2.co.uk at 07:02:09    [id:x17332336]
Douglas Foster Replied
Now find 1732115 and the other transaction numbers in the SMTP log, so that you know the source IP and host names. Then use the geo-IP demo page at maxmind.com to learn the IP block, country, and hosting service. Add blocks on country, host domain, or IP addresses based on best judgement.

Also judge whether the attack is hosted by a legitimate company that will take down the attack if you reach out to them.

Blocking the right attack source will probably block all of this attack group.
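The correlation Douglas is asking for, as an added example (not SmarterMail, Declude or any poster's code): pull each transaction number and envelope sender out of the delivery log, look the same number up in the SMTP log for the remote IP and HELO name, and aggregate per source IP so you can see which sources sent both spam-scored mail and bounce-style mail that got through unfiltered. The delivery-log lines follow the format quoted in the thread; the SMTP-log line shape, the IPs, the domains and every sample line are assumptions constructed for the example, and the MaxMind country/ASN lookup remains a manual step on the IPs the script reports.

```python
import re
from collections import defaultdict

# Added example, not SmarterMail or Declude code. It performs the correlation
# the post above describes: take each transaction number from the delivery
# log, find the same number in the SMTP log to learn the source IP and HELO
# name, and summarise per source IP so a block decision can be made. The
# delivery-log lines follow the format quoted earlier in the thread; the
# SMTP-log line format, the addresses, the IPs and every sample line below are
# constructed for this example (the GeoIP/ASN lookup stays a manual step).

DELIVERY_LOG = """\
[2025.06.05] 00:01:33.401 [17332116] Delivery started for info-XJq@nonsense-domain.example at 00:01:33
[2025.06.05] 00:01:51.493 [17332116] Delivery for info-XJq@nonsense-domain.example to me@example.com has completed (Delivered to Junk E-Mail/Spam-VHi) Filter: Spam (Weight: 67), Action (User Level): PrefixSubject, Spam Very High
[2025.06.05] 07:01:48.468 [17332336] Delivery started for msprvs1=20251kgxgzaCq=bounces-19615-40@sp-bounce.esp.example at 07:01:48
[2025.06.05] 07:02:06.559 [17332336] Delivery for msprvs1=20251kgxgzaCq=bounces-19615-40@sp-bounce.esp.example to me@example.com has completed (Delivered) Filter: None
[2025.06.05] 09:12:02.110 [17332901] Delivery started for bounce-me=example.com@lucky-present.example at 09:12:02
[2025.06.05] 09:12:20.222 [17332901] Delivery for bounce-me=example.com@lucky-present.example to me@example.com has completed (Delivered) Filter: None
[2025.06.05] 09:40:11.010 [17333020] Delivery started for bounce-me=example.com@lucky-present.example at 09:40:11
[2025.06.05] 09:40:29.300 [17333020] Delivery for bounce-me=example.com@lucky-present.example to me@example.com has completed (Delivered) Filter: None
"""

# Assumed SMTP-log shape: "[date] time [remote-ip][transaction] event".
SMTP_LOG = """\
[2025.06.05] 00:01:30.100 [198.51.100.7][17332116] connected at 00:01:30
[2025.06.05] 00:01:30.150 [198.51.100.7][17332116] cmd: EHLO mta1.nonsense-domain.example
[2025.06.05] 07:01:45.000 [192.0.2.40][17332336] connected at 07:01:45
[2025.06.05] 07:01:45.050 [192.0.2.40][17332336] cmd: EHLO mta3.esp.example
[2025.06.05] 09:12:00.000 [198.51.100.7][17332901] connected at 09:12:00
[2025.06.05] 09:12:00.050 [198.51.100.7][17332901] cmd: EHLO mta1.nonsense-domain.example
[2025.06.05] 09:40:09.000 [198.51.100.9][17333020] connected at 09:40:09
[2025.06.05] 09:40:09.050 [198.51.100.9][17333020] cmd: EHLO mta2.nonsense-domain.example
"""

START_RE = re.compile(r"\[(\d+)\] Delivery started for (\S+) at ")
DONE_RE = re.compile(r"\[(\d+)\] Delivery for \S+ to (\S+) has completed \((.*?)\) Filter: (.*)$")
SMTP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]\[(\d+)\] (?:connected|cmd: (?:EHLO|HELO) (\S+))")


def looks_like_bounce_address(sender):
    """True for the envelope-sender shapes seen in the thread: the null sender,
    bounce/prvs/msprvs local parts, VERP '=' encoding of the original
    recipient, or a domain whose first label contains 'bounce'. Legitimate
    ESP mail uses these too, so this only groups; it does not judge."""
    if sender == "":
        return True
    local, _, domain = sender.rpartition("@")
    return bool(re.match(r"(bounce|msprvs|prvs=)", local, re.I)
                or "=" in local
                or "bounce" in domain.split(".")[0].lower())


def parse_delivery(text):
    """Transaction number -> sender, recipient, disposition and filter verdict."""
    tx = {}
    for line in text.splitlines():
        if m := START_RE.search(line):
            tx.setdefault(m.group(1), {})["sender"] = m.group(2)
        elif m := DONE_RE.search(line):
            tx.setdefault(m.group(1), {}).update(
                rcpt=m.group(2), disposition=m.group(3), filter=m.group(4))
    return tx


def parse_smtp(text):
    """Transaction number -> remote IP and HELO/EHLO name from the SMTP log."""
    src = {}
    for line in text.splitlines():
        if m := SMTP_RE.search(line):
            entry = src.setdefault(m.group(2), {"ip": m.group(1), "helo": None})
            if m.group(3):
                entry["helo"] = m.group(3)
    return src


def correlate(delivery_text, smtp_text):
    """Join both logs on the transaction number and aggregate per source IP."""
    tx, src = parse_delivery(delivery_text), parse_smtp(smtp_text)
    per_ip = defaultdict(lambda: {"count": 0, "bounce_style": 0, "spam_flagged": 0,
                                  "unfiltered": 0, "helo": set(), "sender_domains": set()})
    for txid, d in tx.items():
        if txid not in src or "sender" not in d:
            continue
        row = per_ip[src[txid]["ip"]]
        unfiltered = d.get("filter", "None").startswith("None")
        row["count"] += 1
        row["bounce_style"] += looks_like_bounce_address(d["sender"])
        row["spam_flagged"] += not unfiltered
        row["unfiltered"] += unfiltered
        row["helo"].add(src[txid]["helo"])
        row["sender_domains"].add(d["sender"].rpartition("@")[2])
    return dict(per_ip)


def block_candidates(report):
    """Source IPs that already sent spam-scored mail and also got bounce-style
    mail through unfiltered: blocking the source catches what the scoring
    missed. Everything else still needs the manual geo/ASN judgement."""
    return sorted(ip for ip, r in report.items()
                  if r["spam_flagged"] and r["unfiltered"] and r["bounce_style"])


if __name__ == "__main__":
    report = correlate(DELIVERY_LOG, SMTP_LOG)
    for ip, r in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(ip, r["count"], sorted(r["helo"]), sorted(r["sender_domains"]),
              "spam:", r["spam_flagged"], "unfiltered:", r["unfiltered"])
    print("block candidates:", block_candidates(report))
```

Feed it the real log files instead of the embedded strings and adjust `SMTP_RE` to whatever your SMTP log actually prints for the remote IP; the useful output is the per-IP table, from which you take the IPs and HELO names to the GeoIP lookup and decide whether to block the IP, its netblock, or the hosting provider's range.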

