Symantec Brightmail: defending against bounce attacks

A bounce attack occurs when a spammer obscures message origins by using one email server to bounce spam to an address on another server. The spammer does this by inserting a target address into the “Mail From” value in the envelope of their messages then sending those messages to another address.

If the initial recipient finds the message undeliverable, that mail server recognizes the forged "Mail From" value as the original sender, and returns or "bounces" the message to that target. When the targeted system recognizes the server from which the message was bounced as a legitimate sender, it accepts the message as a legitimate non-deliverable receipt (NDR) message.

Bounce attacks can be used to leverage the initial recipient's "good" reputation when sending spam, pollute the initial recipient's IP reputation, or create denial of service attacks at the target's server.

Symantec Brightmail Gateway uses bounce attack prevention to eliminate NDRs that are a result of such redirection while still delivering legitimate NDRs.

To set up bounce attack prevention for your mail system, you must:

Provide a Bounce attack prevention seed value in your Control Center.

See Configuring the Control Center for bounce attack prevention.

Determine and configure the policy groups to which you want the system to apply bounce attack prevention.

See Configuring policy groups for bounce attack prevention.

Assign a policy (a default policy is provided) to the policy group that determines the actions to be taken for NDRs that do not pass bounce attack prevention validation.

See Creating an email spam policy for bounce attack prevention.

Note: For successful processing you must also ensure that all of your applicable outbound mail is routed through the appliance; mail that bypasses the Scanner is sent without a tag, so any bounce it generates will fail validation.

Once your system is configured for bounce attack prevention, Symantec Brightmail Gateway calculates a unique tag from the provided seed value and the current date. Your Scanner inserts this tag into the envelope sender address ("Mail From") of outbound messages sent by users in your defined policy groups.

If the message is then returned as undeliverable, the envelope's return address will contain this tag.

When the system receives a message that appears to be a message returned as undeliverable, the system will compare the inbound message's recipient with the policy group configuration to see if the user's policy group is configured for bounce attack prevention. If the policy group is configured, the system calculates a new tag that includes the seed value and current date, then uses that new tag to validate the tag in the email.

A valid tag on an inbound NDR will include the following:

The correct tag format

A seed value that matches the seed value in the new calculated tag

A date that falls within a week of the new calculated tag

Based on this evaluation, Symantec Brightmail Gateway will do the following:

If the system determines that the tag is valid, the system strips the tag from the envelope and sends the message forward for filtering and delivery per your mail filtering configuration.

If there is no tag, or the tag content does not match the tag calculated for validation, the address is rewritten without the tag information and the message is then handled per your bounce attack prevention policy configuration. An error is logged, the message is counted in your message statistics as a message with a "single threat," and it is also counted in your spam statistics as a "bounce threat."

If your policy defines an action other than "reject" when the message fails validation, the message can acquire more threats and could then be counted in your statistics as a "multiple threat."

If validation cannot be performed because the tag is in an unrecognizable format, the system does not strip the tag and keeps it as part of the address. The system then acts on the message based on the actions you define in your spam policy configuration.
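The tagging and validation flow described above, as an added example that is not part of the original page and not Symantec's code. It models a BATV-style scheme: the tag layout (bat=<day>-<mac>=<local>), the HMAC-SHA256 construction, the seed, the dates, the addresses and the domain-to-policy-group lookup are all constructed assumptions; Brightmail's actual tag format is not documented on this page. The demo walks through the genuine bounce, the forged bounce from the attack description at the top of the page, a tag older than a week, an inbound Control Center configured with a different seed (the warning in the next section), and an unrecognizable tag.

```python
"""BATV-style bounce address tagging, modelled on the flow this page describes.

Constructed example: the tag layout bat=<day>-<mac>=<local>, the HMAC-SHA256
construction, the seed, the dates and the policy-group lookup are assumptions;
Symantec Brightmail's real tag format is not documented on this page.
"""
import hashlib
import hmac
import re
from datetime import date, timedelta
from typing import Dict, Set, Tuple

TAG_RE = re.compile(r"^bat=(?P<day>\d{1,7})-(?P<mac>[0-9a-f]{12})=(?P<local>[^@]+)$")
WINDOW_DAYS = 7  # the page: the tag's date must fall within a week of today

SEED = "Ab3kQ9xZ"                        # eight alphanumeric characters, per the page
TODAY = date(2024, 3, 1)                 # constructed "current date" for determinism
DOMAIN_GROUP = {"example.com": "corp"}   # constructed recipient-domain -> policy group
BAP_GROUPS = {"corp"}                    # groups with bounce attack prevention enabled


def _mac(seed: str, local: str, domain: str, day: int) -> str:
    """Keyed signature over the untagged address and the day number; the seed is
    the HMAC key, so a validator holding a different seed rejects the tag."""
    msg = f"{local}@{domain}|{day}".encode()
    return hmac.new(seed.encode(), msg, hashlib.sha256).hexdigest()[:12]


def tag_sender(seed: str, address: str, today: date) -> str:
    """Rewrite an outbound envelope sender (MAIL FROM) with a dated tag."""
    local, domain = address.rsplit("@", 1)
    day = today.toordinal()
    return f"bat={day}-{_mac(seed, local, domain, day)}={local}@{domain}"


def validate_bounce_recipient(seed: str, address: str, today: date) -> Tuple[str, str]:
    """Classify the recipient (RCPT TO) of an apparent NDR. Returns (verdict, address):
      valid        tag checks out; returned with the tag stripped
      missing      no tag at all; returned unchanged
      invalid      tag present but wrong MAC or stale date; tag stripped
      unparseable  looks tagged but does not fit the format; left untouched
    """
    local, domain = address.rsplit("@", 1)
    if not local.startswith("bat="):
        return "missing", address
    m = TAG_RE.match(local)
    if not m:
        return "unparseable", address
    day = int(m["day"])
    inner = f"{m['local']}@{domain}"
    fresh = abs(today.toordinal() - day) <= WINDOW_DAYS  # either side: tolerates clock skew
    good = hmac.compare_digest(m["mac"], _mac(seed, m["local"], domain, day))
    return ("valid" if fresh and good else "invalid"), inner


def handle_inbound_ndr(seed: str, rcpt: str, today: date,
                       domain_group: Dict[str, str], bap_groups: Set[str]) -> Tuple[str, str]:
    """Gateway decision for an inbound message that looks like an NDR:
      deliver        pass on for normal filtering and delivery
      bounce-policy  log a "bounce threat", apply the bounce attack prevention policy
      spam-policy    tag kept in the address; the regular spam policy decides
    """
    domain = rcpt.rsplit("@", 1)[1]
    if domain_group.get(domain) not in bap_groups:
        return "deliver", rcpt  # recipient's policy group not enabled: no validation
    verdict, clean = validate_bounce_recipient(seed, rcpt, today)
    if verdict == "valid":
        return "deliver", clean
    if verdict == "unparseable":
        return "spam-policy", clean
    return "bounce-policy", clean


def demo() -> Dict[str, Tuple[str, str]]:
    """Walk the scenarios from the page; returns each gateway decision by name."""
    def run(seed: str, rcpt: str, when: date) -> Tuple[str, str]:
        return handle_inbound_ndr(seed, rcpt, when, DOMAIN_GROUP, BAP_GROUPS)

    tagged = tag_sender(SEED, "alice@example.com", TODAY)  # alice's outbound mail is tagged
    return {
        # the remote server bounces alice's own message three days later: genuine NDR
        "legit_bounce": run(SEED, tagged, TODAY + timedelta(days=3)),
        # the same bounce eight days later: outside the one-week window
        "stale_bounce": run(SEED, tagged, TODAY + timedelta(days=8)),
        # a spammer forged MAIL FROM alice@example.com (no tag); the relay bounced it to her
        "forged_bounce": run(SEED, "alice@example.com", TODAY),
        # the inbound Control Center was given a different seed than the outbound one
        "wrong_seed": run("ZzZzZzZz", tagged, TODAY),
        # something that starts like a tag but cannot be parsed
        "garbled_tag": run(SEED, "bat=??=alice@example.com", TODAY),
        # a domain whose policy group has bounce attack prevention disabled
        "not_enabled": run(SEED, "bob@other.example", TODAY),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14} -> {decision}")
```

Two design points carry over to any real deployment: the seed is the key of the construction, so whoever knows it can mint tags that pass validation, and the MAC comparison uses hmac.compare_digest so that a forger cannot learn a valid tag byte by byte from response timing.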

Note: Bounced messages over 50 KB are truncated. Attachments in truncated messages may be unreadable.

Configuring the Control Center for bounce attack prevention

You must configure bounce attack prevention in the Control Center by providing a seed value that will be used to calculate a tag that will be appended to outgoing messages and later used to validate that message if it is returned.

To create a seed value to be used when creating validation tags for outgoing messages

1. In the Control Center, select Administration > Settings > Control Center.
2. Click the Certificates tab.
3. Under Control Center Certificate, enter a Bounce attack prevention seed.

This seed value should consist of eight alphanumeric characters. Treat it as a shared secret: anyone who knows the seed can compute tags that pass validation, so use a random value rather than a guessable word.

4. Click Save.

Warning: If your inbound and outbound messages are handled by different Scanners with different Control Centers, repeat steps 1 through 4 on each Control Center, using the same seed value. This ensures that all inbound and outbound servers calculate the same tags for validation; a Control Center with a different seed will reject every NDR for messages tagged by the other.

Note: For successful processing you must ensure that all of your applicable outbound mail is routed through the appliance.

You must now enable bounce attack prevention for your policy groups and assign a spam policy that describes the actions to be taken when a message does not pass bounce attack validation. If you do not enable at least one policy group for bounce attack prevention, bounce attack prevention will be disabled and your system will not be protected from bounce attacks.

See Configuring policy groups for bounce attack prevention.

A default spam policy is provided, called "Failed Bounce Attack Validation: Reject message". You can use this policy as is, edit it, or create your own policy.

Configuring policy groups for bounce attack prevention

Once you configure bounce attack prevention in the Control Center Settings page, you must enable the policy groups to which the system should apply validation and assign a bounce attack prevention policy.

To configure policy groups for bounce attack prevention

1. In the Control Center, select Administration > Users > Policy Groups.
2. Select the policy group you want to edit, or create a new one, then select the Spam tab for that policy group.
3. Under Email, check Enable bounce attack prevention for this policy group.
4. For the Bounce attack prevention policy, select the policy you want to apply to bounced messages.

This policy must contain the condition, "If a message fails bounce attack validation" and actions to be taken should bounce address tag validation fail. Symantec Brightmail Gateway provides a default policy: "Failed Bounce Attack Validation: Reject message." This default policy is configured to reject messages that fail tag validation.

You can also edit this policy or create a new one.

See Creating an email spam policy for bounce attack prevention.

5. Click Save.

Note: For successful processing, you must ensure that all of your applicable outbound mail is routed through the appliance.

Creating an email spam policy for bounce attack prevention

In order to enable bounce attack prevention, you must enable your policy groups for bounce attack prevention and assign a spam policy that describes the actions to be taken when a message does not pass bounce attack validation.

Symantec Brightmail Gateway provides you with a default bounce policy called "Failed Bounce Attack Validation: Reject message". This default policy provides one action, which is to reject all messages that fail tag validation. You can edit this policy to change the actions taken, or you can create a new policy to suit your specific needs.

Create an email spam policy for bounce attack prevention conditions

1. In the Control Center, click Spam > Policies > Email.
2. Click Add to create a new policy.
3. Enter a name for the new policy, and for If the following condition is met: select "If a message fails bounce attack validation".

The Apply to field is automatically set to "inbound messages" and disabled: this condition can only be used in an inbound policy. The outbound behavior (tagging) is fixed and cannot be modified.

4. Select the actions that should be applied if a bounce message fails validation. An action "Reject messages failing bounce attack validation" is provided, or you can select any other action as desired.

Be sure to consider your existing spam policies and how they might affect your overall email configuration.

5. Under Apply to the following policy groups, select the policy groups to which you want to apply this policy.

6. Click Save.

Sources:

http://www.gzone.it

http://seer.entsupport.symantec.com/docs/322196.htm