Backscatter Sucks

March 27th, 2008 by mkatz

Yesterday seemed to be backscatter day for us and for a few of our customers so I thought I would write a little bit about it. First of all, a brief definition. Backscatter refers to bounce messages that come from spam that was bounced by some remote site. Hopefully, it stems from someone forging your email address as the original sender. The alternative is that some machine in your network was exploited, but mostly it is just simple forgery. The net result in either case is that you are flooded with bounce messages from all over the world from email that was sent to unknown email accounts or recognized as spam before it was accepted.

Backscatter is a major pain in the ass for many reasons. If your email server bounces the bounce messages, for example because the original bounces are addressed to unknown users, and the rate of bounces is high, then your mail server can be blacklisted as a spammer. For example, forged mail to stevewashedupbillionairecase@aol.com from wannabebillionaire@messagepartners.com is bounced by aol.com. Now Message Partners bounces that bounce, since wannabebillionaire@messagepartners.com is unknown. Multiply this by 1000, as can happen in a backscatter deluge, and you can imagine that AOL gets pissed about all of our bounce messages and blacklists us for a while.

Even more annoying is when the forged address is your real email address. Now your mobile email device is going nuts telling you about all of the bounce messages that were sent to invalid users in your name.

Here is an example of headers from backscatter:

Microsoft Mail Internet Headers Version 2.0
Received: from 68-185-134-174.dhcp.jcsn.tn.charter.com ([68.185.134.174]) by ppcwm.org with Microsoft SMTPSVC(6.0.3790.3959);
Wed, 26 Mar 2008 18:37:03 -0400
Message-ID: <000501c88f92$0569e9fb$dcc2daaf@ilefylfs>
From: "hubert chanshin"
To:
Subject: Massive discounts for purchases in the month of March are available.

The problem is further exacerbated because most filters don't reject the message during the SMTP session; they accept it and then send a separate bounce message, so spam gateways see those messages as legitimate bounces and don't classify them as spam.

The root cause is a major design flaw in the SMTP protocol that allows anyone to claim to be anyone when sending email. There have been a number of band-aids for this, such as Sender Policy Framework, but they are mostly ineffective. I get a laugh looking at all of the bounce messages from the recent backscatter attack: many include SPF checks that show a violation, yet the site still sends me a bounce.

You can learn a lot from all of these bounce messages, and being geekish in the antispam industry, I find it interesting. I can see what types of email gateways are in use, how many people use home-grown SpamAssassin-based gateways, how different spam configurations are set up, how botnets work and more. But most of all, backscatter is just annoying.

So here are some tips to end it.

1) With MPP we were able to block many thousands of messages using our thresholds. Once we detect a certain number of bounces from a remote server in a period of time, we temporarily block the host.

2) With MPP we also blocked many using our contentfilter module and setting some very basic PCRE-based filters to block based on content. This is not very dynamic, but pretty effective.

3) The Postfix site has some good tips, but it is a similar approach to using static content filters as described in step 2.
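The two MPP tips above, a per-host bounce-rate threshold and static PCRE content filters, can be sketched in a few dozen lines. This is an added example and is not MPP's code or anything from the post: it assumes messages arrive as (envelope sender, source host, Unix timestamp, raw text) tuples, and every host, address, regex pattern and sample message below is constructed for the example (the sample bounce quotes the spam subject from the headers shown earlier).

```python
import re
from collections import defaultdict, deque

# Tip 2: basic PCRE-style content filters. A bounce that quotes the spam
# campaign's subject is backscatter from that campaign. (Constructed pattern.)
CONTENT_FILTERS = [
    re.compile(r"massive discounts for purchases", re.I),
]
# Header signatures of a bounce / delivery status notification (constructed).
BOUNCE_FROM_RE = re.compile(r"(?:mailer-daemon|postmaster)@", re.I)
BOUNCE_SUBJECT_RE = re.compile(
    r"^(?:undeliver|delivery (?:status|failure)|returned mail|mail delivery failed|failure notice)",
    re.I)


def split_message(raw):
    """Split raw message text into (headers dict, body). Folded header lines
    (continuations starting with whitespace, like the Received header in the post) are joined."""
    headers, current, lines = {}, None, raw.splitlines()
    body_start = len(lines)
    for i, line in enumerate(lines):
        if not line.strip():               # first blank line ends the header block
            body_start = i + 1
            break
        if line[0] in " \t" and current:   # continuation of the previous header
            headers[current] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        headers[current] = value.strip()
    return headers, "\n".join(lines[body_start:])


def is_bounce(envelope_sender, headers):
    """A null envelope sender is the standard bounce signature; From/Subject are fallbacks."""
    if envelope_sender in ("", "<>"):
        return True
    if BOUNCE_FROM_RE.search(headers.get("from", "")):
        return True
    return bool(BOUNCE_SUBJECT_RE.search(headers.get("subject", "")))


def content_filter_hit(raw):
    return any(p.search(raw) for p in CONTENT_FILTERS)


class BounceRateLimiter:
    """Tip 1: count bounces per sending host in a sliding window and block the host
    temporarily once the threshold is reached."""

    def __init__(self, threshold=5, window=60, block_for=600):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.recent = defaultdict(deque)   # host -> timestamps of recent bounces
        self.blocked_until = {}            # host -> time the temporary block expires

    def is_blocked(self, host, now):
        until = self.blocked_until.get(host)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[host]       # block has expired
        return False

    def record_bounce(self, host, now):
        """Return True if this bounce pushed the host over the threshold (block starts now)."""
        q = self.recent[host]
        q.append(now)
        while q and now - q[0] > self.window:   # drop bounces outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[host] = now + self.block_for
            q.clear()
            return True
        return False


def classify(messages, limiter):
    """messages: iterable of (envelope_sender, source_host, unix_time, raw_text).
    Returns a list of (host, time, decision) tuples."""
    decisions = []
    for envelope_sender, host, ts, raw in messages:
        if limiter.is_blocked(host, ts):
            decisions.append((host, ts, "tempfail; host blocked"))
            continue
        headers, _body = split_message(raw)
        if not is_bounce(envelope_sender, headers):
            decisions.append((host, ts, "accept"))
            continue
        over = limiter.record_bounce(host, ts)
        if content_filter_hit(raw):
            decision = "reject; content filter"
        elif over:
            decision = "bounce; host blocked"
        else:
            decision = "bounce"
        decisions.append((host, ts, decision))
    return decisions


# Constructed sample traffic: one bounce quoting the spam subject, a burst of
# generic DSNs from one host, and one ordinary message.
DSN = ("From: MAILER-DAEMON@mx.example.net\r\nTo: victim@example.com\r\n"
       "Subject: Delivery Status Notification (Failure)\r\n\r\n"
       "The following address failed: nobody@example.com\r\n")
SAMPLE_MESSAGES = [
    ("", "192.0.2.10", 100,
     "From: MAILER-DAEMON@mx.example.net\r\nTo: victim@example.com\r\n"
     "Subject: Undelivered Mail Returned to Sender\r\n\r\n"
     "Your message could not be delivered.\r\n\r\n"
     "Subject: Massive discounts for purchases in the month of March are available.\r\n"),
    ("", "198.51.100.7", 110, DSN),
    ("", "198.51.100.7", 120, DSN),
    ("", "198.51.100.7", 125, DSN),
    ("", "198.51.100.7", 130, DSN),
    ("alice@example.org", "203.0.113.5", 140,
     "From: Alice <alice@example.org>\r\nTo: bob@example.com\r\nSubject: Lunch?\r\n\r\nNoon?\r\n"),
    ("", "198.51.100.7", 800, DSN),
]

if __name__ == "__main__":
    limiter = BounceRateLimiter(threshold=3, window=60, block_for=600)
    for host, ts, decision in classify(SAMPLE_MESSAGES, limiter):
        print(f"{ts:5d} {host:15} {decision}")
```

With a threshold of three bounces per minute, the third DSN from 198.51.100.7 trips the block, the fourth is temp-failed, and the one arriving after the block expires is counted afresh; the bounce quoting the spam subject is rejected by the content filter regardless of rate. Counting only messages that look like bounces keeps a busy but legitimate mail exchanger from being blocked for ordinary traffic.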

So in summary, backscatter sucks, MPP can help, but it is a problem endemic to a poorly designed sender verification protocol (i.e. none) in basic SMTP.

Posted in Opinions on Email Security | No Comments »

It's Never Been Easier

March 23rd, 2008 by mkatz

The number one complaint we hear about MPP is that it needs to be easier to install and manage. To this end we are pleased to release a redux of our VMware virtual appliance.

It has never been easier to install MPP than now. With the MPP Virtual Appliance you can have a complete antispam and email archival gateway running in less than 10 minutes after download. You can install on Windows, Linux or Mac OS X and the user needs no knowledge of Linux to configure the system in a typical application.

We are continuing our efforts to improve the MPP user experience and I thank you all for your candid feedback.

Download from here:
http://www.messagepartners.com/wp-content/downloads/

Readme:
ftp://ftp.messagepartners.com/pub/appliance/README.txt


Posted in MPP Releases and Fixes | No Comments »

MPP Community Edition?

March 13th, 2008 by mkatz

We’ve been getting a few questions about MPP Community edition so I thought I would give you a brief update on the product. First of all, it is alive here and you can download here. It was unintentionally orphaned during the move of the web site to our new platform.

More importantly though, I want to explain what MPP Community is. MPP Community (aka MPP Free Edition) was released to build the MPP user base and name recognition. It represented the first version of our product but was scaled down to support only free content scanners, ClamAV and SpamAssassin. It is easier to use than some of the open source apps that do something similar, like amavisd, but it is more streamlined in functionality.

In reality, MPP Community has turned out to be a mixed blessing. We do have many people using it, but few are interested in becoming paying customers. Furthermore, MPP Community is soooooo much less interesting and powerful than MPP that people get the wrong idea about MPP itself. There is virtually no resemblance between MPP Community and our commercial product from the perspective of the GUI, functionality and more.

So for now we will keep MPP Community going with no changes and we will see what the future holds.

Thank you for your continued support.

Posted in MPP Releases and Fixes, News and Tidbits | 4 Comments »

MPP Enters the Screencast World

March 10th, 2008 by mkatz

I am pleased to announce the first MPP screencast. This screencast shows the steps for initial configuration of MPP Manager and describes some of the features of MPP GUI.

Get It Here

You must be registered on the support site to get this content.

Posted in MPP Releases and Fixes | No Comments »

Old friends - MPP and SpamAssassin

March 4th, 2008 by mkatz

Despite the fact that all MPP antispam plug-ins out-perform and are far more efficient than SpamAssassin, many MPP users still use SpamAssassin in their antispam arsenal. MPP has many advantages for use with SpamAssassin and I thought I would articulate a few in this blog post.

  • Quarantine Management - MPP has an excellent quarantine and archive manager that can be customized and translated and adapted for any application. MPP quarantine management for SpamAssassin is great for service providers because it is multi-domain and supports many different authentication schemes.
  • Amavisd replacement - Amavisd is great for super-power users, but for the rest of us it can be complicated, slow and resource hungry. MPP is easy to manage and deploy and offers many features and options not available in AmavisD including GUI management, Archival, Attachment Stripping and much more. MPP is much faster than AmavisD, and even though SpamAssassin is still a horrid performer, MPP will make SA feel faster.
  • Scaling SpamAssassin - MPP has native load balancing algorithms to load balance across multiple instances of spamd, either remote or locally.
  • Layered spam protection - MPP effortlessly combines commercial spam scanners with SpamAssassin.
  • Familiar options like score reports, header/subject marks, spam symbols and more

So here are just a few of the many ways that MPP makes SpamAssassin easier to use, easier to manage and easier to integrate. MPP has been working with SpamAssassin from the beginning, like an old friend who’s sort of a pain in the ass, but is a cheap date, pretty fat and always a good laugh.


Posted in Opinions on Email Security, Uncategorized | No Comments »