
GWIA-Unable to disable undeliverable outbound status

Status
Not open for further replies.

jstevens

IS-IT--Management
Jul 31, 2001
144
US
Gwia 5.5.7.1

Problem: Email server is getting spammed with random email addresses from spam host generating random smtp sender names and domains. GWIA is queueing up thousands of outbound undeliverable return messages. Send folder is getting stuck and gwia stops processing email.

Ex. user1@mydomain.com, user2, user3, all users are invalid users.

I originally set /badmsg-neither so that bad messages are not saved in the problem folder or sent to the postmaster; however, the server is still responding to the spam sender with undeliverables and I want to turn that function off. Under GWIA - Optional Gateway Settings, Outbound Status Level, I am setting it to None, however GWIA is still sending out und's. The normal setting is Undelivered. I am thinking this is just hard coded into GWIA, Novell expecting no one to want to set it to None. The None setting is flat out not working. I also could not find any GWIA switch to change this option, to put the setting into gwia.cfg.

Secondly, I have added mailer-daemon as a nickname to a user, and I am also getting mailer-daemon errors, of course, as every GW5 system has. 450 host down. So annoying.

Any ideas besides upgrading to 6.5?

 
I would like to know a solution for this also. We are waiting for GroupWise 7 later next year before upgrading and want to deal with all this spam until then. The biggest issue is all the messages trying to go out to the bogus spam e-mail accounts as undeliverable. I can deal with the problem messages in that folder, but these undeliverables to bogus spam addys are being sent and deferred and bogging down the e-mail server. We end up with delays and it's becoming a nightmare to manage these folders manually.

Any ideas out there please?!

Thanks!!
 
Unfortunately I have not found a solution. I have set up a scheduled task on a logged-in machine that is manually deleting these spam replies. It's done late at night, so I am hoping that no valid emails are being done away with.

Neither my company nor the customer is willing to pay for a Novell incident. If anyone has, please update this thread.

Thank you
Jason
 
Working with my firewall vendor, we have determined that this is a "harvesting" attack. This type of attack is very difficult to stop. As GWIA has no way of stopping or preventing this, the firewall's vendor suggested verifying the user's RCPT address first at the email gateway level (spam / AV filter) using an LDAP lookup: if valid, deliver; if not, drop the connection. Most solutions do not provide this availability yet or at all. Our firewall vendor can create a customized solution at the moment and is currently adding this functionality.
The problem is that the harvesting attack email is spoofed as if coming from a valid domain, and the IP address of the sending server is also spoofed and constantly changing, so blocking the IP address at the firewall level is not possible. Enabling the option "Reject mail if senders identity cannot be verified" has no effect. Secondly, the RFC ability of verifying the sender's mailbox is not a possible solution. A good percentage of systems do not allow VRFY (verify) to be run, as a security practice, anyway.

So at the moment the only solution that I am aware of for this type of harvesting attack is to set up a mail filter (spam / AV) and have it do LDAP lookups to verify the RCPT username: if yes, pass; if no, drop.

If anyone has any other ideas or solutions I would love to know.

Thank you
Jason Stevens
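
The recipient check described in the post above, as an added example that is not part of the original thread or any vendor's code: it contrasts accept-then-bounce handling with verification at RCPT time. The directory set, the function names and the `max_bad` threshold are assumptions; a real filter would replace `ldap_recipient_exists` with an LDAP search.

```python
# Constructed stand-in for the LDAP directory of real mailboxes (assumption).
DIRECTORY = {"alice@mydomain.com", "bob@mydomain.com"}

def ldap_recipient_exists(address, directory=DIRECTORY):
    """Placeholder for an LDAP search on the mail attribute (hypothetical helper)."""
    return address.lower() in directory

def accept_then_bounce(mail_from, recipients, exists=ldap_recipient_exists):
    """Behaviour described in the thread: accept everything, bounce afterwards."""
    delivered, bounce_queue = [], []
    for rcpt in recipients:
        if exists(rcpt):
            delivered.append(rcpt)
        else:
            # One undeliverable notice per bad recipient, addressed to a forged sender.
            bounce_queue.append((mail_from, rcpt))
    return delivered, bounce_queue

def verify_at_rcpt(recipients, exists=ldap_recipient_exists, max_bad=1):
    """Gateway filter: check each RCPT TO before accepting anything.

    max_bad=1 mirrors "if no, drop"; a higher value tolerates honest typos.
    Returns (replies, accepted, closed). Nothing is ever queued as a bounce,
    because mail for an unknown recipient is refused during the SMTP session.
    """
    replies, accepted, bad = [], [], 0
    for rcpt in recipients:
        if exists(rcpt):
            accepted.append(rcpt)
            replies.append((rcpt, "250 OK"))
            continue
        bad += 1
        replies.append((rcpt, "550 5.1.1 User unknown"))
        if bad >= max_bad:
            replies.append((None, "421 4.7.0 Too many invalid recipients, closing"))
            return replies, accepted, True
    return replies, accepted, False

if __name__ == "__main__":
    # Constructed sample session: a forged sender probing guessed addresses.
    sender = "x9k2@spoofed.example"
    probes = ["alice@mydomain.com", "user1@mydomain.com", "user2@mydomain.com"]
    print("bounces queued:", len(accept_then_bounce(sender, probes)[1]))
    for rcpt, reply in verify_at_rcpt(probes)[0]:
        print(rcpt, "->", reply)
```
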
 