From: Marcus Frischherz on 18 Apr 2010 08:10

Hi,

I am new to postfix, so sorry for any inconvenience caused by questions which may have been discussed already. I did google for my problem first, though.

I recently migrated an internet server including mail services for a small group of users from linux to Mac OSX server (not my idea). On linux I used to run the MTA with exim, so I have some familiarity with MTAs in general, but not with postfix. The postfix on the Mac OSX server is so far more or less what you can do with the server admin (meaning Apple defaults, basically).

Here comes the question/problem: I noticed a considerable amount of wicked spam, which seems to work like this: It puts a valid existing local user not only in the To: but also in the From: header. The spam gets filtered alright by spamassassin, and then it bounces, but it doesn't bounce to the actual real originator, but to the local user. So in this way the spammer manages to deliver the spam to the addressee, although it is filtered by spamassassin, abusing the bounce concept.

I searched the internet about disabling bounce messages, and came across a post where Wietse Venema wrote that he will not allow "over his dead body" disabling bouncing. Now, maybe I misunderstand something here, and my problem and the quoted post do not relate to the same kind of bounces. It seems to me that this type of bounce is highly undesirable, so how to avoid it?

In my exim setup I silently sent all suspicious mail (virus infected or spam) to a special account, where it would get deleted automatically after one month. I kept it there in case some user complained about not receiving a specific mail. I did not generate bounce mails, and did not reject delivery. Basically, I want to do the same now.

kind regards,
Marcus

PS: output of postconf -n:

bash-3.2# postconf -n
biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
header_checks = pcre:/etc/postfix/custom_header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mail_owner = _postfix
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 104857600
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = s44.at
mydomain_fallback = localhost
myhostname = server.s44.at
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
smtpd_pw_server_security_options = cram-md5,gssapi,plain,login
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/certificates/server.s44.at.4EF6136BE9E4DFBF0724E064F5B5FB3DD9856EC2.chain.pem
smtpd_tls_cert_file = /etc/certificates/server.s44.at.4EF6136BE9E4DFBF0724E064F5B5FB3DD9856EC2.cert.pem
smtpd_tls_exclude_ciphers = SSLv2, aNULL, ADH, eNULL
smtpd_tls_key_file = /etc/certificates/server.s44.at.4EF6136BE9E4DFBF0724E064F5B5FB3DD9856EC2.key.pem
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains = $virtual_alias_maps hash:/etc/postfix/virtual_domains
virtual_alias_maps = hash:/etc/postfix/virtual_users

From: Charles Marcus on 18 Apr 2010 08:37

On 2010-04-18 8:10 AM, Marcus Frischherz wrote:
> The spam gets filtered alright by spamassassin, and then it bounces, but
> it doesn't bounce to the actual real originator, but to the local user.
> So in this way the spammer manages to deliver the spam to the addressee,
> although it is filtered by spamassassin, abusing the bounce concept.

That is your problem. Either set up your anti-spam filter as a pre-queue filter, so you can smtp reject it, rather than accept>bounce it, or do *not* bounce it but deliver it tagged and/or to a spam folder.

What you are engaging in is called backscatter, and can eventually get you blacklisted if your server is high enough volume:

http://www.postfix.org/BACKSCATTER_README.html

--
Best regards,
Charles

From: Marcus Frischherz on 18 Apr 2010 09:47

On 18.04.10 14:37, Charles Marcus wrote:
> On 2010-04-18 8:10 AM, Marcus Frischherz wrote:
>
>> The spam gets filtered alright by spamassassin, and then it bounces, but
>> it doesn't bounce to the actual real originator, but to the local user.
>> So in this way the spammer manages to deliver the spam to the addressee,
>> although it is filtered by spamassassin, abusing the bounce concept.
>>
> That is your problem. Either set up your anti-spam filter as a pre-queue
> filter, so you can smtp reject it, rather than accept>bounce it, or do
> *not* bounce it but deliver it tagged and/or to a spam folder.
>
> What you are engaging in is called backscatter, and can eventually get
> you blacklisted if your server is high enough volume:
>
> http://www.postfix.org/BACKSCATTER_README.html
>
>

Thanks for the link. I read it, and I realize that it is related to my problem. However, this link describes how to block incoming backscatter, while my problem seems to be that postfix with these settings creates backscatter (maybe relaying it to outside users as well, certainly, as evidenced by my mail box, internally). This is exactly the reason why I want to disable the bounce, and the question is how. Temporarily I commented out the line

#bounce unix - - n - 0 bounce

in master.cf, but I think that this is not the ideal solution, as now undeliverable mails start queuing up.

regards,
Marcus

From: mouss on 18 Apr 2010 10:06

Marcus Frischherz wrote:
> [snip]
> Thanks for the link. I read it, and I realize that it is related to my
> problem. However, this link describes how to block incoming backscatter,
> while my problem seems to be that postfix with these settings creates
> backscatter (maybe relaying it to outside users as well, certainly, as
> evidenced by my mail box, internally). This is exactly the reason why I
> want to disable the bounce, and the question is how. Temporarily I
> commented out the line
> #bounce unix - - n - 0 bounce
>

don't do that. people will lose mail...

> in master.cf, but I think that this is not the ideal solution, as now
> undeliverable mails start queuing up.
>

the config is in amavisd-new, not in postfix. In amavisd.conf, use

$final_spam_destiny = D_PASS;

so that spam is delivered (and not rejected/bounced), then configure your delivery mechanism to put spam in a Spam folder (assuming IMAP or webmail, not POP3).

alternatively, configure amavisd-new to quarantine spam. but then you'll need a way to handle the quarantine.

in postfix, consider using

reject_rbl_client zen.spamhaus.org

in your access checks. search postfix docs or the web if this is unclear.
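
An added example, not part of the original thread or of any poster's message: an amavisd.conf fragment contrasting the spam dispositions that produce backscatter behind an after-queue content_filter with the two that do not. The score thresholds, the subject tag and the 'spam-quarantine' local quarantine name are assumed values for illustration.

```perl
# amavisd.conf fragment (Perl syntax). Added illustration; the thresholds
# and the quarantine target are assumed values, not taken from the thread.

# --- Dispositions that cause backscatter behind content_filter ----------
# With content_filter = smtp-amavis:[127.0.0.1]:10024, Postfix has already
# accepted the message before amavisd-new scans it, so the remote client
# can no longer be refused. Any non-delivery report goes to the envelope
# sender, which the spammer forged to be the local recipient.
#
# $final_spam_destiny = D_BOUNCE;  # amavisd-new sends the DSN itself
# $final_spam_destiny = D_REJECT;  # amavisd-new answers 5xx to Postfix,
#                                  # and Postfix then generates the bounce

# --- Option A: deliver tagged, let the mail store file it ---------------
$final_spam_destiny  = D_PASS;        # never bounce, never drop
$sa_tag_level_deflt  = -999;          # always add X-Spam-Status/X-Spam-Level
$sa_tag2_level_deflt = 5.0;           # at or above: add X-Spam-Flag: YES
$sa_kill_level_deflt = 5.0;           # at or above: message counts as spam
$sa_spam_subject_tag = '***SPAM*** '; # visible marker for POP3 users

# A delivery-side rule (for example a Sieve script in the LDA) can then
# match "X-Spam-Flag: YES" and file the message into a Spam folder.

# --- Option B: drop silently but keep a copy ----------------------------
# Closest to the exim setup described in the first post: no bounce, no
# delivery, message retained for later inspection. Expiring old quarantine
# files is a separate housekeeping job.
#
# $final_spam_destiny = D_DISCARD;
# $spam_quarantine_to = 'spam-quarantine';  # local files in $QUARANTINEDIR
```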

From: Charles Marcus on 18 Apr 2010 10:07

On 2010-04-18 9:47 AM, Marcus Frischherz wrote:
>> What you are engaging in is called backscatter, and can eventually get
>> you blacklisted if your server is high enough volume:
>>
>> http://www.postfix.org/BACKSCATTER_README.html

> Thanks for the link. I read it, and I realize that it is related to my
> problem. However, this link describes how to block incoming back-scatter,
> while my problem seems to be that postfix with these settings creates
> backscatter (maybe relaying it to outside users as well, certainly, as
> evidenced by my mail box, internally).

Postfix is only doing what you told it to do. I sent the link so you'd understand what back-scatter is.

> This is exactly the reason why I want to disable the bounce, and the
> question is how. Temporarily I commented out the line
> #bounce unix - - n - 0 bounce
>
> in master.cf, but I think that this is not the ideal solution, as now
> undeliverable mails start queuing up.

Please show entire master.cf file...

I don't use spamassassin, so can't tell you off the top of my head how to tell it to stop rejecting mail it detects as spam, but I'm pretty sure it depends on how you have integrated it. Are you using amavisd-new?

--
Best regards,
Charles