Backscatter problem?


Backscatter problem?

Gaston Dassieu Blanchet
Dear All,

I have found the below in my Postfix logs. I believe I have a backscatter problem, which seems to have gotten me in some SPAM black lists out there:

root@Natsumi:/home/root# cat /var/log/maillog* | grep 54EF0453B
Aug 18 18:26:19 Natsumi postfix/smtpd[12950]: 54EF0453B: client=c-68-44-19-67.hsd1.nj.comcast.net[68.44.19.67]
Aug 18 18:26:20 Natsumi postfix/cleanup[12954]: 54EF0453B: message-id=18133201c901e5$edf450c0$43132c44@computer2007
Aug 18 18:26:20 Natsumi postfix/qmgr[2661]: 54EF0453B: from=<[hidden email]>, size=1009, nrcpt=5 (queue active)
Aug 18 18:26:21 Natsumi postfix/local[12959]: 54EF0453B: to=<[hidden email]>, relay=local, delay=2.3, delays=1.8/0.42/0/0.02, dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<[hidden email]>, relay=local, delay=2.3, delays=1.8/0.27/0/0.2, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file //Maildir/tmp/1219094781.P12958.Natsumi: Permission denied)
Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<[hidden email]>, relay=local, delay=2.3, delays=1.8/0.47/0/0.01, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /var/spool/uucppublic/Maildir/tmp/1219094781.P12958.Natsumi: Permission denied)
Aug 18 18:26:21 Natsumi postfix/local[12959]: 54EF0453B: to=<[hidden email]>, relay=local, delay=2.3, delays=1.8/0.45/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 Natsumi postfix/local[12955]: 54EF0453B: to=<[hidden email]>, relay=local, delay=2.3, delays=1.8/0.07/0/0.45, dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender non-delivery notification: 6B26F4544
Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 54EF0453B: removed

If my understanding is correct, I am receiving SPAM with a forged source address. This SPAM is accepted by my valid mailboxes ([hidden email] above), and *bounced* (not rejected!) by my invalid mailboxes (mail, uucp, ... above).

This bounce notification is then sent to the forged source address:

root@Natsumi:/home/root# cat /var/log/maillog* | grep 6B26F4544
Aug 18 18:26:21 Natsumi postfix/cleanup[12962]: 6B26F4544: message-id=<[hidden email]>
Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 6B26F4544: from=<>, size=3502, nrcpt=1 (queue active)
Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender non-delivery notification: 6B26F4544
Aug 18 18:26:25 Natsumi postfix/smtp[12944]: 6B26F4544: to=<[hidden email]>, relay=networkworld.com.s6a1.psmtp.com[64.18.5.10]:25, delay=4.1, delays=0.09/0/3.4/0.58, dsn=5.0.0, status=bounced (host networkworld.com.s6a1.psmtp.com[64.18.5.10] said: 550 No such user - psmtp (in reply to RCPT TO command))
Aug 18 18:26:26 Natsumi postfix/qmgr[2661]: 6B26F4544: removed

I am quite worried about this. Could anyone kindly help me figure out which Postfix 2.5.1 configuration parameters I can use to prevent this type of abuse?

Thank you very much in advance,

Gaston DASSIEU-BLANCHET


Re: Backscatter problem?

mouss-2
Gaston Dassieu Blanchet wrote:

> Dear All,
>
> I have found the below in my Postfix logs. I believe I have a backscatter
> problem, which seems to have gotten me in some SPAM black lists out there:
>
> root@Natsumi:/home/root# cat /var/log/maillog* | grep 54EF0453B
> Aug 18 18:26:19 Natsumi postfix/smtpd[12950]: 54EF0453B: client=
> c-68-44-19-67.hsd1.nj.comcast.net[68.44.19.67]
> Aug 18 18:26:20 Natsumi postfix/cleanup[12954]: 54EF0453B:
> message-id=18133201c901e5$edf450c0$43132c44@computer2007
> Aug 18 18:26:20 Natsumi postfix/qmgr[2661]: 54EF0453B: from=<
> [hidden email]>, size=1009, nrcpt=5 (queue
> active)
> Aug 18 18:26:21 Natsumi postfix/local[12959]: 54EF0453B: to=<
> [hidden email]>, relay=local, delay=2.3, delays=1.8/0.42/0/0.02,
> dsn=2.0.0, status=sent (delivered to maildir)
> Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<
> [hidden email]>, relay=local, delay=2.3, delays=1.8/0.27/0/0.2,
> dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file
> //Maildir/tmp/1219094781.P12958.Natsumi: Permission denied)
> Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<
> [hidden email]>, relay=local, delay=2.3, delays=1.8/0.47/0/0.01,
> dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file
> /var/spool/uucppublic/Maildir/tmp/1219094781.P12958.Natsumi: Permission
> denied)
> Aug 18 18:26:21 Natsumi postfix/local[12959]: 54EF0453B: to=<
> [hidden email]>, relay=local, delay=2.3, delays=1.8/0.45/0/0.03,
> dsn=2.0.0, status=sent (delivered to maildir)
> Aug 18 18:26:21 Natsumi postfix/local[12955]: 54EF0453B: to=<
> [hidden email]>, relay=local, delay=2.3, delays=1.8/0.07/0/0.45,
> dsn=2.0.0, status=sent (delivered to maildir)
> Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender
> non-delivery notification: 6B26F4544
> Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 54EF0453B: removed
>
> If my understanding is correct, I am receiving SPAM with a forged source
> address. This SPAM is accepted by my valid mailboxes (
> [hidden email] above), and *bounced* (not rejected!) by my
> invalid mailboxes (mail, uucp, ... above).
>
> This bounce notification is then sent to the forged source address:
>
> root@Natsumi:/home/root# cat /var/log/maillog* | grep 6B26F4544
> Aug 18 18:26:21 Natsumi postfix/cleanup[12962]: 6B26F4544: message-id=<
> [hidden email]>
> Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 6B26F4544: from=<>, size=3502,
> nrcpt=1 (queue active)
> Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender
> non-delivery notification: 6B26F4544
> Aug 18 18:26:25 Natsumi postfix/smtp[12944]: 6B26F4544: to=<
> [hidden email]>, relay=
> networkworld.com.s6a1.psmtp.com[64.18.5.10]:25, delay=4.1,
> delays=0.09/0/3.4/0.58, dsn=5.0.0, status=bounced (host
> networkworld.com.s6a1.psmtp.com[64.18.5.10] said: 550 No such user - psmtp
> (in reply to RCPT TO command))
> Aug 18 18:26:26 Natsumi postfix/qmgr[2661]: 6B26F4544: removed
>
> I am quite worried about this. Could anyone kindly help me figure out which
> Postfix 2.5.1 configuration parameters I can use to prevent this type of
> abuse?
>
> Thank you very much in advance,

spammer is targeting well-known unix accounts. use
check_recipient_access to reject mail sent to "mail", "uucp", "apache",
"www", "ftp", ... (all unix accounts that are not supposed to receive
mail).

PS. be careful with accounts that are used to run cron jobs. in case of
errors, cron will send mail on behalf of these users. if such mail is
sent to the mail server, it should not be rejected.
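An added example, not code from the thread or from Postfix, that ties the log analysis in Gaston's post to mouss's check_recipient_access advice: it correlates each local delivery bounce with the outgoing non-delivery notification it triggered (the backscatter), then renders an access table that rejects mail for those service accounts at SMTP time while leaving cron-running accounts out. The log lines and addresses are constructed, and `find_backscatter`, `access_map` and the `/etc/postfix/system_accounts` path are names chosen here.

```python
import re
from collections import defaultdict

# Constructed maillog excerpt modelled on the thread (addresses invented): inbound
# 54EF0453B reaches a real user but bounces for system accounts "mail" and "uucp",
# so Postfix emits non-delivery notification 6B26F4544 to the forged sender.
SAMPLE_LOG = """\
Aug 18 18:26:21 Natsumi postfix/local[12959]: 54EF0453B: to=<gaston@example.net>, relay=local, delay=2.3, dsn=2.0.0, status=sent (delivered to maildir)
Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<mail@example.net>, relay=local, delay=2.3, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file //Maildir/tmp/1219094781.P12958.Natsumi: Permission denied)
Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B: to=<uucp@example.net>, relay=local, delay=2.3, dsn=5.2.0, status=bounced (maildir delivery failed: create maildir file /var/spool/uucppublic/Maildir/tmp/1219094781.P12958.Natsumi: Permission denied)
Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender non-delivery notification: 6B26F4544
Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 6B26F4544: from=<>, size=3502, nrcpt=1 (queue active)
Aug 18 18:26:25 Natsumi postfix/smtp[12944]: 6B26F4544: to=<forged@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=4.1, dsn=5.0.0, status=bounced (host mx.example.org[192.0.2.10] said: 550 No such user)
"""

LOCAL_BOUNCE = re.compile(r"postfix/local\[\d+\]: (\w+): to=<([^@>]+)@[^>]*>.*status=bounced")
NDN = re.compile(r"postfix/bounce\[\d+\]: (\w+): sender non-delivery notification: (\w+)")
OUTBOUND = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>, relay=([^,]+)")

def find_backscatter(log_text):
    """Map each outgoing DSN to the inbound message that caused it, the local
    accounts whose delivery bounced, and where the DSN went (the backscatter)."""
    bounced = defaultdict(list)  # inbound queue id -> local parts that bounced
    ndn_to_origin = {}           # DSN queue id -> inbound queue id
    outbound = {}                # queue id -> (address, relay)
    for line in log_text.splitlines():
        if m := LOCAL_BOUNCE.search(line):
            bounced[m.group(1)].append(m.group(2))
        elif m := NDN.search(line):
            ndn_to_origin[m.group(2)] = m.group(1)
        elif m := OUTBOUND.search(line):
            outbound[m.group(1)] = (m.group(2), m.group(3))
    report = {}
    for dsn_id, origin in ndn_to_origin.items():
        address, relay = outbound.get(dsn_id, (None, None))
        report[dsn_id] = {"origin": origin, "accounts": sorted(set(bounced[origin])),
                          "sent_to": address, "relay": relay}
    return report

def access_map(system_accounts, cron_accounts=("root",)):
    """check_recipient_access table rejecting mail for service accounts at SMTP
    time; accounts that run cron jobs are left out so their error mail gets in."""
    lines = ["# reject SMTP mail addressed to service accounts (user@ = local part)"]
    for user in sorted(set(system_accounts) - set(cron_accounts)):
        lines.append(f"{user}@\tREJECT Account {user} does not accept mail")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(find_backscatter(SAMPLE_LOG))
    print(access_map({"mail", "uucp", "apache", "www", "ftp", "root"}))
```

Write the rendered table to /etc/postfix/system_accounts, run `postmap /etc/postfix/system_accounts`, and add `check_recipient_access hash:/etc/postfix/system_accounts` to `smtpd_recipient_restrictions` in main.cf; the `user@` patterns match the local part of recipients in your own domains, so the spam is refused during the SMTP session and no bounce is ever generated.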


Re: Backscatter problem?

Brian Evans - Postfix List
Gaston Dassieu Blanchet wrote:

> Dear All,
>
> I have found the below in my Postfix logs. I believe I have a
> backscatter problem, which seems to have gotten me in some SPAM black
> lists out there:
>
> root@Natsumi:/home/root# cat /var/log/maillog* | grep 54EF0453B
> Aug 18 18:26:19 Natsumi postfix/smtpd[12950]: 54EF0453B:
> client=c-68-44-19-67.hsd1.nj.comcast.net[68.44.19.67]
> Aug 18 18:26:20 Natsumi postfix/cleanup[12954]: 54EF0453B:
> message-id=18133201c901e5$edf450c0$43132c44@computer2007
> Aug 18 18:26:20 Natsumi postfix/qmgr[2661]: 54EF0453B:
> from=<[hidden email]>, size=1009,
> nrcpt=5 (queue active)
>
> Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B:
> to=<[hidden email]>, relay=local,
> delay=2.3, delays=1.8/0.27/0/0.2, dsn=5.2.0, status=bounced (maildir
> delivery failed: create maildir file
> //Maildir/tmp/1219094781.P12958.Natsumi: Permission denied)
> Aug 18 18:26:21 Natsumi postfix/local[12958]: 54EF0453B:
> to=<[hidden email]>, relay=local,
> delay=2.3, delays=1.8/0.47/0/0.01, dsn=5.2.0, status=bounced (maildir
> delivery failed: create maildir file
> /var/spool/uucppublic/Maildir/tmp/1219094781.P12958.Natsumi:
> Permission denied)
>
> Aug 18 18:26:21 Natsumi postfix/bounce[12960]: 54EF0453B: sender
> non-delivery notification: 6B26F4544
> Aug 18 18:26:21 Natsumi postfix/qmgr[2661]: 54EF0453B: removed
>
> If my understanding is correct, I am receiving SPAM with a forged
> source address. This SPAM is accepted by my valid mailboxes
> ([hidden email] above),
> and *bounced* (not rejected!) by my invalid mailboxes (mail, uucp,
> ... above).
>
> I am quite worried about this. Could anyone kindly help me figure out
> which Postfix 2.5.1 configuration parameters I can use to prevent this
> type of abuse?

These are default users that are for services.  They are required;
however, they do not have to receive mail, as mouss has pointed out.

Without 'postconf -n', I can only give some general advice.
If you are not using RBLs, then please start.

Better:
Using a scoring system like postfwd or policyd-weight (development
currently paused).

Brian