Eliminating backscatter


Eliminating backscatter

J Doe
Hi,

One of my mail servers (Postfix 3.1.0) is configured to perform virtual domain hosting. It forwards mail to the virtual domain to mailboxes of users on Gmail.

I can see in my mail log that spam with forged origin addresses sometimes comes into my server that is addressed to virtual domain addresses.  My server rejects some of this spam and then generates a non-delivery e-mail to the origin address of the spam.  Of course, as some of those addresses are forged, my server is producing backscatter.

I read the “Backscatter Howto” [1] on the Postfix website, but from what I read this appears to address backscatter when someone is forging the origin address of spam to be from my server (resulting in accounts on my server getting the non-delivery e-mails).  I am looking to correct backscatter that my server generates.

I believe I read that non-delivery e-mails should be disabled and my server should generate a 5.x.x SMTP error code. Is this correct? If so, how do I implement this in main.cf?

Thanks,

- J

Sources:

[1] http://www.postfix.org/BACKSCATTER_README.html

Re: Eliminating backscatter

Noel Jones-2
On 10/30/2017 2:52 PM, J Doe wrote:
> Hi,
>
> One of my mail servers (Postfix 3.1.0) is configured to perform virtual domain hosting. It forwards mail to the virtual domain to mailboxes of users on Gmail.
>
> I can see in my mail log that spam with forged origin addresses sometimes comes into my server that is addressed to virtual domain addresses.  My server rejects some of this spam and then generates a non-delivery e-mail to the origin address of the spam.  Of course, as some of those addresses are forged, my server is producing backscatter.


Your mail server must have a list of valid recipients and reject
mail to unknown recipients.  Where to list the valid recipients
depends on how the domain is defined in postfix.  Most of what you
need can be found in
http://www.postfix.org/ADDRESS_CLASS_README.html

Avoid any wild-card domain rewrites since those disable recipient
validation.

If your mail server does after-queue spam scanning, it MUST NOT
generate a bounce for unwanted mail.  Either tag-and-deliver mail or
scan during SMTP so you can reject (not bounce) unwanted mail.



  -- Noel Jones

Re: Eliminating backscatter

J Doe
Hi Noel,

> On Oct 30, 2017, at 4:07 PM, Noel Jones <[hidden email]> wrote:
>
>> On 10/30/2017 2:52 PM, J Doe wrote:
>> Hi,
>>
>> One of my mail servers (Postfix 3.1.0) is configured to perform virtual domain hosting. It forwards mail to the virtual domain to mailboxes of users on Gmail.
>>
>> I can see in my mail log that spam with forged origin addresses sometimes comes into my server that is addressed to virtual domain addresses.  My server rejects some of this spam and then generates a non-delivery e-mail to the origin address of the spam.  Of course, as some of those addresses are forged, my server is producing backscatter.
>
>
> Your mail server must have a list of valid recipients and reject
> mail to unknown recipients.  Where to list the valid recipients
> depends on how the domain is defined in postfix.  Most of what you
> need can be found in
> http://www.postfix.org/ADDRESS_CLASS_README.html
>
> Avoid any wild-card domain rewrites since those disable recipient
> validation.
>
> If your mail server does after-queue spam scanning, it MUST NOT
> generate a bounce for unwanted mail.  Either tag-and-deliver mail or
> scan during SMTP so you can reject (not bounce) unwanted mail.

Thank you for your reply.  

Now that I think of it, I think I left out some necessary details about my server in my original e-mail.

In my case, with my server configured to do virtual domain hosting (let’s say for the domain example.com), mail addressed to a recipient on my server gets forwarded to the recipient’s corresponding Gmail account.

So for example:

    Spam —> [hidden email] —> [hidden email]

When spam is sent to [hidden email] my server then tries to forward that to [hidden email]. GMail’s spam filters detect spam and generate an SMTP error code.  My server then generates a non-delivery status e-mail.  Because the spam had a forged origin e-mail address, my server then generates backscatter to that forged address.

With regards to your reply, I am not having spam addressed to an unknown recipient at the virtual domain (such as [hidden email]) - this e-mail is addressed to a valid recipient that gets blocked by GMail and then generates backscatter.

I did read the link you provided and I also looked at “Rejecting Unknown Local Recipients with Postfix”, but from that document I was under the impression that I got blocking of unknown recipients automatically in Postfix 3.1.0:

    “As of Postfix version 2.0, the Postfix SMTP server rejects mail for unknown
    recipients in local_domains . . . This feature was optional with earlier Postfix
    versions” [1]

How do I stop backscatter generated from my server in response to the bounces from Gmail?

Thanks again,

- J

Sources:

[1] http://www.postfix.org/LOCAL_RECIPIENT_README.html
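
The flow described in the message above (forward refused by the remote host, then a non-delivery notification sent to the envelope sender) can be measured in the mail log. This is an added example, not part of the original post; the log lines are constructed in standard Postfix syslog layout and all hosts, addresses and queue IDs are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: hosts, addresses and queue IDs are invented; IPs are documentation ranges.
SAMPLE_LOG = """\
Oct 30 14:52:01 mx postfix/qmgr[900]: 3A1B2C4D5E: from=<forged@victim.example>, size=2048, nrcpt=1 (queue active)
Oct 30 14:52:02 mx postfix/smtp[2105]: 3A1B2C4D5E: to=<user@gmail.com>, orig_to=<info@example.com>, relay=gmail-smtp-in.l.google.com[203.0.113.27]:25, delay=1.1, dsn=5.7.1, status=bounced (constructed rejection text)
Oct 30 14:52:02 mx postfix/bounce[2106]: 3A1B2C4D5E: sender non-delivery notification: 7F8E9D0C1B
Oct 30 14:52:02 mx postfix/qmgr[900]: 7F8E9D0C1B: from=<>, size=4096, nrcpt=1 (queue active)
Oct 30 14:52:03 mx postfix/smtp[2107]: 7F8E9D0C1B: to=<forged@victim.example>, relay=mail.victim.example[198.51.100.5]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Oct 30 15:10:44 mx postfix/smtp[2200]: 9C8B7A6F5E: to=<other@gmail.com>, orig_to=<sales@example.com>, relay=gmail-smtp-in.l.google.com[203.0.113.27]:25, delay=0.8, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)")
Event = namedtuple("Event", "orig_qid ndn_qid forwarded_to relay dsn ndn_rcpt ndn_status")

def field(name, text):
    """Return the value of a name=value or name=<value> log field, or None."""
    m = re.search(r"\b%s=<?([^>,\s]*)" % re.escape(name), text)
    return m.group(1) if m else None

def find_backscatter(log_text):
    """Link each rejected forward to the non-delivery notification it caused."""
    rejected = {}    # original queue ID -> (recipient, relay host, DSN code)
    ndn_parent = {}  # queue ID of the notification -> original queue ID
    events = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        svc, qid, rest = m.group("svc", "qid", "rest")
        if svc == "bounce" and "sender non-delivery notification:" in rest:
            ndn_parent[rest.split()[-1]] = qid
        elif svc == "smtp" and qid in ndn_parent and ndn_parent[qid] in rejected:
            # Delivery attempt of the notification itself: this is the backscatter.
            to, relay, dsn = rejected[ndn_parent[qid]]
            events.append(Event(ndn_parent[qid], qid, to, relay, dsn,
                                field("to", rest), field("status", rest)))
        elif svc == "smtp" and field("status", rest) == "bounced":
            relay = (field("relay", rest) or "").split("[")[0]
            rejected[qid] = (field("to", rest), relay, field("dsn", rest))
    return events

if __name__ == "__main__":
    for e in find_backscatter(SAMPLE_LOG):
        print(f"{e.orig_qid}: {e.relay} refused {e.forwarded_to} ({e.dsn}); "
              f"notification {e.ndn_qid} to {e.ndn_rcpt}: {e.ndn_status}")
```

Grouping the returned events by `relay` and `dsn` shows which forwarding destinations and rejection codes account for the notifications the server sends.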

Re: Eliminating backscatter

Noel Jones-2
On 10/30/2017 5:07 PM, J Doe wrote:
>
> How do I stop backscatter generated from my server in response to the bounces from Gmail?
>

This is a very difficult problem to solve.  Your choices are a)
don't accept spam, or b) don't forward to gmail.

There may be information on the web about disabling bounces in
postfix.  Those "solutions" that discard undeliverable mail are not
supported and not recommended, and won't be addressed here.


  -- Noel Jones

Re: Eliminating backscatter

J Doe
Hi Noel,

>> On Oct 30, 2017, at 6:42 PM, Noel Jones <[hidden email]> wrote:
>>
>> On 10/30/2017 5:07 PM, J Doe wrote:
>>
>> How do I stop backscatter generated from my server in response to the bounces from Gmail?
>
> This is a very difficult problem to solve.  Your choices are a)
> don't accept spam, or b) don't forward to gmail.
>
> There may be information on the web about disabling bounces in
> postfix.  Those "solutions" that discard undeliverable mail are not
> supported and not recommended, and won't be addressed here.

Thank you for your reply.

Two things:

1. For anyone following this thread in the future, I thought I’d note that I’ve been doing some more reading and it turns out that my supposition in my previous message that I get blocking of messages to non-existent recipients with Postfix 2.0 and above is correct, but for a different reason than I thought.

I was reading more about “Rejecting Unknown Local Recipients with Postfix” [1] and I realized that this document is referring to e-mail to unknown recipients in the *local domains*.  It goes on to specify that those are domains that match $mydestination, IP addresses in $inet_interfaces or interfaces listed in $proxy_interfaces.

Because my server is configured to perform virtual domain hosting, I have the following:

   /etc/postfix/main.cf
       mydestination = localhost

...but if a message is sent to a non-existent domain that I *virtually host* for:

    /etc/postfix/main.cf
        virtual_alias_domains = example.com
        virtual_alias_maps = hash:/etc/postfix/virtual

...it generates a NOQUEUE and terminates the SMTP conversation by default.  To catch mail that is addressed to non-existent recipients, I add the following to my virtual_alias_maps hash file:

    /etc/postfix/virtual

    @example.com ADDRESS_TO_SEND_TO

...where ADDRESS_TO_SEND_TO is the e-mail address to catch e-mails addressed to a non-existent domain.

2. Ok, I understand not wanting to talk about disabling bounce messages entirely, but I wondered if there was a more “nuanced” approach to that.

Is it possible to have conditional logic on SMTP error codes? Going through my logs I noticed that when Gmail detects that a message I forward to a Gmail recipient is missing DKIM information, it generates an SMTP error code of: 500-5.7.1. Can I then configure bounce messages based on the following:

    IF SMTP error code = 5.7.1
        AND remote server = GMail
            DON’T generate a bounce message (my server)
    ELSE
        Generate bounce messages (my server)

Thanks,

- J

Sources:

[1] www.postfix.org/LOCAL_RECIPIENT_README.html

Re: Eliminating backscatter

Matus UHLAR - fantomas
On 31.10.17 18:38, J Doe wrote:
>Because my server is configured to perform virtual domain hosting, I have
> the following:
>
>   /etc/postfix/main.cf
>       mydestination = localhost
>
>...but if a message is sent to a non-existent domain that I *virtually host* for:

you apparently mean, non-existent recipient within existent domain
(example.com)

>    /etc/postfix/main.cf
>        virtual_alias_domains = example.com
>        virtual_alias_maps = hash:/etc/postfix/virtual
>
>...it generates a NOQUEUE and terminates the SMTP conversation by default.

which is correct behaviour.

>To catch mail that is addressed to non-existent recipients, I add the
> following to my virtual_alias_maps hash file:
>
>    /etc/postfix/virtual
>
>    @example.com ADDRESS_TO_SEND_TO
>
>...where ADDRESS_TO_SEND_TO is the e-mail address to catch e-mails addressed to a non-existent domain.

Non-existent recipient, again. And this is exactly what causes backscatter.
Don't accept mail to non-existent recipients.  If you really must accept it
(why?), don't forward it, especially not to gmail.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #99999: Out of error messages.
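
The catch-all entry and the off-site forwards discussed in the messages above can be found by auditing the alias map before it is loaded. This is an added example, not part of any poster's message; the map content is constructed around the thread's example.com, and the function names and finding labels are assumptions.

```python
import re

# Constructed /etc/postfix/virtual content for the thread's example.com; addresses are invented.
SAMPLE_VIRTUAL = """\
# forwards for the hosted domain
info@example.com    user@gmail.com
sales@example.com   other@gmail.com,
    archive@example.com
@example.com        catchall@gmail.com
"""

def parse_table(text):
    """Return [(key, [targets])] using Postfix table rules: '#' comments and
    blank lines are ignored, leading whitespace continues the previous line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    entries = []
    for line in logical:
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], [t for t in re.split(r"[,\s]+", parts[1]) if t]))
    return entries

def audit(text, hosted_domains):
    """Flag catch-all keys and forwards that leave the hosted domains."""
    hosted = {d.lower() for d in hosted_domains}
    findings = []
    for key, targets in parse_table(text):
        if key.startswith("@") and key[1:].lower() in hosted:
            # Every address in the domain now resolves, so nothing is rejected as unknown.
            findings.append(("catch-all", key))
        if any("@" in t and t.rpartition("@")[2].lower() not in hosted for t in targets):
            # A refusal by the remote host happens after this server accepted the mail.
            findings.append(("external-forward", key))
    return findings

if __name__ == "__main__":
    for kind, key in audit(SAMPLE_VIRTUAL, ["example.com"]):
        print(f"{kind}: {key}")
```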

Re: Eliminating backscatter

Dirk Stöcker
In reply to this post by J Doe
Hello,

>    IF SMTP error code = 5.7.1
>        AND remote server = GMail
>            DON’T generate a bounce message (my server)
>    ELSE
>        Generate bounce messages (my server)

I use the following approach for this problem, which not only affects GMail,
but also T-Online and any other service rejecting e-mails before or after
reception. The suggestion to not forward e-mail is useless in my eyes, as
this disables a very important feature of the e-mail system.

I use the following settings in /etc/aliases:

myuser:         whateveremailaddress@toforwardyouwant
owner-myuser:   postmaster

Postfix is told to deliver to "myuser" which is then forwarded. Any
bounces don't go to the original user, but to the postmaster instead which
in my case is a SPAM filtered mailbox.

This way you don't prevent bounce messages for the forwards, but instead
receive them yourself. If something goes wrong you will see it, but no
backscatter is going out.

In case of valid bounces (never really happens here) you need to inform
the sender manually.

Note that myuser should not be used otherwise or you will also get any
other bounces, not only the forwards.

There is probably also documentation for that somewhere, but I wasn't
able to find it with a short search ;-)

Ciao
--
http://www.dstoecker.eu/ (PGP key available)