NDR when failed to forward mail to external address, now blacklisted on backscatterer

Claudio Kuenzler-2
Hello all,

A shared hosting web server of a customer (running a Postfix with local e-mail addresses and mailboxes) was blacklisted on backscatterer. The relevant information from the backscatterer page pointed me to a moment in time and I was able to check the logs from that given moment (+- 2mins).
I read through some backscatterer descriptions I found and verified that Postfix does not send NDR for non-existing addresses/mailboxes.

But this scenario is slightly different.
An e-mail was sent to destination e-mail address on that shared hosting server. The shared hosting customer decided to forward received e-mails to two external addresses.


The received mail was (probably) identified as spam on the external servers and both refused to accept it, sending it back to Postfix on the shared hosting server. This triggered the NDR to the sender which was (probably) a backscatterer trap.

Jun 23 19:29:09 server postfix/smtp[15870]: 409C11084BCF: to=<[hidden email]>, orig_to=<[hidden email]>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1b]:25, delay=0.56, delays=0.04/0/0.26/0.26, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1b] said: 550-5.7.1 This message does not have authentication information or fails to pass 550-5.7.1 authentication checks. To best protect our users from spam, the 550-5.7.1 message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/answer/81126#authentication for more 550 5.7.1 information. t127si5908730wmg.169 - gsmtp (in reply to end of DATA command))
Jun 23 19:29:10 server postfix/smtp[15871]: 409C11084BCF: to=<[hidden email]>, orig_to=<[hidden email]>, relay=mail.protonmail.ch[185.70.40.103]:25, delay=1.4, delays=0.04/0/0.18/1.2, dsn=5.7.1, status=bounced (host mail.protonmail.ch[185.70.40.103] said: 550 5.7.1 Blocked by SpamAssassin (in reply to end of DATA command))
Jun 23 19:29:10 server postfix/bounce[15878]: 409C11084BCF: sender non-delivery notification: B6C9E1084BD0

My question now is: What is the correct/expected behaviour in such a situation?
The destination e-mail address exists but the mail didn't arrive at the external final destination(s), so sending a NDR to the sender seems legit.
Are there proper ways/configurations to deal with this situation?

thanks!
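
A way to find this pattern in a Postfix mail log, as an added example that is not part of the original post: it pairs `smtp` deliveries that bounced after an `orig_to=` rewrite with the `bounce` line that queued the NDR. The sample log lines, addresses and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the log excerpt above; every address,
# host and queue ID here is made up for the example.
SAMPLE_LOG = """\
Jun 23 19:29:09 server postfix/smtp[100]: AAAA11111111: to=<user@ext1.example>, orig_to=<info@hosted.example>, relay=mx.ext1.example[192.0.2.10]:25, delay=0.56, dsn=5.7.1, status=bounced (host mx.ext1.example[192.0.2.10] said: 550 5.7.1 blocked (in reply to end of DATA command))
Jun 23 19:29:10 server postfix/bounce[101]: AAAA11111111: sender non-delivery notification: BBBB22222222
Jun 23 19:30:00 server postfix/smtp[102]: CCCC33333333: to=<bob@ext2.example>, relay=mx.ext2.example[192.0.2.20]:25, delay=1.0, dsn=5.1.1, status=bounced (host mx.ext2.example[192.0.2.20] said: 550 5.1.1 no such user (in reply to RCPT TO command))
Jun 23 19:30:01 server postfix/bounce[103]: CCCC33333333: sender non-delivery notification: DDDD44444444
Jun 23 19:31:00 server postfix/smtp[104]: EEEE55555555: to=<user@ext1.example>, orig_to=<sales@hosted.example>, relay=mx.ext1.example[192.0.2.10]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# smtp(8) delivery that bounced AND carries orig_to=, i.e. the recipient was
# rewritten (alias/forward) before the message left for a remote relay.
FORWARD_BOUNCE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<to>[^>]*)>, "
    r"orig_to=<(?P<orig>[^>]*)>, relay=(?P<relay>[^,]+),.*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=bounced")
# bounce(8) line recording that an NDR was queued for the envelope sender.
NDR = re.compile(
    r"postfix/bounce\[\d+\]: (?P<qid>\w+): "
    r"sender non-delivery notification: (?P<ndr>\w+)")

def forwarded_bounce_ndrs(log_text):
    """Return one finding per NDR that was caused by a rejected forward."""
    bounced = defaultdict(list)   # queue ID -> rejected forward deliveries
    findings = []
    for line in log_text.splitlines():
        m = FORWARD_BOUNCE.search(line)
        if m:
            bounced[m["qid"]].append(
                (m["orig"], m["to"], m["relay"], m["dsn"]))
            continue
        m = NDR.search(line)
        if m and m["qid"] in bounced:
            findings.append({"qid": m["qid"], "ndr_qid": m["ndr"],
                             "forwards": bounced[m["qid"]]})
    return findings

if __name__ == "__main__":
    for f in forwarded_bounce_ndrs(SAMPLE_LOG):
        print(f["qid"], "-> NDR", f["ndr_qid"], f["forwards"])
```

Bounces without `orig_to=` (the second queue ID in the sample) are ordinary outbound failures and are not reported.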

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Matus UHLAR - fantomas
On 28.06.19 10:10, Claudio Kuenzler wrote:

>A shared hosting web server of a customer (running a Postfix with local
>e-mail addresses and mailboxes) was blacklisted on backscatterer. The
>relevant information from the backscatterer page pointed me to a moment in
>time and I was able to check the logs from that given moment (+- 2mins).
>I read through some backscatterer descriptions I found and verified that
>Postfix does not send NDR for non-existing addresses/mailboxes.
>
>But this scenario is slightly different.
>An e-mail was sent to destination e-mail address on that shared hosting
>server. The shared hosting customer decided to forward received e-mails to
>two external addresses.
>
>[hidden email] -> [hidden email] ->
>[hidden email]
>[hidden email] -> [hidden email] ->
>[hidden email]
>
>The received mail was (probably) identified as spam on the external servers
>and both refused to accept it, sending it back to Postfix on the shared
>hosting server. This triggered the NDR to the sender which was (probably) a
>backscatterer trap.
>
>Jun 23 19:29:09 server postfix/smtp[15870]: 409C11084BCF: to=<
>[hidden email]>, orig_to=<[hidden email]>, relay=
>gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1b]:25, delay=0.56,
>delays=0.04/0/0.26/0.26, dsn=5.7.1, status=bounced (host
>gmail-smtp-in.l.google.com[2a00:1450:400c:c0c::1b] said: 550-5.7.1 This
>message does not have authentication information or fails to pass 550-5.7.1
>authentication checks. To best protect our users from spam, the 550-5.7.1
>message has been blocked. Please visit 550-5.7.1
>https://support.google.com/mail/answer/81126#authentication for more 550
>5.7.1 information. t127si5908730wmg.169 - gsmtp (in reply to end of DATA
>command))
>Jun 23 19:29:10 server postfix/smtp[15871]: 409C11084BCF: to=<
>[hidden email]>, orig_to=<[hidden email]>, relay=
>mail.protonmail.ch[185.70.40.103]:25, delay=1.4, delays=0.04/0/0.18/1.2,
>dsn=5.7.1, status=bounced (host mail.protonmail.ch[185.70.40.103] said: 550
>5.7.1 Blocked by SpamAssassin (in reply to end of DATA command))
>Jun 23 19:29:10 server postfix/bounce[15878]: 409C11084BCF: sender
>non-delivery notification: B6C9E1084BD0
>
>My question now is: What is the correct/expected behaviour in such a
>situation?

You apparently should use SRS when forwarding mail. That will change sender
to your domain so the mail will pass SPF and should not be refused by google.

Also, you won't send backscatter because any errors will be sent to
hosting.example.com postmaster (you?) which may know what to do with them (e.g.
remove the forwarding).

>The destination e-mail address exists but the mail didn't arrive at the
>external final destination(s), so sending a NDR to the sender seems legit.
>Are there proper ways/configurations to deal with this situation?
>
>thanks!

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Viktor Dukhovni
On Fri, Jun 28, 2019 at 10:26:20AM +0200, Matus UHLAR - fantomas wrote:

> >My question now is: What is the correct/expected behaviour in such a
> >situation?
>
> You apparently should use SRS when forwarding mail. That will change sender
> to your domain so the mail will pass SPF and should not be refused by google.

SRS is enough to avoid trouble with SPF, but not enough to avoid
trouble with DMARC.  Email forwarding has been irreparably broken
by DMARC.

--
        Viktor.

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Dominic Raferd


On Fri, 28 Jun 2019 at 14:48, Viktor Dukhovni <[hidden email]> wrote:
> On Fri, Jun 28, 2019 at 10:26:20AM +0200, Matus UHLAR - fantomas wrote:
>
> > >My question now is: What is the correct/expected behaviour in such a
> > >situation?
> >
> > You apparently should use SRS when forwarding mail. That will change sender
> > to your domain so the mail will pass SPF and should not be refused by google.
>
> SRS is enough to avoid trouble with SPF, but not enough to avoid
> trouble with DMARC.  Email forwarding has been irreparably broken
> by DMARC.

Where the original rejected-by-Gmail email appears good, my approach (automated) is to attach it to a new email to the recipient (with Reply-To: set to the original From: header). The body of the new email is a short text explaining to the recipient what has happened. And rewrite the [45]nn [45].n.n response from Gmail to 250 2.0.0 so that the sender isn't wrongly informed that the email couldn't be delivered. It's a kludge but it works well enough (and instances are pretty rare).

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Viktor Dukhovni
On Fri, Jun 28, 2019 at 03:11:03PM +0100, Dominic Raferd wrote:

> > SRS is enough to avoid trouble with SPF, but not enough to avoid
> > trouble with DMARC.  Email forwarding has been irreparably broken
> > by DMARC.
>
> Where the original rejected-by-Gmail email appears good my approach
> (automated) is to attach it to a new email to the recipient (with Reply-To:
> set to the original From: header). The body of the new email is a short
> text explaining to recipient what has happened.

Yes, forwarding by encapsulation as an attachment works.

--
        Viktor.

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Matus UHLAR - fantomas
>> >My question now is: What is the correct/expected behaviour in such a
>> >situation?

>On Fri, Jun 28, 2019 at 10:26:20AM +0200, Matus UHLAR - fantomas wrote:
>> You apparently should use SRS when forwarding mail. That will change sender
>> to your domain so the mail will pass SPF and should not be refused by google.

On 28.06.19 09:47, Viktor Dukhovni wrote:
>SRS is enough to avoid trouble with SPF, but not enough to avoid
>trouble with DMARC.  Email forwarding has been irreparably broken
>by DMARC.

Does anybody know about any simple dmarc-compatible forward tool available?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Bill Cole-3
On 28 Jun 2019, at 10:25, Matus UHLAR - fantomas wrote:

>>> >My question now is: What is the correct/expected behaviour in such
>>> a
>>> >situation?
>
>> On Fri, Jun 28, 2019 at 10:26:20AM +0200, Matus UHLAR - fantomas
>> wrote:
>>> You apparently should use SRS when forwarding mail. That will change
>>> sender
>>> to your domain so the mail will pass SPF and should not be refused
>>> by google.
>
> On 28.06.19 09:47, Viktor Dukhovni wrote:
>> SRS is enough to avoid trouble with SPF, but not enough to avoid
>> trouble with DMARC.  Email forwarding has been irreparably broken
>> by DMARC.
>
> Does anybody know about any simple dmarc-compatible forward tool
> available?

Dictionary excerpt:

   irreparably | ˌi(r)ˈrep(ə)rəblē | adverb
     in a way that is impossible to rectify or repair: his eye had been
     damaged irreparably | our international image has been irreparably
     tarnished.

The solution is to repackage messages as attachments inside entirely new
messages, which isn't really forwarding but remailing.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Tanstaafl
On 6/28/2019, 12:52:55 PM, Bill Cole
<[hidden email]> wrote:
> The solution is to repackage messages as attachments inside entirely new
> messages, which isn't really forwarding but remailing.

? Sounds like 'forward as attachment' to me...

Re: NDR when failed to forward mail to external address, now blacklisted on backscatterer

Viktor Dukhovni
> On Jul 1, 2019, at 11:24 AM, Tanstaafl <[hidden email]> wrote:
>
> On 6/28/2019, 12:52:55 PM, Bill Cole
> <[hidden email]> wrote:
>> The solution is to repackage messages as attachments inside entirely new
>> messages, which isn't really forwarding but remailing.
>
> Sounds like 'forward as attachment' to me...

Yes, but the recipient loses message-threading, and does not see the
right From: address (which is the unfortunate point of DMARC).  So,
yes technically a form of forwarding, but basic email "relaying" is
increasingly untenable.

--
        Viktor.
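
The remailing approach described in Dominic Raferd's and Bill Cole's messages, sketched with Python's standard `email` package as an added example that is not code from any poster in this thread: the original message is wrapped unmodified as a `message/rfc822` attachment inside a new message whose From: is the forwarder's own address. The function name, the addresses and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample of a message that arrived for a forwarded mailbox.
SAMPLE_ORIGINAL = (
    "From: Alice <alice@sender.example>\n"
    "To: info@hosted.example\n"
    "Subject: Invoice\n"
    "Message-ID: <1@sender.example>\n"
    "\n"
    "Please find the invoice attached.\n"
)

def remail_as_attachment(original_raw, forwarder_from, recipient):
    """Wrap original_raw in a new message sent from the forwarder's domain."""
    original = message_from_string(original_raw, policy=policy.default)

    wrapper = EmailMessage(policy=policy.default)
    # New header From: in the forwarding host's own domain, so SPF/DKIM/DMARC
    # are evaluated against that domain rather than the original author's.
    wrapper["From"] = forwarder_from
    wrapper["To"] = recipient
    wrapper["Subject"] = "Fwd: " + str(original.get("Subject", "(no subject)"))
    # Replies should still reach the original author.
    if original["From"]:
        wrapper["Reply-To"] = str(original["From"])
    wrapper.set_content(
        "The attached message was sent to your forwarded address and is "
        "delivered here as an attachment.\n")
    # Attaching a message object produces a message/rfc822 part that keeps
    # the original headers and body intact.
    wrapper.add_attachment(original)
    return wrapper

if __name__ == "__main__":
    msg = remail_as_attachment(
        SAMPLE_ORIGINAL, "forwarder@hosted.example", "user@ext1.example")
    print(msg.as_string())
```

As noted in the thread, the recipient sees the forwarder's From: and loses threading; the original headers survive only inside the attachment.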