Hi there,
I've noticed that one of our servers is receiving a huge amount of unauthorized requests.

User connects to our server and tries to send an email to any destination. Our server denies the message because user is not authenticated. Then, a bounce is generated to the source address, which was fake and turns out to be the final destination, so at the end, the email is actually sent as a bounce, proliferating lots of spam.

Is there a way to avoid this?

Thanks in advance.

BR,
Rafael
Hi Rafael,

quick thoughts. Do you have

smtpd_recipient_restrictions = reject_unauth_destination

in your main.cf? The request should be rejected and not be queued.

Greets,
Ludi

From: [hidden email] <[hidden email]> On behalf of Rafael Azevedo

Hi there,

I've noticed that one of our servers is receiving a huge amount of unauthorized requests.

User connects to our server and tries to send an email to any destination. Our server denies the message because user is not authenticated. Then, a bounce is generated to the source address, which was fake and turns out to be the final destination, so at the end, the email is actually sent as a bounce, proliferating lots of spam.

Is there a way to avoid this?

Thanks in advance.

BR,
Rafael
In reply to this post by Rafael Azevedo-4
On 12/29/2020 7:37 AM, Rafael Azevedo wrote:
> Hi there,
>
> I've noticed that one of our servers is receiving a huge amount of
> unauthorized requests.
>
> User connects to our server and tries to send an email to any
> destination. Our server denies the message because user is not
> authenticated. Then, a bounce is generated to the source address,
> which was fake and turns out to be the final destination, so at the end,
> the email is actually sent as a bounce, proliferating lots of spam.
>
> Is there a way to avoid this?

Hi Rafael,

This sounds like backscatter. To avoid it, you need to reject the email during the real-time SMTP dialog with the sender, i.e. during the connection from the sender, if it's an invalid recipient, reject with 5xx. This will cause you to tell the sending server and you don't generate a bounce.

The question is: Why are you accepting the email, then determining it's invalid, and creating a bounce? I would typically look at some sort of architecture issue where you haven't done what we call promoted the valid users to the edge of your internet connection.

Hope this helps and share more information for more guidance.

Regards,
KAM
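Added example (not part of the thread and not Postfix code): one way to confirm from the mail log that bounces are being generated for mail that came in unauthenticated, which is the backscatter pattern described above. The function name and the log lines are constructed for illustration; a session rejected with 5xx (the NOQUEUE line) never gets a queue ID and so produces no bounce.

```python
import re

# Constructed sample in Postfix syslog format (addresses and queue IDs are made up).
SAMPLE_LOG = """\
Dec 29 07:30:00 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <a@example.org>: Relay access denied
Dec 29 07:30:01 mx postfix/smtpd[2101]: 4D1A2B3C4D: client=unknown[203.0.113.7]
Dec 29 07:30:02 mx postfix/bounce[2110]: 4D1A2B3C4D: sender non-delivery notification: 5E2B3C4D5E
Dec 29 07:30:03 mx postfix/smtp[2111]: 5E2B3C4D5E: to=<victim@example.net>, relay=mx.example.net[198.51.100.9]:25, status=sent (250 ok)
Dec 29 07:31:00 mx postfix/smtpd[2102]: 6F3C4D5E6F: client=pc[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Dec 29 07:31:01 mx postfix/bounce[2112]: 6F3C4D5E6F: sender non-delivery notification: 7A4D5E6F7A
Dec 29 07:31:02 mx postfix/smtp[2113]: 7A4D5E6F7A: to=<alice@example.com>, relay=mx.example.com[198.51.100.20]:25, status=sent (250 ok)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)")

def find_backscatter(log_text):
    """Return (orig_qid, client, bounce_qid, bounce_rcpt) for every bounce that
    was sent out for a message accepted from a client without SASL login.
    Limitation: clients allowed by permit_mynetworks also log no sasl_username."""
    unauth = {}     # queue ID -> client, for messages accepted without SASL
    bounce_of = {}  # queue ID of the bounce -> queue ID of the original message
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            if "sasl_username=" not in rest:
                unauth[qid] = rest.split(",")[0][len("client="):]
        elif daemon == "bounce" and "sender non-delivery notification:" in rest:
            if qid in unauth:
                bounce_of[rest.rsplit(" ", 1)[1]] = qid
        elif daemon == "smtp" and qid in bounce_of and "status=sent" in rest:
            rcpt = re.match(r"to=<([^>]*)>", rest)
            orig = bounce_of[qid]
            hits.append((orig, unauth[orig], qid, rcpt.group(1) if rcpt else ""))
    return hits

if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_LOG):
        print("bounce for unauthenticated mail:", hit)
```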
In reply to this post by ludicree
Hi there,

Thanks for the reply.

Yes I do:

smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unknown_reverse_client_hostname,
        reject_unknown_client_hostname,
        reject_unknown_sender_domain,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        #reject_unauth_pipelining,
        reject_unverified_recipient,
        reject_unknown_recipient_domain,
        #reject_invalid_hostname,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client sbl-xbl.spamhaus.org,
        check_recipient_access mysql:/etc/postfix/mysql_hold.cf

Huge thanks

On Tue, Dec 29, 2020 at 10:28, <[hidden email]> wrote:
In reply to this post by Kevin A. McGrail
Hi Kevin,

I think this might be related to a customized content filter after queue that we have.
How should the content filter answer in case we don't want to accept the message neither for bounces nor to the delivery queue?

Huge thanks!

On Tue, Dec 29, 2020 at 11:31, Kevin A. McGrail <[hidden email]> wrote:
On 12/29/2020 7:37 AM, Rafael Azevedo wrote:
Rafael Azevedo:
> Hi Kevin,
> I think this might be related to a customized content filter after queue
> that we have.
> How should the content filter answer in case we don't want to accept the
> message neither for bounces nor to the delivery queue?
> Huge thanks!

Options:

- Run it as a before-queue filter (using smtpd_proxy_filter, see
  http://www.postfix.org/SMTPD_PROXY_README.html).

- Run it as a before-queue filter (using the Milter API, see
  http://www.postfix.org/MILTER_README.html). There are several
  systems that can be used this way (spamassassin, amavis, to name
  a few).

- Otherwise, quarantine, or file to spam folder (perhaps add a
  "SPAM" message header and use a Sieve rule). This is not as bad
  as silently discarding email.

	Wietse

> On Tue, Dec 29, 2020 at 11:31, Kevin A. McGrail <[hidden email]>
> wrote:
>
> > On 12/29/2020 7:37 AM, Rafael Azevedo wrote:
> > > Hi there,
> > >
> > > I've noticed that one of our servers is receiving a huge amount of
> > > unauthorized requests.
> > >
> > > User connects to our server and tries to send an email to any
> > > destination. Our server denies the message because user is not
> > > authenticated. Then, a bounce is generated to the source address,
> > > which was fake and turns out to be the final destination, so at the end,
> > > the email is actually sent as a bounce, proliferating lots of spam.
> > >
> > > Is there a way to avoid this?
> >
> > Hi Rafael, This sounds like backscatter. To avoid it, you need to
> > reject the email during the real-time SMTP dialog with the sender, i.e.
> > during the connection from the sender, if it's an invalid recipient,
> > reject with 5xx. This will cause you to tell the sending server and you
> > don't generate a bounce.
> >
> > The question is: Why are you accepting the email, then determining it's
> > invalid, and creating a bounce? I would typically look at some sort of
> > architecture issue where you haven't done what we call promoted the
> > valid users to the edge of your internet connection.
> >
> > Hope this helps and share more information for more guidance.
> >
> >
> > Regards,
> > KAM
In reply to this post by Rafael Azevedo-4
Guys,

According to this reference [1], one of the principal operations is to discard or quarantine the message.
How should the MAIL FILTER respond to postfix so it could do such actions?

Huge thanks,
BR,
Rafael

On Tue, Dec 29, 2020 at 09:37, Rafael Azevedo <[hidden email]> wrote:
In reply to this post by Wietse Venema
Hi Wietse,

Thanks for the help!

I've just asked in another message about how to proceed in the "otherwise" option.
I'm trying to quarantine the message and don't really know how to do it.
Any help would be appreciated.

Thanks once again.

BR,
Rafael

On Tue, Dec 29, 2020 at 15:16, Wietse Venema <[hidden email]> wrote:
Rafael Azevedo:
In reply to this post by Rafael Azevedo-4
Rafael Azevedo:
> Guys,
> According to this reference [1], one of the principal operations is to
> discard or quarantine the message.
> How should the MAIL FILTER respond to postfix so it could do such actions?

EHLO blah
250 ok
MAIL FROM:<xxx>
250 ok
RCPT TO:<xxx>
250 ok
DATA
351 blah
header
body
.
250 ok
QUIT
220 blah

But, consider the three options that I mentioned in my response.

	Wietse
In reply to this post by Rafael Azevedo-4
Rafael Azevedo:
> Hi Wietse,
> Thanks for the help !
> I've just asked in another message about how to proceed in the "otherwise"
> option.
> I'm trying to quarantine the message and don't really know how to do it.
> Any help would be appreciated.

Add a header that says this is spam, then use a mail filter rule
(sieve, procmail, whatever) to file the message to a spam folder.

	Wietse
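Added example (not from the thread and not Postfix code): a sketch of the tagging step a content filter could apply before passing the message on, so that spam is accepted and filed instead of bounced. The header name X-Spam-Flag, the function names and the sample message are assumptions; folder_for only stands in for the Sieve or procmail rule on the delivery side.

```python
HEADER = b"X-Spam-Flag"  # assumed header name; use whatever your delivery rule matches

# Constructed sample message; the sender forged a "not spam" verdict header.
SAMPLE = (b"From: someone@example.net\r\n"
          b"X-Spam-Flag: NO\r\n"
          b"\t(forged by sender)\r\n"
          b"Subject: hello\r\n"
          b"\r\n"
          b"body text\r\n")

def tag_message(raw: bytes, is_spam: bool) -> bytes:
    """Drop any sender-supplied copies of HEADER (including folded
    continuation lines), then prepend the filter's own verdict.
    The body is passed through byte for byte."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept, skipping = [], False
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):      # continuation of the previous header
            if not skipping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower()
        skipping = name == HEADER.lower()  # sender must not pre-set the verdict
        if not skipping:
            kept.append(line)
    verdict = HEADER + b": " + (b"YES" if is_spam else b"NO")
    return b"\r\n".join([verdict] + kept) + sep + body

def folder_for(raw: bytes) -> str:
    """Delivery-side rule: trust only the first header line, which the
    filter itself wrote."""
    first = raw.split(b"\r\n", 1)[0]
    return "Junk" if first == HEADER + b": YES" else "INBOX"

if __name__ == "__main__":
    tagged = tag_message(SAMPLE, is_spam=True)
    print(tagged.decode(), "->", folder_for(tagged))
```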