To block backscatter mail

To block backscatter mail

Carlos Alberto Bernat Orozco
Hi group

I'm writing to you as my only hope. I'm very disappointed because I'm
blacklisted due to a misconfiguration, and I haven't found where it is.

This is the problem. For some time I've been watching my logs and this
is what I see:

Jul 14 23:48:21 server postfix/qmgr[11448]: A9044104A29: from=<>,
size=3613, nrcpt=1 (queue active)
Jul 14 23:48:21 server postfix/qmgr[11448]: 89CB2104C08:
from=<[hidden email]>, size=1734, nrcpt=4 (queue active)
Jul 14 23:48:21 server postfix/qmgr[11448]: 5C3651049D2: from=<>,
size=3197, nrcpt=1 (queue active)
Jul 14 23:48:21 server postfix/qmgr[11448]: 5F140104BF2:
from=<[hidden email]>, size=1799, nrcpt=4 (queue active)

A lot of this. It appears I'm sending backscatter email. The account
"ber" doesn't even exist, and so far the "from=<>" has been impossible
to block. I read the following:

http://www.postfix.org/BACKSCATTER_README.html

But I don't know why this is happening.

How can I block this? I know I'm not an open relay. So why is this
happening? Here is my postconf:

# postconf -n
alias_maps = hash:/etc/postfix/aliases, hash:/var/lib/mailman/data/aliases
body_checks = regexp:/etc/postfix/regexp.body, regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/regexp.header, regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix-2.2.5/html
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail -Y -a $DOMAIN
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain $mydomain
mydomain = midominio.net.co
myhostname = server.midominio.net.co
mynetworks = 10.0.0.0/16 10.1.0.0/16 127.0.0.0/8 172.16.0.0/16 10.2.0.0/16 x.x.x.x/24
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.5/README_FILES
relay_domains = $mydestination
relayhost =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Mandriva Linux)
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
    permit_mynetworks, reject_unknown_client,
    reject_rbl_client zen.spamhaus.org, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo.regexp,
    reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    permit_mynetworks, reject_unauth_destination,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    reject_rbl_client zen.spamhaus.org, permit
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_checks,
    permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554


Please I need some guidance because I don't know how to stop this

Thanks in advance

Re: To block backscatter mail

Zoltan Balogh
In reply to this post by Carlos Alberto Bernat Orozco
On Tue, Jul 29, 2008 at 5:49 AM, Carlos Alberto Bernat Orozco
<[hidden email]> wrote:

> A lot of this. It appears I'm sending backscatter email. The account
> "ber" doesn't even exist and the "from=<>" is impossible to block
> until moment. I read the next:
>
> http://www.postfix.org/BACKSCATTER_README.html
>
> But here is what I don't know why this happening.
>
> How can I block this? I know I'm not an open relay. So why is this
> happening? I send my postconf

The mails from the log you sent do not seem to be backscatter. In the
case of backscatter you would get many undeliverable mail
notifications, exactly as described here:
http://www.postfix.org/BACKSCATTER_README.html#wtf

You do not mention what happens to the emails after they are queued.
If you are blacklisted I suppose these emails are delivered to their
destinations. Try to "grep" your mail log with some mail IDs to see
what is happening.

Do you have any web server running on the same box where your Postfix
is? If yes, it is possible that you have a badly implemented script
(PHP, CGI or other) which is used to generate spam. Try to check on
that.

Zoltan
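Zoltan's advice amounts to following each queue ID through the log. The script below is an added example, not part of the thread and not a Postfix tool; the log lines it reads are constructed for the example (queue IDs, hosts, addresses and the uid are made up, though they follow the format Carlos posted and use his domain). For every queue ID it reports the envelope sender, how the message entered the queue, and how its deliveries ended, then filters out the one class that gets a host listed: non-delivery notices this server generated and actually sent.

```shell
#!/bin/sh
# Added example, not from the thread and not a Postfix tool: follow each
# queue ID through a Postfix log and report where the message entered the
# queue and what became of it. Three origin classes matter for a
# backscatter investigation:
#   smtpd client=...   received over SMTP (an inbound bounce if from=<>)
#   pickup uid=N ...   handed to sendmail(1) by a local process under uid N
#   bounce for QID     a non-delivery notice this server generated itself
# The log lines below are constructed for this example (queue IDs, hosts,
# addresses and uid are made up); on a real server feed /var/log/mail.log.
set -eu

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Jul 14 23:48:20 server postfix/smtpd[11501]: A9044104A29: client=unknown[203.0.113.45]
Jul 14 23:48:21 server postfix/qmgr[11448]: A9044104A29: from=<>, size=3613, nrcpt=1 (queue active)
Jul 14 23:48:21 server postfix/local[11515]: A9044104A29: to=<carlos@midominio.net.co>, relay=local, delay=1, status=sent (delivered to mailbox)
Jul 14 23:48:21 server postfix/pickup[11440]: 89CB2104C08: uid=48 from=<apache>
Jul 14 23:48:21 server postfix/qmgr[11448]: 89CB2104C08: from=<ber@midominio.net.co>, size=1734, nrcpt=2 (queue active)
Jul 14 23:48:22 server postfix/smtp[11511]: 89CB2104C08: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1, status=sent (250 OK)
Jul 14 23:48:22 server postfix/smtp[11511]: 89CB2104C08: to=<b@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1, status=sent (250 OK)
Jul 14 23:48:25 server postfix/smtpd[11501]: 5C3651049D2: client=mail.example.org[198.51.100.20]
Jul 14 23:48:25 server postfix/qmgr[11448]: 5C3651049D2: from=<someone@example.org>, size=3197, nrcpt=1 (queue active)
Jul 14 23:48:26 server postfix/smtp[11512]: 5C3651049D2: to=<old@example.net>, orig_to=<lista@midominio.net.co>, relay=mx.example.net[192.0.2.10]:25, delay=1, status=bounced (host mx.example.net[192.0.2.10] said: 550 No such user)
Jul 14 23:48:26 server postfix/bounce[11530]: 5C3651049D2: sender non-delivery notification: 5F140104BF2
Jul 14 23:48:26 server postfix/qmgr[11448]: 5F140104BF2: from=<>, size=3197, nrcpt=1 (queue active)
Jul 14 23:48:27 server postfix/smtp[11512]: 5F140104BF2: to=<someone@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=1, status=sent (250 OK)
EOF

# One line per queue ID: sender, origin and delivery outcome counts.
summarize_queue() {   # $1 = log file
    awk '
    {
        # Field 5 is "postfix/prog[pid]:", field 6 the queue ID (classic
        # short form, upper-case hex); lines without one are ignored.
        prog = $5; sub(/\[.*/, "", prog); sub(/^postfix\//, "", prog)
        qid = $6; sub(/:$/, "", qid)
        if (qid !~ /^[0-9A-F]+$/) next
        rest = substr($0, index($0, qid ": ") + length(qid) + 2)

        if (prog == "smtpd" && rest ~ /^client=/)  origin[qid] = "smtpd " rest
        if (prog == "pickup" && rest ~ /^uid=/)    origin[qid] = "pickup " rest
        if (prog == "bounce" && rest ~ /non-delivery notification: /) {
            n = split(rest, a, ": ")          # last element is the bounce queue ID
            origin[a[n]] = "bounce for " qid
        }
        if (prog == "qmgr" && match(rest, /^from=<[^>]*>/)) {
            sender[qid] = substr(rest, RSTART, RLENGTH)
            seen[qid] = 1
        }
        if (rest ~ /status=sent/)     sent[qid]++
        if (rest ~ /status=bounced/)  bounced[qid]++
        if (rest ~ /status=deferred/) deferred[qid]++
    }
    END {
        for (q in seen)
            printf "%s %s origin=\"%s\" sent=%d bounced=%d deferred=%d\n",
                   q, sender[q], (q in origin) ? origin[q] : "unknown",
                   sent[q] + 0, bounced[q] + 0, deferred[q] + 0
    }' "$1" | LC_ALL=C sort
}

# Only the notices this server generated and actually delivered: the
# messages a blacklist operator will have seen.
backscatter_sent() {   # $1 = log file
    summarize_queue "$1" | awk '/origin="bounce for / && !/ sent=0 /'
}

echo "== per-message summary"
summarize_queue "$LOG"
echo "== backscatter delivered by this server"
backscatter_sent "$LOG"
```

On a real server replace the heredoc with /var/log/mail.log (or with `grep -h QUEUEID /var/log/mail.log*` for one message). The origin strings tell the story: `smtpd client=...` with `from=<>` is a bounce arriving from outside, which is normal; `pickup uid=N` means a local process called sendmail(1) as that uid, which is the pattern to look for if Zoltan's suspicion of a web script is right (`getent passwd N` names the account); `bounce for QID` is a notice this server generated, and a non-zero `sent` count on it is the backscatter itself.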

Re: To block backscatter mail

Brian Evans - Postfix List
In reply to this post by Carlos Alberto Bernat Orozco
Carlos Alberto Bernat Orozco wrote:

> Hi group
>
> I'm writing to you as my only hope. I'm very dissapointed because I'm
> black listed due to a misconfiguration that I haven't found where.
>
> This is the problem. From a time, I've been watching my logs and this
> is what I see:
>
> Jul 14 23:48:21 server postfix/qmgr[11448]: A9044104A29: from=<>,
> size=3613, nrcpt=1 (queue active)
> Jul 14 23:48:21 server postfix/qmgr[11448]: 89CB2104C08:
> from=<[hidden email]>, size=1734, nrcpt=4 (queue active)
> Jul 14 23:48:21 server postfix/qmgr[11448]: 5C3651049D2: from=<>,
> size=3197, nrcpt=1 (queue active)
> Jul 14 23:48:21 server postfix/qmgr[11448]: 5F140104BF2:
> from=<[hidden email]>, size=1799, nrcpt=4 (queue active)
>
> A lot of this. It appears I'm sending backscatter email. The account
> "ber" doesn't even exist and the "from=<>" is impossible to block
> until moment. I read the next:
>
> http://www.postfix.org/BACKSCATTER_README.html
>
> But here is what I don't know why this happening.
>
> How can I block this? I know I'm not an open relay. So why is this
> happening? I send my postconf
>
> # postconf -n
> smtpd_client_restrictions = check_client_access
> hash:/etc/postfix/access,       permit_mynetworks,
> reject_unknown_client,      reject_rbl_client zen.spamhaus.org,
> permit
>  
[...]

> smtpd_helo_restrictions = permit_mynetworks,    check_helo_access
> hash:/etc/postfix/helo.regexp,        reject_non_fqdn_hostname,
> reject_invalid_hostname,        permit
> smtpd_recipient_restrictions = check_client_access
> hash:/etc/postfix/client_checks,        check_sender_access
> hash:/etc/postfix/sender_checks,     reject_invalid_hostname,
> reject_non_fqdn_sender, reject_non_fqdn_recipient,
> reject_unknown_sender_domain,       reject_unknown_recipient_domain,
>      permit_mynetworks,      reject_unauth_destination,
> check_client_access hash:/etc/postfix/rbl_client_exceptions,
> reject_rbl_client zen.spamhaus.org,     permit
> smtpd_sender_restrictions = check_sender_access
> hash:/etc/postfix/sender_checks,        permit_mynetworks,
> reject_non_fqdn_sender,     reject_unknown_sender_domain,   permit
>
>  
First, what is in the following maps?
/etc/postfix/client_checks
/etc/postfix/sender_checks
/etc/postfix/access

It's a bit dangerous to list any OK in a map before
reject_unauth_destination if there are *global* or *wildcard* entries.
These can cause mail to be accepted where it may not be otherwise.

Second,
Get rid of any wildcard aliases in hash:/etc/postfix/aliases.  They
cause more problems than they are worth and let backscatter clog your
server even more.

Third, you are repeating checks unnecessarily.
Because of this, /etc/postfix/rbl_client_exceptions is never checked
when you would like it to be, because all hosts were already blocked in
smtpd_client_restrictions.
Also, if /etc/postfix/rbl_client_exceptions does not hold full IPs, a hash
table will not work on networks, but a cidr table type may.

Try one (1) of the following instead.
Example 1 (using similar classes):

smtpd_client_restrictions = check_client_access hash:/etc/postfix/access,
    check_client_access hash:/etc/postfix/client_checks,
    permit_mynetworks, reject_unknown_client,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    reject_rbl_client zen.spamhaus.org

smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo.regexp,
    reject_non_fqdn_hostname, reject_invalid_hostname

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_checks,
    permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain

Example 2 (combined checks at RCPT time):
(delete smtpd_client_restrictions, smtpd_helo_restrictions and
smtpd_sender_restrictions)

smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/client_checks,
    check_sender_access hash:/etc/postfix/sender_checks,
    check_client_access hash:/etc/postfix/access,
    permit_mynetworks, reject_unauth_destination,
    reject_unknown_client,
    check_helo_access hash:/etc/postfix/helo.regexp,
    reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_unknown_sender_domain, reject_unknown_recipient_domain,
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    reject_rbl_client zen.spamhaus.org

(End examples)

Again, please check the maps before "permit_mynetworks,
reject_unauth_destination" carefully before allowing clients blindly.
Example 1 is less vulnerable to mistakes but slightly harder to read
through all the checks.

Brian
> Please I need some guidance because I don't know how to stop this
>
> Thanks in advanced
>
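Brian's first point, that an OK in a map consulted before reject_unauth_destination accepts mail the relay check would otherwise refuse, can be audited mechanically. The script below is an added example, not part of the thread and not a Postfix tool: it reads a `postconf -n` style dump, joins the indented continuation lines, lists the check_*_access maps that appear in smtpd_recipient_restrictions ahead of reject_unauth_destination, and prints every entry in them whose result accepts (OK, permit, or the all-numerical result access(5) treats as OK), tagging as BROAD any key that is not a complete user@domain address or a full IPv4 address, since a bare domain, a "user@" prefix or a partial network matches many senders or clients. The dump, the three maps, their entries and the function names are constructed for the example; the work directory stands in for /etc/postfix.

```shell
#!/bin/sh
# Added example, not from the thread and not a Postfix tool: find every
# access-map entry that returns OK in a map Postfix consults in
# smtpd_recipient_restrictions BEFORE reject_unauth_destination. An OK there
# ends the evaluation, so the relay check never runs for whatever the key
# matches, and a bare domain, "user@" prefix or partial network matches far
# more than one principal (see access(5)).
#
# The postconf dump and the maps below are constructed for this example and
# the work directory stands in for /etc/postfix. On a real server:
#   postconf -n > /tmp/dump && audit_permits /tmp/dump /etc/postfix
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DUMP="$WORK/main.cf.dump"

# Constructed "postconf -n" excerpt, folded like postconf prints long values.
cat >"$DUMP" <<'EOF'
mydomain = example.test
relayhost =
smtpd_recipient_restrictions = check_client_access
    hash:/etc/postfix/client_checks, check_sender_access
    hash:/etc/postfix/sender_checks, permit_mynetworks,
    reject_unauth_destination, check_client_access
    hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client zen.spamhaus.org
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_checks, permit
EOF
# Constructed maps (access(5) source text, not the compiled .db files).
printf '%s\n' '# constructed' '192.0.2.25      OK' '198.51.100      OK' \
    'spammer.example REJECT' >"$WORK/client_checks"
printf '%s\n' 'partner@example.org  OK' 'example.test         OK' \
    'bad.example          554 Go away' >"$WORK/sender_checks"
printf '%s\n' '203.0.113.7 OK' >"$WORK/rbl_client_exceptions"

# Print the value of one parameter from a postconf -n dump, joining the
# indented continuation lines postconf uses for long values.
postconf_value() {   # $1 = dump file, $2 = parameter name
    awk -v p="$2" '
        /^[^[:space:]]/ {
            if (cur == p) print val
            eq = index($0, " ="); cur = substr($0, 1, eq - 1)
            val = substr($0, eq + 2); sub(/^ /, "", val); next
        }
        { sub(/^[[:space:]]+/, " "); val = val $0 }
        END { if (cur == p) print val }' "$1"
}

# List the check_*_access maps that run before reject_unauth_destination in
# smtpd_recipient_restrictions, one "type:path" per line. Items may be
# separated by commas, whitespace or both, so walk tokens instead of commas.
maps_before_relay_check() {   # $1 = dump file
    postconf_value "$1" smtpd_recipient_restrictions | tr ',' ' ' | awk '
        { for (i = 1; i <= NF; i++) {
              if ($i == "reject_unauth_destination") exit
              if ($i ~ /^check_(client|sender|recipient|helo)_access$/) print $(i + 1)
          } }'
}

# Report each accepting entry in those maps. access(5) accepts on "OK", on a
# restriction name such as "permit", and on an all-numerical result
# (pop-before-smtp style); a 5NN code followed by text is a reject.
audit_permits() {   # $1 = dump file, $2 = directory holding the map sources
    maps_before_relay_check "$1" | while IFS= read -r map; do
        file="$2/$(basename "${map#*:}")"
        if [ ! -f "$file" ]; then echo "MISSING $map"; continue; fi
        awk -v map="$map" '
            /^[[:space:]]*(#|$)/ { next }
            {
                act = $2; up = toupper(act)
                if (up != "OK" && up != "PERMIT" && !(NF == 2 && act ~ /^[0-9]+$/)) next
                # Only a full user@domain or a complete IPv4 address names one
                # principal; anything else can match many clients or senders.
                kind = "BROAD"
                if ($1 ~ /^[^@]+@[^@]+$/ || $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                    kind = "exact"
                print kind, map, $1, act
            }' "$file"
    done
}

audit_permits "$DUMP" "$WORK"
```

This is also why Example 1 is the safer layout: each smtpd_*_restrictions list is evaluated on its own, so an OK in smtpd_client_restrictions only ends that list and the RCPT TO stage still has to pass reject_unauth_destination, whereas in Example 2 the same OK sits inside smtpd_recipient_restrictions and ends the whole evaluation, so a BROAD key there makes the server relay for anything that matches it. Keys of cidr or regexp maps have no user@domain or dotted-quad form and come out as BROAD, which is the right answer for them too.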