----- Original Message ----- From: "Ian Eiloart" <[email protected]> To: <[email protected]> Cc: <[email protected]> Sent: Monday, June 28, 2010 6:48 AM Subject: Re: [exim] listed at Backscatterer.org
> > > --On 25 June 2010 13:56:12 +0100 Ron White <[email protected]> wrote: > >> On Fri, 2010-06-25 at 11:28 +0100, Ian Eiloart wrote: >>> --On 24 June 2010 09:43:40 +0000 Kebba Foon <[email protected]> wrote: >>> >>> > >>> > Backscatterer - Why it is abusive and how to stop your system doing so >>> > >>> > Email servers should be configured to provide Non-Delivery Reports >>> > (bounces) to local users only. >>> > Unacceptable email from anywhere else should be rejected. >>> > >>> >>> This is silly advice. It should be quite acceptable to bounce email that >>> has an SPF pass, or that has a valid DKIM signature (provided the return >>> path domain matches a signed From header domain). In both cases, if >>> you're creating collateral spam, then that's the fault of the domain >>> operator. >>> >> There is probably a bit of a translation issue there as backscatter.org >> is part of Dirk & Claus 'UCEProtect' stable of blocklists. >> >> My personal opinion is you should never accept mail that you cannot >> deliver to a user and in such a scenario it should be rejected at SMTP >> time - not after a 250 is given and (any/the) MTA decides it does not >> want it for whatever reason. Exim is very flexible and its brilliant >> ACL's can pretty much reduce backscatter to zero if configured >> correctly. > > Well, the backscatter issue means that we have no choice but to try to do > that. But that's a bad thing. It would be a much better world in which we > were able to accept such messages, and then generate a bounce. Why? > Because > bounce messages have the potential to be more user-friendly. > > I believe that with improved email authentication (SPF, DKIM, etc), we'll > one day be able to revive the bounce message. > > > -- > Ian Eiloart > IT Services, University of Sussex > 01273-873148 x3148 > For new support requests, see http://www.sussex.ac.uk/its/help/ > > > > -- > ## List details at http://lists.exim.org/mailman/listinfo/exim-users > ## Exim details at http://www.exim.org/ > ## Please use the Wiki with this list - http://wiki.exim.org/ > > Hi all, I was happy to see someone else start this thread :-) I have been researching and tinkering to no avail on the backscatter issue. Trying to make sure I am not the source, or the recipient of backscatter. backscatterer.org has not helped as occasionally my server have been listed. I am attaching a copy of my configure script hoping someone might have some suggestions as to how to curb/eliminate backscatter. My server is a virtual setup, domains listed in /etc/domains, real unix user mapped to domains through /etc/domains_users, virtual users (for each domain) listed in a password file in /etc/virtual/<domain>/passwd, aliases listed in /home/<domain>/mail/aliases. The server is still sending mail through the base server name (FQDNS) Also, feel free to crituque the whole config: ###################################################################### # MAIN CONFIGURATION SETTINGS # ###################################################################### primary_hostname = <mydomain> domainlist relay_to_domains = domainlist local_domains = /etc/virtual/domains domainlist filtered_domains = /etc/virtual/filtered_domains hostlist filtering_hosts = /etc/virtual/filtering_hosts hostlist relay_from_hosts = /etc/virtual/domains hostlist blacklisted_domains = /etc/virtual/blacklist hostlist spf_bypass = /etc/virtual/spf_bypass hostlist whitelist = /etc/virtual/whitelist acl_smtp_rcpt = acl_check_rcpt trusted_users = mailnull:root:webmail:www exim_user = mailnull exim_group = mail never_users = host_lookup = * rfc1413_hosts = * rfc1413_query_timeout = 5s ignore_bounce_errors_after = 0s timeout_frozen_after = 0s auto_thaw = 6h return_path_remove untrusted_set_sender = * helo_allow_chars = _ daemon_smtp_ports = 25 : 109 : 587 bounce_message_file = /usr/local/etc/exim/bounce_message_file warn_message_file = /usr/local/etc/exim/warn_message_file return_size_limit = 10000 bounce_return_message = true bounce_return_size_limit = 1000 delay_warning = 72h smtp_accept_max = 100 smtp_accept_max_per_host = 10 smtp_return_error_details = yes log_selector = +incoming_interface +deliver_time +delivery_size +received_sender \ +received_recipients +sender_on_delivery +subject +address_rewrite +all_parents # log_selector = +all message_logs = false # # My Attempt at greylisting # hide mysql_servers = localhost/exim_db/<exim_db>/<passwd>: GREYLIST_TEST = SELECT IF(NOW() > block_expires, 2, 1) \ FROM exim_greylist \ WHERE relay_ip = '${quote_mysql:$sender_host_address}' \ AND from_domain = '${quote_mysql:$sender_address_domain}' \ AND record_expires > NOW() GREYLIST_ADD = INSERT INTO exim_greylist \ SET relay_ip = '${quote_mysql:$sender_host_address}', \ from_domain = '${quote_mysql:$sender_address_domain}', \ block_expires = DATE_ADD(NOW(), INTERVAL 1 MINUTE), \ record_expires = DATE_ADD(NOW(), INTERVAL 14 DAY), \ origin_type = 'AUTO', \ create_time = NOW() GREYLIST_UPDATE = UPDATE exim_greylist \ SET record_expires = DATE_ADD(now(), INTERVAL 14 DAY) \ WHERE relay_ip = '${quote_mysql:$sender_host_address}' \ AND from_domain = '${quote_mysql:$sender_address_domain}' \ AND record_expires > NOW() ###################################################################### # ACL CONFIGURATION # # Specifies access control lists for incoming SMTP mail # ###################################################################### begin acl acl_check_rcpt: accept hosts = : logwrite = ACL - ACCEPTED (EMPTY LIST) deny local_parts = ^...@%!/|] : ^\\. log_message = ACL - DENIED (LOCAL PART SYNTAX) accept authenticated = * logwrite = ACL - ACCEPTED (AUTHENTICATED) endpass accept hosts = +relay_from_hosts logwrite = ACL - ACCEPTED (RELAY FROM HOST LIST) endpass ###################################################################### # Hello checks added November 1 2009. ###################################################################### # If the remote host greets with an IP address, then reject the mail. deny message = RATWARE - IP address. log_message = ACL - DENIED - RATWARE remote host used IP address \ in HELO/EHLOgreeting condition = ${if isip {$sender_helo_name}{true}{false}} # Likewise if the peer greets with one of our own names deny message = RATWARE - Fake HELO Domain log_message = ACL - DENIED - RATWARE remote host used our name in \ HELO/EHLO greeting. condition = ${if match_domain{$sender_helo_name}\ {$primary_hostname:+local_domains:+relay_to_domains}\ {true}{false}} deny message = RATWARE - No HELO log_message = ACL - DENIED - RATWARE remote host did not present \ HELO/EHLO greeting. condition = ${if def:sender_helo_name {false}{true}} # If HELO verification fails, we add a X-HELO-Warning: header in the message. warn message = X-HELO-Warning: Remote host $sender_host_address \ ${if def:sender_host_name {($sender_host_name) }}\ incorrectly presented itself as $sender_helo_name log_message = ACL - WARN - UNVERIFIABLE HELO/EHLO greeting. !verify = helo ####################################################################### # Mail is being rejected on some hosts because the mail MX is only set to Reflexion # and our server is rejecting it because some mail servers see the lesser priorty # MX and try to oour server directly instead of going though Reflexion. # UPDATE: All secondary MXs removed from DNS zones. Reenabled monday Oct 5 2009. accept domains = +filtered_domains hosts = +filtering_hosts verify = recipient log_message = ACL - ACCEPTED - MXTEXT deny message = Please use the public MX server for the domain $domain domains = +filtered_domains hosts = !+filtering_hosts log_message = ACL - DENIED - MXTEST ###################################################################### ###################################################################### # DNS checks ###################################################################### # The results of these checks are cached, so multiple recipients # does not translate into multiple DNS lookups. # # If the connecting host is in one of a select few DNSbls, then # reject the message. Be careful when selecting these lists; many # would cause a large number of false postives, and/or have no # clear removal policy. # # deny dnslists = dnsbl.sorbs.net : \ # dnsbl.njabl.org : \ # cbl.abuseat.org : \ # bl.spamcop.net # message = RBL - $sender_host_address is listed in $dnslist_domain\ # ${if def:dnslist_text { ($dnslist_text)}} ##################################################################### deny senders = : condition = ${if > {$recipients_count}{2}{1}} message = Bounces must have only a single recipient log_message = ACL - DENIED - BACKSCATTER - RECIPIENTS $recipients_count deny message = rejected because $sender_host_address was \ found in our blacklist hosts = +blacklisted_domains log_message = ACL - DENIED - BLACKLISTED DOMAIN FOUND IN $blacklisted_domains deny ! condition = ${lookup dnsdb{defer_never,ptr=$sender_host_address}{yes}} log_message = ACL - DENIED - NO PTR [rDNS] FOUND FOR $sender_host_address message = We do not accept mail from hosts with missing \ or incorrect rDNS. deny senders = : ! hosts = +whitelist ! domains = +local_domains dnslists = ips.backscatterer.org message = This message looks like a bounce, and your server is listed at \ ips.backscatterer.org, so I assume that this is "backscatter". \ Please configure your mail server to not send "backscatter \ spam". \ For advice, try http://www.dontbouncespam.org/ log_message = ACL - DENIED - BACKSCATTER - INCOMING warn set acl_m2 = ${lookup mysql{GREYLIST_TEST}{$value}{0}} defer ! hosts = +whitelist ! hosts = +relay_from_hosts ! authenticated = * condition = ${if eq{$acl_m2}{0}{yes}} condition = ${lookup mysql{GREYLIST_ADD}{yes}{no}} message = Now greylisted - please try again in 1 minute. log_message = ACL - DEFERED - ADDING TO GREYLIST defer ! hosts = +whitelist ! hosts = +relay_from_hosts ! authenticated = * condition = ${if eq{$acl_m2}{1}{yes}} message = Still greylisted - please try again in 1 minute. log_message = ACL - DEFERED - STILL GREYLISTED defer ! hosts = +whitelist ! hosts = +relay_from_hosts ! authenticated = * condition = ${lookup mysql{GREYLIST_UPDATE}{no}{no}} message = Greylist update failed log_message = ACL - DEFERED - GREYLIST UPDATE FAILED require verify = sender accept hosts = +spf_bypass spf = fail logwrite = SPF - REFLEXION $sender_host_address is OK for \ $sender_address_domain deny message = SPF - INCOMING $sender_host_address \ is not allowed to send mail from $sender_address_domain spf = fail log_message = ACL - DENIED - SPF Mismatch accept domains = +local_domains endpass message = unknown user verify = recipient accept domains = +relay_to_domains endpass message = unrouteable address verify = recipient ###################################################################### # ROUTERS CONFIGURATION # # Specifies how addresses are handled # ###################################################################### # THE ORDER IN WHICH THE ROUTERS ARE DEFINED IS IMPORTANT! # # An address is passed to each router in turn until it is accepted. # ###################################################################### begin routers dnslookup_owm_www: driver = dnslookup domains = ! +local_domains condition = ${if eq {$sender_host_address}{127.0.0.1} {yes}{no}} transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 no_more dnslookup_local: driver = dnslookup domains = ! +local_domains condition = ${lookup {$sender_address_domain} lsearch {/etc/virtual/domains} {yes}{no}} transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 no_more dnslookup_bounce: driver = dnslookup domains = ! +local_domains condition = ${if eq {$sender_address_local_part}{} {yes}{no}} transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 no_more dnslookup_alias: driver = dnslookup domains = ! +local_domains transport = remote_smtp ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 no_more spamcheck_router: driver = accept no_verify condition = "${if and { {!def:h_X-Spam-Flag:} {!eq {$received_protocol}\ {spam-scanned}}} {1}{0}}" transport = spamcheck virtual_alias: driver = redirect allow_defer allow_fail data = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases}} domains = /etc/virtual/domains require_files = /home/$domain/mail/aliases condition = ${lookup {$local_part} lsearch {/home/$domain/mail/aliases} {yes}{no}} qualify_preserve_domain retry_use_local_part check_ancestor one_time file_transport = address_file pipe_transport = address_pipe reply_transport = address_reply autoreply_router: driver = accept require_files = /home/$domain/mail/auto-replies/$local_part transport = autoreply_transport no_verify unseen virtual_localuser: driver = accept require_files = /etc/virtual/$domain/passwd domains = /etc/virtual/domains condition = ${lookup {$local_part} lsearch {/etc/virtual/$domain/passwd}{$value}} transport = virtual_localdelivery virtual_catchall: driver = redirect allow_defer allow_fail data = ${lookup {catchall} lsearch {/home/$domain/mail/aliases}} domains = /etc/virtual/domains require_files = /home/$domain/mail/aliases condition = ${lookup {catchall}lsearch{/home/$domain/mail/aliases} {yes}{no}} qualify_preserve_domain retry_use_local_part check_ancestor one_time file_transport = address_file pipe_transport = address_pipe reply_transport = address_reply localuser: driver = accept check_local_user condition = ${lookup {$sender_helo_name} lsearch {/etc/virtual/domains}{YES}{NO}} transport = local_delivery ###################################################################### # TRANSPORTS CONFIGURATION # ###################################################################### # ORDER DOES NOT MATTER # # Only one appropriate transport is called for each delivery. # ###################################################################### begin transports remote_smtp: driver = smtp return_path_add = true autoreply_transport: driver = pipe command = /usr/local/bin/autoreply.pl /home/$domain/mail/auto-replies/$local_part spamcheck: driver = pipe command = /usr/local/sbin/exim -oMr spam-scanned -bS use_bsmtp = true transport_filter = /usr/local/bin/spamc -u ${lookup{$domain}lsearch{/etc/virtual/domains_users}} home_directory = "/tmp" current_directory = "/tmp" # must use a privileged user to set $received_protocol on the way back in! user = mailnull group = mailnull log_output = true return_fail_output = false return_path_add message_prefix = message_suffix = virtual_localdelivery: driver = appendfile create_directory = true directory_mode = 700 file = /var/spool/virtual/${domain}/${local_part} headers_remove = "Bcc" return_path_add user = ${lookup{$domain}lsearch{/etc/virtual/domains_users}} group = mail mode = 660 local_delivery: driver = appendfile file = /$home/mail/$local_part delivery_date_add envelope_to_add return_path_add user = mailnull group = mail mode = 0660 address_pipe: driver = pipe return_output user = <user> address_file: driver = appendfile delivery_date_add envelope_to_add return_path_add address_reply: driver = autoreply ###################################################################### # RETRY CONFIGURATION # ###################################################################### begin retry # Domain Error Retries # ------ ----- ------- * quota_7d * quota F,72h,1h; * * F,30m,1m; F,90m,5m; F,22h,30m; F,144h,60m ###################################################################### # REWRITE CONFIGURATION # ###################################################################### # There are no rewriting specifications in this default configuration file. begin rewrite ###################################################################### # AUTHENTICATION CONFIGURATION # ###################################################################### # There are no authenticator specifications in this default configuration file. begin authenticators # For Netscape/Mozilla plain: driver = plaintext public_name = PLAIN server_condition = "${if and{ {!eq{$2}{}}{!eq{$3}{}} \ {crypteq {$3} {${lookup {${local_part:$2}} lsearch \ {/etc/virtual/${domain:$2}/passwd}\ {$value} {*:*}}}} } {1}{0}}" server_set_id = $2 # For Outlook/Outlook Express login: driver = plaintext public_name = LOGIN server_prompts = "Username:: : Password::" server_condition = "${if and{ {!eq{$1}{}}{!eq{$2}{}} \ {crypteq {$2} {${lookup {${local_part:$1}} lsearch \ {/etc/virtual/${domain:$1}/passwd}\ {$value} {*:*}}}} } {1}{0}}" server_set_id = $1 # End of Exim configuration file -- ## List details at http://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
