Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Wietse Venema
Jim Lang:
 OK here is the scenario.   
 
 Spammer sends mail to: u...@myclientsdomain.com from forged address 
 vic...@randomdomain.com
 
 If u...@myclientsdomain.com is delivered locally, not a problem, if the 
 address is invalid, postfix rejects the mail during the smtp connection.
 
 But if u...@myclientsdomain.com is an alias to mycli...@otherserver.com, 
 postfix accepts the mail as deliverable and forwards it to hotmail.com.  
 
 But if mycli...@otherserver.com  can for whatever reason not be 
 delivered, otherserver.com does what it is supposed to do and rejects 
 the mail during the smtp connection, which causes postfix to send out a 
 non-delivery  report to vic...@randomdomain.com  -- backscatter.
 
 Is there a way to stop this? 

Yes. Don't forward SPAM.

Wietse


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Jim Lang

Wietse Venema wrote:

 Yes. Don't forward SPAM.

 Wietse
  

And how do I do that in this scenario?




Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread John Peach
On Mon, 16 Nov 2009 13:00:26 -0700
Jim Lang post...@guscreek.com wrote:

 And how do I do that in this scenario?

You use recipient verification.

 
 


-- 
John


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Jim Lang

John Peach wrote:

 You use recipient verification.

  
I must have been really inarticulate when I wrote out the scenario.  I 
do use recipient verification on my server.  How is it that that is not 
clear? Do I need to rewrite this post?







  




Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Victor Duchovni
On Mon, Nov 16, 2009 at 12:53:14PM -0700, Jim Lang wrote:

 OK here is the scenario.   
 Spammer sends mail to: u...@myclientsdomain.com from forged address 
 vic...@randomdomain.com

 If u...@myclientsdomain.com is delivered locally, not a problem, if the 
 address is invalid, postfix rejects the mail during the smtp connection.

 But if u...@myclientsdomain.com is an alias to mycli...@otherserver.com, 
 postfix accepts the mail as deliverable and forwards it to hotmail.com.  
 But if mycli...@otherserver.com  can for whatever reason not be delivered, 
 otherserver.com does what it is supposed to do and rejects the mail during 
 the smtp connection, which causes postfix to send out a non-delivery  
 report to vic...@randomdomain.com  -- backscatter.

 Is there a way to stop this? 

Some backscatter is unavoidable, you can keep the volume low by removing
local aliases to no-longer-valid external addresses, and by rejecting
mail from spam sources, using good blacklists, ...

-- 
Viktor.



Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread John Peach
On Mon, 16 Nov 2009 13:07:05 -0700
Jim Lang post...@guscreek.com wrote:

 I must have been really inarticulate when I wrote out the scenario.
 I do use recipient verification on my server.  How is it that that is
 not clear? Do I need to rewrite this post?
 
Clearly, you are *NOT* doing recipient verification, or
myotherserver.com would not be rejecting it. Never accept mail which
cannot be delivered.




-- 
John


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Jim Lang

Stan Hoeppner wrote:

 Jim Lang put forth on 11/16/2009 2:00 PM:
  

  And how do I do that in this scenario?

 You don't do it in this scenario.  You set up comprehensive spam
 rejection techniques, one of which is identifying forged email, and
 reject spam when it hits your MX.

 Dozens of books have been written, and dozens of email lists are
 maintained, specifically for fighting spam.  The answer to your scenario
 isn't a simple one paragraph response on postfix-users.

 What are you doing up to this point to reject spam at your border MX(s)?

  
I'm doing many, many things.  And I certainly don't have the time to 
enumerate them all simply to prove my bona fides.


No one responding to this post seems to have actually bothered to read it.

Generic, rtfm responses such as don't forward spam may be emotionally 
satisfying but they are really a waste of everyone's time.

As was asking for advice at this list.

I'll figure it out for myself.  






Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Jim Lang

John Peach wrote:

 Clearly, you are *NOT* doing recipient verification, or
 myotherserver.com would not be rejecting it. Never accept mail which
 cannot be delivered.
  



Except no 'myotherserver.com' appeared in my scenario,  nimrod.

otherserver.com in the scenario is a server not under my control.

unsubscribing to this useless list


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Jaroslaw Grzabel

Jim Lang wrote:

 Except no 'myotherserver.com' appeared in my scenario,  nimrod.

 otherserver.com in the scenario is a server not under my control.

 unsubscribing to this useless list

But a server which is out of your control should not accept messages, for
example, to a non-existent user. So if you're doing verification, even when
a spammer connects to your server he should receive an answer from the REMOTE
SERVER, user not known or something similar. I've got a similar situation,
as I had to smart host for a lot of domains and connections, but let's
say I know people on that remote site, or even if not I've got some
contact details like an email address, so simply... I'm trying to explain
to people that if they will not protect the end server I will block them in
the smart host, as I can't take the risk of a block. So generally you should
use reject_unverified_recipient and additionally you can build a
database... you can limit connections, check RBLs, CBLs, there are really
a lot of things, but first of all you would need to check which hosts on
the other end cause a problem and find out what more you can do to
prevent spam coming through.
I know that it's impossible to block all SPAM without being too harsh,
but there is always something you can do to prevent it.


Regards,
Jarek


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread tobi
Jaroslaw Grzabel wrote:
 But a server which is out of your control should not accept messages, for
 example, to a non-existent user. So if you're doing verification, even
 when a spammer connects to your server he should receive an answer from
 the REMOTE SERVER, user not known or something similar. I've got a similar
 situation, as I had to smart host for a lot of domains and connections,
 but let's say I know people on that remote site, or even if not I've
 got some contact details like an email address, so simply... I'm trying to
 explain to people that if they will not protect the end server I will
 block them in the smart host, as I can't take the risk of a block. So
 generally you should use reject_unverified_recipient and additionally
 you can build a database... you can limit connections, check RBLs,
 CBLs, there are really a lot of things, but first of all you would need
 to check which hosts on the other end cause a problem and find out
 what more you can do to prevent spam coming through.
 I know that it's impossible to block all SPAM without being too harsh,
 but there is always something you can do to prevent it.

 Regards,
 Jarek

This page (http://www.postfix.org/ADDRESS_VERIFICATION_README.html)
looks like it describes part of your problem. Could be the solution

Regards

tobi


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Jaroslaw Grzabel



 This page (http://www.postfix.org/ADDRESS_VERIFICATION_README.html)
 looks like it describes part of your problem. Could be the solution

 Regards

 tobi
  


I have had a lot of trouble with the verification database. For example...
a new customer is added to the SMTP relay, changed the MX record to point to
my server, but the end user misconfigured something on the server, for
example... user john wasn't configured and after a couple of days it
turned out john is missing. So John was added to the remote server,
ran some tests and what? My server still says "No such user". Why?
Because it remembers that in the database. After that I had to
remove the database and restart the daemon; finally I completely got rid of
verify.db and did verification without a db.


Regards,
Jarek



Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Wietse Venema
Jim Lang:
  But if mycli...@otherserver.com  can for whatever reason not be 
  delivered, otherserver.com does what it is supposed to do and
  rejects the mail during the smtp connection, which causes postfix
  to send out a non-delivery  report to vic...@randomdomain.com  --
  backscatter.
 
  Is there a way to stop this? 
  
  
  Yes. Don't forward SPAM.
 
Wietse


  And how do I do that in this scenario?
  
 
  You use recipient verification.
 

 I must have been really inarticulate when I wrote out the scenario.  I 
 do use recipient verification on my server.  How is it that that is not 
 clear? Do I need to rewrite this post?

Recipient verification does not expand a local alias (imagine what
would have to be done to verify with addresses in .forward files,
or in a mail distribution list).

So the best option is to avoid forwarding SPAM, including Victor's
suggestion to not forward mail indefinitely for legacy user accounts.

Other options get ugly quickly (such as replacing the return address).

Wietse


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Miles Fidelman

Wietse Venema wrote:

 Recipient verification does not expand a local alias (imagine what
 would have to be done to verify with addresses in .forward files,
 or in a mail distribution list).

  
Maybe I'm dense, but what would be the problem with verifying addresses 
in .forward files?


For list managers, it's a different story - the list manager needs NDNs 
in order to identify and remove bad addresses.


--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra




Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Wietse Venema
Miles Fidelman:
 Wietse Venema wrote:
  Recipient verification does not expand a local alias (imagine what
  would have to be done to verify with addresses in .forward files,
  or in a mail distribution list).
 

 Maybe I'm dense, but what would be the problem with verifying addresses 
 in .forward files?

Basically, the problem is the same as with other mechanisms,
namely that the expansion may produce multiple results.

Address verification would be a lot more complicated if it
had to deal with forks and recursion.

 For list managers, it's a different story - the list manager needs NDNs 
 in order to identify and remove bad addresses.

Not all local aliases do or must replace the envelope sender.

Wietse
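
Added example (not part of the thread and not Postfix code): a simplified Python model of the alias expansion Wietse describes, showing how one accepted address forks and recurses into several final recipients, and listing the aliases that end on servers outside your control, which are the ones to review per Victor's advice. The table format, sample entries, domain names and function names are constructed assumptions.

```python
"""Audit an alias table for addresses that expand to off-site recipients."""
# Simplified model for illustration; it is not Postfix's own expansion code.

# Constructed sample in "address  target, target" form (not from the thread).
SAMPLE_TABLE = """\
# alias                  targets
user@client.example      client@otherserver.example
sales@client.example     alice@client.example, bob@partner.example
alice@client.example     alice.home@isp.example
team@client.example      sales@client.example,
                         carol@client.example
keep@client.example      keep@client.example
"""
LOCAL_DOMAINS = {"client.example"}  # assumption: domains delivered on this host


def parse_table(text):
    """Parse 'key  value[, value...]' lines; indented lines continue an entry."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    table = {}
    for line in logical:
        key, rhs = (line.split(None, 1) + [""])[:2]
        table[key.lower()] = [t.strip().lower() for t in rhs.split(",") if t.strip()]
    return table


def expand(address, table, seen=None):
    """Return every final recipient reached from one address.

    A target equal to its own key stays a final recipient; an address that
    was already visited is skipped, so an alias loop cannot recurse forever.
    """
    seen = set() if seen is None else seen
    address = address.lower()
    if address in seen:
        return set()
    seen.add(address)
    if address not in table:
        return {address}
    final = set()
    for target in table[address]:
        final |= {target} if target == address else expand(target, table, seen)
    return final


def external_forwards(table, local_domains):
    """Map each alias to the sorted off-site recipients it expands to."""
    report = {}
    for alias in table:
        # Bare names without @domain are treated as local accounts.
        offsite = sorted(a for a in expand(alias, table)
                         if "@" in a and a.rsplit("@", 1)[1] not in local_domains)
        if offsite:
            report[alias] = offsite
    return report


if __name__ == "__main__":
    for alias, targets in external_forwards(parse_table(SAMPLE_TABLE), LOCAL_DOMAINS).items():
        print(f"{alias}: {len(targets)} off-site recipient(s): {', '.join(targets)}")
```

Every alias in the report is accepted at SMTP time on the strength of the local address alone, so a later rejection by any listed destination turns into a bounce to the envelope sender.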


Re: Backscatter being generated from mail aliased to other servers.

2009-11-16 Thread Hannes Erven
Folks,


it seems to me that there has been some misunderstanding of Jim's setup
and situation.


 Clearly, you are *NOT* doing recipient verification, or
 myotherserver.com would not be rejecting it. Never accept mail which
 cannot be delivered.

What he describes is that the final destination - after forward
expansion - rejects the forwarded message NOT because of the recipient
address, but because of its contents or whatever else.


The most effective way to conquer that sort of backscatter would be, as
Victor pointed out, to avoid forwarding spam.

For specific scenarios it might also be possible to set up some sort of
before-queue-forwarding and make the MTA an SMTP proxy?


-hannes