Re: email account bombarded with SPAM error bounces - what to do?

2010-07-10 Thread Administrator Beckspaced.com



On 7/9/2010 16:13, Administrator Beckspaced.com wrote:



On 7/9/2010 14:40, Ram wrote:

On Fri, 2010-07-09 at 13:35 +0200, Administrator Beckspaced.com wrote:

On 7/9/2010 13:27, Robert Schetterer wrote:

Am 09.07.2010 12:51, schrieb Administrator Beckspaced.com:

   hello robert,

thanks a lot for your quick reply ...
actually it is not always the same IP or host sending the error 
bounces ...

the bounces are sent from hundred of different IP addresses ...

any more idea?


Usually you can do very little to prevent forging your domain and
sending spam.
Some months ago one client of ours too had the same issue, but the issue
is very temporary.
The short-term solution, as someone suggested, will be to temporarily
defer all NDR's <> with a sender check regex file like
/<>/ 450 Try Later


( The RFC's say you can't do this .. but sometimes you must be
practical :-) )




 From my personal experience I found that if, for your regular mailing,
you use some sender authentication mechanism like SPF then these NDR's
significantly reduce. For example, many servers reject forged messages based
on SPF checks so you don't get NDR's from them at least.

I guess, spammers (the more intelligent ones ... I mean) too would
be less inclined to forge a domain that uses sender authentication,
because that will reduce the deliverability of their spam.

Thanks
Ram






hello again robert & ram

thanks again for your ideas ...

so i had another search in google about that backscatter topic and 
sort of found a nice, simple & also quick solution?


SAFE MODE with Postfix:

Edit /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
check_sender_access dbm:/etc/postfix/check_backscatterer
...
Create new file:/etc/postfix/check_backscatterer:
<> reject_rbl_client ips.backscatterer.org
postmaster reject_rbl_client ips.backscatterer.org

well ... had to change the postfix dbm lookup to hash and do a postmap 
on the file ...
but now this seems to work as it already rejected a few emails 
according to the mail log ...


more info can be found here -

http://www.backscatterer.org

does anyone have any experience with that list?
is this a good long-term solution?

best regards
becki


hello again ram, robert & postfix users ;-)

already posted yesterday about the backscatterer.org ...
but was a bit too skeptical to do the check on ALL NDR's for ALL email 
accounts on my mail server ...


so i had a look around to do the check ONLY for that specific email account.
it's actually quite easy with smtpd_restriction_classes

i thought i will write a short 'todo' as it might help some other mail 
server administrators out there ... who knows?


so first thing is to setup a restriction class in main.cf -

smtpd_restriction_classes = reject_ndr_class
reject_ndr_class = check_sender_access hash:/etc/postfix/backscatter_check

now create the backscatter_check file in /etc/postfix/
touch /etc/postfix/backscatter_check

and fill in this data

<>  reject_rbl_client   ips.backscatterer.org
postmaster  reject_rbl_client   ips.backscatterer.org
MAILER-DAEMON   reject_rbl_client   ips.backscatterer.org

do a postmap /etc/postfix/backscatter_check on that file to generate the 
.db file


next create a file called backscatter_recipient with touch 
/etc/postfix/backscatter_recipient


fill in

u...@domain.com reject_ndr_class

do a postmap /etc/postfix/backscatter_recipient

which will generate the backscatter_recipient.db file

then in main.cf under the smtpd_recipient_restrictions add the following 
line -


check_recipient_access hash:/etc/postfix/backscatter_recipient

and then a postfix reload ... restart and all should be fine as only the 
email address listed in backscatter_recipient will be checked!

also only if the sender address is empty <>, postmaster or MAILER-DAEMON

exactly how i wanted it ...

well ... i'm aware that this is just a short and quick fix ... but so 
far it filtered out about 95% of those annoying error bounces ...
and only for that email address as defined in backscatter_check ... all 
other mailboxes won't get this check ...


hopefully this might help someone looking for a quick fix for the error 
bounce emails ...


but ... i will shortly look into BATV as it sounds like a better 
solution ;-)


http://babel.de/art20080306a.html

so ... thanks again for all your help & tips

have a nice day & lots of fun

greetings
becki
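As an added example (not code from the thread or from Postfix), a small Python script that parses smtpd reject lines of the shape posted further down in this thread, counts bounce-like rejects (empty sender, postmaster, MAILER-DAEMON) per mailbox and per client IP, and emits the backscatter_recipient map lines for any mailbox over a threshold; the sample log, host names, IPs and the victim address are constructed.

```python
"""Summarise Postfix smtpd reject lines: which mailboxes receive backscatter
(bounces with an empty envelope sender) and from how many client IPs.
Added example for this thread; sample lines below are constructed."""
import re
from collections import Counter, defaultdict

# A "NOQUEUE: reject: RCPT" line as Postfix 2.x logs it.  The web archive
# stripped the angle brackets from the thread's copy; real syslog has them.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <[^>]*>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

# The senders the thread's access map keys on: the null sender <> plus
# postmaster@... and MAILER-DAEMON@... (localpart, case-insensitive).
BOUNCE_LOCALPARTS = {"postmaster", "mailer-daemon"}

# Constructed sample log: example.* hosts and documentation IP ranges, not
# the thread's real clients or mailbox.
SAMPLE_LOG = [
    "Jul  8 12:20:27 gehirn postfix/smtpd[19857]: NOQUEUE: reject: RCPT from "
    "mx1.example.net[192.0.2.10]: 554 5.7.1 <victim@example.com>: Recipient "
    "address rejected: Access denied; from=<> to=<victim@example.com> "
    "proto=SMTP helo=<mx1.example.net>",
    "Jul  8 12:22:08 gehirn postfix/smtpd[19859]: NOQUEUE: reject: RCPT from "
    "mx2.example.org[198.51.100.7]: 554 5.7.1 <victim@example.com>: Recipient "
    "address rejected: Access denied; from=<> to=<victim@example.com> "
    "proto=SMTP helo=<mx2.example.org>",
    "Jul  8 12:22:48 gehirn postfix/smtpd[19854]: warning: 203.0.113.9: "
    "address not listed for hostname localhost",
    "Jul  8 12:23:28 gehirn postfix/smtpd[18358]: NOQUEUE: reject: RCPT from "
    "mx1.example.net[192.0.2.10]: 554 5.7.1 <victim@example.com>: Recipient "
    "address rejected: Access denied; from=<MAILER-DAEMON@example.net> "
    "to=<victim@example.com> proto=ESMTP helo=<mx1.example.net>",
    "Jul  8 12:26:22 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from "
    "relay.example.org[198.51.100.8]: 554 5.7.1 <other@example.com>: Recipient "
    "address rejected: Access denied; from=<sales@example.org> "
    "to=<other@example.com> proto=SMTP helo=<relay.example.org>",
    "Jul  8 12:28:27 gehirn postfix/smtpd[18358]: 0123456789AB: "
    "client=relay02.example.org[198.51.100.9]",
]


def is_bounce_sender(sender):
    """True for <> (logged as an empty string), postmaster@ and MAILER-DAEMON@."""
    if sender == "":
        return True
    return sender.split("@", 1)[0].lower() in BOUNCE_LOCALPARTS


def parse_reject(line):
    """Fields of one reject line as a dict, or None for any other log line."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def backscatter_summary(lines):
    """Count rejected bounce-like messages per recipient and per client IP;
    other_rejects counts rejects with a normal sender (not backscatter)."""
    per_recipient = Counter()
    clients = defaultdict(set)
    per_ip = Counter()
    other_rejects = 0
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        if not is_bounce_sender(rec["sender"]):
            other_rejects += 1
            continue
        rcpt = rec["rcpt"].lower()
        per_recipient[rcpt] += 1
        clients[rcpt].add(rec["ip"])
        per_ip[rec["ip"]] += 1
    return {
        "per_recipient": dict(per_recipient),
        "distinct_clients": {r: len(s) for r, s in clients.items()},
        "per_ip": dict(per_ip),
        "other_rejects": other_rejects,
    }


def recipient_map_lines(summary, min_hits, restriction_class="reject_ndr_class"):
    """check_recipient_access map lines (the thread's backscatter_recipient
    file) for every mailbox whose backscatter count reached min_hits."""
    return [
        f"{rcpt}\t{restriction_class}"
        for rcpt, n in sorted(summary["per_recipient"].items())
        if n >= min_hits
    ]


if __name__ == "__main__":
    s = backscatter_summary(SAMPLE_LOG)
    print(s)
    print("\n".join(recipient_map_lines(s, min_hits=3)))
```

Feed it `grep 'NOQUEUE: reject' /var/log/mail` output instead of SAMPLE_LOG to see which mailboxes actually need the per-recipient restriction class.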




Re: email account bombarded with SPAM error bounces - what to do?

2010-07-10 Thread Ram
On Sat, 2010-07-10 at 14:15 +0200, Administrator Beckspaced.com wrote:
 
 On 7/9/2010 16:13, Administrator Beckspaced.com wrote:
 
 
  On 7/9/2010 14:40, Ram wrote:
  On Fri, 2010-07-09 at 13:35 +0200, Administrator Beckspaced.com wrote:
  On 7/9/2010 13:27, Robert Schetterer wrote:
  Am 09.07.2010 12:51, schrieb Administrator Beckspaced.com:
 hello robert,
 
  thanks a lot for your quick reply ...
  actually it is not always the same IP or host sending the error 
  bounces ...
  the bounces are sent from hundred of different IP addresses ...
 
  any more idea?
 
  Usually you can do very little to prevent forging your domain and
  sending spam.
  Some months ago one client of ours too had the same issue, but the issue
  is very temporary.
  The short-term solution, as someone suggested, will be to temporarily
  defer all NDR's <> with a sender check regex file like
  /<>/ 450 Try Later
 
 
  ( The RFC's say you can't do this .. but sometimes you must be
  practical :-) )
 
 
 
 
   From my personal experience I found that if, for your regular mailing,
  you use some sender authentication mechanism like SPF then these NDR's
  significantly reduce. For example, many servers reject forged messages based
  on SPF checks so you don't get NDR's from them at least.
 
  I guess, spammers (the more intelligent ones ... I mean) too would
  be less inclined to forge a domain that uses sender authentication,
  because that will reduce the deliverability of their spam.
 
  Thanks
  Ram
 
 
 
 
 
  hello again robert & ram
 
  thanks again for your ideas ...
 
  so i had another search in google about that backscatter topic and 
  sort of found a nice, simple & also quick solution?
 
  SAFE MODE with Postfix:
 
  Edit /etc/postfix/main.cf:
  smtpd_recipient_restrictions =
  ...
  check_sender_access dbm:/etc/postfix/check_backscatterer
  ...
  Create new file:/etc/postfix/check_backscatterer:
  <> reject_rbl_client ips.backscatterer.org
  postmaster reject_rbl_client ips.backscatterer.org
 
  well ... had to change the postfix dbm lookup to hash and do a postmap 
  on the file ...
  but now this seems to work as it already rejected a few emails 
  according to the mail log ...
 
  more info can be found here -
 
  http://www.backscatterer.org
 
  does anyone have any experience with that list?
  is this a good long-term solution?
 
  best regards
  becki
 
 hello again ram, robert & postfix users ;-)
 
 already posted yesterday about the backscatterer.org ...
 but was a bit too skeptical to do the check on ALL NDR's for ALL email 
 accounts on my mail server ...
 
 so i had a look around to do the check ONLY for that specific email account.
 it's actually quite easy with smtpd_restriction_classes
 
 i thought i will write a short 'todo' as it might help some other mail 
 server administrators out there ... who knows?
 
 so first thing is to setup a restriction class in main.cf -
 
 smtpd_restriction_classes = reject_ndr_class
 reject_ndr_class = check_sender_access hash:/etc/postfix/backscatter_check
 
 now create the backscatter_check file in /etc/postfix/
 touch /etc/postfix/backscatter_check
 
 and fill in this data
 
 <>  reject_rbl_client   ips.backscatterer.org
 postmaster  reject_rbl_client   ips.backscatterer.org
 MAILER-DAEMON   reject_rbl_client   ips.backscatterer.org


use a regexp: file
I don't think <> is supported in a hash: file

/<>/    reject_rbl_client   ips.backscatterer.org
/^postmaster/   reject_rbl_client   ips.backscatterer.org












Re: email account bombarded with SPAM error bounces - what to do?

2010-07-10 Thread Wietse Venema
Ram:
 I don't think <> is supported in a hash: file

It is a special pattern for SMTPD access maps (i.e. this is
implemented in the Postfix access map code, not in the code
that implements hash or other databases).

smtpd_null_access_lookup_key (default: <>)
   The <> lookup key to be used in SMTP access(5) tables instead of the null
   sender address.

Wietse


Re: email account bombarded with SPAM error bounces - what to do?

2010-07-10 Thread Ansgar Wiechers
On 2010-07-09 Administrator Beckspaced.com wrote:
 since a few weeks one of my email accounts gets bombarded with thousands  
 of SPAM mailer daemon error bounces.
 could not deliver message ... bla bla bla ...

 it's getting really annoying as there are thousands of error bounces  
 coming in every single day.

 looks like that the email address ended up on some SPAM mailing lists ... 
 and now the mailbox receives all this error message junk

 so ... what's the best strategy to get rid of this problem?

 already had a quick look ... and the error bounces come in with an empty  
 <> from address ...
 which seems to be standard for this ... and by default postfix doesn't  
 block empty from addresses 

 so what's the best thing to do to get rid of those thousand error email  
 bounces?

 thing is that the customer urgently needs this email account as it is  
 signed up at many service providers.

 could i do a header check for this single email account and reject the  
 empty from address <> for that email account only?
 what are my options? what's the smartest thing to do??

I don't know about best strategy, but if you can route your outbound
mail through one server, you could try the proxy filter I wrote a while
ago to take care of this problem.

  http://www.planetcobalt.net/sdb/backscatter.shtml

WFM, but beware that it's not tested on (and probably not suitable for)
high-volume servers.
/shameless-plug

Regards
Ansgar Wiechers
-- 
Abstractions save us time working, but they don't save us time learning.
--Joel Spolsky


email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Administrator Beckspaced.com

 hello there,

i'm running a postfix 2.4.6 on an openSUSE box.
postfix has amavisd-new with SpamAssassin installed ...

since a few weeks one of my email accounts gets bombarded with thousands 
of SPAM mailer daemon error bounces.

could not deliver message ... bla bla bla ...

it's getting really annoying as there are thousands of error bounces 
coming in every single day.


looks like that the email address ended up on some SPAM mailing lists 
... and now the mailbox receives all this error message junk


so ... what's the best strategy to get rid of this problem?

already had a quick look ... and the error bounces come in with an empty 
<> from address ...
which seems to be standard for this ... and by default postfix doesn't 
block empty from addresses 


so what's the best thing to do to get rid of those thousand error email 
bounces?


thing is that the customer urgently needs this email account as it is 
signed up at many service providers.


could i do a header check for this single email account and reject the 
empty from address <> for that email account only?

what are my options? what's the smartest thing to do??

thanks a lot for your help & service

with best regards
becki



Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Robert Schetterer
Am 09.07.2010 12:35, schrieb Administrator Beckspaced.com:
  hello there,
 
 i'm running a postfix 2.4.6 on an openSUSE box.
 postfix has amavisd-new with SpamAssassin installed ...
 
 since a few weeks one of my email accounts gets bombarded with thousands
 of SPAM mailer daemon error bounces.
 could not deliver message ... bla bla bla ...
 
 it's getting really annoying as there are thousands of error bounces
 coming in every single day.
 
 looks like that the email address ended up on some SPAM mailing lists
 ... and now the mailbox receives all this error message junk
 
 so ... what's the best strategy to get rid of this problem?
 
 already had a quick look ... and the error bounces come in with an empty
 <> from address ...
 which seems to be standard for this ... and by default postfix doesn't
 block empty from addresses 
 
 so what's the best thing to do to get rid of those thousand error email
 bounces?
 
 thing is that the customer urgently needs this email account as it is
 signed up at many service providers.
 
 could i do a header check for this single email account and reject the
 empty from address <> for that email account only?
 what are my options? what's the smartest thing to do??
 
 thanks a lot for your help & service
 
 with best regards
 becki
 

 if it's always the same host sending backscatter,
simply block the host by access list and/or firewall

let's see some logs, there are many ways to deal with backscatter

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Administrator Beckspaced.com

 hello robert,

thanks a lot for your quick reply ...
actually it is not always the same IP or host sending the error bounces ...
the bounces are sent from hundred of different IP addresses ...

any more idea?

thanks for your help & fun
becki


below some logs you requested ... changed the real email account to 
spamu...@domain.com  -


Jul  8 12:20:27 gehirn postfix/smtpd[19857]: NOQUEUE: reject: RCPT from crusty.hosts.net.nz[210.48.108.195]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<crusty.hosts.net.nz>
Jul  8 12:22:08 gehirn postfix/smtpd[19859]: NOQUEUE: reject: RCPT from mailx.nlabs.de[92.79.50.220]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mailx.nlabs.de>
Jul  8 12:22:48 gehirn postfix/smtpd[19854]: warning: 222.254.188.229: address not listed for hostname localhost
Jul  8 12:23:28 gehirn postfix/smtpd[18358]: NOQUEUE: reject: RCPT from port-87-234-220-121.static.qsc.de[87.234.220.121]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mforward>
Jul  8 12:26:22 gehirn postfix/smtpd[19854]: setting up TLS connection from mail.aydin.edu.tr[212.174.169.8]
Jul  8 12:26:22 gehirn postfix/smtpd[19854]: TLS connection established from mail.aydin.edu.tr[212.174.169.8]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul  8 12:26:22 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from mail.aydin.edu.tr[212.174.169.8]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<Mailsrv.aydin.edu.tr>
Jul  8 12:27:57 gehirn postfix/smtpd[19850]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
Jul  8 12:27:58 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
Jul  8 12:28:27 gehirn postfix/smtpd[18358]: A565C150A7D: client=relay02.is.co.za[196.35.6.70]
Jul  8 12:28:31 gehirn postfix/smtpd[20525]: 78BEC150A7F: client=localhost[127.0.0.1]
Jul  8 12:28:35 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from mx2.lost-oasis.net[80.67.160.52]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mx2.lost-oasis.net>
Jul  8 12:29:23 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from defer114.ocn.ad.jp[122.28.15.169]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<defer114.ocn.ad.jp>
Jul  8 12:29:49 gehirn postfix/smtpd[19850]: E4B86150AE9: client=unknown[184.154.34.69]
Jul  8 12:29:56 gehirn postfix/smtpd[20525]: 8B7F4150AF6: client=localhost[127.0.0.1]
Jul  8 12:30:43 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from post.vrus.de[85.182.133.62]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<>


On 7/9/2010 12:42, Robert Schetterer wrote:

Am 09.07.2010 12:35, schrieb Administrator Beckspaced.com:

  hello there,

i'm running a postfix 2.4.6 on an openSUSE box.
postfix has amavisd-new with SpamAssassin installed ...

since a few weeks one of my email accounts gets bombarded with thousands
of SPAM mailer daemon error bounces.
could not deliver message ... bla bla bla ...

it's getting really annoying as there are thousands of error bounces
coming in every single day.

looks like that the email address ended up on some SPAM mailing lists
... and now the mailbox receives all this error message junk

so ... what's the best strategy to get rid of this problem?

already had a quick look ... and the error bounces come in with an empty
<> from address ...
which seems to be standard for this ... and by default postfix doesn't
block empty from addresses

so what's the best thing to do to get rid of those thousand error email
bounces?

thing is that the customer urgently needs this email account as it is
signed up at many service providers.

could i do a header check for this single email account and reject the
empty from address <> for that email account only?
what are my options? what's the smartest thing to do??

thanks a lot for your help & service

with best regards
becki


  if it's always the same host sending backscatter,
simply block the host by access list and/or firewall

let's see some logs, there are many ways to deal with backscatter





RE: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Kammen van, Marco, Springer SBM NL
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Administrator
Beckspaced.com
Sent: Friday, July 09, 2010 12:52 PM
To: Robert Schetterer
Cc: postfix-users@postfix.org
Subject: Re: email account bombarded with SPAM error bounces - what to
do?

  hello robert,

thanks a lot for your quick reply ...
actually it is not always the same IP or host sending the error bounces
...
the bounces are sent from hundred of different IP addresses ...

any more idea?

thanks for your help & fun
becki

Hi Robert,

Not sure if it's related to your issue.
But there is a big spam/virus attack going on, where messages look like
NDR's but they aren't.
Various big anti spam vendors are having serious issues stopping this.

Marco van Kammen
Springer Science+Business Media
System Manager & Postmaster
van Godewijckstraat 30 | 3311 GX
Office Number: 05E21 
Dordrecht 
The Netherlands  
www.springer.com


Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread wolfgang
In an older episode (Friday, 9. July 2010), Kammen van, Marco, Springer 
SBM NL wrote:


 But there is a big spam/virus attack going on, where messages look
 like NDR's but they aren't.
 Various big anti spam vendors are having serious issues stopping
 this.

Could you provide a URL where more details are available?

Regards,

wolfgang



Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Robert Schetterer
Am 09.07.2010 12:51, schrieb Administrator Beckspaced.com:
  hello robert,
 
 thanks a lot for your quick reply ...
 actually it is not always the same IP or host sending the error bounces ...
 the bounces are sent from hundred of different IP addresses ...
 
 any more idea?
 
 thanks for your help & fun
 becki
 
 
 below some logs you requested ... changed the real email account to
 spamu...@domain.com  -
 
 Jul  8 12:20:27 gehirn postfix/smtpd[19857]: NOQUEUE: reject: RCPT from crusty.hosts.net.nz[210.48.108.195]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<crusty.hosts.net.nz>
 Jul  8 12:22:08 gehirn postfix/smtpd[19859]: NOQUEUE: reject: RCPT from mailx.nlabs.de[92.79.50.220]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mailx.nlabs.de>
 Jul  8 12:22:48 gehirn postfix/smtpd[19854]: warning: 222.254.188.229: address not listed for hostname localhost
 Jul  8 12:23:28 gehirn postfix/smtpd[18358]: NOQUEUE: reject: RCPT from port-87-234-220-121.static.qsc.de[87.234.220.121]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mforward>
 Jul  8 12:26:22 gehirn postfix/smtpd[19854]: setting up TLS connection from mail.aydin.edu.tr[212.174.169.8]
 Jul  8 12:26:22 gehirn postfix/smtpd[19854]: TLS connection established from mail.aydin.edu.tr[212.174.169.8]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
 Jul  8 12:26:22 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from mail.aydin.edu.tr[212.174.169.8]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<Mailsrv.aydin.edu.tr>
 Jul  8 12:27:57 gehirn postfix/smtpd[19850]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
 Jul  8 12:27:58 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
 Jul  8 12:28:27 gehirn postfix/smtpd[18358]: A565C150A7D: client=relay02.is.co.za[196.35.6.70]
 Jul  8 12:28:31 gehirn postfix/smtpd[20525]: 78BEC150A7F: client=localhost[127.0.0.1]
 Jul  8 12:28:35 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from mx2.lost-oasis.net[80.67.160.52]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mx2.lost-oasis.net>
 Jul  8 12:29:23 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from defer114.ocn.ad.jp[122.28.15.169]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<defer114.ocn.ad.jp>
 Jul  8 12:29:49 gehirn postfix/smtpd[19850]: E4B86150AE9: client=unknown[184.154.34.69]
 Jul  8 12:29:56 gehirn postfix/smtpd[20525]: 8B7F4150AF6: client=localhost[127.0.0.1]
 Jul  8 12:30:43 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from post.vrus.de[85.182.133.62]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<>
 
 On 7/9/2010 12:42, Robert Schetterer wrote:
 Am 09.07.2010 12:35, schrieb Administrator Beckspaced.com:
   hello there,

 i'm running a postfix 2.4.6 on an openSUSE box.
 postfix has amavisd-new with SpamAssassin installed ...

 since a few weeks one of my email accounts gets bombarded with thousands
 of SPAM mailer daemon error bounces.
 could not deliver message ... bla bla bla ...

 it's getting really annoying as there are thousands of error bounces
 coming in every single day.

 looks like that the email address ended up on some SPAM mailing lists
 ... and now the mailbox receives all this error message junk

 so ... what's the best strategy to get rid of this problem?

 already had a quick look ... and the error bounces come in with an empty
 <> from address ...
 which seems to be standard for this ... and by default postfix doesn't
 block empty from addresses

 so what's the best thing to do to get rid of those thousand error email
 bounces?

 thing is that the customer urgently needs this email account as it is
 signed up at many service providers.

 could i do a header check for this single email account and reject the
 empty from address <> for that email account only?
 what are my options? what's the smartest thing to do??

 thanks a lot for your help & service

 with best regards
 becki

   if it's always the same host sending backscatter,
 simply block the host by access list and/or firewall

 let's see some logs, there are many ways to deal with backscatter

 

please don't top post,

do they have always the same body?
or equal bodies which might be matched
with 

Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Robert Schetterer
Am 09.07.2010 13:00, schrieb Kammen van, Marco, Springer SBM NL:
 From: owner-postfix-us...@postfix.org
 [mailto:owner-postfix-us...@postfix.org] On Behalf Of Administrator
 Beckspaced.com
 Sent: Friday, July 09, 2010 12:52 PM
 To: Robert Schetterer
 Cc: postfix-users@postfix.org
 Subject: Re: email account bombarded with SPAM error bounces - what to
 do?

   hello robert,
 
 thanks a lot for your quick reply ...
 actually it is not always the same IP or host sending the error bounces
 ...
 the bounces are sent from hundred of different IP addresses ...
 
 any more idea?
 
 thanks for your help & fun
 becki
 
 Hi Robert,
 
 Not sure if it's related to your issue.
 But there is a big spam/virus attack going on, where messages look like
 NDR's but they aren't.
 Various big anti spam vendors are having serious issues stopping this.
 
 Marco van Kammen
 Springer Science+Business Media
 System Manager & Postmaster
 van Godewijckstraat 30 | 3311 GX
 Office Number: 05E21 
 Dordrecht 
 The Netherlands  
 www.springer.com

not my issue
i don't see rising backscatter recently
but i always have high rates

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Administrator Beckspaced.com



On 7/9/2010 13:27, Robert Schetterer wrote:

Am 09.07.2010 12:51, schrieb Administrator Beckspaced.com:

  hello robert,

thanks a lot for your quick reply ...
actually it is not always the same IP or host sending the error bounces ...
the bounces are sent from hundred of different IP addresses ...

any more idea?

thanks for your help & fun
becki


below some logs you requested ... changed the real email account to
spamu...@domain.com  -

Jul  8 12:20:27 gehirn postfix/smtpd[19857]: NOQUEUE: reject: RCPT from crusty.hosts.net.nz[210.48.108.195]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<crusty.hosts.net.nz>
Jul  8 12:22:08 gehirn postfix/smtpd[19859]: NOQUEUE: reject: RCPT from mailx.nlabs.de[92.79.50.220]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mailx.nlabs.de>
Jul  8 12:22:48 gehirn postfix/smtpd[19854]: warning: 222.254.188.229: address not listed for hostname localhost
Jul  8 12:23:28 gehirn postfix/smtpd[18358]: NOQUEUE: reject: RCPT from port-87-234-220-121.static.qsc.de[87.234.220.121]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mforward>
Jul  8 12:26:22 gehirn postfix/smtpd[19854]: setting up TLS connection from mail.aydin.edu.tr[212.174.169.8]
Jul  8 12:26:22 gehirn postfix/smtpd[19854]: TLS connection established from mail.aydin.edu.tr[212.174.169.8]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul  8 12:26:22 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from mail.aydin.edu.tr[212.174.169.8]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<Mailsrv.aydin.edu.tr>
Jul  8 12:27:57 gehirn postfix/smtpd[19850]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
Jul  8 12:27:58 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
Jul  8 12:28:27 gehirn postfix/smtpd[18358]: A565C150A7D: client=relay02.is.co.za[196.35.6.70]
Jul  8 12:28:31 gehirn postfix/smtpd[20525]: 78BEC150A7F: client=localhost[127.0.0.1]
Jul  8 12:28:35 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from mx2.lost-oasis.net[80.67.160.52]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mx2.lost-oasis.net>
Jul  8 12:29:23 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from defer114.ocn.ad.jp[122.28.15.169]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<defer114.ocn.ad.jp>
Jul  8 12:29:49 gehirn postfix/smtpd[19850]: E4B86150AE9: client=unknown[184.154.34.69]
Jul  8 12:29:56 gehirn postfix/smtpd[20525]: 8B7F4150AF6: client=localhost[127.0.0.1]
Jul  8 12:30:43 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from post.vrus.de[85.182.133.62]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<>

On 7/9/2010 12:42, Robert Schetterer wrote:

Am 09.07.2010 12:35, schrieb Administrator Beckspaced.com:

   hello there,

i'm running a postfix 2.4.6 on an openSUSE box.
postfix has amavisd-new with SpamAssassin installed ...

since a few weeks one of my email accounts gets bombarded with thousands
of SPAM mailer daemon error bounces.
could not deliver message ... bla bla bla ...

it's getting really annoying as there are thousands of error bounces
coming in every single day.

looks like that the email address ended up on some SPAM mailing lists
... and now the mailbox receives all this error message junk

so ... what's the best strategy to get rid of this problem?

already had a quick look ... and the error bounces come in with an empty
<> from address ...
which seems to be standard for this ... and by default postfix doesn't
block empty from addresses

so what's the best thing to do to get rid of those thousand error email
bounces?

thing is that the customer urgently needs this email account as it is
signed up at many service providers.

could i do a header check for this single email account and reject the
empty from address <> for that email account only?
what are my options? what's the smartest thing to do??

thanks a lot for your help & service

with best regards
becki


   if it's always the same host sending backscatter,
simply block the host by access list and/or firewall

let's see some logs, there are many ways to deal with backscatter


please don't top post,

do they have always the same body?
or equal bodies which might be matched
with some body_checks

something like
  

RE: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Kammen van, Marco, Springer SBM NL
-Original Message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of wolfgang
Sent: Friday, July 09, 2010 1:11 PM
To: postfix-users@postfix.org
Subject: Re: email account bombarded with SPAM error bounces - what to
do?

In an older episode (Friday, 9. July 2010), Kammen van, Marco,
Springer 
SBM NL wrote:


 But there is a big spam/virus attack going on, where messages look
 like NDR's but they aren't.
 Various big anti spam vendors are having serious issues stopping
 this.

Could you provide a URL where more details are available?

Regards,

wolfgang

Hi Wolfgang,

It's a restricted site for customers only but I can give you this:


July 05, 2010 @ 02:30 am PDT - We have received reports of new variants
of Delivery Notification messages with HTML files that redirect to
malware sites bypassing our filters. We are currently investigating the
issue with Antivirus vendors and will post an update as soon as
information becomes available.

July 03, 2010 @ 11:10 am PDT - We have released an update to resolve
this issue. The info of the update can be found in the Filter Status
Dashboard. We continue to monitor the situation and release necessary
filter updates.

July 03, 2010 @ 09:40 am PDT - We have received reports of new variants
of Delivery Notification messages with an HTML file bypassing our
filters. We are currently investigating the issue with Antivirus vendors
and will post an update as soon as information becomes available.

July 02, 2010 @ 08:31 pm PDT - Updated anti virus signatures are now
detecting the JS/Agent.ME variant. This has effectively resolved the
issue. We apologize for the inconvenience and thank you for your
patience and continued support.

July 02, 2010 @ 07:00pm PDT - We have received reports of Delivery
Notification messages with an HTML file bypassing our filters. We are
currently investigating the issue and will post an update as soon as
information becomes available.

And it seems as of today a new variant is out with a new subject and new
garbage in the body...
Gotta love those spam people! 



Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Robert Schetterer
On 09.07.2010 13:35, Administrator Beckspaced.com wrote:
 
 
 On 7/9/2010 13:27, Robert Schetterer wrote:
 On 09.07.2010 12:51, Administrator Beckspaced.com wrote:
   hello robert,

 thanks a lot for your quick reply ...
 actually it is not always the same IP or host sending the error
 bounces ...
 the bounces are sent from hundred of different IP addresses ...

 any more idea?

 thanks for your help & fun
 becki


 below some logs you requested ... change the real email account to
 spamu...@domain.com  -

 Jul  8 12:20:27 gehirn postfix/smtpd[19857]: NOQUEUE: reject: RCPT from crusty.hosts.net.nz[210.48.108.195]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<crusty.hosts.net.nz>
 Jul  8 12:22:08 gehirn postfix/smtpd[19859]: NOQUEUE: reject: RCPT from mailx.nlabs.de[92.79.50.220]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mailx.nlabs.de>
 Jul  8 12:22:48 gehirn postfix/smtpd[19854]: warning: 222.254.188.229: address not listed for hostname localhost
 Jul  8 12:23:28 gehirn postfix/smtpd[18358]: NOQUEUE: reject: RCPT from port-87-234-220-121.static.qsc.de[87.234.220.121]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mforward>
 Jul  8 12:26:22 gehirn postfix/smtpd[19854]: setting up TLS connection from mail.aydin.edu.tr[212.174.169.8]
 Jul  8 12:26:22 gehirn postfix/smtpd[19854]: TLS connection established from mail.aydin.edu.tr[212.174.169.8]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
 Jul  8 12:26:22 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from mail.aydin.edu.tr[212.174.169.8]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<Mailsrv.aydin.edu.tr>
 Jul  8 12:27:57 gehirn postfix/smtpd[19850]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
 Jul  8 12:27:58 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from svhqgtw02.ethiopianairlines.com[213.55.83.14]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<svhqgtw02.ethiopianairlines.com>
 Jul  8 12:28:27 gehirn postfix/smtpd[18358]: A565C150A7D: client=relay02.is.co.za[196.35.6.70]
 Jul  8 12:28:31 gehirn postfix/smtpd[20525]: 78BEC150A7F: client=localhost[127.0.0.1]
 Jul  8 12:28:35 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from mx2.lost-oasis.net[80.67.160.52]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=SMTP helo=<mx2.lost-oasis.net>
 Jul  8 12:29:23 gehirn postfix/smtpd[18899]: NOQUEUE: reject: RCPT from defer114.ocn.ad.jp[122.28.15.169]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=<> to=<spamu...@domain.com> proto=ESMTP helo=<defer114.ocn.ad.jp>
 Jul  8 12:29:49 gehirn postfix/smtpd[19850]: E4B86150AE9: client=unknown[184.154.34.69]
 Jul  8 12:29:56 gehirn postfix/smtpd[20525]: 8B7F4150AF6: client=localhost[127.0.0.1]
 Jul  8 12:30:43 gehirn postfix/smtpd[19854]: NOQUEUE: reject: RCPT from post.vrus.de[85.182.133.62]: 554 5.7.1 <spamu...@domain.com>: Recipient address rejected: Access denied; from=

 On 7/9/2010 12:42, Robert Schetterer wrote:
 On 09.07.2010 12:35, Administrator Beckspaced.com wrote:
hello there,

 i'm running a postfix 2.4.6 on an openSUSE box.
 postfix has amavisd-new with SpamAssassin installed ...

 since a few weeks one of my email accounts gets bombarded with
 thousands
 of SPAM mailer daemon error bounces.
 could not deliver message ... bla bla bla ...

 it's getting really annoying as there are thousands of error bounces
 coming in every single day.

 looks like that the email address ended up on some SPAM mailing lists
 ... and now the mailbox receives all this error message junk

 so ... what's the best strategy to get rid of this problem?

 already had a quick look ... and the error bounces come in with an empty
 from address ...
 which seems to be standard for this ... and by default postfix doesn't
 block empty from addresses

 so what's the best thing to do to get rid of those thousand error email
 bounces?

 thing is that the customer urgently needs this email account as it is
 signed up at many service providers.

 could i do a header check for this single email account and reject the
 empty from address   for that email account only?
 what are my options? what's the smartest thing to do??

 thanks a lot for your help & service

 with best regards
 becki

 if it is always the same host sending backscatter,
 simply block the host by access list and/or firewall

 let's see some logs, there are many ways to deal with 

Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Ram
On Fri, 2010-07-09 at 13:35 +0200, Administrator Beckspaced.com wrote:
 
 On 7/9/2010 13:27, Robert Schetterer wrote:
  On 09.07.2010 12:51, Administrator Beckspaced.com wrote:
hello robert,
 
  thanks a lot for your quick reply ...
  actually it is not always the same IP or host sending the error bounces ...
  the bounces are sent from hundred of different IP addresses ...
 
  any more idea?
 

Usually you can do very little to prevent forging your domain and
sending spam. 
Some months ago one client of ours too had the same issue, but the issue
is very temporary. 
The short term solution, as someone suggested, will be to temporarily
defer all NDRs with a sender check regex file like
/<>/ 450 Try Later


( The RFCs say you can't do this .. but sometimes you must be
practical :-) )




From my personal experience I found that if, for your regular mailing,
you use some sender authentication mechanism like SPF then these NDRs
significantly reduce. For example many servers reject forged messages based
on SPF checks so you don't get NDRs from them at least.

I guess, spammers ( the more intelligent ones ... I mean ) too would
be less inclined to forge a domain that uses sender authentication
because that will reduce the deliverability of their spams.

Thanks
Ram





Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Administrator Beckspaced.com



On 7/9/2010 14:40, Ram wrote:


hello again robert & ram

thanks again for your ideas ...

so i had another search in google about that backscatter topic and sort
of found a nice, simple & also quick solution?


SAFE MODE with Postfix:

Edit /etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
check_sender_access dbm:/etc/postfix/check_backscatterer
...
Create new file /etc/postfix/check_backscatterer:
<>          reject_rbl_client ips.backscatterer.org
postmaster  reject_rbl_client ips.backscatterer.org

well ... had to change the postfix dbm lookup to hash and do a postmap 
on the file ...
but now this seems to work as it already rejected a few emails according 
to the mail log ...


more info can be found here -

http://www.backscatterer.org

does anyone have any experience with that list?
is this a good long-term solution?

best regards
becki

--
Beckspaced.com - WebDesign, Hosting & Solutions

CEO Becki Beckmann

Marienplatz 9
97353 Wiesentheid
Germany
Phone: 09383-425

P.O. Box 15
Thongsala
84280 Koh Phangan
Suratthani / Thailand
Phone: 077-377 733
Mobile: 087-2828826

--
Optimism is only a lack of information!
--

WebDesign & Hosting - http://beckspaced.com - Are You Beckspaced?
Phangan Independent News - http://kohphangannews.org - The Awful Truth!



Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Stan Hoeppner
Kammen van, Marco, Springer SBM NL put forth on 7/9/2010 6:00 AM:

 Not sure if it's related to your issue.
 But there is a big spam/virus attack going on, where messages look like
 NDR's but they aren't.
 Various big anti spam vendors are having serious issues stopping this.

Some of my trap addresses are being hit with this fake NDR spam but I've not
seen it make it into any inboxen (yet).  My A/S measures are strictly home
grown stuff plus a couple of Spamhaus dnsbl checks.  I guess I'm just lucky so
far. (knocks on wood)

-- 
Stan


Re: email account bombarded with SPAM error bounces - what to do?

2010-07-09 Thread Robert Schetterer
On 09.07.2010 16:13, Administrator Beckspaced.com wrote:
 
 

in your case it may be a short/quick/easy solution
but don't use this rbl long term
it has nearly every big mailhost in it
you will lose legitimate bounces
you may additionally use this rbl only for your backscattered recipient
and not for your whole server

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
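Robert's closing advice is to apply the backscatterer list only to the bombarded mailbox rather than to the whole server, which also answers becki's earlier question about handling the empty sender for one account only. The following Postfix configuration sketch is an added example, not from the thread or from backscatterer.org; the recipient spamuser@example.com, the map file names and the class name backscatter_check are placeholders.

```ini
# /etc/postfix/main.cf  (added example, not from the thread)
#
# Weak setting (what the thread's "safe mode" does): the check sits in the
# global smtpd_recipient_restrictions, so null-sender mail to EVERY mailbox
# is tested against ips.backscatterer.org, a list that carries many large
# mail hosts; legitimate bounces to all users are then lost.
#
#   smtpd_recipient_restrictions =
#       permit_mynetworks,
#       reject_unauth_destination,
#       check_sender_access hash:/etc/postfix/check_backscatterer
#
# Corrected: a restriction class that is entered only for the recipient
# being bombarded (placeholder: spamuser@example.com).  Other mailboxes
# keep receiving their bounces as before.

smtpd_restriction_classes = backscatter_check

# Class name is a placeholder.  If neither sender entry in the map matches,
# the class yields no decision and evaluation simply continues with whatever
# restrictions follow check_recipient_access below.
backscatter_check = check_sender_access hash:/etc/postfix/check_backscatterer

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/backscatter_recipients

# /etc/postfix/backscatter_recipients   (then: postmap /etc/postfix/backscatter_recipients)
# Only this mailbox gets the backscatter treatment.
spamuser@example.com    backscatter_check

# /etc/postfix/check_backscatterer   (then: postmap /etc/postfix/check_backscatterer)
# "<>" is the null (bounce) sender; "postmaster@" matches any postmaster
# address, the other usual origin of auto-generated notices.  Each entry
# rejects only when the connecting client IP is listed in the DNSBL, so
# backscatter from unlisted hosts still reaches the mailbox.
<>              reject_rbl_client ips.backscatterer.org
postmaster@     reject_rbl_client ips.backscatterer.org
```

After building both maps with postmap and running postfix reload, the NOQUEUE reject lines in the mail log should only ever name the listed recipient; a reject for any other mailbox means the class leaked into the global restrictions.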