Re: how to protect MTAs from mass mails
On Aug 20, 2014, at 3:56 AM, ml ml mliebher...@googlemail.com wrote:

> From time to time I get hit by mass mail with fake sender addresses. By default my postfix accepted those mails until it found out that the recipient does not exist. Then postfix tries to send back that 550 User Unknown error mail. However, the sender is fake. Therefore the mails get stuck on my postfix mta.

Why are you accepting mail for non-existent recipients? That is NOT the default Postfix behavior. If the recipient does not exist, by default, Postfix will reject the mail. To get the "accept and then bounce" behavior you seem to have, you have changed something. But since you have provided no information on your configuration, anything further is merely guessing.

-- 
Larry Stone
lston...@stonejongleux.com
http://www.stonejongleux.com/
Re: how to protect MTAs from mass mails
On 20/08/2014 10:56, ml ml wrote:
> By default my postfix accepted those mails until it found out that the recipient does not exist. Then postfix tries to send back that 550 User Unknown error mail.

I doubt that Postfix by default accepts mail for users it does not know about, but anyway...

> However, the sender is fake. Therefore the mails get stuck on my postfix mta.
>
> I now enabled recipient address verification. In that case my postfix mta will reject the mails already in the rcpt to stream. Which is great. However, I now got blacklisted by backscatterer:

I'm not surprised.

> The source of this problem seems to be the empty address verify probes/mails. In this case this is no spam or mass mails or anything. Just a lot of mails and empty from sender addresses and a lot of mail traffic.

The reason why you are blacklisted is the backscatter caused by your late rejection of incoming messages, NOT the recipient verify probes. And if you need to use recipient verify for domains that are not under your control, you are definitely doing something wrong: why do you accept mail from external sources directed to domains you do not control? This smells like an open relay to me.

Cheers,
Daniele
Re: how to protect MTAs from mass mails
On 08/20/2014 07:44 AM, Daniele Nicolodi wrote:
> On 20/08/2014 10:56, ml ml wrote:
>> By default my postfix accepted those mails until it found out that the recipient does not exist. Then postfix tries to send back that 550 User Unknown error mail.
>
> I doubt that Postfix by default accepts mail for users it does not know about, but anyway...
>
>> However, the sender is fake. Therefore the mails get stuck on my postfix mta.
>>
>> I now enabled recipient address verification. In that case my postfix mta will reject the mails already in the rcpt to stream. Which is great. However, I now got blacklisted by backscatterer:
>
> I'm not surprised.
>
>> The source of this problem seems to be the empty address verify probes/mails. In this case this is no spam or mass mails or anything. Just a lot of mails and empty from sender addresses and a lot of mail traffic.
>
> The reason why you are blacklisted is the backscatter caused by your late rejection of incoming messages, NOT the recipient verify probes. And if you need to use recipient verify for domains that are not under your control, you are definitely doing something wrong: why do you accept mail from external sources directed to domains you do not control? This smells like an open relay to me.
>
> Cheers,
> Daniele

You're right that he probably has open relays and other security/leak problems. He has most likely studied his logs and other items and tried to fix these things on his own and now has the problems that you and Larry are describing. He's stuck and trying to get the best resolution to fix the gaps. Without support from people in the know, he'd probably dig himself in a deeper hole.

-- 
L. James

-- 
L. D. James
lja...@apollo3.com
www.apollo3.com/~ljames
Re: how to protect MTAs from mass mails
Try using the relay_recipient_maps feature which will only accept mails in that list.

-- 
L. James

-- 
L. D. James
lja...@apollo3.com
www.apollo3.com/~ljames

On 08/20/2014 04:56 AM, ml ml wrote:
> Hello list,
>
> from time to time I get hit by mass mail with fake sender addresses. By default my postfix accepted those mails until it found out that the recipient does not exist. Then postfix tries to send back that 550 User Unknown error mail. However, the sender is fake. Therefore the mails get stuck on my postfix mta.
>
> I now enabled recipient address verification. In that case my postfix mta will reject the mails already in the rcpt to stream. Which is great. However, I now got blacklisted by backscatterer:
>
> ---
> This IP IS CURRENTLY LISTED in our Database.
> Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
>
> This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.
>
> To track down what happened investigate your smtplogs near 20.08.2014 09:19 CEST +/-1 minute. You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time. So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM. Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.
>
> This IP is temporary listed. The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP.
> ---
>
> The source of this problem seems to be the empty address verify probes/mails. In this case this is no spam or mass mails or anything. Just a lot of mails and empty from sender addresses and a lot of mail traffic.
>
> I already asked about this in http://archives.neohapsis.com/archives/postfix/2014-08/0282.html
>
> But I am not sure if I am doing it right in general. Does anyone have the same problem? Is reject_unverified_recipient the wrong way to go?
>
> Thanks a lot,
> Mario
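The backscatterer listing quoted above tells the operator to read the SMTP logs around the listing time and look for outgoing mail with a NULL SENDER or POSTMASTER in MAIL FROM. The script below is an added example (not code from this thread or from the Postfix project) of doing exactly that over Postfix logs: the sender appears on the qmgr line and each delivery attempt on the smtp line, so the two are joined on the queue id. The log lines are constructed for the example; the hostname mailout9.example.net is the one from Mario's postconf output, the double-bounce sender reflects the Postfix default for verify probes, and the regexes assume the standard syslog line format.

```python
"""Find outbound Postfix deliveries that carry a bounce or probe sender.

Added example, not code from the thread. Joins qmgr (sender) and smtp
(recipient/relay/status) log lines on the queue id and reports the
entries whose MAIL FROM is <>, double-bounce@host or postmaster@host.
"""
import re
from collections import defaultdict

# qmgr logs the envelope sender; smtp logs one line per delivery attempt.
QMGR_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=\d+")
SMTP_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtp\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), "
    r".*status=(?P<status>\w+)")


def suspicious_sender(sender, local_host):
    """True for the MAIL FROM values a backscatter listing complains about:
    the null sender (bounces) and this host's probe/postmaster senders."""
    if sender == "":
        return True
    localpart, _, domain = sender.rpartition("@")
    return domain == local_host and localpart in ("double-bounce", "postmaster")


def scan(lines, local_host):
    """Return {qid: {"sender": ..., "deliveries": [(rcpt, relay, status), ...]}}
    for every queue entry whose sender is suspicious."""
    senders = {}
    deliveries = defaultdict(list)
    for line in lines:
        m = QMGR_RE.match(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = SMTP_RE.match(line)
        if m:
            deliveries[m["qid"]].append((m["rcpt"], m["relay"], m["status"]))
    return {qid: {"sender": sender, "deliveries": deliveries.get(qid, [])}
            for qid, sender in senders.items()
            if suspicious_sender(sender, local_host)}


def summarize(report):
    """Count suspicious deliveries per destination domain: the quickest way
    to see which third parties received bounces or probes from this host."""
    per_domain = defaultdict(int)
    for entry in report.values():
        for rcpt, _relay, _status in entry["deliveries"]:
            per_domain[rcpt.rpartition("@")[2].lower()] += 1
    return dict(per_domain)


# Constructed sample log in the Postfix syslog format; not real traffic.
SAMPLE_LOG = """\
Aug 20 09:18:55 mailout9 postfix/qmgr[2201]: 1A2B3C4D5E: from=<user@example.net>, size=1520, nrcpt=1 (queue active)
Aug 20 09:18:56 mailout9 postfix/smtp[2210]: 1A2B3C4D5E: to=<friend@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Aug 20 09:19:01 mailout9 postfix/qmgr[2201]: 2B3C4D5E6F: from=<>, size=3410, nrcpt=1 (queue active)
Aug 20 09:19:02 mailout9 postfix/smtp[2211]: 2B3C4D5E6F: to=<forged@victim.example>, relay=mx.victim.example[198.51.100.5]:25, delay=1.1, dsn=2.0.0, status=sent (250 accepted)
Aug 20 09:19:05 mailout9 postfix/qmgr[2201]: 3C4D5E6F70: from=<double-bounce@mailout9.example.net>, size=250, nrcpt=1 (queue active)
Aug 20 09:19:06 mailout9 postfix/smtp[2212]: 3C4D5E6F70: to=<probe@victim.example>, relay=mx.victim.example[198.51.100.5]:25, delay=0.9, dsn=5.1.1, status=undeliverable (host said: 550 5.1.1 unknown)
Aug 20 09:19:09 mailout9 postfix/qmgr[2201]: 4D5E6F7081: from=<>, size=2980, nrcpt=1 (queue active)
Aug 20 09:19:10 mailout9 postfix/smtp[2213]: 4D5E6F7081: to=<nobody@other.example>, relay=mx.other.example[203.0.113.7]:25, delay=2.0, dsn=2.0.0, status=sent (250 OK)
"""

if __name__ == "__main__":
    rep = scan(SAMPLE_LOG.splitlines(), "mailout9.example.net")
    for qid, entry in rep.items():
        print(qid, repr(entry["sender"]), entry["deliveries"])
    print(summarize(rep))
```

Run it against a real mail.log by replacing SAMPLE_LOG.splitlines() with the file's lines; a high count for a domain you never send to is the backscatter the listing describes. Note that a bounce with status=sent is the damaging case: it reached the forged sender's MX.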
Re: how to protect MTAs from mass mails
This setup is not very unusual if you have a larger network. Then you have multiple mailout servers for sending/delivering the mails. How could I possibly control recipients that do not belong to me?!

This is my config:

-- postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
inet_protocols = ipv4
mailbox_size_limit = 0
mydestination =
myhostname = mailout9.example.net
mynetworks = 127.0.0.0/8 xxx.xxx.132.35 xxx.xxx.131.219 195.4.248.13 xxx.xxx.132.51 xxx.xxx.132.36 xxx.xxx.131.181 xxx.xxx.131.201 xxx.xxx.131.205 xxx.xxx.130.99 xxx.xxx.132.56 xxx.xxx.132.73 xxx.xxx.130.98 xxx.xxx.154.100 xxx.xxx.132.57 xxx.xxx.146.241 xxx.xxx.138.85
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_unknown_client_hostname reject_unknown_reverse_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = no
transport_maps = hash:/etc/postfix/transport
unverified_recipient_reject_code = 550

Looking at it now, mynetworks seems to be the reason my mta accepts all mails (which it does not by default).

Here is a little ugly diagram: http://www.sumoware.com/images/temp/xztxkmqojbcmrerp.png

I tried using reject_unverified_recipient to avoid that the mailout server accepts mails it won't be able to deliver.

What am I doing wrong? Or: HOW should I do it?

Thanks,
Mario

On Wed, Aug 20, 2014 at 1:44 PM, Daniele Nicolodi dani...@grinta.net wrote:
> On 20/08/2014 10:56, ml ml wrote:
>> By default my postfix accepted those mails until it found out that the recipient does not exist. Then postfix tries to send back that 550 User Unknown error mail.
>
> I doubt that Postfix by default accepts mail for users it does not know about, but anyway...
>
>> However, the sender is fake. Therefore the mails get stuck on my postfix mta.
>>
>> I now enabled recipient address verification. In that case my postfix mta will reject the mails already in the rcpt to stream. Which is great. However, I now got blacklisted by backscatterer:
>
> I'm not surprised.
>
>> The source of this problem seems to be the empty address verify probes/mails. In this case this is no spam or mass mails or anything. Just a lot of mails and empty from sender addresses and a lot of mail traffic.
>
> The reason why you are blacklisted is the backscatter caused by your late rejection of incoming messages, NOT the recipient verify probes. And if you need to use recipient verify for domains that are not under your control, you are definitely doing something wrong: why do you accept mail from external sources directed to domains you do not control? This smells like an open relay to me.
>
> Cheers,
> Daniele
Re: how to protect MTAs from mass mails
ml ml:
> This setup is not very unusual if you have a larger network. Then you have multiple mailout servers for sending/delivering the mails. How could I possibly control recipients that do not belong to me?!

If your MTA is an outbound relay for an internal network, then you could certainly require with check_sender_access that the SMTP sender is an internal email address (or <>). Then, an infected internal machine cannot send out junk with a fake external sender address, and your MTA will not be blacklisted for sending backscatter email.

	Wietse
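Wietse's rule (the envelope sender on an outbound relay must be an internal address or the null sender) is normally expressed with a check_sender_access map, where the domain keys get OK, the key "<>" covers the null sender, and the list ends with reject. The script below is an added example, not code from this thread or from the Postfix project, that implements the same decision as a check_policy_service daemon, which makes the rule explicit and testable without a running Postfix. It assumes the internal domains example.net and corp.example.net, and the master.cf/main.cf lines in the docstring are an assumed wiring that you adjust to your own paths. It is meant only for a relay that handles mail submitted from mynetworks; on an inbound MX it would reject all external senders.

```python
"""Postfix SMTPD policy service: allow only internal or null senders.

Added example (not from the thread or the Postfix project). Wiring, assumed:

  master.cf:  sender-policy unix - n n - 0 spawn user=nobody
                argv=/usr/local/bin/sender_policy.py
  main.cf:    smtpd_sender_restrictions = check_policy_service unix:private/sender-policy

Postfix sends one request per sender as "name=value" lines ended by a blank
line; the daemon answers "action=..." followed by a blank line.
"""
import sys

# Domains whose users may relay through this host (assumed values).
INTERNAL_DOMAINS = {"example.net", "corp.example.net"}


def parse_request(text):
    """Parse one policy request into a dict; stops at the blank terminator."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_allowed(sender, internal_domains=INTERNAL_DOMAINS):
    """The null sender (bounces, verify probes) and any address in an internal
    domain pass; anything else is an external or forged MAIL FROM."""
    if sender == "":
        return True
    localpart, at, domain = sender.rpartition("@")
    return bool(at) and bool(localpart) and domain.lower() in internal_domains


def decide(attrs, internal_domains=INTERNAL_DOMAINS):
    """Return the Postfix action for one parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if sender_allowed(attrs.get("sender", ""), internal_domains):
        return "DUNNO"  # no opinion; later restrictions still apply
    return "REJECT Sender address not permitted on this relay"


def handle(text, internal_domains=INTERNAL_DOMAINS):
    """One full exchange: request text in, response text (with terminator) out."""
    return "action=%s\n\n" % decide(parse_request(text), internal_domains)


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests on stdin/stdout, which is how spawn(8) runs the daemon."""
    buf = []
    for line in stream_in:
        if line.strip():
            buf.append(line.rstrip("\n"))
            continue
        stream_out.write(handle("\n".join(buf) + "\n\n"))
        stream_out.flush()
        buf = []


if __name__ == "__main__":
    serve()
```

Returning DUNNO rather than OK for accepted senders matters: OK would short-circuit the rest of smtpd_sender_restrictions, whereas DUNNO lets reject_non_fqdn_sender and reject_unknown_sender_domain from Mario's configuration still run.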
Re: how to protect MTAs from mass mails
On Wed, 20 Aug 2014, ml ml wrote:
> This setup is not very unusual if you have a larger network. Then you have multiple mailout servers for sending/delivering the mails. How could I possibly control recipients that do not belong to me?!

You failed to adequately describe the problem. We assumed you were talking about inbound mail, not outbound mail. If outbound mail is being abused, you need to deal with whatever user(s) are abusing your server.

IMHO, the real problem is you have local users (users sending from an address in mynetworks) who are spamming with fake sender addresses. The backscatter problem is a symptom of the bigger problem of your users abusing your server. Fix the real problem, not the symptom.

-- 
Larry Stone
lston...@stonejongleux.com