postfix-users October 2010 archive

RE: Fighting Backscatter

From: Steve Jenkins <steve_at_nospam>
Date: Fri Oct 15 2010 - 19:00:57 GMT
To: "Postfix users" <postfix-users@postfix.org>

There are a few entries in there that seem to match the "<>" bill, but I'm
not sure I'm understanding what they're saying, or even what I should be
looking for to troubleshoot.

For some background, this is my personal server that I run my family's mail
on. There are a few local IMAP/POP accounts for my immediate family members
(they are also allowed to relay mail using SMTP-AUTH), but most of the valid
destination addresses on this box are virtual aliases that forward
"firstname@familyname.com" to everyone's respective gmail, aol, cox.net
addresses, etc.

Back to the logfile, here are some examples when I grep for <> (any
references to my users and/or hosts have been replaced with myhost,
mydomain, and myuser).

I have a bunch like these that appear harmless (although I'm not sure):

Oct 10 03:30:24 carbonfiber postfix/qmgr[18644]: BA1AE10423D2: from=<>,
size=4951, nrcpt=1 (queue active)
Oct 10 03:30:24 carbonfiber postfix/qmgr[18644]: 9A025104245A: from=<>,
size=8497, nrcpt=1 (queue active)
Oct 10 03:30:24 carbonfiber postfix/qmgr[18644]: 3B9EF10423F1:
from=<AngelaNabritt@dslextreme.com>, size=2790, nrcpt=67 (queue active)
Oct 10 03:30:24 carbonfiber postfix/qmgr[18644]: 526E71042420: from=<>,
size=8237, nrcpt=1 (queue active)
Oct 10 03:30:24 carbonfiber postfix/qmgr[18644]: 69B3B1042410: from=<>,
size=8472, nrcpt=1 (queue active)
Oct 10 03:30:24 carbonfiber postfix/qmgr[18644]: A929010423A9: from=<>,
size=8471, nrcpt=1 (queue active)

I've got a few like this, which looks more suspicious:

Oct 10 03:31:50 carbonfiber postfix/cleanup[3313]: 6B3BD104243D:
message-id=<20101010103150.6B3BD104243D@myhost.mydomain.com
Oct 10 03:31:50 carbonfiber postfix/bounce[3825]: 2164C10423F3: sender
non-delivery notification: 6B3BD104243D
Oct 10 03:31:50 carbonfiber postfix/qmgr[18644]: 6B3BD104243D: from=<>,
size=3876, nrcpt=1 (queue active)
Oct 10 03:31:51 carbonfiber postfix/smtp[3811]: certificate verification
failed for mx1.utc.iphmx.com[68.232.135.212]:25: self-signed certificate
Oct 10 03:31:51 carbonfiber postfix/smtp[3811]: 6B3BD104243D:
to=<0-ka@otis.com>, relay=mx1.utc.iphmx.com[68.232.135.212]:25, delay=0.87,
delays=0.03/0/0.71/0.13, dsn=2.0.0, status=sent (250 ok: Message 65223
accepted)
Oct 10 03:31:51 carbonfiber postfix/qmgr[18644]: 6B3BD104243D: removed

Also, should I be looking for any time that "postfix/bounce" appears in my
maillog? There seem to be a few of those, too, such as:

Oct 15 11:39:14 carbonfiber postfix/smtpd[21509]: 1E9E510423D3:
client=unknown[190.80.137.175]
Oct 15 11:39:14 carbonfiber postfix/cleanup[22200]: 1E9E510423D3:
message-id=<000d01cb6c98$3284e4b0$6400a8c0@idealistically7>
Oct 15 11:39:14 carbonfiber opendkim[5750]: 1E9E510423D3: [190.80.137.175]
[190.80.137.175] not internal
Oct 15 11:39:14 carbonfiber opendkim[5750]: 1E9E510423D3: not authenticated
Oct 15 11:39:14 carbonfiber opendkim[5750]: 1E9E510423D3: no signature data
Oct 15 11:39:14 carbonfiber postfix/qmgr[18644]: 1E9E510423D3:
from=<idealistically7@rjsjute.com>, size=854, nrcpt=1 (queue active)
Oct 15 11:39:20 carbonfiber postfix/smtp[22201]: 1E9E510423D3:
to=<myuser@myhost.net>, orig_to=<myuser@mydomain.com>,
relay=mx.east.cox.net[68.1.17.3]:25, delay=6.5, delays=0.81/0/5.3/0.34,
dsn=5.2.0, status=bounced (host mx.east.cox.net[68.1.17.3] said: 552 5.2.0
K6fE1f05J30Aua0016fLJA Message Rejected - Error Code: URLBL011 - Refer to
Error Codes section at
http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more
information. (in reply to end of DATA command))
Oct 15 11:39:20 carbonfiber postfix/bounce[22258]: 1E9E510423D3: sender
non-delivery notification: 7BC6710423FC
Oct 15 11:39:20 carbonfiber postfix/qmgr[18644]: 1E9E510423D3: removed

Sorry if I'm coming off as a n00b, but I'm still learning. :)

Thanks in advance for any guidance,

Steve

-----Original Message-----
From: owner-postfix-users@postfix.org
[mailto:owner-postfix-users@postfix.org] On Behalf Of Wietse Venema
Sent: Friday, October 15, 2010 8:28 AM
To: Postfix users
Subject: Re: Fighting Backscatter

Steve Jenkins:
> I've read through the readme at:
>
> http://www.postfix.org/BACKSCATTER_README.html
>
> and thought I was doing everything right, but my personal mail server is
> still getting listed at Backscatterer.org. :(

Have you looked in your logfile for mail from <>, that is sent by
your Postfix machine?

        Wietse
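
One way to run the check suggested in the quoted reply (mail from <> that is sent by the local Postfix machine), as an added example that is not part of the original thread: it links each postfix/bounce "sender non-delivery notification" to the original queue ID and reports only notifications that left through postfix/smtp to a remote relay. The log lines are constructed, with placeholder hosts, addresses and queue IDs, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the maillog excerpts in the message above.
# Hosts, addresses and queue IDs are placeholders; real syslog lines are
# unwrapped, one event per line.
SAMPLE_LOG = """\
Oct 15 11:39:14 mx postfix/smtpd[21509]: AAAA00000001: client=unknown[192.0.2.10]
Oct 15 11:39:14 mx postfix/qmgr[18644]: AAAA00000001: from=<forged@victim.example>, size=854, nrcpt=1 (queue active)
Oct 15 11:39:20 mx postfix/smtp[22201]: AAAA00000001: to=<user@isp.example>, orig_to=<user@family.example>, relay=mx.isp.example[198.51.100.3]:25, delay=6.5, dsn=5.2.0, status=bounced (host mx.isp.example[198.51.100.3] said: 552 5.2.0 Message Rejected)
Oct 15 11:39:20 mx postfix/bounce[22258]: AAAA00000001: sender non-delivery notification: BBBB00000002
Oct 15 11:39:20 mx postfix/qmgr[18644]: BBBB00000002: from=<>, size=3876, nrcpt=1 (queue active)
Oct 15 11:39:21 mx postfix/smtp[22201]: BBBB00000002: to=<forged@victim.example>, relay=mx.victim.example[203.0.113.7]:25, delay=0.87, dsn=2.0.0, status=sent (250 ok)
Oct 15 11:40:02 mx postfix/qmgr[18644]: CCCC00000003: from=<>, size=4951, nrcpt=1 (queue active)
Oct 15 11:40:03 mx postfix/local[22300]: CCCC00000003: to=<user@family.example>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-Za-z]+): (.*)")

def find_outbound_dsns(log_text):
    """Return one record per locally generated bounce that left via smtp."""
    client, dsn_parent, sent = {}, {}, {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if daemon == "smtpd" and rest.startswith("client="):
            client[qid] = rest[len("client="):]      # who handed us the original
        elif daemon == "bounce":
            n = re.search(r"sender non-delivery notification: (\w+)", rest)
            if n:
                dsn_parent[n.group(1)] = qid         # new DSN qid -> original qid
        elif daemon == "smtp" and "status=sent" in rest:
            d = re.match(r"to=<([^>]*)>.*?relay=([^,]+)", rest)
            if d:
                sent[qid] = d.groups()               # (recipient, remote relay)
    findings = []
    for dsn_qid, parent in dsn_parent.items():
        if dsn_qid in sent:                          # the DSN left this machine
            rcpt, relay = sent[dsn_qid]
            findings.append({"dsn": dsn_qid, "original": parent,
                             "client": client.get(parent, "unknown (not in log)"),
                             "bounced_to": rcpt, "via": relay})
    return findings

if __name__ == "__main__":
    for f in find_outbound_dsns(SAMPLE_LOG):
        print(f)
```

Queue ID CCCC00000003 in the sample is a null-sender message delivered to a local mailbox, so it is not reported; only BBBB00000002, which postfix/bounce created and postfix/smtp delivered to a remote host, is.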