postfix-users October 2010 archive

RE: Fighting Backscatter

From: Steve Jenkins <steve_at_nospam>
Date: Tue Oct 19 2010 - 01:58:40 GMT
To: "Postfix users" <postfix-users@postfix.org>

Got it. Thanks again for helping me out. I'm still learning.

So it seems I need to figure out how to stop the backscatter process at step
6 and NOT return the bounce to the original sender.
 
I went through my log looking for an entire process like you described. I
think I found one:

Oct 18 18:22:36 carbonfiber postfix/smtpd[16152]: connect from
unknown[117.199.192.62]
Oct 18 18:22:39 carbonfiber postfix/smtpd[16152]: 7B3CC1042340:
client=unknown[117.199.192.62]
Oct 18 18:22:41 carbonfiber postfix/cleanup[16169]: 7B3CC1042340:
message-id=<000701cb6f2c$2b3e2bd0$42c5b402@procom.ca>
Oct 18 18:22:41 carbonfiber postfix/qmgr[18644]: 7B3CC1042340:
from=<genevievegentryya@procom.ca>, size=969, nrcpt=1 (queue active)
Oct 18 18:22:42 carbonfiber postfix/smtpd[16152]: disconnect from
unknown[117.199.192.62]
Oct 18 18:22:42 carbonfiber postfix/smtp[16187]: 7B3CC1042340:
to=<myauntsaccount@cox.net>, orig_to=<myaunt@familyname.com>,
relay=mx.east.cox.net[68.1.17.3]:25, delay=4.5, delays=2.9/0/1.3/0.33,
dsn=5.2.0, status=bounced (host mx.east.cox.net[68.1.17.3] said: 552 5.2.0
LRNh1f01430Aua001RNica Message Rejected - Error Code: URLBL011 - Refer to
Error Codes section at
http://postmaster.cox.net/confluence/display/postmaster/Error+Codes for more
information. (in reply to end of DATA command))
Oct 18 18:22:42 carbonfiber postfix/cleanup[16195]: EC17E10423F3:
message-id=<20101019012242.EC17E10423F3@carbonfiber.familyname.com>
Oct 18 18:22:42 carbonfiber postfix/bounce[16214]: 7B3CC1042340: sender
non-delivery notification: EC17E10423F3
Oct 18 18:22:42 carbonfiber postfix/qmgr[18644]: EC17E10423F3: from=<>,
size=3479, nrcpt=1 (queue active)
Oct 18 18:22:42 carbonfiber postfix/qmgr[18644]: 7B3CC1042340: removed
Oct 18 18:22:43 carbonfiber postfix/smtp[16185]: certificate verification
failed for procommail.procom.ca[216.138.225.134]:25: untrusted issuer
/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
Oct 18 18:22:43 carbonfiber postfix/smtp[16185]: EC17E10423F3:
to=<genevievegentryya@procom.ca>,
relay=procommail.procom.ca[216.138.225.134]:25, delay=1,
delays=0.03/0/0.68/0.3, dsn=5.0.0, status=bounced (host
procommail.procom.ca[216.138.225.134] said: 550 No such user
(genevievegentryya@procom.ca) (in reply to RCPT TO command))
Oct 18 18:22:44 carbonfiber postfix/qmgr[18644]: EC17E10423F3: removed

The instructions at http://www.postfix.org/BACKSCATTER_README.html seem to
only address what to do if MY server is the one being forged. In the above
example, it seems that procom.ca is being forged. How should I configure my
Postfix installation so that I'm not sending the spam back to the innocent
sender? Let me know if you need me to post my postconf -n again.

Thanks,

Steve

-----Original Message-----
From: owner-postfix-users@postfix.org
[mailto:owner-postfix-users@postfix.org] On Behalf Of Wietse Venema
Sent: Monday, October 18, 2010 12:07 PM
To: Postfix users
Subject: Re: Fighting Backscatter

> 1) SpamCo forges a message from innocent@victim.com and sends it to
> myaunt@familyname.com
>
> 2) My server (familyname.com) accepts the message because
> myaunt@familyname is a valid recipient that appears in my virtual
> aliases file, then forwards the message (based on the info in that
> virtual aliases file) to my aunt's actual email address of
> auntiemildredloveskitties@cox.net

3) YOUR SERVER tries to forward the SPAM to Cox.

4) Cox rejects the SPAM.

5) The SPAM is still on YOUR SERVER.

6) YOUR SERVER "returns" the SPAM to an innocent person.

7) YOUR SERVER is blacklisted because it sends backscatter.

        Wietse
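As an added example (not code from this thread, from Postfix, or from either poster), the following Python script reads Postfix log lines and flags exactly the chain Wietse lists as steps 3 to 6: a message accepted from a remote client, forwarded through a virtual alias (visible as orig_to=), rejected by the downstream relay, and then turned into a non-delivery notification (from=<>) addressed to the envelope sender, who may well be forged. The sample log is the excerpt posted above, re-joined into one event per line (the mailer had wrapped it) with the long Cox error text trimmed; the regexes assume the standard Postfix smtpd/qmgr/smtp/bounce log format shown there. Pointed at a live mail log it gives a count of how much backscatter the server is actually emitting.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's own log excerpt, one event per line,
# with the multi-line Cox rejection text shortened.
SAMPLE_LOG = """\
Oct 18 18:22:36 carbonfiber postfix/smtpd[16152]: connect from unknown[117.199.192.62]
Oct 18 18:22:39 carbonfiber postfix/smtpd[16152]: 7B3CC1042340: client=unknown[117.199.192.62]
Oct 18 18:22:41 carbonfiber postfix/cleanup[16169]: 7B3CC1042340: message-id=<000701cb6f2c$2b3e2bd0$42c5b402@procom.ca>
Oct 18 18:22:41 carbonfiber postfix/qmgr[18644]: 7B3CC1042340: from=<genevievegentryya@procom.ca>, size=969, nrcpt=1 (queue active)
Oct 18 18:22:42 carbonfiber postfix/smtpd[16152]: disconnect from unknown[117.199.192.62]
Oct 18 18:22:42 carbonfiber postfix/smtp[16187]: 7B3CC1042340: to=<myauntsaccount@cox.net>, orig_to=<myaunt@familyname.com>, relay=mx.east.cox.net[68.1.17.3]:25, delay=4.5, delays=2.9/0/1.3/0.33, dsn=5.2.0, status=bounced (host mx.east.cox.net[68.1.17.3] said: 552 5.2.0 Message Rejected (in reply to end of DATA command))
Oct 18 18:22:42 carbonfiber postfix/cleanup[16195]: EC17E10423F3: message-id=<20101019012242.EC17E10423F3@carbonfiber.familyname.com>
Oct 18 18:22:42 carbonfiber postfix/bounce[16214]: 7B3CC1042340: sender non-delivery notification: EC17E10423F3
Oct 18 18:22:42 carbonfiber postfix/qmgr[18644]: EC17E10423F3: from=<>, size=3479, nrcpt=1 (queue active)
Oct 18 18:22:42 carbonfiber postfix/qmgr[18644]: 7B3CC1042340: removed
Oct 18 18:22:43 carbonfiber postfix/smtp[16185]: EC17E10423F3: to=<genevievegentryya@procom.ca>, relay=procommail.procom.ca[216.138.225.134]:25, delay=1, delays=0.03/0/0.68/0.3, dsn=5.0.0, status=bounced (host procommail.procom.ca[216.138.225.134] said: 550 No such user (genevievegentryya@procom.ca) (in reply to RCPT TO command))
Oct 18 18:22:44 carbonfiber postfix/qmgr[18644]: EC17E10423F3: removed
"""

# Every interesting event is "<queue id>: <key>=..."; queue ids are upper-case hex.
QID = r"(?P<qid>[0-9A-F]{6,}): "
RE_CLIENT = re.compile(QID + r"client=(?P<client>\S+)")          # smtpd: remote submission
RE_FROM = re.compile(QID + r"from=<(?P<sender>[^>]*)>")          # qmgr: envelope sender
RE_DELIVERY = re.compile(                                         # smtp: delivery attempt
    QID + r"to=<(?P<to>[^>]*)>, (?:orig_to=<(?P<orig_to>[^>]*)>, )?"
    r"relay=(?P<relay>[^,]+),.*?dsn=(?P<dsn>[^,]+), status=(?P<status>\w+)"
)
RE_NDN = re.compile(QID + r"sender non-delivery notification: (?P<ndn>[0-9A-F]{6,})")


def parse_log(text):
    """Group log events by queue id: client, sender, deliveries, and the
    queue id of any non-delivery notification Postfix generated for it."""
    msgs = defaultdict(lambda: {"client": None, "sender": None,
                                "deliveries": [], "ndn": None})
    for line in text.splitlines():
        if m := RE_CLIENT.search(line):
            msgs[m["qid"]]["client"] = m["client"]
        elif m := RE_FROM.search(line):
            msgs[m["qid"]]["sender"] = m["sender"]
        elif m := RE_DELIVERY.search(line):
            msgs[m["qid"]]["deliveries"].append(
                {k: m[k] for k in ("to", "orig_to", "relay", "dsn", "status")})
        elif m := RE_NDN.search(line):
            msgs[m["qid"]]["ndn"] = m["ndn"]
    return msgs


def find_backscatter(msgs):
    """One finding per message that was accepted over SMTP, forwarded to an
    orig_to alias target, rejected there, and then bounced back to its sender."""
    findings = []
    for qid, rec in msgs.items():
        if rec["client"] is None or rec["ndn"] is None:
            continue  # not received from a remote client, or no DSN was created
        rejected = [d for d in rec["deliveries"]
                    if d["status"] == "bounced" and d["orig_to"]]
        if not rejected:
            continue
        dsn = msgs.get(rec["ndn"], {"sender": None, "deliveries": []})
        findings.append({
            "queue_id": qid,
            "client": rec["client"],
            "claimed_sender": rec["sender"],
            "forwarded_alias": rejected[0]["orig_to"],
            "rejected_by": rejected[0]["relay"],
            "dsn_queue_id": rec["ndn"],
            "dsn_is_null_sender": dsn["sender"] == "",   # from=<> marks a bounce
            "dsn_status": dsn["deliveries"][0]["status"] if dsn["deliveries"] else "unknown",
        })
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_backscatter(parse_log(text)):
        print(f"{f['queue_id']}: client {f['client']} claimed <{f['claimed_sender']}>; "
              f"{f['forwarded_alias']} forwarded and rejected by {f['rejected_by']}; "
              f"DSN {f['dsn_queue_id']} to sender: {f['dsn_status']}")
```

Each finding is a message the server should have refused during the SMTP session instead of accepting and bouncing; in the sample the DSN itself comes back with "550 No such user", which is the usual sign that the sender address was forged. The script only reports the symptom, it does not change any Postfix setting.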