postfix-users October 2010 archive

Re: postfix doubling emails and spam!

From: Al Zick <al_at_nospam>
Date: Wed Oct 27 2010 - 21:44:54 GMT
To: postfix users <postfix-users@postfix.org>

Hi,

On Oct 27, 2010, at 12:38 PM, Noel Jones wrote:

> On 10/27/2010 10:37 AM, Al Zick wrote:
>> Hi,
>>
>> I hope that someone can help me. Last night I had a strange
>> problem. Every email that came in was there twice. Emails that
>> I would normally get 2 copies of, I received 4 copies of. Any
>> ideas on what could cause this?
>
> Careful examination of the logs will probably enlighten you. With
> no information, speculation is pointless.

I have been looking at the logs.

I have never seen this before:
Oct 27 15:10:03 agnus postfix[27341]: dict_eval: expand $myhostname,
$mydomain, localhost.$mydomain -> agnus.datazap.net, datazap.net,
localhost.datazap.net
Oct 27 15:10:03 agnus postfix[27341]: dict_eval: expand
$mydestination -> agnus.datazap.net, datazap.net, localhost.datazap.net
Oct 27 15:10:03 agnus postfix[27341]: dict_eval: expand
$relay_domains -> agnus.datazap.net, datazap.net, localhost.datazap.net

Also, it seems to have rejected almost double what it delivered to
command: /usr/local/bin/procmail.

There also seems to be a very large number of "lost connection after
RCPT from unknown". I don't think it would be possible for all of
these to be port scans with just how many there are and the log only
goes back to 5 pm last night. I think mostly what an MTA has to deal
with is stupid crap!

>> Also, it seemed to be working correctly this morning, but for
>> hours it duplicated messages. I think it is because of some
>> spammer attempting to relay or send me spam.
>
> Not likely. A broken alias is the first guess. What did you change?

I didn't change anything and I can't find any duplicates in the log.
I have to wonder if the problem didn't occur after it was delivered
to procmail.

I restarted postfix.

>> I then have postfix pass the email to procmail where it is
>> filtered with bogofilter. I keep giving bogofilter more spam
>> to look at, but it doesn't seem to block all the spam anymore,
>> although it blocks some spam. When I first installed it,
>> bogofilter worked very well.
>
> Sounds as if bogofilter is poorly trained. Ask for help on a
> bogofilter forum, or just delete the database and start over.

I have deleted the database many times and started over. If I delete
the older spam and the spam that is out of order being sorted by date
it will work again for a while.

>
>>
>> The other thing that is very disturbing to me is that twice
>> last week my mail server went down. I guess from all the
>> repeated attempts to use it as an open relay. From everything
>> I have seen in the logs, postfix successfully stops all relay
>> attempts.
>
> A crash is an indication that something is broken. Normally-
> operating postfix (even under extreme loads) will not cause a
> crash. Rejecting relay attempts or unknown recipients places very
> little load on the computer; even a small server can easily reject
> hundreds of attempts per second with little load.
>
> Examine your logs (not just the mail log) for hints of what caused
> the crash; ask for help on a forum for your operating system.
>
> Make sure that security patches for your OS are applied.

I looked at all the logs. I really don't see anything that could have
caused the problem. I guess that I am making an assumption that I
shouldn't be, but it seems like all of my problems lately have been
with email. I feel like I need to get postfix to stop using so much cpu.

I don't think there are any security patches that I haven't applied.
Although, I did look at what is installed too. I had postfix 2.4
installed. I am now compiling a newer version. One thing that
bothered me is that when I was trying to use header checks in postfix
to block some of the spam, it would work for a while, but would then
stop working and would work just like the header checks were not even
configured.

>> The other thing that I see in the log is attempts to send
>> emails to email addresses that never existed. For example:
>> admin@datazap.net is a valid email address. Why do I have 10,000's
>> of attempts to send email to adminDD@datazap.net in my log?
>> This has never been a valid email address.
>
> These should be quickly rejected by postfix and cause very little
> load. Spammers send to all kind of non-existent addresses.

The problem is that a dozen different mail servers with dozens of
different non-existing addresses are all doing it at once, each mail
server sending 100's of emails. When I used to use postgrey (I gave
that up years ago), postgrey would use all the cpu.

>
>>
>> I was using other rbls. This was a mistake, way too many false
>> positives, does anyone have a list of good rbl_clients?
>
> zen.spamhaus.org is widely recommended as safe and very effective.
> If you're too large for the free service, the paid service is well
> worth the price.
> http://www.spamhaus.org/organization/dnsblusage.html
>
> If you have a fairly recent postfix you should also use
> reject_rhsbl_* dbl.spamhaus.org
> http://www.postfix.org/postconf.5.html#reject_rhsbl_client
> http://www.postfix.org/postconf.5.html#reject_rhsbl_sender
> http://www.postfix.org/postconf.5.html#reject_rhsbl_reverse_client

Ok!

>> One thing that I don't like is that postfix rejects all the
>> emails. I think this is a mistake, because I am telling the
>> spammers that it didn't work. I think it would be best to put
>> those emails into a spam folder. I did install rblcheck, but I
>> can't find documentation for using it with Postfix/procmail.
>
> Bad idea. There is no evidence the spammers check their rejects.
> There *is* some evidence that sites that accept any old crap are
> spam attractors and tend to get much more spam than others.

The problem is these same emails continue to be bounced by my mail
server. If I just let them be delivered then it does lower the amount
of mail attempted to be sent to it by like 90%. I would have never
thought of this idea, but I read an article online on how to stop
fighting the battle on spam and winning the war. This is one of the
things they recommend. I did remove this from the server because it
basically just transferred the problem over to bogofilter and I really
wasn't sure if it was a good idea anyway, but it really did lower
postfix load.

>> Also, I had tried to setup Postfix so that it would just
>> accept all emails. I configured it to not use its recipient
>> table and would just accept emails. I also added
>> *@familysafeinternet.com for example and I did this for all my
>
> Very bad idea. Reject mail you don't intend to deliver.

I thought that someone would say that and really I am not sure how to
deal with the overflow of spam. Although, I can see how just letting
it go through and not fighting it only to have a filter look at it
later may work.

> This might help:
> http://www.postfix.org/STRESS_README.html

I have taken a look at this and this is one of the reasons that I
decided to upgrade my install of postfix.

I would really like to filter email after the mail server passes it
to procmail, because I have noticed that for email forwarded from
another mail server the filtering in Postfix doesn't seem to do
anything; it may just as well immediately give it to procmail
for filtering. Also, I have considered using something like fetchmail
to get the mail from other mail servers and then passing it through
procmail for filtering. The forwarded emails seem to be one of the
reasons that I am losing the war on spam. Even though the other mail
servers that forward their mail to my mail server (I think) have some
kind of spam filtering (I really don't know because I don't own
them), they seem to forward a lot of spam.

Sincerely,
Al

>
> -- Noel Jones
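Noel's advice above is to read the mail log carefully before speculating. The following added example (not part of this thread, nor of Postfix) shows one way to do that: it parses Postfix syslog lines and tallies "lost connection after RCPT" per client, NOQUEUE rejects per recipient, deliveries to a command such as procmail, and any message-id delivered more than once to the same recipient, which is what a broken alias or a re-injected forward looks like. The log lines are constructed samples in the page's "agnus" format; the IP addresses are documentation ranges.

```python
import re
from collections import Counter

# Constructed sample log (not from the thread): two dropped connections from one
# client, one reject of the adminDD@ address, and msg-1 delivered twice under two
# queue ids, which is how a re-injected or alias-looped message shows up.
SAMPLE_LOG = """\
Oct 27 15:10:01 agnus postfix/smtpd[27351]: lost connection after RCPT from unknown[192.0.2.10]
Oct 27 15:10:02 agnus postfix/smtpd[27352]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 550 5.1.1 <adminDD@datazap.net>: Recipient address rejected: User unknown in local recipient table; from=<x@example.com> to=<adminDD@datazap.net> proto=ESMTP helo=<example.com>
Oct 27 15:10:03 agnus postfix/smtpd[27353]: lost connection after RCPT from unknown[192.0.2.10]
Oct 27 15:10:04 agnus postfix/cleanup[27360]: A1B2C3D4E5: message-id=<msg-1@example.org>
Oct 27 15:10:05 agnus postfix/local[27361]: A1B2C3D4E5: to=<admin@datazap.net>, relay=local, delay=0.5, delays=0.3/0.1/0/0.1, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail)
Oct 27 15:10:06 agnus postfix/cleanup[27360]: F6E7D8C9B0: message-id=<msg-1@example.org>
Oct 27 15:10:07 agnus postfix/local[27361]: F6E7D8C9B0: to=<admin@datazap.net>, relay=local, delay=0.4, delays=0.2/0.1/0/0.1, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail)
Oct 27 15:10:08 agnus postfix/cleanup[27360]: 1122334455: message-id=<msg-2@example.org>
Oct 27 15:10:09 agnus postfix/local[27361]: 1122334455: to=<admin@datazap.net>, relay=local, delay=0.4, delays=0.2/0.1/0/0.1, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail)
"""

LOST = re.compile(r"lost connection after RCPT from (\S+)")
REJECT = re.compile(r"NOQUEUE: reject: RCPT from (\S+):.* to=<([^>]+)>")
MSGID = re.compile(r"postfix/cleanup\[\d+\]: ([0-9A-F]+): message-id=<([^>]*)>")
SENT = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): to=<([^>]+)>.*status=sent \((.*)\)")


def summarize(log_text):
    """Tally rejects, dropped connections and deliveries; flag duplicate deliveries."""
    lost = Counter()        # client -> "lost connection after RCPT" count
    rejected = Counter()    # recipient -> NOQUEUE reject count
    msgid_of = {}           # queue id -> message-id, learned from cleanup lines
    deliveries = Counter()  # (message-id, recipient) -> status=sent count
    to_command = 0          # deliveries piped to a command, e.g. procmail
    for line in log_text.splitlines():
        if m := LOST.search(line):
            lost[m.group(1)] += 1
        elif m := REJECT.search(line):
            rejected[m.group(2)] += 1
        elif m := MSGID.search(line):
            msgid_of[m.group(1)] = m.group(2)
        elif m := SENT.search(line):
            qid, rcpt, detail = m.groups()
            # Key on message-id so a re-queued copy counts against the same message.
            deliveries[(msgid_of.get(qid, qid), rcpt)] += 1
            if detail.startswith("delivered to command:"):
                to_command += 1
    return {
        "lost_by_client": dict(lost),
        "rejected_by_recipient": dict(rejected),
        "delivered": sum(deliveries.values()),
        "delivered_to_command": to_command,
        "duplicates": sorted(k for k, n in deliveries.items() if n > 1),
    }
```

Feeding the real mail log (path varies by system) into summarize() gives the per-client and per-recipient counts Noel asked for, and the "duplicates" list points at the message whose delivery path to look at.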