postfix-users October 2010 archive

Re: postfix doubling emails and spam!

From: Noel Jones <njones_at_nospam>
Date: Wed Oct 27 2010 - 17:38:37 GMT
To: postfix-users@postfix.org

On 10/27/2010 10:37 AM, Al Zick wrote:
> Hi,
>
> I hope that someone can help me. Last night I had a strange
> problem. Every email that came in was there twice. Emails that
> I would normally get 2 copies of, I received 4 copies of. Any
> ideas on what could cause this?

Careful examination of the logs will probably enlighten you.
With no information, speculation is pointless.

> Also, it seemed to be working correctly this morning, but for
> hours it duplicated messages. I think it is because of some
> spammer attempting to relay or send me spam.

Not likely. A broken alias is the first guess. What did you
change?

> I then have postfix pass the email to procmail where it is
> filtered with bogofilter. I keep giving bogofilter more spam
> to look at, but it doesn't seem to block all the spam anymore,
> although it blocks some spam. When I first installed it,
> bogofilter worked very well.

Sounds as if bogofilter is poorly trained. Ask for help on a
bogofilter forum, or just delete the database and start over.

>
> The other thing that is very disturbing to me is that twice
> last week my mail server went down. I guess from all the
> repeated attempts to use it as an open relay. From everything
> I have seen in the logs, postfix successfully stops all relay
> attempts.

A crash is an indication that something is broken.
Normally-operating postfix (even under extreme loads) will not
cause a crash. Rejecting relay attempts or unknown recipients
places very little load on the computer; even a small server
can easily reject hundreds of attempts per second with little
load.

Examine your logs (not just the mail log) for hints of what
caused the crash; ask for help on a forum for your operating
system.

Make sure that security patches for your OS are applied.

> The other thing that I see in the log is attempts to send
> emails to email addresses that never existed. For example:
> admin@datazap.net is a valid email address. Why do I see 10,000's
> of attempts to send email to adminDD@datazap.net in my log?
> This has never been a valid email address.

These should be quickly rejected by postfix and cause very
little load. Spammers send to all kinds of non-existent addresses.

>
> I was using other rbls. This was a mistake, way too many false
> positives, does anyone have a list of good rbl_clients?

zen.spamhaus.org is widely recommended as safe and very
effective. If you're too large for the free service, the paid
service is well worth the price.
http://www.spamhaus.org/organization/dnsblusage.html

If you have a fairly recent postfix you should also use
reject_rhsbl_* dbl.spamhaus.org
http://www.postfix.org/postconf.5.html#reject_rhsbl_client
http://www.postfix.org/postconf.5.html#reject_rhsbl_sender
http://www.postfix.org/postconf.5.html#reject_rhsbl_reverse_client

> One thing that I don't like is that postfix rejects all the
> emails. I think this is a mistake, because I am telling the
> spammers that it didn't work. I think it would be best to put
> those emails into a spam folder. I did install rblcheck, but I
> can't find documentation for using it with Postfix/procmail.

Bad idea. There is no evidence the spammers check their
rejects. There *is* some evidence that sites that accept any
old crap are spam attractors and tend to get much more spam
than others.

> Also, I had tried to set up Postfix so that it would just
> accept all emails. I configured it to not use its recipient
> table and would just accept emails. I also added
> *@familysafeinternet.com for example and I did this for all my

Very bad idea. Reject mail you don't intend to deliver.

This might help:
http://www.postfix.org/STRESS_README.html

   -- Noel Jones
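
The log examination recommended in the reply, as an added Python example that is not from the thread: it reads Postfix mail-log lines and reports two patterns that can produce duplicate copies, one Message-ID under several queue IDs and one original recipient expanded to several delivery addresses (the alias case). The log lines, host names, addresses and the `find_duplicates` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, abbreviated Postfix syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Oct 27 03:12:01 mail postfix/cleanup[2101]: 4A1B2C3D4E: message-id=<m1@sender.example>
Oct 27 03:12:02 mail postfix/local[2105]: 4A1B2C3D4E: to=<al@example.net>, orig_to=<admin@example.net>, relay=local, dsn=2.0.0, status=sent (delivered to command: procmail)
Oct 27 03:12:02 mail postfix/local[2106]: 4A1B2C3D4E: to=<al@mail.example.net>, orig_to=<admin@example.net>, relay=local, dsn=2.0.0, status=sent (delivered to command: procmail)
Oct 27 03:15:10 mail postfix/cleanup[2101]: 5B2C3D4E5F: message-id=<m2@sender.example>
Oct 27 03:15:10 mail postfix/local[2105]: 5B2C3D4E5F: to=<al@example.net>, relay=local, dsn=2.0.0, status=sent (delivered to command: procmail)
Oct 27 03:15:11 mail postfix/cleanup[2101]: 6C3D4E5F60: message-id=<m2@sender.example>
Oct 27 03:15:11 mail postfix/local[2105]: 6C3D4E5F60: to=<al@example.net>, relay=local, dsn=2.0.0, status=sent (delivered to command: procmail)
Oct 27 03:20:00 mail postfix/cleanup[2101]: 7D4E5F6071: message-id=<m3@sender.example>
Oct 27 03:20:00 mail postfix/local[2105]: 7D4E5F6071: to=<al@example.net>, relay=local, dsn=2.0.0, status=sent (delivered to command: procmail)
"""

LINE = re.compile(r"postfix/[\w-]+\[\d+\]: (?P<qid>[0-9A-Za-z]{6,}): (?P<rest>.*)")
MSGID = re.compile(r"message-id=(<[^>]*>)")
TO = re.compile(r"\bto=<([^>]*)>")
ORIG_TO = re.compile(r"\borig_to=<([^>]*)>")

def find_duplicates(log_text):
    """Return (requeued, fanout) dicts built from Postfix log text."""
    msgid_of = {}                                    # queue ID -> Message-ID
    dests = defaultdict(lambda: defaultdict(set))    # queue ID -> original rcpt -> delivered-to
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        mid = MSGID.match(rest)
        if mid:
            msgid_of[qid] = mid.group(1)
        elif "status=sent" in rest and (to := TO.search(rest)):
            # orig_to is logged only when the recipient address was rewritten.
            original = (ORIG_TO.search(rest) or to).group(1).lower()
            dests[qid][original].add(to.group(1).lower())
    qids = defaultdict(set)
    for qid, mid in msgid_of.items():
        qids[mid].add(qid)
    # Same Message-ID under several queue IDs: the message entered the queue more than once.
    requeued = {mid: sorted(q) for mid, q in qids.items() if len(q) > 1}
    # One original recipient delivered to several addresses: alias/forward expansion.
    fanout = {(qid, rcpt): sorted(d) for qid, r in dests.items()
              for rcpt, d in r.items() if len(d) > 1}
    return requeued, fanout

if __name__ == "__main__":
    print(find_duplicates(SAMPLE_LOG))
```

A second queue ID for the same Message-ID is also normal when an after-queue content filter re-injects mail, so check the result against the configuration before treating it as the fault.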