> On Jun 4, 2026, at 5:29 PM, Wietse Venema via Postfix-users
> <[email protected]> wrote:
>
> Charles Sprickman via Postfix-users:
>> Hi all,
>>
>> This is a really basic question, and this should probably be
>> obvious, but I've been seeing spam/phishing come through that looks
>> like this:
>>
>> From MAILER-DAEMON Tue Dec 02 13:31:02 2025
>> Return-Path: <>
>> Delivered-To: [email protected] (an anonymized valid address,
>> also postfix is fronting qmail here)
>>
>> [...]
>>
>> Is the short answer that this is valid because if we didn't accept
>> empty "mail from:" (envelope from), we'd never be accepting
>> legitimate bounce/error messages?
>
> The null sender address is used for legitimate auto-generated
> messages such as non-delivery notifications, message disposition
> notifications, out-of-office, and so on. You would lose that if you
> reject bounces.
>
> To reject false bounces you would need deeper inspection than what
> is built into Postfix.

Thanks - I think empty envelope-from plus (other indicators I haven't figured out) could go into some kind of spamassassin rule.

> It may be built into Gmail because they are drinking from a firehose
> and can do analyses that would not be possible with a small-site
> mail server.

Oh, I don't mean inbound (to gmail), I mean this is sourced via google and I'm kind of curious what they're *not* doing to prevent this and if it's something I should be doing on my own servers to prevent being used by spammers/scammers this way...

> Many forms of abuse can be stopped with a reputation service like
> spamhaus.org which is free for small sites. It can be used with
> smtpd_mumble_restrictions, or better, with Postfix's postscreen.

Of note, it is *insanely* expensive for even small sites if you hit their "free" threshold, and hitting the threshold is really easy if you run spamassassin, which is doing a query on every IP and hostname it finds in the email. And postscreen adds a query, but that's so minimal compared to spamass. Plus they (spamhaus) use a *1 second* TTL on their RBLs/URIBLs which certainly does drive the query count up.

If you have a small site and your domain is not too old and does not have an account that is published on the internet it's probably very easy to stay under the limit, but you're kind of punished for having a spam-magnet account or domain, which is annoying.

I do have free Abusix running in a few places and they seem to do a very good job - when I first see a spam campaign and hit something like https://multirbl.valli.org/ to see if the IP is listed I generally see it in both Abusix and SpamHaus and often a few other paid blacklists. And if you do have to pay, it's less than 4 figures a month, which is nice.
:)

Charles

> Wietse
> _______________________________________________
> Postfix-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
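The "deeper inspection" of null-sender mail discussed in this thread, as an added example that is not part of the thread and not Postfix or SpamAssassin code: it checks whether a delivered message with `Return-Path: <>` is actually shaped like one of the auto-generated message kinds named above. The `classify` function, its labels and the sample messages are assumptions made for this example.

```python
from email import message_from_string

# MIME report types: DSN (RFC 3464) and MDN (RFC 8098).
REPORT_TYPES = {"delivery-status", "disposition-notification"}

def classify(raw):
    """Label a delivered message by what justifies its null sender."""
    msg = message_from_string(raw)
    if (msg.get("Return-Path") or "").strip() != "<>":
        return "not-null-sender"
    if msg.get_content_type() == "multipart/report":
        rtype = str(msg.get_param("report-type") or "").lower()
        # A genuine report carries a machine-readable part of that type.
        if rtype in REPORT_TYPES and any(
                p.get_content_type() == "message/" + rtype for p in msg.walk()):
            return "report"
    # RFC 3834: auto-responders set Auto-Submitted to a value other than "no".
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    # "suspect" is a scoring signal only (assumption of this example): some
    # MTAs send plain-text bounces that lack the RFC 3464 structure.
    return "auto-reply" if auto != "no" else "suspect"

# Constructed samples, not taken from the thread.
DSN = """Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; user@example.org
Action: failed
Status: 5.1.1
--b1--
"""
FAKE = ("Return-Path: <>\nFrom: Account Team <support@example.com>\n"
        "Subject: Verify your account\n\nSign in to continue.\n")

if __name__ == "__main__":
    print(classify(DSN), classify(FAKE))
```

A "suspect" result fits as one input to a content-filter score alongside other indicators, not as a reject decision at SMTP time.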
