On Wed, Nov 28, 2012 at 04:02:57PM -0600, Noel Jones wrote:
> On 11/28/2012 1:17 PM, Will Yardley wrote:
> > I'm having a problem where messages are accepted but then seem to
> > generate a mail forwarding loop. It seems to happen a lot with mail
> > from a particular spammer.
>
> There was a discussion earlier this month about some spammer including
> a Delivered-To: header in their spam. Postfix local(8) uses this
> header to detect loops and will bounce messages with a Delivered-To:
> header equal to the current recipient.

Thanks. I was tearing my hair out about this one, and couldn't see
anything really obviously weird in the raw message, but this explanation
makes sense.

I will poke through the archives and see if any of the nasty solutions
might help, now that I have an idea of what to look for. Our
architecture is fairly simple, so may be able to just unset
$nested_header_checks and define a header check to block these.

You are right that the messages have 'Delivered-To' headers set to the
user's address, and I can reproduce this behavior with later Postfix
versions as well.

> > The To: header in the raw email as viewed in postcat looks like this:
> > To: f...@example.edu <f...@example.edu>
>
> Postfix doesn't use To: headers for delivery, only envelope information.

Right, I understand that, and could see that the env recipient looked
correct in the logs -- it just stood out, esp. since Postfix does seem
to rewrite it before delivering it if I send a test message with similar
headers.

> > Nov 27 05:05:47 hostname postfix/smtpd[32160]: 0C18B32807B:
> > client=ajaxkottely.info[93.115.135.15]
>
> This client is listed in the zen and barracudacentral RBLs today,
> maybe they weren't listed yet yesterday. You are using some RBLs?

Just an example, but yes, we do use some RBLs, including Zen. We have
classes which allow users to choose a more or less restrictive policy
(or no blocking), but this user does have our recommended class.

At this time, I'm seeing this particular source in zen [from one of our
SMTP servers this morning]:

$ dig 15.135.115.93.zen.spamhaus.org +sh
127.0.0.3

However, my guess is that they've already started sending from other IPs
that aren't blocked in major blocklists - don't see any new mail from
that source today. Also have some messages from back on 31.14.46.16
(also listed) from back on Tues.

w
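
Added example, not part of the original message: the loop condition Noel describes (a Delivered-To: header equal to the current recipient), written as a Python check over a constructed message. The sample addresses, the function names and the case-insensitive comparison are assumptions made for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a message that arrives from outside already carrying
# a Delivered-To: header naming the recipient (placeholder addresses).
SAMPLE_SPAM = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.example.edu (Postfix) with ESMTP id 0000000000
\tfor <user@example.edu>; Tue, 27 Nov 2012 05:05:47 -0600 (CST)
Delivered-To: user@example.edu
From: Offers <offers@sender.example>
To: user@example.edu <user@example.edu>
Subject: constructed test message

body
"""


def normalize(addr):
    """Bare address, lowercased (assumption: case-insensitive comparison)."""
    return parseaddr(addr)[1].strip().lower()


def preexisting_delivered_to(raw_message):
    """Every Delivered-To: value present in the message as received."""
    msg = message_from_string(raw_message)
    return [normalize(value) for value in msg.get_all("Delivered-To", [])]


def would_trip_loop_check(raw_message, envelope_rcpt):
    """True when a Delivered-To: header already names the envelope
    recipient, the condition under which local(8) bounces the message
    as a mail forwarding loop."""
    return normalize(envelope_rcpt) in preexisting_delivered_to(raw_message)


if __name__ == "__main__":
    # The To: header plays no part; only the envelope recipient is compared.
    for rcpt in ("user@example.edu", "other@example.edu"):
        hit = would_trip_loop_check(SAMPLE_SPAM, rcpt)
        print(f"{rcpt}: {'loop bounce' if hit else 'deliver'}")
```

Run against a queue file's text (for instance the header section shown by postcat), this flags mail that will bounce before it has been delivered anywhere.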