Stopping backscatter spam to a specific domain
I have recently come under a backscatter spam attack from one specific domain. This domain has blacklisted my server’s IP address, and so bounce replies sent to this domain are piling up in my mail queue and I have to go through periodically and manually delete them. I don’t want to disable bounce messages in general because I don’t want incoming messages with typos in the destination address to just vanish into the cosmic void.

Is there a way to disable bounce replies for a specific domain?

Thanks,
rg
Re: Stopping backscatter spam to a specific domain
Ron Garret:
> I have recently come under a backscatter spam attack from one
> specific domain. This domain has blacklisted my server’s IP
> address, and so bounce replies sent to this domain are piling up
> in my mail queue and I have to go through periodically and manually
> delete them. I don’t want to disable bounce messages in general
> because I don’t want incoming messages with typos in the destination
> address to just vanish into the cosmic void. Is there a way to
> disable bounce replies for a specific domain?

Why is your server sending bounces (or any other email) to that domain? Postfix does not generate messages spontaneously.

Wietse
Re: Stopping backscatter spam to a specific domain
On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:

> Ron Garret:
>> I have recently come under a backscatter spam attack from one
>> specific domain. This domain has blacklisted my server’s IP
>> address, and so bounce replies sent to this domain are piling up
>> in my mail queue and I have to go through periodically and manually
>> delete them. I don’t want to disable bounce messages in general
>> because I don’t want incoming messages with typos in the destination
>> address to just vanish into the cosmic void. Is there a way to
>> disable bounce replies for a specific domain?
>
> Why is your server sending bounces (or any other email) to that
> domain?

Because spammers are sending messages with forged return-path headers to invalid addresses on my server. It’s called backscatter:

https://en.wikipedia.org/wiki/Backscatter_(email)

It’s actually possible that I’m sending backscatter spam to other domains, but only one has blacklisted me so far.

rg
Re: Stopping backscatter spam to a specific domain
Ron Garret:
[ Charset windows-1252 converted... ]
>
> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>
>> Ron Garret:
>>> I have recently come under a backscatter spam attack from one
>>> specific domain. This domain has blacklisted my server’s IP
>>> address, and so bounce replies sent to this domain are piling up
>>> in my mail queue and I have to go through periodically and manually
>>> delete them. I don’t want to disable bounce messages in general
>>> because I don’t want incoming messages with typos in the destination
>>> address to just vanish into the cosmic void. Is there a way to
>>> disable bounce replies for a specific domain?
>>
>> Why is your server sending bounces (or any other email) to that
>> domain?
>
> Because spammers are sending messages with forged return-path headers to
> invalid addresses on my server. It’s called backscatter:

You must reject mail for invalid recipient addresses. Otherwise, you deserve by 100% the problem that you experience.

Wietse
Re: Stopping backscatter spam to a specific domain
This might help: http://www.postfix.org/BACKSCATTER_README.html

Cheers,

K.

> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>
>> Ron Garret:
>>> I have recently come under a backscatter spam attack from one
>>> specific domain. This domain has blacklisted my server’s IP
>>> address, and so bounce replies sent to this domain are piling up
>>> in my mail queue and I have to go through periodically and manually
>>> delete them. I don’t want to disable bounce messages in general
>>> because I don’t want incoming messages with typos in the destination
>>> address to just vanish into the cosmic void. Is there a way to
>>> disable bounce replies for a specific domain?
>>
>> Why is your server sending bounces (or any other email) to that
>> domain?
>
> Because spammers are sending messages with forged return-path headers to
> invalid addresses on my server. It’s called backscatter:
> https://en.wikipedia.org/wiki/Backscatter_(email)
>
> It’s actually possible that I’m sending backscatter spam to other domains,
> but only one has blacklisted me so far.
>
> rg
Re: Stopping backscatter spam to a specific domain
On Jul 11, 2021, at 10:12 AM, Wietse Venema wrote:

> Ron Garret:
> [ Charset windows-1252 converted... ]
>>
>> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>>
>>> Ron Garret:
>>>> I have recently come under a backscatter spam attack from one
>>>> specific domain. This domain has blacklisted my server’s IP
>>>> address, and so bounce replies sent to this domain are piling up
>>>> in my mail queue and I have to go through periodically and manually
>>>> delete them. I don’t want to disable bounce messages in general
>>>> because I don’t want incoming messages with typos in the destination
>>>> address to just vanish into the cosmic void. Is there a way to
>>>> disable bounce replies for a specific domain?
>>>
>>> Why is your server sending bounces (or any other email) to that
>>> domain?
>>
>> Because spammers are sending messages with forged return-path headers to
>> invalid addresses on my server. It’s called backscatter:
>
> You must reject mail for invalid recipient addresses. Otherwise,
> you deserve by 100% the problem that you experience.

AFAIK, I am:

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit

The problem is that a rejected recipient produces a mailer-daemon reply.

rg
Re: Stopping backscatter spam to a specific domain
Yes, I looked at that, but AFAICT that is all about blocking INBOUND backscatter spam, not stopping outbound messages.

On Jul 11, 2021, at 10:15 AM, Kevin N. wrote:

> This might help: http://www.postfix.org/BACKSCATTER_README.html
>
> Cheers,
>
> K.
>
>
>> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>>
>>> Ron Garret:
>>>> I have recently come under a backscatter spam attack from one
>>>> specific domain. This domain has blacklisted my server’s IP
>>>> address, and so bounce replies sent to this domain are piling up
>>>> in my mail queue and I have to go through periodically and manually
>>>> delete them. I don’t want to disable bounce messages in general
>>>> because I don’t want incoming messages with typos in the destination
>>>> address to just vanish into the cosmic void. Is there a way to
>>>> disable bounce replies for a specific domain?
>>>
>>> Why is your server sending bounces (or any other email) to that
>>> domain?
>>
>> Because spammers are sending messages with forged return-path headers to
>> invalid addresses on my server. It’s called backscatter:
>> https://en.wikipedia.org/wiki/Backscatter_(email)
>>
>> It’s actually possible that I’m sending backscatter spam to other domains,
>> but only one has blacklisted me so far.
>>
>> rg
Re: Stopping backscatter spam to a specific domain
See http://www.postfix.org/DEBUG_README.html#mail, which describes how best to get useful help here. Actual log excerpts, sample messages related to that logging, and 'postconf -n' output would help a great deal in understanding your problem.

In general, you only can fully fix backscatter (i.e. bounce emails) that your mail system generates. If you never reject mail after you have accepted it in SMTP, you will never generate backscatter. If you are not verifying forward deliverability at SMTP RCPT time or are doing content filtering asynchronously rather than before sending the end-of-data reply, you will generate backscatter that you will suffer for and should fix before the damage becomes worse than just one domain shunning you.

On 2021-07-11 at 14:35:11 UTC-0400 (Sun, 11 Jul 2021 11:35:11 -0700)
Ron Garret is rumored to have said:

> On Jul 11, 2021, at 10:12 AM, Wietse Venema wrote:
>
>> Ron Garret:
>> [ Charset windows-1252 converted... ]
>>>
>>> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>>>
>>>> Ron Garret:
>>>>> I have recently come under a backscatter spam attack from one
>>>>> specific domain. This domain has blacklisted my server’s IP
>>>>> address, and so bounce replies sent to this domain are piling up
>>>>> in my mail queue and I have to go through periodically and manually
>>>>> delete them. I don’t want to disable bounce messages in general
>>>>> because I don’t want incoming messages with typos in the destination
>>>>> address to just vanish into the cosmic void. Is there a way to
>>>>> disable bounce replies for a specific domain?
>>>>
>>>> Why is your server sending bounces (or any other email) to that
>>>> domain?
>>>
>>> Because spammers are sending messages with forged return-path headers to
>>> invalid addresses on my server. It’s called backscatter:
>>
>> You must reject mail for invalid recipient addresses. Otherwise,
>> you deserve by 100% the problem that you experience.
>
> AFAIK, I am:
>
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     permit
>
> The problem is that a rejected recipient produces a mailer-daemon reply.
>
> rg

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Stopping backscatter spam to a specific domain
Hi,

> The problem is that a rejected recipient produces a mailer-daemon reply.

You need to get rid of them. My approach is to reject them in the SMTP dialogue. I generate a list of valid recipient addresses by script automatically and use this (hashed) list in smtpd_recipient_restrictions:

    ...
    check_recipient_access hash:/etc/postfix/known_users,
    ...

Format of the file is one address per line with DUNNO to accept or an SMTP error code to reject:

    h...@example.com    DUNNO
    wu...@example.com   554 Benutzer unbekannt - User unknown.

If your users are in an LDAP you can query that to check if the recipient address is valid or not.

Hope this helps ;-)

Groetjes
Claus

--
Claus R. Wickinghoff, Dipl.-Ing.
using Linux since 1994 and still happy... :-)
Re: Stopping backscatter spam to a specific domain
>>>>> Ron Garret:
>>>>> I have recently come under a backscatter spam attack from one
>>>>> specific domain. This domain has blacklisted my server’s IP
>>>>> address, and so bounce replies sent to this domain are piling up
>>>>> in my mail queue and I have to go through periodically and manually
>>>>> delete them. I don’t want to disable bounce messages in general
>>>>> because I don’t want incoming messages with typos in the destination
>>>>> address to just vanish into the cosmic void. Is there a way to
>>>>> disable bounce replies for a specific domain?

>>>> On Jul 11, 2021, at 9:58 AM, Wietse Venema wrote:
>>>> Why is your server sending bounces (or any other email) to that
>>>> domain?

>>> Ron Garret:
>>> Because spammers are sending messages with forged return-path headers to
>>> invalid addresses on my server. It’s called backscatter:

>> On Jul 11, 2021, at 10:12 AM, Wietse Venema wrote:
>> You must reject mail for invalid recipient addresses. Otherwise,
>> you deserve by 100% the problem that you experience.

On 11.07.21 11:35, Ron Garret wrote:
> AFAIK, I am:
>
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,

try adding "reject_unlisted_recipient", although smtpd_reject_unlisted_recipient=yes (default) should take care of that.

>     permit
>
> The problem is that a rejected recipient produces a mailer-daemon reply.

only if you accept mail for such recipient.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.
Re: Stopping backscatter spam to a specific domain
On Jul 11, 2021, at 12:22 PM, Matus UHLAR - fantomas wrote:

>> The problem is that a rejected recipient produces a mailer-daemon reply.
>
> only if you accept mail for such recipient.

Ah. That may be my problem then. I’m using Dovecot via LMTP for local delivery. I thought that postfix would receive information about non-existent users via that protocol, but I guess it doesn’t and ends up just accepting everything.

So… is dovecot actually the thing that is generating the emails from mailer-daemon? Is there a way to get this setup to do the Right Thing? If not, why is LMTP even supported, because it seems to me that anyone who uses it will have this problem.

(FYI, the reason I want to use LMTP is that I’m using sqlite for my user db, but postfix does not play well with sqlite when other programs are trying to access the same DB. I didn’t want to duplicate the user DB (I’m a big believer in the DRY principle) so I wanted to localize DB access to a single process, and that process has to be Dovecot.)

rg
Re: Stopping backscatter spam to a specific domain
Hi,

> I thought that postfix would receive information about non-existent
> users via that protocol, but I guess it doesn’t and ends up just
> accepting everything.

These are two different things:

1. postfix gets the e-mail from the internet via smtp and puts it in its queue. From this point on postfix is in charge of the proper delivery.

2. postfix connects via lmtp to dovecot and tries to deliver the e-mail there. If dovecot rejects it, it's still postfix's task to produce a non-delivery notification.

The only way is to reject it in step 1 during the connection from the outside by asking any backend for verification. I think this can be achieved with reject_unverified_recipient to query dovecot via lmtp but I've no practical experience with this. Probably you've to do some googling...

Groetjes
Claus

--
Claus R. Wickinghoff, Dipl.-Ing.
using Linux since 1994 and still happy... :-)
Re: Stopping backscatter spam to a specific domain
Ron Garret:
[ Charset windows-1252 converted... ]
>
> On Jul 11, 2021, at 12:22 PM, Matus UHLAR - fantomas
> wrote:
>
>>> The problem is that a rejected recipient produces a mailer-daemon reply.
>>
>> only if you accept mail for such recipient.
>
> Ah. That may be my problem then. I’m using Dovecot via LMTP for
> local delivery. I thought that postfix would receive information
> about non-existent users via that protocol, but I guess it doesn’t
> and ends up just accepting everything.

That depends on how you configured things. Just put reject_unverified_recipient in smtpd_recipient_restrictions before any 'permit'-like thing.

Wietse
Re: Stopping backscatter spam to a specific domain
On 2021-07-11 at 15:46:45 UTC-0400 (Sun, 11 Jul 2021 12:46:45 -0700)
Ron Garret is rumored to have said:

> On Jul 11, 2021, at 12:22 PM, Matus UHLAR - fantomas wrote:
>
>>> The problem is that a rejected recipient produces a mailer-daemon reply.
>>
>> only if you accept mail for such recipient.
>
> Ah. That may be my problem then. I’m using Dovecot via LMTP for local
> delivery. I thought that postfix would receive information about
> non-existent users via that protocol, but I guess it doesn’t and ends up
> just accepting everything.

Postfix doesn't know about non-existent users that are relayed via LMTP until it has queued and accepted the message. Postfix's SMTP/LMTP client program picks up the queued message, tries to deliver it to Dovecot's LMTP server, and fails. That's when the Postfix bounce daemon takes over, constructing and queueing a bounce message.

> So… is dovecot actually the thing that is generating the emails from
> mailer-daemon?

No. Dovecot is the thing telling Postfix that the address is bad.

> Is there a way to get this setup to do the Right Thing? If not, why is LMTP
> even supported, because it seems to me that anyone who uses it will have
> this problem.

1. Use {local,relay}_recipient_maps and/or virtual_{mailbox,alias}_maps and reject_unlisted_recipients. You can either talk directly to the DB for the map or at smaller scales you could just periodically generate a static list for Postfix to check at SMTP time.

2. Use reject_unverified_recipients. This is a generally bad idea on submission servers (port 465/587) unless you do something to limit it to recipients in local, virtual, and relay classes. Since that's all you should be seeing on a true SMTP (port 25) server, it's fine to apply it to all messages on your inbound mail stream.

> (FYI, the reason I want to use LMTP is that I’m using sqlite for my user db,
> but postfix does not play well with sqlite when other programs are trying to
> access the same DB. I didn’t want to duplicate the user DB (I’m a big
> believer in the DRY principle) so I wanted to localize DB access to a single
> process, and that process has to be Dovecot.)

I'm not sure what the problem is with Postfix and sqlite, but extracting a suitable static map from the DB periodically should be a SMOP with one SELECT and some trivial formatting, if you don't want Postfix contending with Dovecot synchronously.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
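The "one SELECT and some trivial formatting" approach from the reply above, combined with the generated-list idea in Claus's earlier message, as an added example that is not code from the thread or from the Postfix project. It assumes a hypothetical sqlite table `users(address, active)`, a domain listed in `virtual_mailbox_domains`, and delivery to Dovecot through `virtual_transport`, so that the emitted file is usable as `virtual_mailbox_maps` and Postfix's default `smtpd_reject_unlisted_recipient = yes` rejects unknown recipients at RCPT TO instead of bouncing later.

```python
"""Export a static Postfix recipient map from a sqlite user DB (example code)."""
import os
import re
import sqlite3
import tempfile

# Assumed main.cf on the inbound server (not from the thread):
#   virtual_mailbox_domains = example.com
#   virtual_mailbox_maps    = hash:/etc/postfix/vmailbox
#   virtual_transport       = lmtp:unix:private/dovecot-lmtp
# After writing the text file, run: postmap /etc/postfix/vmailbox

# Constructed sample schema and rows; the real column names are an assumption.
SAMPLE_SCHEMA = "CREATE TABLE users (address TEXT PRIMARY KEY, active INTEGER NOT NULL)"
SAMPLE_ROWS = [
    ("Alice@example.com", 1),     # valid, mixed case: normalised to lower case
    ("bob@example.com", 1),       # valid
    ("carol@example.com", 0),     # disabled account: must not be accepted
    ("dave@other.example", 1),    # domain we do not host: ignored
    ("not an address", 1),        # malformed row: skipped and reported
]

# Deliberately simple shape check; it only has to catch junk rows, not
# validate RFC 5321 syntax.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_sample_db():
    """Constructed in-memory DB standing in for Dovecot's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SAMPLE_SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def valid_recipients(conn, local_domains):
    """Return (set of acceptable addresses, list of rows that were skipped)."""
    found, skipped = set(), []
    for (raw,) in conn.execute("SELECT address FROM users WHERE active = 1"):
        addr = raw.strip().lower()
        if not ADDR_RE.match(addr) or addr.rsplit("@", 1)[1] not in local_domains:
            skipped.append(raw)
            continue
        found.add(addr)
    return found, skipped


def render_map(addresses):
    """postmap(1) text format: 'key value' per line, sorted for stable diffs.
    For virtual_mailbox_maps the SMTP server only cares that the key exists."""
    return "".join(f"{addr} OK\n" for addr in sorted(addresses))


def write_map_atomically(path, content):
    """Write to a temp file in the same directory, then rename over the target,
    so a concurrently running postmap never sees a half-written file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".vmailbox.")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)


if __name__ == "__main__":
    # On a real host open the DB with a busy timeout so this exporter waits for
    # Dovecot's writes instead of failing: sqlite3.connect(path, timeout=30)
    conn = build_sample_db()
    addrs, bad = valid_recipients(conn, {"example.com"})
    print(render_map(addrs), end="")
    print("skipped:", bad)
```

Schedule the exporter (cron or a systemd timer) followed by `postmap`, and keep a `reject_unverified_recipient` path in reserve for addresses the DB cannot enumerate.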
Re: Stopping backscatter spam to a specific domain
On 7/11/21 3:46 PM, Ron Garret wrote:

> Ah. That may be my problem then. I’m using Dovecot via LMTP for local
> delivery. I thought that postfix would receive information about
> non-existent users via that protocol, but I guess it doesn’t and ends up
> just accepting everything.
>
> So… is dovecot actually the thing that is generating the emails from
> mailer-daemon? Is there a way to get this setup to do the Right Thing? If
> not, why is LMTP even supported, because it seems to me that anyone who
> uses it will have this problem.
>
> (FYI, the reason I want to use LMTP is that I’m using sqlite for my user
> db, but postfix does not play well with sqlite when other programs are
> trying to access the same DB. I didn’t want to duplicate the user DB (I’m
> a big believer in the DRY principle) so I wanted to localize DB access to
> a single process, and that process has to be Dovecot.)

You've an additional option.

RECIPIENT ADDRESS VERIFICATION

read-up @

http://www.postfix.org/ADDRESS_VERIFICATION_README.html
http://www.postfix.org/verify.8.html
http://www.postfix.org/postconf.5.html#relay_recipient_maps
http://www.postfix.org/ADDRESS_CLASS_README.html

e.g., I run an external instance of postfix that smtp relays mail that passes all my 'heavy' filtering (postscreen, spam, virus, other milters, etc) to a lightweight internal instance of postfix+dovecot over a non-public, secure connection.

The internal postfix/dovecot instances share an sqlite3 DB, managed via postfixadmin (https://postfixadmin.sourceforge.io). Postfixadmin's DB contains only valid addresses; both postfix and dovecot on that instance 'see' the same list. This DB is local only; no user DB (other than postfix cache) exists on the external instance. I.e., single process DB access, and no DB duplication, and that process is Dovecot (+ the internal postfix instance).

By leaving blank, in main.cf on the external instance,

    relay_recipient_maps =

"the Postfix SMTP server accepts all recipients for domains listed with the relay_domains parameter".

Once that criterion is met, an address verification probe is then exec'd 'by' the external instance 'against' the internal postfix instance's recipient list, fed by that shared DB list. No matching entry? Not a valid recipient. The internal instance notifies the external instance, which rejects accordingly.

Not everyone's cup-of-tea, but works perfectly for me.
Re: Optimum Queue Size
On Sat, Jul 10, 2021 at 07:34:15AM -0700, Greg Sims wrote:

> I am tuning the performance of our mail server. We collect
> information in our logs every 10 seconds including qshape, iostat,
> free and mpstat. It seems that the maxproc parameter in master.cf is
> important for us as we can see the size of the queues decrease as we
> increase maxproc -- as expected.

Running "qshape" every 10s does seem rather excessive. Two employers and over a decade ago I had a "qshaped" that kept state between scans avoiding rereading the same queue file twice, and would generate an alert if some age bucket exceeded a threshold occupancy. I never released "qshaped" to the world at large.

If you are running "qshape" to measure queue size, use "qshape -s" to count senders, so that messages with many recipients don't distort the numbers.

My take is that what matters is latency and so long as most messages leave the queue quickly the queue size is not a problem.

I don't typically raise max_proc across the board, but rather only raise the process limits for smtpd(8) and perhaps smtp(8) (given sufficient network capacity). Delivery via local(8) and pipe(8) tends to be CPU-intensive, and I don't want high process counts there.

> We are currently running with qshape showing 1,000 emails in the
> incoming/active queue maximum -- all less than 5 minutes.

That state of affairs sounds fine. Rather than monitoring queue size, it may be better to monitor smoothed running averages of the "b", "c" and "d" times in:

    delays=a/b/c/d

--
Viktor.
Re: Stopping backscatter spam to a specific domain
Thanks, that was very helpful.

This has me wondering: if a message is sent to multiple recipients and some are valid and others are not, what is the Right Thing to do?

rg

P.S. Just FYI:

> I'm not sure what the problem is with Postfix and sqlite

See http://postfix.1071664.n5.nabble.com/What-is-the-right-way-to-update-a-postfix-sqlite-database-td109636.html#a109659 if you really want to know. The TL;DR is that postfix does not set a non-zero value for pragma busy_timeout and so any simultaneous access results in an immediate fatal error in postfix.

On Jul 11, 2021, at 1:54 PM, Bill Cole wrote:

> On 2021-07-11 at 15:46:45 UTC-0400 (Sun, 11 Jul 2021 12:46:45 -0700)
> Ron Garret
> is rumored to have said:
>
>> On Jul 11, 2021, at 12:22 PM, Matus UHLAR - fantomas
>> wrote:
>>
>>>> The problem is that a rejected recipient produces a mailer-daemon reply.
>>>
>>> only if you accept mail for such recipient.
>>
>> Ah. That may be my problem then. I’m using Dovecot via LMTP for local
>> delivery. I thought that postfix would receive information about
>> non-existent users via that protocol, but I guess it doesn’t and ends up
>> just accepting everything.
>
> Postfix doesn't know about non-existent users that are relayed via LMTP until
> it has queued and accepted the message. Postfix's SMTP/LMTP client program
> picks up the queued message, tries to deliver it to Dovecot's LMTP server,
> and fails. That's when the Postfix bounce daemon takes over, constructing and
> queueing a bounce message.
>
>> So… is dovecot actually the thing that is generating the emails from
>> mailer-daemon?
>
> No. Dovecot is the thing telling Postfix that the address is bad.
>
>> Is there a way to get this setup to do the Right Thing? If not, why is LMTP
>> even supported, because it seems to me that anyone who uses it will have
>> this problem.
>
> 1. Use {local,relay}_recipient_maps and/or virtual_{mailbox,alias}_maps and
> reject_unlisted_recipients. You can either talk directly to the DB for the
> map or at smaller scales you could just periodically generate a static list
> for Postfix to check at SMTP time.
>
> 2. Use reject_unverified_recipients. This is a generally bad idea on
> submission servers (port 465/587) unless you do something to limit it to
> recipients in local, virtual, and relay classes. Since that's all you should
> be seeing on a true SMTP (port 25) server, it's fine to apply it to all
> messages on your inbound mail stream.
>
>> (FYI, the reason I want to use LMTP is that I’m using sqlite for my user db,
>> but postfix does not play well with sqlite when other programs are trying to
>> access the same DB. I didn’t want to duplicate the user DB (I’m a big
>> believer in the DRY principle) so I wanted to localize DB access to a single
>> process, and that process has to be Dovecot.)
>
> I'm not sure what the problem is with Postfix and sqlite, but extracting a
> suitable static map from the DB periodically should be a SMOP with one SELECT
> and some trivial formatting, if you don't want Postfix contending with
> Dovecot synchronously.
>
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire