Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net
Course Of The Month
Become a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Postfix backscatter ongoing problem
Posted on 2007-12-05
Our incoming mail server queue is constantly under backscatter attack. I have searched and searched for ways of blocking this and, I thought I had solved it, but when I run a "qshape deferred", literally every deferred mail listed is from a backscatter attack. As a result, we are being blacklisted and all our real mail is getting delayed.
Please please could someone point out what the problem might be...
Here is an excerpt from qshape deferred:
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 326 0 0 0 0 0 0 2 6 31 287
intomart.nl 20 0 0 0 0 0 0 0 0 0 20
qile.net 13 0 0 0 0 0 0 0 0 0 13
pharmcomm.com 13 0 0 0 0 0 0 0 0 0 13
rs.nic.or.kr 11 0 0 0 0 0 0 0 0 0 11
kdtm.com 8 0 0 0 0 0 0 0 0 0 8
hitemp.com 8 0 0 0 0 0 0 0 0 0 8
Here is a view of the mailq of one of the mails from the top of the prev list:
88D835866C 6294 Fri Nov 30 17:54:14 MAILER-DAEMON
(connect to intomart.nl[193.173.46.196
jrainsnn@intomart.nl
This is an excerpt from the mail header information of one of these backscatter mails:
From "Mariano Bauer" <Mariano@intomart.nl>
To "Garth Rivers" <200403240249.i2o2nj728922
Date Fri, 30 Nov 2007 17:54:40 +0200
Subject The volume of your male meat is absolutely essential!
I see what they're doing. They're sending a mail to a fictitious address on our server. Our server is accepting this mail, thinking it's for one of our users, only to find that the user does not exist. Then our server is attempting to bounce the mail, which is actually addressed to some other email address where the spam is aimed (in this case, mariano@intomart.nl).
It makes more sense to me for our mail server refuse the mail in the first place as it should know that this user does not exist?
Sorry for being morons!! We are happy to try anything :) thanks so so so much!!
Please please could someone point out what the problem might be...
Here is an excerpt from qshape deferred:
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 326 0 0 0 0 0 0 2 6 31 287
intomart.nl 20 0 0 0 0 0 0 0 0 0 20
qile.net 13 0 0 0 0 0 0 0 0 0 13
pharmcomm.com 13 0 0 0 0 0 0 0 0 0 13
rs.nic.or.kr 11 0 0 0 0 0 0 0 0 0 11
kdtm.com 8 0 0 0 0 0 0 0 0 0 8
hitemp.com 8 0 0 0 0 0 0 0 0 0 8
Here is a view of the mailq of one of the mails from the top of the prev list:
88D835866C 6294 Fri Nov 30 17:54:14 MAILER-DAEMON
(connect to intomart.nl[193.173.46.196
jrainsnn@intomart.nl
This is an excerpt from the mail header information of one of these backscatter mails:
From "Mariano Bauer" <Mariano@intomart.nl>
To "Garth Rivers" <200403240249.i2o2nj728922
Date Fri, 30 Nov 2007 17:54:40 +0200
Subject The volume of your male meat is absolutely essential!
I see what they're doing. They're sending a mail to a fictitious address on our server. Our server is accepting this mail, thinking it's for one of our users, only to find that the user does not exist. Then our server is attempting to bounce the mail, which is actually addressed to some other email address where the spam is aimed (in this case, mariano@intomart.nl).
It makes more sense to me for our mail server refuse the mail in the first place as it should know that this user does not exist?
Sorry for being morons!! We are happy to try anything :) thanks so so so much!!
In case it helps, here is a copy of our /etc/postfix/main.cf:
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.m2north.com
mydomain = m2north.com
myorigin = m2north.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = /etc/mailname
mydestination = m2north.com, localhost.localdomain, localhost.localdomain, localhost, mail.m2north.com, m2north.net, mail.m2north.net, m2north.co.za, mail.m2north.co.za, m2north.ca, mail.m2north.ca
#ijl 4/10/7 to remove backscatter
#local_recipient_maps =
unknown_local_recipient_reject_code = 550
#relayhost =
mynetworks = 127.0.0.0/8
#mynetworks = 10.0.1.0/24, 10.0.10.0/24, 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
luser_relay = m2split
################Added from http://www.howtoforge.com/virtual_postfix_antispam
### Checks to remove badly formed email
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
### When changing sender_checks, this file must be regenerated
### using postmap <file>, to generate a Berkeley DB
smtpd_recipient_restrictions =
check_client_access hash:/etc/postfix/helo_client_exceptions
check_sender_access hash:/etc/postfix/sender_checks,
reject_invalid_hostname,
### Can cause issues with Auth SMTP, so be weary!
## reject_non_fqdn_hostname,
##################################
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_unauth_destination,
### Add RBL exceptions here, when changing rbl_client_exceptions,
### this file must be regenerated using postmap <file>,
### to generate a Berkeley DB
check_client_access hash:/etc/postfix/rbl_client_exceptions,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rhsbl_sender dsn.rfc-ignorant.org,
###IJL research greylisting and switch on here
#check_policy_service inet:127.0.0.1:60000
permit
qmqpd_authorized_clients = $mynetworks
qmqpd_error_delay = 5s
qmqpd_timeout = 300s
####IJ added this to help prevent lost connection errors
connection_cache_ttl_limit=20s
smtp_connection_cache_time_limit=$connection_cache_ttl_limit
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
9
5
- +1
16 Comments
Is your postfix install accepting the mail for a local user or is it relaying it onto another box?
Can you post the output of 'postconf -n' as its easier to read.
Can you post the output of 'postconf -n' as its easier to read.
Thanks for the speedy response, grblades: this postfix is accepting the mail for a local user
The output of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
connection_cache_ttl_limit = 20s
disable_vrfy_command = yes
inet_interfaces = all
luser_relay = m2split
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = m2north.com, localhost.localdomain, localhost.localdomain, localhost, mail.m2north.com, m2north.net, mail.m2north.net, m2north.co.za, mail.m2north.co.za, m2north.ca, mail.m2north.ca
mydomain = m2north.com
myhostname = mail.m2north.com
mynetworks = 127.0.0.0/8
myorigin = m2north.com
qmqpd_authorized_clients = $mynetworks
qmqpd_error_delay = 5s
qmqpd_timeout = 300s
recipient_delimiter = +
smtp_connection_cache_time_limit = $connection_cache_ttl_limit
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/helo_client_exceptions check_sender_access hash:/etc/postfix/sender_checks, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client cbl.abuseat.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
I dont see a local recipient map defined. Have a look at :-
http://www.postfix.org/LOCAL_RECIPIENT_README.html
http://www.postfix.org/LOCAL_RECIPIENT_README.html
Thanks a lot! I've made the change and will test it out in the next hour and a bit and get back to you.
Please don't forget to inclde these RegEx checks too:
http://www.postfix.org/BACKSCATTER_README.html
http://www.postfix.org/BACKSCATTER_README.html
grblades: wow, thanks, it looks good so far, i'm just doing the last phase of testing this morning and then will award the points. i hope that's ok.
kereme: thanks for the additional help!! those examples only include one domain (porcupine.org), but we have multiple domains. i'm sorry, but i'm not sure exactly how to modify them for multiple domains. i will have a look at the backscatter levels over the next few weeks and figure out how to apply those regEx checks, should the need arise. thanks so so much for your help!
kereme: thanks for the additional help!! those examples only include one domain (porcupine.org), but we have multiple domains. i'm sorry, but i'm not sure exactly how to modify them for multiple domains. i will have a look at the backscatter levels over the next few weeks and figure out how to apply those regEx checks, should the need arise. thanks so so much for your help!
grblades: I cleared out all the backscatter and see that new backscatter is still arriving. darn. I have attached an excerpt from a backscatter mail.
Somehow our server is not refusing the mail in the first place. Would it be helpful if I include my updated main.cf?
Sorry to mess you around so much on this one, the help is hugely appreciated.
Somehow our server is not refusing the mail in the first place. Would it be helpful if I include my updated main.cf?
Sorry to mess you around so much on this one, the help is hugely appreciated.
From MAILER-DAEMON@m2north.com (Mail Delivery System)
To ajay@mailexcite.com
Date Thu, 6 Dec 2007 10:34:15 +0200 (SAST)
Subject Undelivered Mail Returned to Sender
This is the mail system at host mail.m2north.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<200309170248.h8h2mgk06866@za-jnb-001.m2north.com>: mail for
za-jnb-001.m2north.com loops back to myself
(And then this mail has 2 attachments:
message/delivery-status
Viagra email)
Here is the updated postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
connection_cache_ttl_limit = 20s
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay = m2split
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = m2north.com, localhost.localdomain, localhost.localdomain, localhost, mail.m2north.com, m2north.net, mail.m2north.net, m2north.co.za, mail.m2north.co.za, m2north.ca, mail.m2north.ca
mydomain = m2north.com
myhostname = mail.m2north.com
mynetworks = 127.0.0.0/8
myorigin = m2north.com
qmqpd_authorized_clients = $mynetworks
qmqpd_error_delay = 5s
qmqpd_timeout = 300s
recipient_delimiter = +
smtp_connection_cache_time_limit = $connection_cache_ttl_limit
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/helo_client_exceptions check_sender_access hash:/etc/postfix/sender_checks, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, check_client_access hash:/etc/postfix/rbl_client_exceptions, reject_rbl_client cbl.abuseat.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rhsbl_sender dsn.rfc-ignorant.org, permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550
That returned mail is complaining about mail looping back to itself. Your mail server is oviously configured to allow relaying for that domain (za-jnb-001.m2north.com) but has not been told where to sent it on to. It therefore looks at the DNS and finds the primary entry pointing to itself and it generates that error.
You will need to either stop relaying for that domain or configure postfix to forward it onto the correct machine which is the final destination for that domain.
You will need to either stop relaying for that domain or configure postfix to forward it onto the correct machine which is the final destination for that domain.
We are not meaning to be relaying. is there something in the main.cf that is causing relaying that you can see? sorry.
This is not a fancy implementation of postfix, so if anything looks that way, please feel free to suggest a change.
Sorry to keep this issue going for so long. It has caused a lot of pressure for us.
Thanks a lot
Justin
This is not a fancy implementation of postfix, so if anything looks that way, please feel free to suggest a change.
Sorry to keep this issue going for so long. It has caused a lot of pressure for us.
Thanks a lot
Justin
Thank you so much grblades! I hope this will be the end of our backscatter contribution to spam bandwidth loss.
Hi grblades... this stil hasn't solved the problem, somehow.... i've attached a snippet from my qshape deferred and you'll see piles of backscatter mail still... if you have any suggestions, i'd really appreciate it, thanks
za-jnb-002:~# qshape deferred
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 484 0 0 0 1 5 6 3 4 224 241
ing-im.com 186 0 0 0 0 0 0 0 0 186 0
hds-online.com 165 0 0 0 0 0 0 0 0 0 165
characterlink.net 15 0 0 0 0 0 0 0 0 0 15
pacpipe.com 13 0 0 0 0 0 0 0 0 0 13
owenscroning.com 8 0 0 0 0 0 0 0 0 0 8
3yoonksa.com 6 0 0 0 0 0 0 0 0 6 0
epilot.com 5 0 0 0 0 0 0 0 0 0 5
welt-weit.de 4 0 0 0 0 4 0 0 0 0 0
4japanesespares.com 4 0 0 0 0 0 4 0 0 0 0
crofters.commission.org.uk 4 0 0 0 0 0 0 0 0 0 4
Ok, we've finally closed the last hole we needed to have
relay_domains =
(just like that. we were relaying backscatter)
man, these spam guys waste a lot of man hours.
thanks to everyone for their help!!
relay_domains =
(just like that. we were relaying backscatter)
man, these spam guys waste a lot of man hours.
thanks to everyone for their help!!
I had the same problem (Open Relay) on our SBS2003 Exchange Server. 189,000 Virtual connectors had been created each containing 1000's of SPAM relay mails.
I added SPAMHOUS and SPAM COP to the exchange, Created a temporary virtual SMTP connector and routed everything through it. This was a long job to clear out the mails but the SPAM filtering houses stopped the bad mail coming in. Now we have been clear for 2 weeks - I checked on whitelist.org for proof.
Read the rules on SPAMHOUS and SPAM COP website - they are free to use if you are not a commercial business (making money from emails) and your mail exchange process less than a certian number a day. Our organisation is part of EU and have the max 75 users on the domain and remote.
Good luck
I added SPAMHOUS and SPAM COP to the exchange, Created a temporary virtual SMTP connector and routed everything through it. This was a long job to clear out the mails but the SPAM filtering houses stopped the bad mail coming in. Now we have been clear for 2 weeks - I checked on whitelist.org for proof.
Read the rules on SPAMHOUS and SPAM COP website - they are free to use if you are not a commercial business (making money from emails) and your mail exchange process less than a certian number a day. Our organisation is part of EU and have the max 75 users on the domain and remote.
Good luck
Featured Post
![[Live Webinar] The Cloud Skills Gap](https://filedb.experts-exchange.com/files/public/2017/5/29/3249c5dc-214e-4f8f-afab-ef354630e19f.png)
As Cloud technologies come of age, business leaders grapple with the impact it has on their team's skills and the gap associated with the use of a cloud platform.
Join experts from 451 Research and Concerto Cloud Services on July 27th where we will examine fact and fiction.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
Google Drive is extremely cheap offsite storage, and it's even possible to get extra storage for free for two years. You can use the free account 15GB, and if you have an Android device..when you install Google Drive for the first time it will give…
This Micro Tutorial will demonstrate the easy use of Gmail embedding images in your email so the recipient of your email can view them in context.
Internet Business Fax to Email Made Easy -
With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number.
You'll receive secure faxes in your email, fr…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month6 days, 5 hours left to enroll
626 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.