Our incoming mail server queue is constantly under backscatter attack. I have searched and searched for ways of blocking this, and I thought I had solved it, but when I run "qshape deferred", literally every deferred mail listed is from a backscatter attack. As a result, we are being blacklisted and all our real mail is getting delayed.
Please, please, could someone point out what the problem might be?
Here is a view of the mailq entry for one of the mails from the top of the previous list:
88D835866C     6294 Fri Nov 30 17:54:14  MAILER-DAEMON
(connect to intomart.nl[193.173.46.196]: Connection timed out)
                                         jrainsnn@intomart.nl
This is an excerpt from the mail header information of one of these backscatter mails:
From: "Mariano Bauer" <Mariano@intomart.nl>
To: "Garth Rivers" <200403240249.i2o2nj728922@za-jnb-001.m2north.com>
Date: Fri, 30 Nov 2007 17:54:40 +0200
Subject: The volume of your male meat is absolutely essential!
I see what they're doing. They're sending a mail to a fictitious address on our server. Our server is accepting this mail, thinking it's for one of our users, only to find that the user does not exist. Then our server is attempting to bounce the mail, which is actually addressed to some other email address where the spam is aimed (in this case, mariano@intomart.nl).
Wouldn't it make more sense for our mail server to refuse the mail in the first place, since it should know that this user does not exist?
Sorry for being morons!! We are happy to try anything :) thanks so so so much!!
In case it helps, here is a copy of our /etc/postfix/main.cf:

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.m2north.com
mydomain = m2north.com
myorigin = m2north.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = /etc/mailname
mydestination = m2north.com, localhost.localdomain, localhost.localdomain, localhost, mail.m2north.com, m2north.net, mail.m2north.net, m2north.co.za, mail.m2north.co.za, m2north.ca, mail.m2north.ca
#ijl 4/10/7 to remove backscatter
#local_recipient_maps =
unknown_local_recipient_reject_code = 550
#relayhost =
mynetworks = 127.0.0.0/8
#mynetworks = 10.0.1.0/24, 10.0.10.0/24, 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
luser_relay = m2split

################ Added from http://www.howtoforge.com/virtual_postfix_antispam
### Checks to remove badly formed email
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes
unknown_address_reject_code = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code = 554
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

### When changing sender_checks, this file must be regenerated
### using postmap <file>, to generate a Berkeley DB
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/helo_client_exceptions
    check_sender_access hash:/etc/postfix/sender_checks,
    reject_invalid_hostname,
### Can cause issues with Auth SMTP, so be wary!
##  reject_non_fqdn_hostname,
#################################
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
### Add RBL exceptions here, when changing rbl_client_exceptions,
### this file must be regenerated using postmap <file>,
### to generate a Berkeley DB
    check_client_access hash:/etc/postfix/rbl_client_exceptions,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_sender dsn.rfc-ignorant.org,
### IJL research greylisting and switch on here
#   check_policy_service inet:127.0.0.1:60000
    permit

qmqpd_authorized_clients = $mynetworks
qmqpd_error_delay = 5s
qmqpd_timeout = 300s

#### IJ added this to help prevent lost connection errors
connection_cache_ttl_limit=20s
smtp_connection_cache_time_limit=$connection_cache_ttl_limit
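A quick triage check for the situation described in the question, added here as an example and not part of the original post: the script below reads `mailq` output (the same format as the queue entry shown above) and counts deferred messages that carry the null sender, which `mailq` displays as `MAILER-DAEMON`, grouped by the domain they are trying to bounce to. If the top of that list is dominated by domains you never send to, the deferred queue is backscatter. The queue listing embedded in the script is constructed sample data, not taken from the poster's server; the queue IDs, hosts and addresses in it are made up.

```shell
#!/bin/sh
# Added example: summarise deferred bounces in a Postfix queue by
# destination domain. On a real server run:  mailq | backscatter_by_domain
#
# Constructed sample of `mailq` (postqueue -p) output. Queue IDs, sizes and
# addresses are invented; the layout follows what Postfix prints.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
88D835866C     6294 Fri Nov 30 17:54:14  MAILER-DAEMON
(connect to intomart.nl[193.173.46.196]: Connection timed out)
                                         jrainsnn@intomart.nl

A1B2C3D4E5*    7120 Fri Nov 30 17:55:02  MAILER-DAEMON
(host mx.example.net[192.0.2.10] said: 450 4.7.1 try again later)
                                         someone@example.net

F6A7B8C9D0     2048 Fri Nov 30 18:01:11  alice@m2north.com
(connect to example.org[192.0.2.20]: Connection timed out)
                                         bob@example.org

0A1B2C3D4E     6500 Fri Nov 30 18:03:40  MAILER-DAEMON
(connect to intomart.nl[193.173.46.196]: Connection timed out)
                                         other@intomart.nl

-- 21 Kbytes in 4 Requests.'

# Reads mailq output on stdin, writes "count domain" lines, worst first.
backscatter_by_domain() {
  awk '
    # Entry header: queue ID (optionally flagged * active or ! held), size,
    # arrival time, envelope sender. A bounce has the null sender, which
    # mailq shows as MAILER-DAEMON, so that is the last field on the line.
    /^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ {
      bounce = ($NF == "MAILER-DAEMON")
      next
    }
    # Indented lines holding an address are the recipients of the current
    # entry; the "(reason)" line starts with "(" and is skipped.
    bounce && /^[ \t]+[^ \t@]+@[^ \t@]+$/ {
      n = split($1, parts, "@")
      count[tolower(parts[n])]++
    }
    END {
      for (d in count) printf "%d %s\n", count[d], d
    }
  ' | sort -rn
}

# Demonstration on the constructed sample: prints "2 intomart.nl" and
# "1 example.net"; the non-bounce to bob@example.org is not counted.
printf '%s\n' "$SAMPLE_MAILQ" | backscatter_by_domain
```

Because the function only looks at the envelope sender, it also counts legitimate bounces to real correspondents; the point is the ratio, not any single entry. Pair it with `qshape deferred`, which the question already uses, to see how long those bounces have been retrying.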
grblades: Wow, thanks, it looks good so far. I'm just doing the last phase of testing this morning and then will award the points. I hope that's OK.
kereme: Thanks for the additional help! Those examples only include one domain (porcupine.org), but we have multiple domains. I'm sorry, but I'm not sure exactly how to modify them for multiple domains. I will have a look at the backscatter levels over the next few weeks and figure out how to apply those regex checks, should the need arise. Thanks so, so much for your help!
grblades: I cleared out all the backscatter and see that new backscatter is still arriving. darn. I have attached an excerpt from a backscatter mail.
Somehow our server is not refusing the mail in the first place. Would it be helpful if I include my updated main.cf?
Sorry to mess you around so much on this one; the help is hugely appreciated.
From: MAILER-DAEMON@m2north.com (Mail Delivery System)
To: ajay@mailexcite.com
Date: Thu, 6 Dec 2007 10:34:15 +0200 (SAST)
Subject: Undelivered Mail Returned to Sender

This is the mail system at host mail.m2north.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<200309170248.h8h2mgk06866@za-jnb-001.m2north.com>: mail for za-jnb-001.m2north.com loops back to myself

(And then this mail has 2 attachments: a message/delivery-status part and the Viagra email.)
That returned mail is complaining about mail looping back to itself. Your mail server is obviously configured to allow relaying for that domain (za-jnb-001.m2north.com) but has not been told where to send it on to. It therefore looks at the DNS, finds the primary entry pointing to itself, and generates that error.
You will need to either stop relaying for that domain or configure Postfix to forward it on to the correct machine, which is the final destination for that domain.
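Putting grblades' diagnosis together with the original question ("why doesn't the server refuse the mail in the first place?"), here is an added main.cf fragment. It is example configuration written for this thread, not the poster's file and not grblades' words. The mechanism it addresses: before Postfix 3.0, relay_domains defaults to $mydestination, and relay_domains matches subdomains, so any recipient under *.m2north.com (including za-jnb-001.m2north.com) passes reject_unauth_destination with no recipient check at all; the message is queued, the smtp client then resolves za-jnb-001.m2north.com back to this host, and the resulting "loops back to myself" bounce goes to the forged sender. The fragment assumes za-jnb-001.m2north.com is a real internal host reachable at 192.0.2.10 (a placeholder address) and that the two lookup tables it references are created alongside it; if that host is not a real destination, set relay_domains to empty instead and drop the transport entry.

```conf
# Added example (not the poster's main.cf): accept only mail this host can
# actually deliver, so nothing has to be bounced to a forged sender later.

# 1. Relay only domains you list explicitly. With the pre-3.0 default
#    "relay_domains = $mydestination" every *.m2north.com subdomain is
#    accepted for relay. Use "relay_domains =" (empty) if za-jnb-001 is
#    not a real destination at all.
relay_domains = za-jnb-001.m2north.com

# 2. List the addresses that exist in the relay domain. Once this table is
#    non-empty, smtpd rejects every other recipient in that domain at
#    RCPT TO (smtpd_reject_unlisted_recipient = yes is the default).
#    /etc/postfix/relay_recipients, one address per line, e.g.
#        someone@za-jnb-001.m2north.com   OK
#    then run: postmap /etc/postfix/relay_recipients
relay_recipient_maps = hash:/etc/postfix/relay_recipients
unknown_relay_recipient_reject_code = 550

# 3. Route the relay domain to the host that really serves it (192.0.2.10
#    is a placeholder), so the smtp client no longer resolves the domain
#    back to this server and produces "loops back to myself".
#    /etc/postfix/transport:
#        za-jnb-001.m2north.com   smtp:[192.0.2.10]
#    then run: postmap /etc/postfix/transport
transport_maps = hash:/etc/postfix/transport

# 4. Local domains in $mydestination: leave local_recipient_maps at its
#    default (do not set it to empty), so unknown local users are rejected
#    with 550 at RCPT TO instead of being accepted and bounced.
unknown_local_recipient_reject_code = 550
```

After `postfix reload`, confirm the settings took effect with `postconf relay_domains relay_recipient_maps transport_maps`, then open a manual SMTP session to the server and issue `RCPT TO:<nobody@za-jnb-001.m2north.com>`: the answer should be a 550 rejection, not 250. A 250 there means the server is still accepting mail it will later have to bounce, and the backscatter will continue regardless of the RBL and HELO checks already in the file.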
Hi grblades... this still hasn't solved the problem, somehow. I've attached a snippet from my qshape deferred and you'll see piles of backscatter mail still. If you have any suggestions, I'd really appreciate it. Thanks.
I had the same problem (open relay) on our SBS2003 Exchange Server. 189,000 virtual connectors had been created, each containing thousands of spam relay mails.
I added Spamhaus and SpamCop to the Exchange server, created a temporary virtual SMTP connector and routed everything through it. This was a long job to clear out the mails, but the spam filtering houses stopped the bad mail coming in. Now we have been clear for 2 weeks; I checked on whitelist.org for proof.
Read the rules on the Spamhaus and SpamCop websites: they are free to use if you are not a commercial business (making money from emails) and your mail exchange processes less than a certain number a day. Our organisation is part of the EU and has the maximum of 75 users on the domain and remote.
Good luck