Solved

Postfix backscatter ongoing problem

Posted on 2007-12-05
2,382 Views
Last Modified: 2012-08-13
Our incoming mail server queue is constantly under backscatter attack. I have searched and searched for ways of blocking this and I thought I had solved it, but when I run a "qshape deferred", literally every deferred mail listed is from a backscatter attack. As a result, we are being blacklisted and all our real mail is getting delayed.

Please please could someone point out what the problem might be...

Here is an excerpt from qshape deferred:

                                         T  5 10 20 40 80 160 320 640 1280 1280+
                                 TOTAL 326  0  0  0  0  0   0   2   6   31   287
                           intomart.nl  20  0  0  0  0  0   0   0   0    0    20
                              qile.net  13  0  0  0  0  0   0   0   0    0    13
                         pharmcomm.com  13  0  0  0  0  0   0   0   0    0    13
                          rs.nic.or.kr  11  0  0  0  0  0   0   0   0    0    11
                              kdtm.com   8  0  0  0  0  0   0   0   0    0     8
                            hitemp.com   8  0  0  0  0  0   0   0   0    0     8

Here is a view of the mailq of one of the mails from the top of the prev list:

88D835866C     6294 Fri Nov 30 17:54:14  MAILER-DAEMON
                (connect to intomart.nl[193.173.46.196]: Connection timed out)
                                         jrainsnn@intomart.nl

This is an excerpt from the mail header information of one of these backscatter mails:

  From  "Mariano Bauer" <Mariano@intomart.nl>
  To  "Garth Rivers" <200403240249.i2o2nj728922@za-jnb-001.m2north.com>
  Date  Fri, 30 Nov 2007 17:54:40 +0200
  Subject  The volume of your male meat is absolutely essential!

I see what they're doing. They're sending a mail to a fictitious address on our server. Our server is accepting this mail, thinking it's for one of our users, only to find that the user does not exist. Then our server is attempting to bounce the mail, which is actually addressed to some other email address where the spam is aimed (in this case, mariano@intomart.nl).

It makes more sense to me for our mail server to refuse the mail in the first place, as it should know that this user does not exist?

Sorry for being morons!! We are happy to try anything :) thanks so so so much!!


In case it helps, here is a copy of our /etc/postfix/main.cf:
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = mail.m2north.com
mydomain = m2north.com
myorigin = m2north.com

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = /etc/mailname
mydestination = m2north.com, localhost.localdomain, localhost.localdomain, localhost, mail.m2north.com, m2north.net, mail.m2north.net, m2north.co.za, mail.m2north.co.za, m2north.ca, mail.m2north.ca

#ijl 4/10/7 to remove backscatter
#local_recipient_maps =

unknown_local_recipient_reject_code = 550

#relayhost =
mynetworks = 127.0.0.0/8

#mynetworks = 10.0.1.0/24, 10.0.10.0/24, 127.0.0.0/8

mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

luser_relay = m2split

################Added from http://www.howtoforge.com/virtual_postfix_antispam
### Checks to remove badly formed email
smtpd_helo_required     = yes
strict_rfc821_envelopes = yes
disable_vrfy_command = yes

unknown_address_reject_code  = 554
unknown_hostname_reject_code = 554
unknown_client_reject_code   = 554

smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit

### When changing sender_checks, this file must be regenerated
### using postmap <file>, to generate a Berkeley DB
smtpd_recipient_restrictions =
   check_client_access hash:/etc/postfix/helo_client_exceptions
   check_sender_access    hash:/etc/postfix/sender_checks,
   reject_invalid_hostname,
### Can cause issues with Auth SMTP, so be wary!
##  reject_non_fqdn_hostname,
##################################
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   reject_unauth_destination,
### Add RBL exceptions here, when changing rbl_client_exceptions,
### this file must be regenerated using postmap <file>,
### to generate a Berkeley DB
          check_client_access hash:/etc/postfix/rbl_client_exceptions,
          reject_rbl_client cbl.abuseat.org,
          reject_rbl_client sbl-xbl.spamhaus.org,
          reject_rbl_client bl.spamcop.net,
          reject_rhsbl_sender    dsn.rfc-ignorant.org,
        ###IJL research greylisting and switch on here
         #check_policy_service inet:127.0.0.1:60000
         permit

qmqpd_authorized_clients = $mynetworks
qmqpd_error_delay = 5s
qmqpd_timeout = 300s

####IJ added this to help prevent lost connection errors
connection_cache_ttl_limit=20s
smtp_connection_cache_time_limit=$connection_cache_ttl_limit

0
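The question describes the accept-then-bounce pattern: the server takes a message for a recipient it cannot deliver and later generates a bounce to the forged sender. As an added example (not part of the thread, and not the asker's configuration), here is a small POSIX shell audit that reads a saved `postconf -n` dump and flags the settings that produce that behaviour. It assumes Postfix 2.x semantics: `relay_domains` defaults to `$mydestination` and, through `parent_domain_matches_subdomains`, also covers subdomains of those names; `local_recipient_maps` defaults to `proxy:unix:passwd.byname $alias_maps`. The three sample dumps are constructed to mirror the "before" state pasted above, the state after the thread's fixes, and a worst case.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved 'postconf -n' dump for the
# settings that let a Postfix MX accept mail it can only bounce later.
# Assumes Postfix 2.x defaults (relay_domains = $mydestination, subdomains
# included; local_recipient_maps = proxy:unix:passwd.byname $alias_maps).

# pc_value FILE PARAM: print the explicit value of PARAM in FILE (empty if absent)
pc_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# pc_isset FILE PARAM: succeed if PARAM is set explicitly in FILE
pc_isset() {
    grep -q "^$2[[:space:]]*=" "$1"
}

# audit_postconf FILE: one WARN / INFO / OK line per check
audit_postconf() {
    f=$1
    # 1. relay_domains: mail for these domains (and their subdomains) passes
    #    reject_unauth_destination and is bounced if it cannot be delivered.
    if ! pc_isset "$f" relay_domains; then
        echo 'WARN relay_domains unset: default $mydestination accepts relay for every subdomain of your domains'
    elif [ "$(pc_value "$f" relay_domains)" = '$mydestination' ]; then
        echo 'WARN relay_domains = $mydestination: subdomains are accepted for relay'
    elif [ -z "$(pc_value "$f" relay_domains)" ]; then
        echo 'OK   relay_domains is empty: nothing is relayed, only $mydestination is accepted'
    else
        echo "INFO relay_domains = $(pc_value "$f" relay_domains): pair it with relay_recipient_maps"
    fi
    # 2. local_recipient_maps: empty means every recipient in $mydestination is accepted
    if ! pc_isset "$f" local_recipient_maps; then
        echo 'INFO local_recipient_maps unset: compiled default applies, confirm with postconf -d'
    elif [ -z "$(pc_value "$f" local_recipient_maps)" ]; then
        echo 'WARN local_recipient_maps is empty: unknown users are accepted at RCPT TO and bounced later'
    else
        echo 'OK   local_recipient_maps set: unknown users are refused at RCPT TO'
    fi
    # 3. luser_relay only ever sees mail that smtpd already accepted
    if pc_isset "$f" luser_relay; then
        echo "INFO luser_relay = $(pc_value "$f" luser_relay): catch-all, harmless only while local_recipient_maps rejects unknown users"
    fi
    # 4. without reject_unauth_destination the server is an open relay
    if pc_value "$f" smtpd_recipient_restrictions | grep -q reject_unauth_destination; then
        echo 'OK   reject_unauth_destination present'
    else
        echo 'WARN reject_unauth_destination missing from smtpd_recipient_restrictions'
    fi
}

# warn_count FILE: number of WARN findings
warn_count() {
    audit_postconf "$1" | grep -c '^WARN' || true
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed dump mirroring the thread's first postconf -n (relay_domains left at default)
BEFORE_CF=$work/before.cf
cat > "$BEFORE_CF" <<'EOF'
luser_relay = m2split
mydestination = m2north.com, localhost, mail.m2north.com, m2north.net
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_checks, reject_non_fqdn_sender, permit_mynetworks, reject_unauth_destination, permit
EOF

# Constructed dump after the thread's fixes: recipient map set, relay_domains emptied
AFTER_CF=$work/after.cf
cat > "$AFTER_CF" <<'EOF'
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
mydestination = m2north.com, localhost, mail.m2north.com, m2north.net
relay_domains =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit
EOF

# Constructed worst case: catch-all, no recipient validation, no relay check
OPEN_CF=$work/open.cf
cat > "$OPEN_CF" <<'EOF'
local_recipient_maps =
luser_relay = catchall
mydestination = m2north.com
smtpd_recipient_restrictions = permit
EOF

for cf in "$BEFORE_CF" "$AFTER_CF" "$OPEN_CF"; do
    echo "== $cf"
    audit_postconf "$cf"
done
```

Run it against `postconf -n > /tmp/pc.txt` on the real host; the "before" dump produces exactly one WARN (the relay_domains default), which is the gap the thread only closes at the very end, while the recipient-map finding is INFO because `postconf -n` hides defaults.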
Comment
Question by:justin_irjsoftware
16 Comments
 
LVL 36

Expert Comment

by:grblades
ID: 20409976
Is your postfix install accepting the mail for a local user or is it relaying it onto another box?

Can you post the output of 'postconf -n', as it's easier to read.
0
 

Author Comment

by:justin_irjsoftware
ID: 20410020
Thanks for the speedy response, grblades: this postfix is accepting the mail for a local user.
The output of postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
connection_cache_ttl_limit = 20s
disable_vrfy_command = yes
inet_interfaces = all
luser_relay = m2split
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = m2north.com, localhost.localdomain, localhost.localdomain, localhost, mail.m2north.com, m2north.net, mail.m2north.net, m2north.co.za, mail.m2north.co.za, m2north.ca, mail.m2north.ca
mydomain = m2north.com
myhostname = mail.m2north.com
mynetworks = 127.0.0.0/8
myorigin = m2north.com
qmqpd_authorized_clients = $mynetworks
qmqpd_error_delay = 5s
qmqpd_timeout = 300s
recipient_delimiter = +
smtp_connection_cache_time_limit = $connection_cache_ttl_limit
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/helo_client_exceptions   check_sender_access    hash:/etc/postfix/sender_checks,   reject_invalid_hostname,   reject_non_fqdn_sender,   reject_non_fqdn_recipient,   reject_unknown_sender_domain,   reject_unknown_recipient_domain,   permit_mynetworks,   reject_unauth_destination,          check_client_access hash:/etc/postfix/rbl_client_exceptions,          reject_rbl_client cbl.abuseat.org,          reject_rbl_client sbl-xbl.spamhaus.org,          reject_rbl_client bl.spamcop.net,           reject_rhsbl_sender    dsn.rfc-ignorant.org,         permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550

0
 
LVL 36

Accepted Solution

by:
grblades earned 500 total points
ID: 20410177
I don't see a local recipient map defined. Have a look at :-
http://www.postfix.org/LOCAL_RECIPIENT_README.html
0
 

Author Comment

by:justin_irjsoftware
ID: 20410814
Thanks a lot! I've made the change and will test it out in the next hour and a bit and get back to you.
0
 
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 20411409
Please don't forget to include these RegEx checks too:

http://www.postfix.org/BACKSCATTER_README.html

0
 

Author Comment

by:justin_irjsoftware
ID: 20417925
grblades: wow, thanks, it looks good so far. I'm just doing the last phase of testing this morning and then will award the points. I hope that's ok.

kereme: thanks for the additional help!! Those examples only include one domain (porcupine.org), but we have multiple domains. I'm sorry, but I'm not sure exactly how to modify them for multiple domains. I will have a look at the backscatter levels over the next few weeks and figure out how to apply those regEx checks, should the need arise. Thanks so so much for your help!
0
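The BACKSCATTER_README approach that Kerem ERSOY points to rejects bounces whose embedded headers claim to originate from your own domain, using `header_checks` patterns written for a single domain. As an added example (not from the thread and not the README's own table), the script below generalises that idea to several domains by putting them in one alternation group, also allows a forged subdomain host label, writes the resulting `pcre:` table to a temporary path, and checks the same patterns with `grep -E` against constructed sample headers. The domain list, paths and samples are assumptions; POSIX ERE is a subset of PCRE, so patterns that pass `grep -E` here load unchanged in Postfix.

```shell
#!/bin/sh
# Added example (not from the thread or BACKSCATTER_README): multi-domain
# header_checks patterns against forged references to our own domains.
# Domain list, file path and sample headers are constructed for this demo.

# Our domains as an ERE alternation; also valid PCRE for a pcre: table.
OUR_DOMAINS='m2north\.com|m2north\.net|m2north\.co\.za|m2north\.ca'

# Message-ID claiming to come from us, optionally via a forged host label
# such as @za-jnb-001.m2north.com (generalises the README's single-domain rule).
MSGID_RE="^Message-ID:.*@([^ >]*\.)?(${OUR_DOMAINS})(>|[[:space:]]|\$)"

# Received: line claiming the message was handed over by one of our hosts.
RECEIVED_RE="^Received: +from +([^ ]*\.)?(${OUR_DOMAINS}) +"

# write_header_checks FILE: emit the table Postfix would load with
#   header_checks = pcre:FILE
# Postfix pcre tables are case-insensitive by default, matching grep -i below.
write_header_checks() {
    cat > "$1" <<EOF
# Added example table, generated by the script; patterns are POSIX ERE
/${MSGID_RE}/
    REJECT forged domain name in Message-ID: header
/${RECEIVED_RE}/
    REJECT forged client name in Received: header
EOF
}

# classify_header LINE: print the REJECT text a matching rule would return,
# or DUNNO when the line is left alone (always exits 0 for easy scripting)
classify_header() {
    if printf '%s\n' "$1" | grep -Eiq "$MSGID_RE"; then
        echo 'REJECT forged domain name in Message-ID: header'
    elif printf '%s\n' "$1" | grep -Eiq "$RECEIVED_RE"; then
        echo 'REJECT forged client name in Received: header'
    else
        echo DUNNO
    fi
}

# Generated table (the real file would be /etc/postfix/header_checks)
HEADER_CHECKS=$(mktemp)
write_header_checks "$HEADER_CHECKS"

# Constructed sample headers: two forged, two legitimate
FORGED_MSGID='Message-ID: <200309170248.h8h2mgk06866@za-jnb-001.m2north.com>'
FORGED_RCVD='Received: from mail.m2north.com (unknown [198.51.100.7]) by mx.example.net'
LEGIT_MSGID='Message-ID: <20071130175414.ABCDEF@intomart.nl>'
LEGIT_RCVD='Received: from mail.example.org (mail.example.org [203.0.113.5]) by mail.m2north.com'

for h in "$FORGED_MSGID" "$FORGED_RCVD" "$LEGIT_MSGID" "$LEGIT_RCVD"; do
    printf '%-8s %s\n' "$(classify_header "$h" | cut -d' ' -f1)" "$h"
done
```

Before enabling the table, feed real headers through it with `postmap -q - pcre:/etc/postfix/header_checks < message`, because `header_checks` run in cleanup(8) on every message, including mail legitimately handed between your own hosts: a Received line reading "from za-jnb-002.m2north.com" on internal relay traffic matches the second rule just as a forgery would, so hosts that relay through the MX need an exemption (a separate cleanup service in master.cf with `-o header_checks=`) or must be left out of the Received rule.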
 

Author Comment

by:justin_irjsoftware
ID: 20418368
grblades: I cleared out all the backscatter and see that new backscatter is still arriving. darn. I have attached an excerpt from a backscatter mail.

Somehow our server is not refusing the mail in the first place. Would it be helpful if I include my updated main.cf?

Sorry to mess you around so much on this one, the help is hugely appreciated.
From  MAILER-DAEMON@m2north.com (Mail Delivery System)
To  ajay@mailexcite.com
Date  Thu, 6 Dec 2007 10:34:15 +0200 (SAST)
Subject  Undelivered Mail Returned to Sender

This is the mail system at host mail.m2north.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<200309170248.h8h2mgk06866@za-jnb-001.m2north.com>: mail for
    za-jnb-001.m2north.com loops back to myself

(And then this mail has 2 attachments:
message/delivery-status
Viagra email)

0
 

Author Comment

by:justin_irjsoftware
ID: 20418372
Here is the updated postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
connection_cache_ttl_limit = 20s
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
luser_relay = m2split
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mydestination = m2north.com, localhost.localdomain, localhost.localdomain, localhost, mail.m2north.com, m2north.net, mail.m2north.net, m2north.co.za, mail.m2north.co.za, m2north.ca, mail.m2north.ca
mydomain = m2north.com
myhostname = mail.m2north.com
mynetworks = 127.0.0.0/8
myorigin = m2north.com
qmqpd_authorized_clients = $mynetworks
qmqpd_error_delay = 5s
qmqpd_timeout = 300s
recipient_delimiter = +
smtp_connection_cache_time_limit = $connection_cache_ttl_limit
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, regexp:/etc/postfix/helo.regexp, permit
smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/helo_client_exceptions   check_sender_access    hash:/etc/postfix/sender_checks,   reject_invalid_hostname,   reject_non_fqdn_sender,   reject_non_fqdn_recipient,   reject_unknown_sender_domain,   reject_unknown_recipient_domain,   permit_mynetworks,   reject_unauth_destination,          check_client_access hash:/etc/postfix/rbl_client_exceptions,          reject_rbl_client cbl.abuseat.org,          reject_rbl_client sbl-xbl.spamhaus.org,          reject_rbl_client bl.spamcop.net,           reject_rhsbl_sender    dsn.rfc-ignorant.org,         permit
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550

0
 
LVL 36

Expert Comment

by:grblades
ID: 20418466
That returned mail is complaining about mail looping back to itself. Your mail server is obviously configured to allow relaying for that domain (za-jnb-001.m2north.com) but has not been told where to send it on to. It therefore looks at the DNS and finds the primary entry pointing to itself and it generates that error.

You will need to either stop relaying for that domain or configure postfix to forward it onto the correct machine which is the final destination for that domain.
0
 

Author Comment

by:justin_irjsoftware
ID: 20418488
We are not meaning to be relaying. Is there something in the main.cf that is causing relaying that you can see? Sorry.

This is not a fancy implementation of postfix, so if anything looks that way, please feel free to suggest a change.

Sorry to keep this issue going for so long. It has caused a lot of pressure for us.

Thanks a lot

Justin
0
 
LVL 36

Assisted Solution

by:grblades
grblades earned 500 total points
ID: 20418515
Check in main.cf that you have the following line :-
relay_domains = $mydestination
0
 

Author Closing Comment

by:justin_irjsoftware
ID: 31412795
Thank you so much grblades! I hope this will be the end of our backscatter contribution to spam bandwidth loss.
0
 

Author Comment

by:justin_irjsoftware
ID: 20440297
Hi grblades... this still hasn't solved the problem, somehow.... I've attached a snippet from my qshape deferred and you'll see piles of backscatter mail still... if you have any suggestions, I'd really appreciate it, thanks
za-jnb-002:~# qshape deferred
                                         T  5 10 20 40 80 160 320 640 1280 1280+
                                 TOTAL 484  0  0  0  1  5   6   3   4  224   241
                            ing-im.com 186  0  0  0  0  0   0   0   0  186     0
                        hds-online.com 165  0  0  0  0  0   0   0   0    0   165
                     characterlink.net  15  0  0  0  0  0   0   0   0    0    15
                           pacpipe.com  13  0  0  0  0  0   0   0   0    0    13
                      owenscroning.com   8  0  0  0  0  0   0   0   0    0     8
                          3yoonksa.com   6  0  0  0  0  0   0   0   0    6     0
                            epilot.com   5  0  0  0  0  4   0   0   0    0     0
                   4japanesespares.com   4  0  0  0  0  0   4   0   0    0     0
            crofters.commission.org.uk   4  0  0  0  0  0   0   0   0    0     4

0
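The `qshape deferred` output pasted above groups the queue by recipient domain, which shows where the deferred mail is going but not whether it is a bounce. `mailq` does show the sender, and Postfix prints the null envelope sender that every bounce carries as `MAILER-DAEMON` (as in the mailq excerpt in the question); `qshape -s deferred` groups by sender domain for the same purpose. As an added example (not part of the thread), the script below parses `mailq` output with awk and reports how many queued recipients belong to bounces, broken down by destination domain. The sample queue listing is constructed, reusing the queue ID and host from the question's excerpt.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Postfix 'mailq' listing and
# count queued bounces (null sender, printed as MAILER-DAEMON) per domain.
# The sample listing below is constructed for this demo.

MAILQ_AWK='
# mailq layout: "<queue-id>[*!] <size> <arrival> <sender>" starts an entry,
# deferred entries carry an indented "(reason)" line, then one indented
# recipient per line. Postfix prints the null (bounce) sender as MAILER-DAEMON.
/^[0-9A-Za-z]+[*!]?[ \t]+[0-9]+[ \t]/ { sender = $NF; next }
/^[ \t]+\(/                           { next }
/^[ \t]+[^ \t(]+@/ {
    split($1, addr, "@"); dom = tolower(addr[2])
    recipients++
    if (sender == "MAILER-DAEMON") { bounce[dom]++; bounces++ }
}
END {
    if (mode == "total")      { print bounces + 0;    exit }
    if (mode == "recipients") { print recipients + 0; exit }
    for (d in bounce) print bounce[d], d
}'

# bounce_total FILE: number of queued recipients that belong to bounces
bounce_total() {
    awk -v mode=total "$MAILQ_AWK" "$1"
}

# queued_recipients FILE: number of queued recipients of any kind
queued_recipients() {
    awk -v mode=recipients "$MAILQ_AWK" "$1"
}

# bounce_by_domain FILE: "count domain" per destination domain, busiest first
bounce_by_domain() {
    awk -v mode=domains "$MAILQ_AWK" "$1" | sort -rn
}

# Constructed mailq listing: three bounces and one ordinary deferred message.
# Real use: mailq > /tmp/mailq.txt; bounce_by_domain /tmp/mailq.txt
MAILQ_SAMPLE=$(mktemp)
cat > "$MAILQ_SAMPLE" <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
88D835866C     6294 Fri Nov 30 17:54:14  MAILER-DAEMON
                (connect to intomart.nl[193.173.46.196]: Connection timed out)
                                         jrainsnn@intomart.nl

0A1B2C3D4E     5120 Fri Nov 30 17:55:02  MAILER-DAEMON
                (connect to intomart.nl[193.173.46.196]: Connection timed out)
                                         someone@intomart.nl

5F6A7B8C9D     4812 Fri Nov 30 17:58:40  MAILER-DAEMON
                (connect to qile.net[203.0.113.9]: Connection timed out)
                                         user@qile.net

C0FFEE1234*    2048 Fri Nov 30 18:01:02  justin@m2north.com
                                         partner@example.net

-- 18 Kbytes in 4 Requests.
EOF

echo "bounces: $(bounce_total "$MAILQ_SAMPLE") of $(queued_recipients "$MAILQ_SAMPLE") queued recipients"
bounce_by_domain "$MAILQ_SAMPLE"
```

A queue in which nearly every deferred recipient belongs to a MAILER-DAEMON entry is the signature of backscatter: the bounces are going to forged senders whose servers are unreachable or refuse them, so they sit in the deferred queue until `maximal_queue_lifetime` expires them. Once the domain list is known, `postsuper -d` can be used on the affected queue IDs to clear the backlog after the configuration is fixed.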
 
LVL 36

Expert Comment

by:grblades
ID: 20440562
I am away at the moment and don't have access to my systems. I'll take another look on Wednesday.
0
 

Author Comment

by:justin_irjsoftware
ID: 20449603
Ok, we've finally closed the last hole. We needed to have

relay_domains =

(just like that. We were relaying backscatter.)

Man, these spam guys waste a lot of man hours.

Thanks to everyone for their help!!
0
 

Expert Comment

by:FreakyGeek
ID: 34447145
I had the same problem (Open Relay) on our SBS2003 Exchange Server. 189,000 virtual connectors had been created, each containing 1000's of SPAM relay mails.
I added Spamhaus and SpamCop to the Exchange, created a temporary virtual SMTP connector and routed everything through it. This was a long job to clear out the mails, but the SPAM filtering houses stopped the bad mail coming in. Now we have been clear for 2 weeks - I checked on whitelist.org for proof.
Read the rules on the Spamhaus and SpamCop websites - they are free to use if you are not a commercial business (making money from emails) and your mail exchange processes less than a certain number a day. Our organisation is part of the EU and has the max 75 users on the domain and remote.
Good luck
0
