From: Jeroen Geilman on 11 Jun 2010 14:19

On 06/11/2010 08:00 PM, motty.cruz wrote:
> *From:* owner-postfix-users(a)postfix.org [mailto:owner-postfix-users(a)postfix.org] *On Behalf Of* Jeroen Geilman
> *Sent:* Friday, June 11, 2010 10:32 AM
> *To:* postfix-users(a)postfix.org
> *Subject:* Re: how to stop backscatter without check headers
>
> On 06/11/2010 04:40 PM, motty.cruz wrote:
>
> *From:* owner-postfix-users(a)postfix.org [mailto:owner-postfix-users(a)postfix.org] *On Behalf Of* Jeroen Geilman
> *Sent:* Thursday, June 10, 2010 4:02 PM
> *To:* postfix-users(a)postfix.org
> *Subject:* Re: how to stop backscatter without check headers
>
> On 06/11/2010 12:44 AM, motty.cruz wrote:
>
> Is there a best way to stop backscatter spam without using check headers? Traffic is too heavy to use check headers + we receive email for three different domains.
>
> Using postfix 2.6.
>
> Thanks,
>
> motty
>
> To stop backscatter spam, don't accept mail you cannot deliver.
>
> That is a very smart answer, please pardon my stupidity.
>
> Header_checks are trivially spoofed.
>
> J.
>
> Spammers spoof the "from" and it gets redirected to "user" in my domain? How do you fight that?
>
> I don't understand what you mean.
>
> I'm sorry for not being specific,
>
> If spammers spoof the envelope sender, header_checks will not help you.
>
> I know header_checks won't work; that's the reason I posted this question. I have read http://www.postfix.org/BACKSCATTER_README.html but either I did not fully understand its contents or it did not help me with my issue.
>
> If spammers spoof the sender header, well, postfix doesn't look at From: headers.
>
> J.
>
> Here is my postconf -n, am I missing something?
>
> host# postconf -n
> alias_database = hash:/usr/local/etc/postfix/aliases
> alternate_config_directories = /usr/local/etc/postfix-out
> anvil_rate_time_unit = 2s
> biff = no
> command_directory = /usr/local/sbin
> config_directory = /usr/local/etc/postfix
> content_filter = smtp-amavis:[127.0.0.1]:10024
> daemon_directory = /usr/local/libexec/postfix
> data_directory = /var/db/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> html_directory = no
> in_flow_delay = 1s
> local_recipient_maps = hash:/usr/local/etc/postfix/userdb, hash:/usr/local/etc/postfix/uservirt
> mail_owner = postfix
> mailq_path = /usr/local/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 50000000
> mydestination = foo1.com, foo2.com, foo3.com
> myhostname = host.foo1.com
> mynetworks = 127.0.0.0/8, 192.168.1.1/32
> myorigin = foo1.com
> newaliases_path = /usr/local/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = no
> relay_domains = hash:/usr/local/etc/postfix/relay_domains
> sample_directory = /usr/local/etc/postfix
> sendmail_path = /usr/local/sbin/sendmail
> setgid_group = maildrop
> smtpd_banner = host.foo1.com
> smtpd_error_sleep_time = 0
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname
> smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unknown_helo_hostname
> smtpd_sender_restrictions = hash:/usr/local/etc/postfix/access
> unknown_address_reject_code = 554
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> unknown_local_recipient_reject_code = 550
> unverified_recipient_reject_code = 550
> unverified_sender_reject_code = 550
>
> header of spoofed sender
>
> Return-Path: <user(a)foo1.com>
> Received: from [89.216.172.32] (cable-89-216-172-32.dynamic.sbb.rs [89.216.172.32])
>     by host.foo.com (Postfix) with ESMTP id B009FB8AF
>     for <user(a)foo.com>; Fri, 28 May 2010 11:40:31 -0700 (PDT)
> From: GenuineViagraOnline dealer <user(a)foo.com>
> To: user(a)foo.com
> Subject: Prices go down for user_lastname! 75% off. Sites and and
> Date: Fri, 28 May 2010 20:40:43 +0200
> MIME-Version: 1.0
> Content-Type: text/html; charset="ISO-8859-1"
> Content-Transfer-Encoding: 8bit

A combination of a good RBL such as zen.spamhaus.org and a content scanner such as amavisd-new and/or spamassassin usually catches most of these.

Header spoofing is not preventable - such is the life of the mail admin.

J.

> Any suggestions, advice welcome,
>
> -motty
>
> From: Mail Delivery Subsystem [mailto:MAILER-DAEMON(a)smtp.newsguy.com]
> Sent: Thursday, June 10, 2010 1:28 AM
> To: user(a)obscure.com
> Subject: Returned mail: see transcript for details
>
> The original message was received at Thu, 10 Jun 2010 01:28:19 -0700 (PDT) from [124.217.198.141]
>
> ----- The following addresses had permanent fatal errors -----
> <ericha(a)newsguy.com>
>
> (reason: Can't create output)
>
> ----- Transcript of session follows -----
> 550 5.0.0 <ericha(a)newsguy.com>... Can't create output
From: Robert Schetterer on 12 Jun 2010 03:42
On 11.06.2010 19:31, Jeroen Geilman wrote:
> On 06/11/2010 04:40 PM, motty.cruz wrote:
>> *From:* owner-postfix-users(a)postfix.org [mailto:owner-postfix-users(a)postfix.org] *On Behalf Of* Jeroen Geilman
>> *Sent:* Thursday, June 10, 2010 4:02 PM
>> *To:* postfix-users(a)postfix.org
>> *Subject:* Re: how to stop backscatter without check headers
>>
>> On 06/11/2010 12:44 AM, motty.cruz wrote:
>>
>> Is there a best way to stop backscatter spam without using check headers? Traffic is too heavy to use check headers + we receive email for three different domains.
>>
>> Using postfix 2.6.
>>
>> Thanks,
>>
>> motty
>>
>> To stop backscatter spam, don't accept mail you cannot deliver.
>>
>> That is a very smart answer, please pardon my stupidity.
>>
>> Header_checks are trivially spoofed.
>>
>> J.
>>
>> Spammers spoof the "from" and it gets redirected to "user" in my domain? How do you fight that?
>
> I don't understand what you mean.
> If spammers spoof the envelope sender, header_checks will not help you.
> If spammers spoof the sender header, well, postfix doesn't look at From: headers.
>
> J.
>
>> From: Mail Delivery Subsystem [mailto:MAILER-DAEMON(a)smtp.newsguy.com]
>> Sent: Thursday, June 10, 2010 1:28 AM
>> To: user(a)obscure.com
>> Subject: Returned mail: see transcript for details
>>
>> The original message was received at Thu, 10 Jun 2010 01:28:19 -0700 (PDT) from [124.217.198.141]
>>
>> ----- The following addresses had permanent fatal errors -----
>> <ericha(a)newsguy.com>
>>
>> (reason: Can't create output)
>>
>> ----- Transcript of session follows -----
>> 550 5.0.0 <ericha(a)newsguy.com>... Can't create output

hi,

you can do it like this, but think and analyse your logs and setup before; don't simply copy-paste, i.e.

smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/sender_backscatter_access,

---
/etc/postfix/sender_backscatter_access

Symantec_Mail_Security_for_SMTP@            backscatter
Gateway_SMTP@                               backscatter
Notify_nav_gateways@                        backscatter
<>                                          backscatter
postmaster@                                 backscatter
MAILER-DAEMON@                              backscatter
devnull@                                    backscatter
MDaemon@                                    backscatter
imsspostmaster@                             backscatter
Administrator@                              backscatter
imss@                                       backscatter
majordomo@                                  backscatter
symantec_antivirus_for_smtp_gateways@       backscatter
Mail_Security_for_SMTP@                     backscatter
FETCHMAIL-DAEMON@                           backscatter
NULL@                                       backscatter
------

smtpd_restriction_classes = ...., backscatter, ....

-----

from here you may use rbls and/or a list of your well known backscattered recipients, or match it only to your daily backscatter ips etc.; many combinations are possible. Take care that they make sense: rejecting valid bounce mails, i.e. from <>, may lose you urgent debug info.

backscatter =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client zen.spamhaus.org,
    check_recipient_access hash:/etc/postfix/backscatter_recipient_access

Again attention, you should analyse your logs and setup to match a setup like this to your needs.

--
Best Regards
MfG
Robert Schetterer
Germany/Munich/Bavaria
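To see which envelope senders a check_sender_access map like the one above would hand to the backscatter restriction class, here is an added Python example (not code from this thread or from Postfix) that reproduces the access(5) lookup order for sender addresses: user@domain first, then the domain and each parent domain, then the user@ local part, with the null sender looked up as the literal key <> (the Postfix smtpd_null_access_lookup_key default). The embedded table is a constructed subset of the map posted above, plus one constructed domain entry; parse_access_table, lookup_keys and classify_sender are names chosen for this example.

```python
# Added example: simulate how Postfix looks up an envelope sender in a
# check_sender_access table such as sender_backscatter_access.
# Lookup order follows access(5): user@domain, then domain.tld and each
# parent domain, then user@. The null sender is looked up as the literal
# key "<>" (Postfix default smtpd_null_access_lookup_key).
from typing import Dict, Iterator, Optional

# Constructed subset of the map from the post above, plus one constructed
# domain entry (bounces.example.net) to show domain matching.
SENDER_BACKSCATTER_ACCESS = """
<>                       backscatter
postmaster@              backscatter
MAILER-DAEMON@           backscatter
Mail_Security_for_SMTP@  backscatter
bounces.example.net      reject
"""


def parse_access_table(text: str) -> Dict[str, str]:
    """Parse a two-column Postfix access table; keys are case-folded."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def lookup_keys(sender: str) -> Iterator[str]:
    """Yield the keys Postfix tries, in order, for one envelope sender."""
    if sender in ("", "<>"):
        yield "<>"                        # null sender (bounces)
        return
    user, _, domain = sender.lower().rpartition("@")
    yield sender.lower()                  # user@domain
    labels = domain.split(".")
    for i in range(len(labels) - 1):      # domain.tld, then parent domains
        yield ".".join(labels[i:])
    yield user + "@"                      # user@


def classify_sender(sender: str, table: Dict[str, str]) -> Optional[str]:
    """Return the action of the first matching key, or None if no match."""
    for key in lookup_keys(sender):
        if key in table:
            return table[key]
    return None
```

Senders that return "backscatter" are the ones Postfix would pass to the backscatter restriction class; a None result falls through to the rest of smtpd_sender_restrictions.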