
BackScatter Problem

  • jan gestre
    Message 1 of 11, May 26, 2009
      Hi,

      I've a backscatter problem wherein users receive emails from valid
      company addresses, but based on the content of the message it is obviously
      spam. I'm using postfix 2.5 with virtual domains using mysql + dovecot
      and mailscanner, and I've already read
      http://www.postfix.org/BACKSCATTER_README.html; however, I'm not sure
      how to go about it since I'm using mysql lookups.
      This is my postconf -n:

      [root@kartero ~]# postconf -n
      alias_database = hash:/etc/postfix/aliases
      alias_maps = hash:/etc/postfix/aliases
      broken_sasl_auth_clients = yes
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      header_checks = regexp:/etc/postfix/header_checks
      html_directory = /usr/share/doc/postfix-2.5.5-documentation/html
      inet_interfaces = all
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      maps_rbl_domains = bl.spamcop.net
      message_size_limit = 40960000
      mydestination = localhost
      mydomain = example.com
      myhostname = kartero.example.com
      mynetworks = 192.168.88.0/24, 127.0.0.0/8
      myorigin = $mydomain
      newaliases_path = /usr/bin/newaliases.postfix
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.5.5-documentation/readme
      recipient_delimiter = +
      relay_domains = $mydestination
      relayhost =
      sample_directory = /etc/postfix
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_helo_required = yes
      smtpd_recipient_restrictions = permit_sasl_authenticated
          permit_mynetworks
          reject_unauth_destination
          permit_tls_all_clientcerts
          reject_non_fqdn_hostname
          reject_non_fqdn_sender
          reject_non_fqdn_recipient
          reject_unauth_destination
          reject_unauth_pipelining
          reject_invalid_hostname
          reject_rbl_client sbl-xbl.spamhaus.org
          reject_rhsbl_sender dsn.rfc-ignorant.org
          reject_rbl_client bl.spamcop.net permit
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_exceptions_networks = $mynetworks
      smtpd_sasl_path = /var/run/dovecot/auth-client
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = dovecot
      smtpd_tls_cert_file = /etc/postfix/ssl/mail-cert.pem
      smtpd_tls_key_file = /etc/postfix/ssl/mail-key.pem
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom
      transport_maps = hash:/etc/postfix/transport
      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
      virtual_gid_maps = static:12
      virtual_mailbox_base = /home/virtualmail
      virtual_mailbox_domains =
          proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
      virtual_mailbox_maps =
          proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 150
      virtual_transport = dovecot
      virtual_uid_maps = static:150
      # ---------------

      My /etc/postfix/header_checks contain only the following:

      /^Received:/ HOLD

      According to the MailScanner docs the above line is mandatory in order for
      MailScanner to work. What revisions do I need to add to header_checks
      in order to prevent backscatter? Is the following correct, and will it
      work?

      if /^Received:/
      /^Received:/ HOLD
      /^Received: +from +(example\.com) +/
          reject forged client name in Received: header: $1
      /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(example\.com)\)/
          reject forged client name in Received: header: $2
      /^Received:.* +by +(example\.com)\b/
          reject forged mail server name in Received: header: $1
      endif
      /^Message-ID:.* <!&!/ DUNNO
      /^Message-ID:.*@(example\.com)/
          reject forged domain name in Message-ID: header: $1

      TIA,

      Jan
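The header_checks table proposed in the question can be exercised offline. The Python below is an added example written for this page, not code from the thread, from the Postfix project or from MailScanner. It models the two properties of a Postfix header_checks table that decide the outcome here: rules are tried top to bottom and the first matching pattern wins, and rules between `if /pattern/` and `endif` are only tried on header lines that match that pattern. Run against constructed header lines, it shows that with the BACKSCATTER_README rules in their original order the forged Received: and Message-ID: lines get the reject action and the Received: line the server itself adds passes, whereas with `/^Received:/ HOLD` placed first inside the if block every Received: line matches HOLD and the reject rules behind it are never reached. All sample lines are constructed; the domain example.com and the shape of the legitimate Received: line are taken from the thread.

```python
import re

# Rules are (guard, pattern, action). A guard models Postfix's
# "if /guard/ ... endif": rules inside the block are tried only for header
# lines that match the guard. Rules are tried top to bottom and the FIRST
# matching pattern decides the action for that line.
README_RULES = [
    (r"^Received:", r"^Received: +from +(example\.com) +",
     "reject forged client name in Received: header: $1"),
    (r"^Received:",
     r"^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(example\.com)\)",
     "reject forged client name in Received: header: $2"),
    (r"^Received:", r"^Received:.* +by +(example\.com)\b",
     "reject forged mail server name in Received: header: $1"),
    # Outlook/Exchange style Message-IDs are exempted before the domain check.
    (None, r"^Message-ID:.* <!&!", "DUNNO"),
    (None, r"^Message-ID:.*@(example\.com)",
     "reject forged domain name in Message-ID: header: $1"),
]

# The ordering proposed in the question: the MailScanner HOLD rule sits first
# inside the if-block, so every Received: line matches it before anything else.
HOLD_FIRST_RULES = [(r"^Received:", r"^Received:", "HOLD")] + README_RULES


def _expand(action, match):
    """Substitute $1, $2, ... in the action text with the captured groups."""
    return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", action)


def check_header(header, rules):
    """Return the action of the first matching rule, or 'DUNNO' if none match.
    Matching is case-insensitive, as in Postfix lookup tables."""
    for guard, pattern, action in rules:
        if guard is not None and not re.search(guard, header, re.IGNORECASE):
            continue
        match = re.search(pattern, header, re.IGNORECASE)
        if match:
            return _expand(action, match)
    return "DUNNO"


def check_message(headers, rules):
    """Apply the table to every header line; report the lines that got an action."""
    results = []
    for header in headers:
        action = check_header(header, rules)
        if action != "DUNNO":
            results.append((header.split(":", 1)[0], action))
    return results


# Constructed sample header lines (RFC 5737 documentation addresses, not real hosts).
FORGED_CLIENT = "Received: from example.com (unknown [192.0.2.10]) by mx.relay.invalid with SMTP id 1"
FORGED_HELO = "Received: from host.invalid (helo example.com) by mx.relay.invalid with SMTP id 2"
FORGED_BY = "Received: from host.invalid ([192.0.2.11]) by example.com with SMTP id 3"
FORGED_MSGID = "Message-ID: <123456@example.com>"
OUTLOOK_MSGID = "Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAA@example.com>"
# The Received: line our own Postfix adds (shape taken from the thread) must pass.
LEGIT_RECEIVED = ("Received: from 55.Red-88-7-191.staticIP.rima-tde.net "
                  "(55.Red-88-7-191.staticIP.rima-tde.net [88.7.191.55]) "
                  "by mail.example.com (Postfix) with ESMTP id 9DEC4148041")

if __name__ == "__main__":
    for line in (FORGED_CLIENT, FORGED_HELO, FORGED_BY, FORGED_MSGID,
                 OUTLOOK_MSGID, LEGIT_RECEIVED):
        print(line[:60])
        print("  README order:", check_header(line, README_RULES))
        print("  HOLD first  :", check_header(line, HOLD_FIRST_RULES))
```

The table is evaluated per header line, so the Message-ID: rules behave the same under both orderings; only the Received: rules are shadowed by the HOLD rule. Whether the MailScanner HOLD and the backscatter rejects can coexist in one table therefore comes down to rule order, which is what the evaluator makes visible.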
    • Sahil Tandon
      Message 2 of 11, May 26, 2009
        On Wed, 27 May 2009, jan gestre wrote:

        > I've a backscatter problem wherein users receives emails from valid
        > company addresses but based on content of the message it is obviously
        > spam. I'm using postfix 2.5 with virtual domains using mysql + dovecot
        > and mailscanner and I've already read
        > http://www.postfix.org/BACKSCATTER_README.html however I'm not sure
        > how to go about it since I'm using mysql lookups.
        > This is my postconf -n:

        If it's backscatter, it should be coming from <>, not a "valid company
        address". Please show your logs during delivery of the alleged backscatter.

        > My /etc/postfix/header_checks contain only the following:
        >
        > /^Received:/ HOLD

        Very odd that you want to hold ALL email with this check. Does MailScanner
        examine messages in the hold queue and then release them?

        --
        Sahil Tandon <sahil@...>
      • jan gestre
        Message 3 of 11, May 26, 2009
          > If it's backscatter, it should be coming from <>, not a "valid company
          > address".  Please show your logs during delivery of the alleged backscatter.
          >

          I don't have the logs from Postfix anymore, and I'm not sure if it
          really is a backscatter problem; all I have right now is the
          following:

          ----------------------
          -----Original Message-----
          From: Judy Aguilar [mailto:judyaguilar@...]
          Sent: Tuesday, May 26, 2009 4:41 PM
          To: Sheila Villanueva
          Subject: Fw: No branding needed!

          Pls see "VIAGRA.Official Site's email address -- creatives@...

          Fyi.

          ----- Original Message ----- From: "Biba Cabuquit" <bibacabuquit@...>
          To: "VIAGRA . Official Site" <creatives@...>
          Sent: Tuesday, May 26, 2009 3:16 PM
          Subject: No branding needed!

          ------- end---------

          The creatives@... address is a valid email address, and yet it has the
          name "VIAGRA Official Site". Is the mail server causing the issue, or is
          there a worm on the user's PC that's causing this?


          >> My /etc/postfix/header_checks contain only the following:
          >>
          >> /^Received:/ HOLD
          >
          > Very odd that you want to hold ALL email with this check.  Does MailScanner
          > examine messages in the hold queue and then release them?
          >

          MailScanner does examine messages in the HOLD queue, because all
          incoming/outgoing emails are tagged by MailScanner as having been
          scanned. Or am I totally wrong?
        • MacShane, Tracy
          Message 4 of 11, May 27, 2009
            > -----Original Message-----
            > From: owner-postfix-users@...
            > [mailto:owner-postfix-users@...] On Behalf Of jan gestre
            > Sent: Wednesday, 27 May 2009 5:00 PM
            > To: postfix-users@...
            > Subject: Re: BackScatter Problem
            >
            > > If it's backscatter, it should be coming from <>, not a
            > "valid company
            > > address".  Please show your logs during delivery of the
            > alleged backscatter.
            > >
            >
            > I don't have anymore the logs from Postfix and I'm not sure
            > if it really is a backscatter problem, all I have right now is the
            > following:
            >
            > ----------------------
            > -----Original Message-----
            > From: Judy Aguilar [mailto:judyaguilar@...]
            > Sent: Tuesday, May 26, 2009 4:41 PM
            > To: Sheila Villanueva
            > Subject: Fw: No branding needed!
            >
            > Pls see "VIAGRA.Official Site's email address -- creatives@...
            >
            > Fyi.
            >
            > ----- Original Message ----- From: "Biba Cabuquit"
            > <bibacabuquit@...>
            > To: "VIAGRA . Official Site" <creatives@...>
            > Sent: Tuesday, May 26, 2009 3:16 PM
            > Subject: No branding needed!
            >
            > ------- end---------
            >
            > The creatives@... is a valid email address and yet it
            > has the name VIAGRA Official site, is the mail server the
            > causing the issue or there is a worm on the users PC that'
            > causing this.
            >
            >
            > >> My /etc/postfix/header_checks contain only the following:
            > >>
            > >> /^Received:/ HOLD
            > >
            > > Very odd that you want to hold ALL email with this check.  Does
            > > MailScanner examine messages in the hold queue and then
            > release them?
            > >
            >
            > MailScanner really examines messages in the HOLD queue
            > because all emails incoming/outgoing are tagged by
            > MailScanner as having scanned or I'm totally wrong?
            >


            While others might have better luck trying to divine why you're getting the spam, it's very difficult to do so with a couple of message snips (you haven't even included the full headers). However, as a guess, someone is spoofing the "creatives@..." to send spam, and now you're getting the backscatter. It could be any machine on the internet spoofing that address.

            As for Mailscanner, perhaps it's better to ask over on their support site. If you look at the Addons page on the postfix.org site, it says "* mailscanner system, works with Postfix and other MTAs. WARNING: This software uses unsupported methods to manipulate Postfix queue files directly. This will result in corruption or loss of mail. The mailscanner authors have sofar refused to discuss a proper access API or protocol."
          • kj
            Message 5 of 11, May 27, 2009
              jan gestre wrote:
              > I don't have anymore the logs from Postfix and I'm not sure if it
              > really is a backscatter problem, all I have right now is the
              > following:

              The message snippet is of no use. Can you post the full headers? That
              and a corresponding log entry should clear things up.

              From what you've said so far it sounds more likely to be a forged
              return-path/from, in which case adding and checking against SPF records
              would solve your issue.

              --kj
            • Sahil Tandon
              Message 6 of 11, May 27, 2009
                On Wed, 27 May 2009, kj wrote:

                > jan gestre wrote:
                >> I don't have anymore the logs from Postfix and I'm not sure if it
                >> really is a backscatter problem, all I have right now is the
                >> following:
                >
                > The message snippet is of no use. Can you post the full headers? That
                > and a corresponding log entry should clear things up.

                FWIW, the snippet alone hits Sanesecurity.Hdr.9913.UNOFFICIAL.

                --
                Sahil Tandon <sahil@...>
              • jan gestre
                Message 7 of 11, May 31, 2009
                  On Thu, May 28, 2009 at 8:37 PM, jan gestre <ipcopper.ph@...> wrote:
                  > On Wed, May 27, 2009 at 5:31 PM, kj
                  > <koffiejunkielistlurker@...> wrote:
                  >> jan gestre wrote:
                  >>>
                  >>> I don't have anymore the logs from Postfix and I'm not sure if it
                  >>> really is a backscatter problem, all I have right now is the
                  >>> following:
                  >>
                  >> The message snippet is of no use.  Can you post the full headers?  That and
                  >> a corresponding log entry should clear things up.
                  >>
                  >> From what you've said so far it sounds more likely to be a forged
                  >> return-path/from, in which case adding and checking against spf records
                  >> would solve your issue.
                  >>
                  >> --kj
                  >>
                  >
                  > I want to post here the complete message with headers but problem is
                  > it will take a while, I'm several kilometers away from this office and
                  > the on-site support guy still has not sent the message headers I've
                  > asked for.
                  >

                  sample header:

                  Received: from 55.Red-88-7-191.staticIP.rima-tde.net
                  (55.Red-88-7-191.staticIP.rima-tde.net [88.7.191.55])
                  by mail.example.com (Postfix) with ESMTP id 9DEC4148041
                  for <jmgarcia@...>; Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
                  Message-ID: <365683314256959.DTWIBJSCPDREBDG@...-88-7-191.staticIP.rima-tde.net>
                  From: "Jeanine" <jmgarcia@...>
                  To: jmgarcia@...
                  Subject: Check it now
                  MIME-Version: 1.0
                  Content-Type: text/html; charset="ISO-8859-1"
                  Content-Transfer-Encoding: 7bit
                  Date: Mon, 1 Jun 2009 08:58:53 +0800 (PHT)

                  The "received from" IP address is obviously not the company's real IP
                  address, and we have lots of emails like this.
                • Sahil Tandon
                  Message 8 of 11, May 31, 2009
                    On Mon, 01 Jun 2009, jan gestre wrote:

                    > >>> I don't have anymore the logs from Postfix and I'm not sure if it
                    > >>> really is a backscatter problem, all I have right now is the
                    > >>> following:
                    > >>
                    > >> The message snippet is of no use.  Can you post the full headers?  That and
                    > >> a corresponding log entry should clear things up.
                    > >>
                    > >> From what you've said so far it sounds more likely to be a forged
                    > >> return-path/from, in which case adding and checking against spf records
                    > >> would solve your issue.
                    > >>
                    > > I want to post here the complete message with headers but problem is
                    > > it will take a while, I'm several kilometers away from this office and
                    > > the on-site support guy still has not sent the message headers I've
                    > > asked for.
                    >
                    > sample header:
                    >
                    > Received: from 55.Red-88-7-191.staticIP.rima-tde.net
                    > (55.Red-88-7-191.staticIP.rima-tde.net [88.7.191.55])

                    Consider blocking at SMTP with the zen.spamhaus.org RBL.

                    > by mail.example.com (Postfix) with ESMTP id 9DEC4148041
                    > for <jmgarcia@...>; Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
                    > Message-ID: <365683314256959.DTWIBJSCPDREBDG@...-88-7-191.staticIP.rima-tde.net>
                    > From: "Jeanine" <jmgarcia@...>
                    > To: jmgarcia@...
                    > Subject: Check it now
                    > MIME-Version: 1.0
                    > Content-Type: text/html; charset="ISO-8859-1"
                    > Content-Transfer-Encoding: 7bit
                    > Date: Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
                    >
                    > The received from ip address is obviously not the company's real ip
                    > address, and we have lots of emails like this.

                    You omitted Return-Path:, but it probably matches the email address in the
                    From: header. If so, this is not backscatter at all. It is a typical
                    spammer tactic of sending email with sender equal to recipient. See archives
                    of this mailing list on how to prevent external (or untrusted) IPs/senders
                    from using your domain name(s) in the envelope from. Also note the
                    unintended consequences (also previously discussed on this list) of taking
                    such preventive action.

                    --
                    Sahil Tandon <sahil@...>
                  • kj
                    Message 9 of 11, Jun 1, 2009
                      jan gestre wrote:
                      > Received: from 55.Red-88-7-191.staticIP.rima-tde.net
                      > (55.Red-88-7-191.staticIP.rima-tde.net [88.7.191.55])
                      > by mail.example.com (Postfix) with ESMTP id 9DEC4148041
                      > for <jmgarcia@...>; Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
                      > Message-ID: <365683314256959.DTWIBJSCPDREBDG@...-88-7-191.staticIP.rima-tde.net>
                      > From: "Jeanine" <jmgarcia@...>
                      > To: jmgarcia@...
                      > Subject: Check it now
                      > MIME-Version: 1.0
                      > Content-Type: text/html; charset="ISO-8859-1"
                      > Content-Transfer-Encoding: 7bit
                      > Date: Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
                      >
                      > The received from ip address is obviously not the company's real ip
                      > address, and we have lots of emails like this.

                      This is just ordinary spam, not backscatter. If it were backscatter,
                      there would be a trace of a server having bounced it.

                      The above was sent from an IP that doesn't accept mail, and judging by
                      that PTR, it's not a real mail server anyway. If you were using
                      Spamhaus, it would have been rejected too - it's in PBL and XBL.

                      --kj
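The distinction Sahil and kj draw in the two replies above, as an added Python example that is not part of the thread: real backscatter is a bounce, so it arrives with the null envelope sender (Return-Path: <>), whereas the message posted in the thread carries the local domain in its sender and was handed in by a client outside mynetworks, which is the forged-sender pattern they describe. The function below applies exactly that distinction. mynetworks and the domain are taken from the postconf output in the first message; the sample messages are constructed (the first follows the shape of the header posted in the thread, with a made-up mailbox name); and the `authenticated` flag is an assumption standing in for a SASL login, which is how a roaming user keeps sending from outside once external use of the domain is blocked (the unintended consequence Sahil refers to).

```python
import ipaddress
import re
from email import message_from_string

# Values from the postconf -n output in the question.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("192.168.88.0/24", "127.0.0.0/8")]
MY_DOMAINS = {"example.com"}


def client_ip(msg):
    """Client address recorded in the topmost Received: header, i.e. the one
    our own MTA added. Returns None if no bracketed address is found."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[([0-9a-fA-F.:]+)\]", received[0])
    return ipaddress.ip_address(match.group(1)) if match else None


def client_address(raw_message):
    """Convenience wrapper: the client IP of a raw message as a string, or None."""
    ip = client_ip(message_from_string(raw_message))
    return None if ip is None else str(ip)


def triage(raw_message, authenticated=False):
    """Classify a message by its envelope sender and the client that sent it.

    authenticated=True models a client that passed SASL (assumption for this
    example); such clients may use the local domain from any IP.
    """
    msg = message_from_string(raw_message)
    return_path = msg.get("Return-Path")
    if return_path is None:
        return "no-envelope-info"
    return_path = return_path.strip()
    if return_path == "<>":
        # Null envelope sender: a bounce/DSN. This is what backscatter looks
        # like; the follow-up question is whether we ever sent the original.
        return "backscatter-candidate"
    ip = client_ip(msg)
    trusted = authenticated or (ip is not None and any(ip in net for net in MYNETWORKS))
    sender_domain = return_path.strip("<>").rpartition("@")[2].lower()
    if sender_domain in MY_DOMAINS and not trusted:
        # Our domain in the envelope sender, handed in by an untrusted client:
        # the sender-equals-recipient spam seen in the thread, not a bounce.
        return "forged-local-sender"
    return "ordinary"


# Constructed samples. The first follows the shape of the header posted in the
# thread; the mailbox names and the queue ids of the other two are made up.
FORGED_SENDER = """Return-Path: <jane@example.com>
Received: from 55.Red-88-7-191.staticIP.rima-tde.net (55.Red-88-7-191.staticIP.rima-tde.net [88.7.191.55])
    by mail.example.com (Postfix) with ESMTP id 9DEC4148041
    for <jane@example.com>; Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
From: "Jeanine" <jane@example.com>
To: jane@example.com
Subject: Check it now

(body)
"""

BOUNCE = """Return-Path: <>
Received: from mx.other.invalid (mx.other.invalid [203.0.113.5])
    by mail.example.com (Postfix) with ESMTP id 0000000000
    for <jane@example.com>; Mon, 1 Jun 2009 09:00:00 +0800 (PHT)
From: MAILER-DAEMON@other.invalid
To: jane@example.com
Subject: Undelivered Mail Returned to Sender

(body)
"""

INTERNAL = """Return-Path: <jane@example.com>
Received: from pc42.lan (pc42.lan [192.168.88.42])
    by mail.example.com (Postfix) with ESMTP id 0000000001
    for <bob@example.com>; Mon, 1 Jun 2009 09:05:00 +0800 (PHT)
From: jane@example.com
To: bob@example.com
Subject: lunch

(body)
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED_SENDER), ("bounce", BOUNCE), ("internal", INTERNAL)):
        print(f"{name:8s} client={client_address(raw)} -> {triage(raw)}")
```

The result is a triage label, not a verdict: a "backscatter-candidate" still has to be matched against the outbound logs to see whether the bounced original ever left this server, and a "forged-local-sender" is precisely the case that a sender restriction on external use of the domain would have rejected at SMTP time, subject to the caveat about users who send from outside without authenticating.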
                    • jan gestre
                      Message 10 of 11, Jun 1, 2009
                        On Tue, Jun 2, 2009 at 7:31 AM, kj
                        <koffiejunkielistlurker@...> wrote:
                        > jan gestre wrote:
                        >>
                        >> Received: from 55.Red-88-7-191.staticIP.rima-tde.net
                        >> (55.Red-88-7-191.staticIP.rima-tde.net [88.7.191.55])
                        >>     by mail.example.com (Postfix) with ESMTP id 9DEC4148041
                        >>     for <jmgarcia@...>; Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
                        >> Message-ID:
                        >> <365683314256959.DTWIBJSCPDREBDG@...-88-7-191.staticIP.rima-tde.net>
                        >> From: "Jeanine" <jmgarcia@...>
                        >> To: jmgarcia@...
                        >> Subject: Check it now
                        >> MIME-Version: 1.0
                        >> Content-Type: text/html; charset="ISO-8859-1"
                        >> Content-Transfer-Encoding: 7bit
                        >> Date: Mon, 1 Jun 2009 08:58:53 +0800 (PHT)
                        >>
                        >> The received from ip address is obviously not the company's real ip
                        >> address, and we have lots of emails like this.
                        >
                        > This is just ordinary spam, not backscatter.  If it was backscatter, there
                        > would be trace of a server having bounced it.
                        >
                        > The above was sent from an IP that doesn't accept mail, and judging by that
                        > PTR, it's not a real mail server anyway.  If you were using Spamhaus, it
                        > would have been rejected too - it's in PBL and XBL.
                        >
                        > --kj
                        >

                        Hi KJ,

                        That's the funny thing, I'm using sbl-xbl spamhaus as well as
                        spamcop.net but it wasn't blocked, I've now changed it to zen, I'm not
                        sure though if it would have any effect.

                        Regards,

                        Jan
                      • Sahil Tandon
                        Message 11 of 11, Jun 1, 2009
                          On Tue, 02 Jun 2009, jan gestre wrote:

                          > That's the funny thing, I'm using sbl-xbl spamhaus as well as
                          > spamcop.net but it wasn't blocked, I've now changed it to zen, I'm not
                          > sure though if it would have any effect.

                          The IP is not listed on SBL and was only listed on CBL (ergo XBL) at
                          2009-06-01 14:00 GMT; you received it before then. If you had been using
                          PBL (or better, Zen), then it might've been blocked.

                          --
                          Sahil Tandon <sahil@...>