Re: "mail forwarding loop" from certain spam only
On Wed, Nov 28, 2012 at 04:02:57PM -0600, Noel Jones wrote:
> On 11/28/2012 1:17 PM, Will Yardley wrote:
> > I'm having a problem where messages are accepted but then seem to
> > generate a mail forwarding loop. It seems to happen a lot with mail
> > from a particular spammer.
> There was a discussion earlier this month about some spammer including
> a Delivered-To: header in their spam. Postfix local(8) uses this
> header to detect loops and will bounce messages with a Delivered-To:
> header equal to the current recipient.

Thanks. I was tearing my hair out about this one, and couldn't see
anything really obviously weird in the raw message, but this explanation
I will poke through the archives and see if any of the nasty solutions
might help, now that I have an idea of what to look for. Our
architecture is fairly simple, so may be able to just unset
$nested_header_checks and define a header check to block these.
You are right that the messages have 'Delivered-To' headers set to the
user's address, and I can reproduce this behavior with later Postfix
versions as well.
> > The To: header in the raw email as viewed in postcat looks like this:
> > To: foo@... <foo@...>
> Postfix doesn't use To: headers for delivery, only envelope information.

Right, I understand that, and could see that the env recipient looked
correct in the logs -- it just stood out, esp. since Postfix does seem
to rewrite it before delivering it if I send a test message with similar
> > Nov 27 05:05:47 hostname postfix/smtpd: 0C18B32807B: client=ajaxkottely.info[184.108.40.206]
> This client is listed in the zen and barracudacentral RBLs today,
> maybe they weren't listed yet yesterday. You are using some RBLs?

Just an example, but yes, we do use some RBLs, including Zen. We have
classes which allow users to choose a more or less restrictive policy
(or no blocking), but this user does have our recommended class. At this
time, I'm seeing this particular source in zen [from one of our SMTP
servers this morning]:
$ dig 220.127.116.11.zen.spamhaus.org +sh
However, my guess is that they've already started sending from other IPs
that aren't blocked in major blocklists - don't see any new mail from
that source today. Also have some messages from back on 18.104.22.168
(also listed) from back on Tues.
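Added example (not from the thread or from Postfix itself): a small Python check that reproduces the local(8) loop condition described above (a Delivered-To header equal to the envelope recipient) and the header_checks-style test that would have blocked the spam on arrival. The sample message, the local domain example.com and the sender address are constructed.

```python
# Added example, not code from the postfix-users thread or from Postfix.
import email
from email import policy

# Constructed sample: inbound spam already carrying a Delivered-To header
# for the final recipient, which is what makes local(8) report a loop.
SPAM = b"""Delivered-To: foo@example.com
From: sender@ajaxkottely.example
To: foo@example.com <foo@example.com>
Subject: constructed sample

body
"""

# Assumed set of domains this server delivers locally (not from the thread).
LOCAL_DOMAINS = {"example.com"}


def delivered_to_loop(raw: bytes, envelope_rcpt: str) -> bool:
    """True if any Delivered-To header equals the envelope recipient
    (case-insensitive), the condition local(8) treats as a forwarding loop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    rcpt = envelope_rcpt.strip().lower()
    return any(h.strip().lower() == rcpt for h in msg.get_all("Delivered-To", []))


def forged_delivered_to(raw: bytes) -> bool:
    """True if a message arriving from outside already names one of our own
    domains in Delivered-To. Legitimate inbound mail never does, because
    local(8) adds that header only at final delivery, so rejecting it in
    smtpd header_checks (e.g. a PCRE rule such as
    /^Delivered-To:.*@example\\.com$/ REJECT forged Delivered-To) is safe."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for h in msg.get_all("Delivered-To", []):
        domain = h.strip().lower().rpartition("@")[2]
        if domain in LOCAL_DOMAINS:
            return True
    return False
```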