On Wed, Nov 28, 2012 at 04:02:57PM -0600, Noel Jones wrote:
> On 11/28/2012 1:17 PM, Will Yardley wrote:
> > I'm having a problem where messages are accepted but then seem to
> > generate a mail forwarding loop. It seems to happen a lot with mail
> > from a particular spammer.
> There was a discussion earlier this month about some spammer including
> a Delivered-To: header in their spam. Postfix local(8) uses this
> header to detect loops and will bounce messages with a Delivered-To:
> header equal to the current recipient.
Thanks. I was tearing my hair out about this one, and couldn't see
anything really obviously weird in the raw message, but this explanation
I will poke through the archives and see if any of the nasty solutions
might help, now that I have an idea of what to look for. Our
architecture is fairly simple, so may be able to just unset
$nested_header_checks and define a header check to block these.
You are right that the messages have 'Delivered-To' headers set to the
user's address, and I can reproduce this behavior with later Postfix
versions as well.
> > The To: header in the raw email as viewed in postcat looks like this:
> > To: foo@... <foo@...>
> Postfix doesn't use To: headers for delivery, only envelope information.
Right, I understand that, and could see that the env recipient looked
correct in the logs -- it just stood out, esp. since Postfix does seems
to rewrite it before delivering it if I send a test message with similar
> > Nov 27 05:05:47 hostname postfix/smtpd: 0C18B32807B: client=ajaxkottely.info[188.8.131.52]
> This client is listed in the zen and barracudacentral RBLs today,
> maybe they weren't listed yet yesterday. You are using some RBLs?
Just an example, but yes, we do use some RBLs, including Zen. We have
classes which allow users to choose a more or less restrictive policy
(or no blocking), but this user does have our recommended class. At this
time, I'm seeing this particular source in zen [from one of our SMTP
servers this morning]:
$ dig 184.108.40.206.zen.spamhaus.org +sh
However, my guess is that they've already started sending from other IPs
that aren't blocked in major blocklists - don't see any new mail from
that source today. Also have some messages from back on 220.127.116.11
(also listed) from back on Tues.