
Wait if downstream MTA accepts mail - reject if not

  • Sebastian Wiesinger
    Message 1 of 6 , May 8, 2014
      Hello,

      I have some users that forward their mail to GMAIL. This is
      implemented with virtual alias maps. So postfix forwards:

      user@... -> example.user@...

      The problem is when SPAM mails get through all the postfix defences
      and get forwarded to GMAIL. GMAIL does some body checks and rejects
      the mail like this:

      relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25,
      delay=3.8, delays=2.7/0.01/0.51/0.6, dsn=5.7.0, status=bounced (host
      gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b] said: 552-5.7.0
      This message was blocked because its content presents a potential
      552-5.7.0 security issue. Please visit 552-5.7.0
      http://support.google.com/mail/bin/answer.py?answer=6590 to review
      our 552 5.7.0 message content and attachment content guidelines.
      f45si10647314eet.279 - gsmtp (in reply to end of DATA command))

      Now postfix generates a bounce message which 99.9% of the time will
      not be deliverable (because sender is faked) and just sit in the queue
      for five days.

      Question is, is there a way to prevent this from happening (if
      possible without using sender verification)?

      Something like relaying the error back to the client (delay accepting
      the mail until downstream MTA has accepted it as well) or not
      generating a non-delivery notification... I can't figure out if that
      is possible with postfix.


      Regards

      Sebastian


      --
      GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
      'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
      -- Terry Pratchett, The Fifth Elephant
    • Marius Gologan
      Message 2 of 6 , May 8, 2014
        Filtering your inbound traffic for spam and malware will prevent these cases
        (malicious messages will not be forwarded).

        Marius.

        -----Original Message-----
        From: owner-postfix-users@...
        [mailto:owner-postfix-users@...] On Behalf Of Sebastian Wiesinger
        Sent: Friday, May 9, 2014 12:02 AM
        To: Postfix Users
        Subject: Wait if downstream MTA accepts mail - reject if not

        Hello,

        I have some users that forward their mail to GMAIL. This is implemented with
        virtual alias maps. So postfix forwards:

        user@... -> example.user@...

        The problem is when SPAM mails get through all the postfix defences and get
        forwarded to GMAIL. GMAIL does some body checks and rejects the mail like
        this:

        relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25,
        delay=3.8, delays=2.7/0.01/0.51/0.6, dsn=5.7.0, status=bounced (host
        gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b] said: 552-5.7.0 This
        message was blocked because its content presents a potential
        552-5.7.0 security issue. Please visit 552-5.7.0
        http://support.google.com/mail/bin/answer.py?answer=6590 to review our 552
        5.7.0 message content and attachment content guidelines.
        f45si10647314eet.279 - gsmtp (in reply to end of DATA command))

        Now postfix generates a bounce message which 99.9% of the time will not be
        deliverable (because sender is faked) and just sit in the queue for five
        days.

        Question is, is there a way to prevent this from happening (if possible
        without using sender verification)?

        Something like relaying the error back to the client (delay accepting the
        mail until downstream MTA has accepted it as well) or not generating a
        non-delivery notification... I can't figure out if that is possible with
        postfix.


        Regards

        Sebastian


        --
        GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
        'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
        SCYTHE.
        -- Terry Pratchett, The Fifth Elephant
      • Wietse Venema
        Message 3 of 6 , May 8, 2014
          Sebastian Wiesinger:
          > Hello,
          >
          > I have some users that forward their mail to GMAIL. This is
          > implemented with virtual alias maps. So postfix forwards:
          >
          > user@... -> example.user@...
          >
          > The problem is when SPAM mails get through all the postfix defences
          > and get forwarded to GMAIL. GMAIL does some body checks and rejects
          > the mail like this:

          It is common for people to forward all mail including spam to Gmail,
          and to discover that some of non-spam mail is not delivered as
          expected.

          If you wait for Gmail to reject mail then it is already too late.

          The solution is "do not forward SPAM". Sorry, there is no simple
          solution.

          Wietse
        • Sebastian Wiesinger
          Message 4 of 6 , May 8, 2014
            * Wietse Venema <wietse@...> [2014-05-08 23:36]:
            > Sebastian Wiesinger:
            > > Hello,
            > >
            > > I have some users that forward their mail to GMAIL. This is
            > > implemented with virtual alias maps. So postfix forwards:
            > >
            > > user@... -> example.user@...
            > >
            > > The problem is when SPAM mails get through all the postfix defences
            > > and get forwarded to GMAIL. GMAIL does some body checks and rejects
            > > the mail like this:
            >
            > It is common for people to forward all mail including spam to Gmail,
            > and to discover that some of non-spam mail is not delivered as
            > expected.

            I already have RBL checks any other policy in place that prevents most
            of the SPAM/Malware being accepted, but sometimes Google is more
            strict / has more advanced filtering it seems.

            > If you wait for Gmail to reject mail then it is already too late.
            >
            > The solution is "do not forward SPAM". Sorry, there is no simple
            > solution.

            Yeah, that was kind of expected. Thanks for the reply anyway.

            Regards

            Sebastian

            --
            GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
            'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant
          • Marius Gologan
            Message 5 of 6 , May 8, 2014
              RBLs will not protect you against exploited accounts sending malicious
              emails from popular providers (IPs with good reputation).
              In your particular case, gmail's rejection might be caused by a .zip file
              containing .exe or .scr file.

              Marius.

              -----Original Message-----
              From: owner-postfix-users@...
              [mailto:owner-postfix-users@...] On Behalf Of Sebastian Wiesinger
              Sent: Friday, May 9, 2014 1:02 AM
              To: Postfix Users
              Subject: Re: Wait if downstream MTA accepts mail - reject if not

              * Wietse Venema <wietse@...> [2014-05-08 23:36]:
              > Sebastian Wiesinger:
              > > Hello,
              > >
              > > I have some users that forward their mail to GMAIL. This is
              > > implemented with virtual alias maps. So postfix forwards:
              > >
              > > user@... -> example.user@...
              > >
              > > The problem is when SPAM mails get through all the postfix defences
              > > and get forwarded to GMAIL. GMAIL does some body checks and rejects
              > > the mail like this:
              >
              > It is common for people to forward all mail including spam to Gmail, and
              > to discover that some of non-spam mail is not delivered as expected.

              I already have RBL checks any other policy in place that prevents most of
              the SPAM/Malware being accepted, but sometimes Google is more strict / has
              more advanced filtering it seems.

              > If you wait for Gmail to reject mail then it is already too late.
              >
              > The solution is "do not forward SPAM". Sorry, there is no simple
              > solution.

              Yeah, that was kind of expected. Thanks for the reply anyway.

              Regards

              Sebastian

              --
              GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
              'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE
              SCYTHE.
              -- Terry Pratchett, The Fifth Elephant
            • Viktor Dukhovni
              Message 6 of 6 , May 8, 2014
                On Fri, May 09, 2014 at 12:01:43AM +0200, Sebastian Wiesinger wrote:

                > I already have RBL checks any other policy in place that prevents most
                > of the SPAM/Malware being accepted, but sometimes Google is more
                > strict / has more advanced filtering it seems.

                You may also need content-based filters, though those are not
                perfect either, they should be able to cut the spam volume down
                further (if you're not already doing that too).

                --
                Viktor.
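
Added example, not part of the thread: the delivery log line in the first message shows what a content rejection of a forwarded message looks like (a 5.x.x reply at end of DATA, after Postfix has already accepted the mail). The script below pulls such events out of a Postfix log and ties each one to the non-delivery notification it produced, so the aliases that generate the stuck bounces can be identified. The sample log, queue IDs, hostnames and addresses are constructed, and short hexadecimal queue IDs are assumed.

```python
import re
from collections import Counter

# Constructed sample log: queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
May  8 23:01:10 mx postfix/smtp[2101]: 3F1A22C0A1: to=<example.user@gmail.example>, orig_to=<user@example.com>, relay=gmail-smtp-in.l.google.com[2001:db8::1b]:25, delay=3.8, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[2001:db8::1b] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. (in reply to end of DATA command))
May  8 23:01:10 mx postfix/bounce[2102]: 3F1A22C0A1: sender non-delivery notification: 4B2C33D0B2
May  8 23:02:41 mx postfix/smtp[2101]: 5C3D44E0C3: to=<example.user@gmail.example>, orig_to=<user@example.com>, relay=gmail-smtp-in.l.google.com[2001:db8::1b]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
May  8 23:03:05 mx postfix/smtp[2103]: 6D4E55F0D4: to=<bob@other.example>, relay=mx.other.example[192.0.2.25]:25, delay=0.9, dsn=5.1.1, status=bounced (host mx.other.example[192.0.2.25] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
May  8 23:04:17 mx postfix/smtp[2101]: 7E5F6601E5: to=<second.user@gmail.example>, orig_to=<info@example.com>, relay=gmail-smtp-in.l.google.com[2001:db8::1b]:25, delay=2.0, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[2001:db8::1b] said: 552 5.7.0 content rejected (in reply to end of DATA command))
"""

DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, "
    r"(?:orig_to=<(?P<orig_to>[^>]*)>, )?relay=(?P<relay>[^\[,]+).*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reply>.*)\)$")
NDN = re.compile(r"postfix/bounce\[\d+\]: (?P<qid>[0-9A-F]+): "
                 r"sender non-delivery notification: (?P<ndn>[0-9A-F]+)")

def forwarded_content_rejects(log_text):
    """Return forwarded deliveries the next hop refused after DATA, with the NDN queue ID."""
    rejects, ndn_for = [], {}
    for line in log_text.splitlines():
        m = NDN.search(line)
        if m:
            ndn_for[m["qid"]] = m["ndn"]
            continue
        m = DELIVERY.search(line)
        if (m and m["orig_to"] and m["status"] == "bounced"  # orig_to: alias-expanded
                and m["dsn"].startswith("5")
                and "in reply to end of DATA command" in m["reply"]):
            rejects.append(m.groupdict())
    for r in rejects:
        r["ndn_qid"] = ndn_for.get(r["qid"])  # None: no bounce logged for it
    return rejects

def rejects_per_alias(rejects):
    """Count post-DATA rejections per original (pre-alias) recipient."""
    return Counter(r["orig_to"] for r in rejects)

if __name__ == "__main__":
    found = forwarded_content_rejects(SAMPLE_LOG)
    for r in found:
        print(r["qid"], r["orig_to"], "->", r["to"], r["dsn"], "NDN:", r["ndn_qid"])
    print(dict(rejects_per_alias(found)))
```
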