Old 04-14-2008, 11:25 AM   #1
carlosinfl
Backscatter Email (Postfix)


I am afraid my server is getting "backscatter" and was looking at:

http://www.postfix.org/BACKSCATTER_README.html#wtf

If you read the section that tells you how to check if your server is getting
Quote:
With Postfix, you know that you're a backscatter victim when your logfile goes on and on like this:

Dec 4 04:30:09 hostname postfix/smtpd[58549]: NOQUEUE: reject:
RCPT from xxxxxxx[x.x.x.x]: 550 5.1.1 <yyyyyy@your.domain.here>:
Recipient address rejected: User unknown; from=<>
to=<yyyyyy@your.domain.here> proto=ESMTP helo=<zzzzzz>
I did a check on my logs and found:

Code:
grep "from=<>" /var/log/maillog
Apr 14 10:03:54 mail postfix/qmgr[5484]: AC55A15C057: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 10:08:32 mail postfix/qmgr[5484]: 1D57115C059: from=<>, size=52186, nrcpt=1 (queue active)
Apr 14 10:11:19 mail postfix/qmgr[5484]: E8CA215C044: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 10:17:31 mail postfix/cleanup[8390]: B64E815C039: reject: header Subject: 15% off watches from unknown[192.168.0.164]; from=<> to=<HQbailym@thehastingscenter.org> proto=ESMTP helo=<miller>: SPAM
Apr 14 10:20:38 mail postfix/qmgr[5484]: 93F8D15C039: from=<>, size=11687, nrcpt=1 (queue active)
Apr 14 10:20:38 mail postfix/qmgr[5484]: CD0D915C042: from=<>, size=12162, nrcpt=1 (queue active)
Apr 14 10:27:59 mail postfix/qmgr[5484]: AC55A15C057: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 10:27:59 mail postfix/qmgr[5484]: 436F215C046: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 10:30:14 mail postfix/qmgr[5484]: 9FF6915C059: from=<>, size=3795, nrcpt=1 (queue active)
Apr 14 10:32:37 mail postfix/cleanup[9409]: 2B7DA15C05D: reject: header To: undisclosed-recipients:; from unknown[192.168.0.164]; from=<> to=<dfoo@example.org> proto=ESMTP helo=<miller>: My name isn't Undisclosed Recipients.
Apr 14 10:52:59 mail postfix/qmgr[5484]: E8CA215C044: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 10:55:33 mail postfix/qmgr[5484]: 3008315C039: from=<>, size=4220, nrcpt=1 (queue active)
Apr 14 11:01:19 mail postfix/qmgr[5484]: AC55A15C057: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 11:01:29 mail postfix/qmgr[5484]: 6E35C15C059: from=<>, size=4875, nrcpt=1 (queue active)
Apr 14 11:03:55 mail postfix/qmgr[5484]: 38A9815C059: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 11:09:39 mail postfix/qmgr[5484]: 436F215C046: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 11:10:24 mail postfix/qmgr[5484]: A63FB15C05D: from=<>, size=52743, nrcpt=1 (queue active)
Apr 14 11:11:43 mail postfix/qmgr[5484]: 4602715C061: from=<>, size=39053, nrcpt=1 (queue active)
Apr 14 11:20:35 mail postfix/qmgr[5484]: 2E8D615C039: from=<>, size=6106, nrcpt=1 (queue active)
Apr 14 11:20:35 mail postfix/qmgr[5484]: 9CF2E15C05C: from=<>, size=6573, nrcpt=1 (queue active)
Apr 14 11:26:19 mail postfix/qmgr[5484]: 38A9815C059: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 11:30:42 mail postfix/qmgr[5484]: 3B17F15C039: from=<>, size=1956, nrcpt=1 (queue active)
Apr 14 11:30:42 mail postfix/qmgr[5484]: 5A9A915C05C: from=<>, size=2407, nrcpt=1 (queue active)
Apr 14 11:31:21 mail postfix/qmgr[24523]: E8CA215C044: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 11:33:54 mail postfix/qmgr[24523]: F065E15C064: from=<>, size=1958, nrcpt=1 (queue active)
Apr 14 11:33:54 mail postfix/qmgr[24523]: 3A63B15C05C: from=<>, size=2409, nrcpt=1 (queue active)
Apr 14 11:39:02 mail postfix/cleanup[24573]: 9295015C061: reject: header X-Mailer: The Bat! (v2.10.01) Educational from unknown[192.168.0.164]; from=<> to=<leqpelfukig@pelfu.com> proto=ESMTP helo=<miller>: We do not accept email sent using this program.
Apr 14 11:39:41 mail postfix/qmgr[24523]: AC55A15C057: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 11:43:24 mail postfix/qmgr[24523]: 64DC615C05C: from=<>, size=1946, nrcpt=1 (queue active)
Apr 14 11:43:24 mail postfix/qmgr[24523]: 76BF115C061: from=<>, size=2397, nrcpt=1 (queue active)
Apr 14 11:48:01 mail postfix/qmgr[24523]: 436F215C046: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 11:56:21 mail postfix/qmgr[24523]: 38A9815C059: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 12:03:52 mail postfix/qmgr[24523]: 615C215C064: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 12:13:01 mail postfix/qmgr[24523]: E8CA215C044: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 12:17:54 mail postfix/qmgr[24523]: EE0A915C061: from=<>, size=4181, nrcpt=1 (queue active)
Apr 14 12:21:21 mail postfix/qmgr[24523]: AC55A15C057: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 12:21:21 mail postfix/qmgr[24523]: 615C215C064: from=<>, size=3419, nrcpt=1 (queue active)
Anyone know what I can do to resolve this or even be sure what I am seeing in my logs "is" officially backscatter based on the link I provided?
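Added example (editor's addition, not part of the original post): the BACKSCATTER_README signature quoted above is an smtpd "NOQUEUE: reject" of a message with a null envelope sender (from=<>) coming from a remote client, that is, mail refused at RCPT time and never queued. The lines posted above are of two other kinds: qmgr "(queue active)" entries, which mean this server has a null-sender message in its own queue and is delivering it (locally or outbound), and cleanup rejects from header_checks. The script below sorts a maillog into those three buckets so the two questions, "am I receiving backscatter?" and "am I sending null-sender mail?", can be answered separately. The sample log is constructed: the smtpd lines mirror the README's example, the others are shaped like the posted ones with made-up IDs, addresses and client IPs.

```shell
#!/bin/sh
# Added example: bucket "from=<>" maillog lines by which Postfix daemon logged them.
# Not from the thread; sample lines below are constructed (IDs, hosts and addresses
# are placeholders, the smtpd lines follow the BACKSCATTER_README example).

SAMPLE_LOG='Apr 14 10:03:54 mail postfix/qmgr[5484]: AC55A15C057: from=<>, size=3419, nrcpt=1 (queue active)
Apr 14 10:17:31 mail postfix/cleanup[8390]: B64E815C039: reject: header Subject: 15% off watches from unknown[192.168.0.164]; from=<> to=<HQbailym@thehastingscenter.org> proto=ESMTP helo=<miller>: SPAM
Apr 14 10:20:38 mail postfix/qmgr[5484]: 93F8D15C039: from=<>, size=11687, nrcpt=1 (queue active)
Apr 14 10:31:02 mail postfix/smtpd[58549]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown; from=<> to=<nobody@example.org> proto=ESMTP helo=<zzzzzz>
Apr 14 10:31:05 mail postfix/smtpd[58549]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <random@example.org>: Recipient address rejected: User unknown; from=<> to=<random@example.org> proto=ESMTP helo=<zzzzzz>
Apr 14 10:40:00 mail postfix/smtpd[58550]: 1A2B315C070: client=mail.example.net[198.51.100.9]'

# classify_null_sender: read maillog lines on stdin and print one summary line.
#   victim_rejects  smtpd refused null-sender mail at RCPT time (the README's
#                   backscatter-victim signature; costs log space, nothing else)
#   cleanup_rejects accepted by smtpd, then refused by header_checks in cleanup
#   queued_null     null-sender messages the queue manager is delivering, i.e.
#                   bounces/DSNs this server is sending (locally or outbound)
classify_null_sender() {
    awk '
        BEGIN { victim = 0; cleanup = 0; queued = 0 }
        /from=<>/ {
            if ($0 ~ /postfix\/smtpd\[[0-9]+\]: NOQUEUE: reject:/)          victim++
            else if ($0 ~ /postfix\/cleanup\[[0-9]+\]: [0-9A-F]+: reject:/) cleanup++
            else if ($0 ~ /postfix\/qmgr\[[0-9]+\]: [0-9A-F]+: from=<>,/)   queued++
        }
        END { printf "victim_rejects=%d cleanup_rejects=%d queued_null=%d\n", victim, cleanup, queued }
    '
}

# Run on the constructed sample. On a real box: classify_null_sender < /var/log/maillog
printf '%s\n' "$SAMPLE_LOG" | classify_null_sender
```

A high victim_rejects count with no queued_null is the situation the README describes and nothing needs fixing. A steady stream of queued_null entries is the other case: the server itself is emitting null-sender mail, and the queue IDs on those lines can be followed through the log (grep the ID) to see which recipient each bounce is going to and what generated it.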
 
Old 04-14-2008, 02:07 PM   #2
datopdog
Code:
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
unknown_local_recipient_reject_code = 550
Code:
smtpd_recipient_restrictions =
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_recipient_domain
        reject_unknown_sender_domain
        reject_unverified_recipient
        reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_invalid_hostname
 
Old 04-14-2008, 02:25 PM   #3
carlosinfl
Original Poster
Thanks for the reply. I am guessing you're recommending those entries for my main.cf:

Here is what I have:

Code:
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access dbm:/etc/postfix/client_blacklist,
        check_sender_access hash:/etc/postfix/access,
        check_policy_service inet:127.0.0.1:12525,
        reject_non_fqdn_recipient,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        reject_unauth_pipelining,
        reject_unlisted_recipient,
        reject_unverified_sender,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client unconfirmed.dsbl.org,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client spam.dnsrbl.org,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client dun.dnsrbl.net,
        reject_rbl_client vox.schpider.com,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        permit
From the top 3, I only have: unknown_local_recipient_reject_code = 550

Where should I append the 2 I don't have? Can I just add them to the very bottom of main.cf or do they need to sit under a specific parameter?
 
Old 04-15-2008, 02:00 AM   #4
datopdog
No, they don't have to sit anywhere specific. And yes, you need them in main.cf.
 
Old 04-15-2008, 07:41 AM   #5
carlosinfl
Original Poster
Thanks. So I added this last night and did a postfix reload to make sure the changes made to my main.cf were recognized. So I decided to check my logs this morning and see if I can still see the issue and here is what I found...

Code:
Apr 15 07:44:19 mail postfix/qmgr[5810]: 35CE915C05C: from=<>, size=3419, nrcpt=1 (queue active)
Apr 15 07:44:19 mail postfix/qmgr[5810]: 4294215C044: from=<>, size=3419, nrcpt=1 (queue active)
Apr 15 07:52:39 mail postfix/qmgr[5810]: E4FB215C057: from=<>, size=3419, nrcpt=1 (queue active)
Apr 15 07:52:39 mail postfix/qmgr[5810]: 6B17A15C040: from=<>, size=3419, nrcpt=1 (queue active)
Apr 15 08:03:50 mail postfix/qmgr[5810]: E1D9A15C040: from=<>, size=3419, nrcpt=1 (queue active)
Apr 15 08:05:18 mail postfix/qmgr[5810]: EAF0315C02E: from=<>, size=1710, nrcpt=1 (queue active)
Apr 15 08:05:18 mail postfix/qmgr[5810]: 1636C15C046: from=<>, size=2181, nrcpt=1 (queue active)
Apr 15 08:05:18 mail postfix/qmgr[5810]: 3B2C115C02E: from=<>, size=1710, nrcpt=1 (queue active)
Apr 15 08:05:18 mail postfix/qmgr[5810]: 6020715C056: from=<>, size=2181, nrcpt=1 (queue active)
Apr 15 08:16:34 mail postfix/qmgr[5810]: 1232D15C02D: from=<>, size=1815, nrcpt=1 (queue active)
Apr 15 08:16:35 mail postfix/qmgr[5810]: E564E15C02E: from=<>, size=2266, nrcpt=1 (queue active)
Apr 15 08:16:35 mail postfix/qmgr[5810]: 0A23C15C044: from=<>, size=2404, nrcpt=1 (queue active)
Apr 15 08:19:08 mail postfix/qmgr[5810]: B17C715C02D: from=<>, size=3341, nrcpt=1 (queue active)
Apr 15 08:19:08 mail postfix/qmgr[5810]: 2D65A15C02E: from=<>, size=3800, nrcpt=1 (queue active)
Apr 15 08:25:59 mail postfix/qmgr[5810]: E1D9A15C040: from=<>, size=3419, nrcpt=1 (queue active)
Apr 15 08:31:59 mail postfix/qmgr[5810]: D33C115C02D: from=<>, size=3340, nrcpt=1 (queue active)
Apr 15 08:31:59 mail postfix/qmgr[5810]: 54D5415C02E: from=<>, size=3799, nrcpt=1 (queue active)
It appears I still have several of them throughout the morning over and over.

Perhaps I can post my main.cf in postconf -n output and you can tell me if I did anything wrong as I don't see any impact of changes made yet...

Code:
alias_database = hash:/etc/postfix/aliases, hash:/etc/mailman/aliases
alias_maps = hash:/etc/postfix/aliases, hash:/etc/mailman/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
command_time_limit = 1400
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
default_destination_recipient_limit = 100
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 40000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 175
maximal_backoff_time = 2000s
message_size_limit = 10240000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.example.org
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
proxy_interfaces = 12.16.141.11
qmgr_message_active_limit = 20000
queue_directory = /var/spool/postfix
queue_run_delay = 500s
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = example.net, example.com
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client safe.dnsbl.sorbs.net, reject_rbl_client list.dsbl.org
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access, regexp:/etc/postfix/helo.regexp
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/access, hash:/etc/postfix/sender_restrictions, check_sender_access hash:/etc/postfix/siteoverride, reject_unknown_sender_domain, reject_non_fqdn_sender, permit
smtpd_soft_error_limit = 4
smtpd_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/mail.example.org.crt
smtpd_tls_key_file = /etc/httpd/conf/ssl.key/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
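Added example (editor's addition, not from the thread): the question in #3 (can the two reject-code parameters just go at the bottom of main.cf?) and the odd smtpd_banner value in the postconf -n output above, which carries a whole debugger_command setting inside it, both come down to how Postfix reads main.cf. Per postconf(5), a logical line starts in column 1, a line that begins with whitespace continues the previous logical line, and when a parameter is defined more than once the last definition is the one in effect. The awk parser below applies those rules to a constructed main.cf excerpt. Its indented debugger_command line is an assumption about how a fused value like the one above could arise, not something the thread confirms; the duplicated smtpd_recipient_restrictions shows why the restrictions listed in #3 can differ from what postconf -n reports. Comment handling is simplified to a "#" in column 1.

```shell
#!/bin/sh
# Added example: resolve a main.cf parameter the way Postfix does.
#   - a line starting with whitespace continues the previous logical line
#   - "#" in column 1 starts a comment line (simplified; good enough here)
#   - a later "name = value" replaces an earlier one
# The excerpt below is constructed; the indented debugger_command line is an
# assumption about how a fused smtpd_banner value can arise.

SAMPLE_MAIN_CF='# constructed main.cf excerpt
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unverified_sender,
        permit
smtpd_banner = $myhostname ESMTP
  debugger_command = PATH=/bin:/usr/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
unknown_local_recipient_reject_code = 550
# appended later at the bottom of the file: this definition wins
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
unverified_sender_reject_code = 550'

# main_cf_value NAME: read main.cf text on stdin, print the effective value of
# NAME (empty if never set). Continuation lines are joined with single spaces.
main_cf_value() {
    awk -v want="$1" '
        /^#/ { next }                                   # comment line
        /^[ \t]/ {                                      # continuation of previous logical line
            if (name == "") next
            line = $0; sub(/^[ \t]+/, "", line)
            val[name] = (val[name] == "") ? line : val[name] " " line
            next
        }
        /^[^=]+=/ {                                     # new logical line: name = value
            name = $0; sub(/[ \t]*=.*/, "", name)
            v = $0;    sub(/^[^=]*=[ \t]*/, "", v)
            val[name] = v                               # later definition replaces earlier
            next
        }
        END { print val[want] }
    '
}

# Show the two effects on the constructed excerpt.
# On a real box compare with: postconf -n smtpd_banner smtpd_recipient_restrictions
printf '%s\n' "$SAMPLE_MAIN_CF" | main_cf_value smtpd_banner
printf '%s\n' "$SAMPLE_MAIN_CF" | main_cf_value smtpd_recipient_restrictions
```

So the answer to #3 is yes, new parameters can go at the bottom, provided each starts in column 1 and is not already defined elsewhere in the file with a different value; postconf -n is the authoritative view of what Postfix actually loaded, which is why checking it after a reload, as done in #5, is the right move.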
 
Old 04-15-2008, 07:50 AM   #6
datopdog
Try sending mail to an unknown user and see if it gets accepted and then an NDR sent.
 
Old 04-15-2008, 09:00 AM   #7
carlosinfl
Original Poster
Email sent to an unknown user gets a valid delivery failure back to the sender...

Quote:
This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

foo@example.org

Technical details of permanent failure:
PERM_FAILURE: Gmail tried to deliver your message, but it was rejected by the recipient domain. The error that the other server returned was: 550 550 <foo@example.org>: Recipient address rejected: User unknown in local recipient table. We recommend contacting the other email provider for further information about the cause of this error. Thanks for your continued support. (state 14)

----- Original message -----
 
Old 04-15-2008, 09:04 AM   #8
datopdog
I think Postfix is doing the correct thing because it's rejecting the message at SMTP time with a 550, so there should be no need to send from <>. I am thinking what you are seeing in the logs was stuff that was accepted before you made the changes. Flush the queue and remove any messages that cannot be flushed, then monitor again.
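Added example (editor's addition, not from the thread): #8 says to flush the queue and remove what cannot be delivered. Null-sender messages appear in `postqueue -p` (or `mailq`) output with the sender shown as MAILER-DAEMON. The function below pulls their queue IDs out of that listing using the same field layout the postsuper(1) man page's own "delete by sender/recipient" example relies on, so the list can be reviewed and then handed to `postsuper -d -`. The sample queue listing is constructed (IDs and addresses are placeholders).

```shell
#!/bin/sh
# Added example: list queue IDs of null-sender (MAILER-DAEMON) messages from
# mailq/postqueue -p output. Not from the thread; the listing is constructed.
# Layout per postsuper(1): with awk paragraph mode each message is one record,
# $1 = queue ID (with a trailing * for active or ! for held), $7 = sender.

SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
AC55A15C057*    3419 Mon Apr 14 10:03:54  MAILER-DAEMON
                                         HQbailym@thehastingscenter.org

1D57115C059    52186 Mon Apr 14 10:08:32  user@example.org
(connect to mx.example.net[192.0.2.25]:25: Connection timed out)
                                         someone@example.net

B64E815C039!   11687 Mon Apr 14 10:20:38  MAILER-DAEMON
                                         dfoo@example.org

-- 68 Kbytes in 3 Requests.'

# null_sender_queue_ids: read a mailq-style listing on stdin, print one queue ID
# per line for every message whose envelope sender is empty (MAILER-DAEMON).
null_sender_queue_ids() {
    tail -n +2 \
    | grep -v '^ *(' \
    | awk 'BEGIN { RS = "" } $1 != "--" && $7 == "MAILER-DAEMON" { print $1 }' \
    | tr -d '*!'
}

# On the constructed sample:
printf '%s\n' "$SAMPLE_QUEUE" | null_sender_queue_ids

# On a live system, review first, then delete:
#   postqueue -p | null_sender_queue_ids
#   postqueue -p | null_sender_queue_ids | postsuper -d -
# Broader alternatives: postqueue -f retries all deferred mail;
# postsuper -d ALL deferred drops every deferred message, not only bounces.
```

Look at the recipient lines before deleting anything: undeliverable bounces addressed to forged senders are the backscatter you want gone, but null-sender mail also includes legitimate DSNs owed to real senders, and `postsuper -d` removes them for good.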
 
  

