LinuxQuestions.org
09-18-2008, 03:07 PM   #1
Carl Filby
Rejecting spam without spamming


When I "REJECT" an email using a Postfix restriction or RBL, does the sender get a "reject email"?
If so, can I use "DISCARD" to just drop the message without sending a reject email to a likely forged return address?
All my restrictions use hash.
 
09-18-2008, 07:21 PM   #2
trickykid

Quote: Originally Posted by Carl Filby
When I "REJECT" an email using a Postfix restriction or RBL, does the sender get a "reject email"?
If so, can I use "DISCARD" to just drop the message without sending a reject email to a likely forged return address?
All my restrictions use hash.
At one employer we set it up so all messages that were more likely spam just got sent to /dev/null.
 
09-18-2008, 09:38 PM   #3
Carl Filby

Thanks for the reply.
That is something to consider.

BTW: I found the answer to my question. According to several other forums I could use DISCARD with hash. So I changed and set obvious spammers to DISCARD instead of REJECT; as far as the sender knows, the email got through when in reality it was just DISCARDED.

This makes the spammer think he won, and they move on to the next victim for the night. But I get the last laugh.

To keep false positives to a minimum I manually check every entry before adding it to the discard list. Fortunately I have a small user base; we only get about 900-1500 spams a day, and most are blocked by Postfix's built-in restrictions and checks.

Thanks to this forum and a lot of head banging at postfix.org, we are at a 98% spam block rate now.


09-18-2008, 11:02 PM   #4
Mr. C.
Carl, 95% of all spam is sent by infected systems (bot'd, zombied, etc.), and the spamming software does not "think" anything about winning. The bot just goes on to the next one in its list.

REJECTing messages isn't a backscatter source - accepting and then bouncing is the requirement for backscatter. Whether you REJECT or DISCARD ultimately can only affect your legitimate senders, so use DISCARD wisely and sparingly.


09-18-2008, 11:41 PM   #5
Carl Filby
Quote: Originally Posted by Mr. C.
Carl, 95% of all spam is sent by infected systems (bot'd, zombied, etc.), and the spamming software does not "think" anything about winning. The bot just goes on to the next one in its list.

REJECTing messages isn't a backscatter source - accepting and then bouncing is the requirement for backscatter. Whether you REJECT or DISCARD ultimately can only affect your legitimate senders, so use DISCARD wisely and sparingly.
I did several tests manually, using a HELO name on the restricted list and my real email address as MAIL FROM:. Each time the mail was rejected because of the HELO, I got a message saying the message could not be delivered to the recipients, giving the reject reason I put beside REJECT in the restriction file. Therefore I can only conclude that each time a message was REJECTED at HELO, an email was sent to the return address. I don't know about RBL rejects.

I agree that most spam is sent from zombied computers. But I noticed that once I REJECTED some messages I would be plagued with the same or similar messages from different IPs using different fake FQDN HELOs.

Once a spammer sent a message manually saying "See I can break the rules too". Shortly after that the box got slammed by relay access denied error messages, which is great; they were blocked. So at least one spammer monitors his/her bots to see who is blocking and why. Hence AT LEAST ONE "THINKS ABOUT WINNING". Granted, this may be an isolated incident, but that drove my "WINNING" comment.

Caution: personal observation below:

Oh, BTW, even though your knowledge is obvious and sometimes helpful on the subjects you post on, your words and demeanor are usually degrading to the person who happens to ask a seemingly simple question. Just thought I would mention that in case no one else has.


09-19-2008, 12:04 AM   #6
Mr. C.
I'll state again - NO message is sent when your server REJECTS a message (unless you've configured it to do so). The client receives a 5xx permanent reject SMTP status code, and postfix disconnects.

The "See I can break the rules too" message comes from postfix, when a client does not follow the SMTP dialog correctly. Postfix summarily closes the connection. So, what you thought was a manual message was postfix itself. So, your "winning" strategy against "human" spammers is now at 0%. :-)

I've been tracking and monitoring various forms of spam for years now (I wrote postfix-logwatch / amavis-logwatch - try them out to help you see stats on how your system is dealing with its mail); random helo names are just part of the game. Configure postfix to reject obvious forgeries and invalid helo names, and postfix will take care of you.

I appreciate your point of view. I do not mean to be degrading; I answer a lot of posts, and often do so quickly. My time is valuable to me, and I don't spend time writing in the soft points. Please don't confuse an attempt at brevity and clarity as degrading.


09-19-2008, 12:23 AM   #7
Carl Filby
Thank you for your reply and information.

I am still learning postfix and appreciate any information I can use to protect my users.

From your last post: "NO message is sent when your server REJECTS a message (unless you've configured it to do so)". How do I make sure it is NOT configured to send REJECT messages? Evidently my current configuration allows these to be sent.

Postconf:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = no
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = smtp:[127.0.0.1]:2526
delay_warning_time = 1h
disable_vrfy_command = yes
error_notice_recipient = policy.admin@example.com
helpful_warnings = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
# regularly send manuals to off-site contractors
message_size_limit = 30280000
mydestination = domain, mail.domain, localhost, domain2.net
myhostname = mail.domain.net
# All except one user are limited to one location; my one off-site user is
# confined to webmail to send mail
mynetworks = 127.0.0.0/8 xxx.xxx.xxx.xxx
myorigin = /etc/mailname
# Policy is temp for design assessment
notify_classes = resource, software, delay, bounce, policy
recipient_delimiter = +
relayhost =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/client_restrictions,
    check_recipient_access hash:/etc/postfix/postmaster,
    reject_invalid_hostname,
    permit
smtpd_data_restrictions =
    reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access static:warn,
    check_helo_access hash:/etc/postfix/helo_client_exceptions,
    check_helo_access hash:/etc/postfix/helo_restricted,
    reject_non_fqdn_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    permit
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/postmaster,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client korea.blackholes.us,
    reject_rbl_client russia.blackholes.us,
    reject_rbl_client china.blackholes.us,
    reject_rbl_client taiwan.blackholes.us,
    reject_rbl_client japan.blackholes.us,
    reject_rbl_client nigeria.blackholes.us,
    reject_rbl_client argentina.blackholes.us,
    reject_rbl_client brazil.blackholes.us,
    reject_rbl_client thailand.blackholes.us,
    permit
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access_list,
    check_sender_access hash:/etc/postfix/sender_bans,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit
 
09-19-2008, 12:37 AM   #8
Mr. C.
Code:
notify_classes = resource, software, delay, bounce, policy
The default is resource, software.

See notify_classes in man 5 postconf.
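Mr. C. points at log statistics (postfix-logwatch) and Carl checks every entry by hand before adding it to the discard list. As an added example that is not from the thread or from either poster, here is a small Python tally over constructed smtpd log lines in Postfix's format: it counts reject, discard and reject_warning decisions by the check that fired and lists the warn_if_reject hits to look at before promoting a check to a hard reject. The log lines, hostnames and addresses are constructed; the NOQUEUE marker is what shows a message was never accepted, so Postfix had nothing to bounce.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines (not taken from the thread).
# "NOQUEUE" means the message was never accepted into the queue, so the server
# had nothing to bounce: only the SMTP reply in the session went back to the client.
SAMPLE_LOG = """\
Sep 18 21:38:01 mail postfix/smtpd[4812]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<x@example.com> to=<carl@domain.net> proto=ESMTP helo=<bogus>
Sep 18 21:38:05 mail postfix/smtpd[4812]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <dsl-7>: Helo command rejected: need fully-qualified hostname; from=<y@example.net> to=<carl@domain.net> proto=SMTP helo=<dsl-7>
Sep 18 21:38:09 mail postfix/smtpd[4813]: NOQUEUE: discard: RCPT from unknown[203.0.113.5]: <spam.example>: Helo command discarded; from=<z@example.org> to=<carl@domain.net> proto=ESMTP helo=<spam.example>
Sep 18 21:38:12 mail postfix/smtpd[4813]: NOQUEUE: reject_warning: RCPT from mx.example.com[198.51.100.20]: 501 5.5.2 <mx.example.com>: Helo command rejected: Invalid name; from=<vendor@example.com> to=<carl@domain.net> proto=ESMTP helo=<mx.example.com>
Sep 18 21:38:20 mail postfix/smtpd[4814]: connect from unknown[192.0.2.11]
"""

LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>reject|discard|reject_warning): "
    r"(?P<stage>\w+) from (?P<client>\S+): (?P<detail>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>"
)

def classify(detail):
    """Reduce the free-text reason to a short key: which RBL or HELO check fired."""
    m = re.search(r"blocked using (\S+)", detail)
    if m:
        return "rbl:" + m.group(1)
    m = re.search(r"Helo command (?:rejected|discarded)(?:: (.*))?$", detail)
    if m:
        return "helo:" + (m.group(1) or "access map")
    return "other:" + detail

def summarize(log_text):
    """Count (action, reason) pairs; collect reject_warning hits for manual review."""
    counts = Counter()
    review = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connect/disconnect lines, queued mail, etc.
        reason = classify(m.group("detail"))
        counts[(m.group("action"), reason)] += 1
        if m.group("action") == "reject_warning":
            review.append((m.group("client"), m.group("helo"), m.group("sender")))
    return {"counts": counts, "review": review}

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (action, reason), n in sorted(result["counts"].items()):
        print(f"{n:4d}  {action:15s} {reason}")
    for client, helo, sender in result["review"]:
        print(f"review before hard-rejecting: client={client} helo={helo} from={sender}")
```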
 
  

