Backscatter
Date: Tue, 03 Oct 2006 11:11:31 +0100
From: Tom Pike
To: Fasthosts Xtreme Support Team
Subject: Spam to non-existent users being bounced by Postfix

Account number: ********
Support PIN: ****

Hi

We have a problem with the Postfix SMTP server on our dedicated server. Mail that is sent to non-existent users is not being instantly rejected - instead a bounce e-mail is being sent. This is of course highly undesirable when the e-mail is sent from a fake e-mail address (typical of most spam).

This problem seems to occur with the default setup with domains set up using the Matrix Control Panel (and therefore presumably a lot of your dedicated servers are affected by this - many of their owners may be unaware), but nothing I change in the Postfix configuration seems to stop this behaviour.

I believe this to be a very serious problem affecting more than just our server, and would appreciate your investigation of this matter.

Best regards
Tom Pike

Date: Tue, 3 Oct 2006 12:04:06 +0100
From: Fasthosts Xtreme Support Team
Subject: ******#****** Your Fasthosts support enquiry (PLEASE DO NOT CHANGE SUBJECT)
To: Tom Pike

Dear Tom,

The behaviour that you describe is the default way that Postfix deals with messages of this type. I believe that it happens in this manner as there are legitimate emails that are, for whatever reason, undeliverable (misspelt username, sent to a person who has left the company). These should be bounced so the sender is aware that the email has not been delivered.

As far as I can tell, for the server to make the distinction between whether emails that are spam should be immediately rejected, Postfix would have to have anti-spam protection built-in, which falls far outside of the Postfix team's remit.

However, in my personal experience administering Postfix mailservers, I have come across the configuration document at:

http://www.postfix.org/ADDRESS_VERIFICATION_README.html

...which you may find useful towards your particular configuration needs. As the document says:

"The sender/recipient address verification feature described in this document is suitable only for low-traffic sites. It performs poorly under high load and may cause your site to be blacklisted by some providers. See the "Limitations" section for details. The technique has obvious uses to reject junk mail with an unreplyable sender address."

In light of my findings above, I do not believe that Postfix's current modus operandi as set up by Fedora on our dedicated server platform is incorrect or a detriment to the mailservers' operation.

Thank you for your comments on the dedicated server setup. If you have any further queries about Postfix, please reply to this mail and we will endeavour to further advise you.

Date: Tue, 03 Oct 2006 14:17:19 +0100
From: Tom Pike
To: Fasthosts Xtreme Support Team
Subject: Re: *****#***** Your Fasthosts support enquiry (PLEASE DO NOT CHANGE SUBJECT)

Yes, the sender should receive an error message but not in the form of an e-mail sent back to the From: address. At the SMTP level, what is happening is:

    ~$ telnet xxxxxxxx.co.uk smtp
    Trying xxx.xxx.xxx.xx...
    Connected to xxxxxxxx.co.uk.
    Escape character is '^]'.
    220 xxxxxxxx.co.uk ESMTP Postfix
    MAIL FROM: myfakeemailaddress@example.com
    250 Ok
    RCPT TO: nonexistentaddress@xxxxxxxx.co.uk
    250 Ok

The "250 Ok" response at the end is the problem. There is no "catch-all" e-mail address set for xxxxxxxx.co.uk, so it should respond immediately with a 450 or 550 error code. Instead it is accepting the e-mail at this point, but then sending a bounce e-mail to the address specified in MAIL FROM. This is very bad behaviour[1] in today's spam-ridden e-mail environment.

http://www.postfix.org/LOCAL_RECIPIENT_README.html contains details of how to prevent this occurring with Postfix by setting the local_recipient_maps parameter. Theoretically by setting this as follows:

    local_recipient_maps = hash:/etc/postfix/virtual

it should solve the problem. Unfortunately with our Fasthosts server this does not seem to be the case for some unknown reason.

[1] See
http://www.tuffmail.com/backscatter.php
http://spamlinks.net/prevent-secure-backscatter.htm
http://www.spamcop.net/fom-serve/cache/329.html#bounces
for explanation as to why this is bad.

"Accepting a message and then sending a DSN to the possibly forged envelope sender address is just not an acceptable practice today. If the message can not be delivered it should not be accepted."

"Configure your software to either reject messages during delivery or accept them permanently. Do not let your software make choices about delivery after it has accepted a message."

Date: Tue, 3 Oct 2006 17:36:58 +0100
From: Fasthosts Xtreme Support Team
To: Tom Pike
Subject: ******#****** Your Fasthosts support enquiry (PLEASE DO NOT CHANGE SUBJECT)

Dear Tom,

I have discussed your comments with our server engineers. There is no RFC stating that undeliverable mail has to be handled with a 450 or 550 response. According to the engineers, as there is no explicit RFC on this issue, our systems respond in this way to further integrate with the rest of the services on the machine.

Our engineers can reconfigure Postfix for you; however, this will incur our Personal Engineer Service charge of £60 +VAT per half-hour of service for them to do this on your behalf.

Our engineers have not indicated that they consider this setting to be a detriment to customers on our Dedicated Server platform as a whole.

Anyway, in the end I figured it out for myself. Needed to add

    virtual_mailbox_maps = hash:/etc/postfix/virtual

to /etc/postfix/main.cf.
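
Added example (not part of the original post and not Postfix's own code): a small Python audit of main.cf text for the settings that make Postfix answer "250 Ok" to RCPT TO for unknown users, run over a constructed before/after config. It goes slightly beyond the post by also checking local_recipient_maps and smtpd_reject_unlisted_recipient, and it assumes the hosted domain is listed in virtual_mailbox_domains; the hostname and domain are placeholders.

```python
# Added example: audits Postfix main.cf text for settings that let smtpd accept
# mail for unknown recipients (and bounce it later). Sample configs are constructed.

def parse_main_cf(text):
    """Return {parameter: value} from main.cf text; the last assignment wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank and comment lines
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()      # leading whitespace = continuation
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def backscatter_findings(text):
    """Return (parameter, reason) pairs where recipient validation is disabled."""
    p = parse_main_cf(text)
    found = []
    if p.get("local_recipient_maps") == "":
        found.append(("local_recipient_maps",
                      "explicitly empty: any user in $mydestination is accepted"))
    if p.get("virtual_mailbox_domains") and not p.get("virtual_mailbox_maps"):
        found.append(("virtual_mailbox_maps",
                      "unset or empty: any user in $virtual_mailbox_domains is accepted"))
    if p.get("smtpd_reject_unlisted_recipient", "yes").lower() == "no":
        found.append(("smtpd_reject_unlisted_recipient",
                      "no: unlisted recipients are rejected only by an explicit "
                      "reject_unlisted_recipient restriction"))
    return found

# Constructed "before" config: a virtual mailbox domain with no recipient list.
BEFORE = """\
myhostname = mail.example.com
virtual_mailbox_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
"""
# "After": the same config plus the line this post ends up adding.
AFTER = BEFORE + "virtual_mailbox_maps = hash:/etc/postfix/virtual\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, backscatter_findings(cfg) or "recipient validation in place")
```

On a live server, feed it the output of postconf -n rather than the raw file, so that only the settings actually in effect are audited.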
Posted: 2006-10-03 16:44:07 UTC by Xiven | Cross-references (0) | Comments (0)