4th April 2013, 14:46
arraken
Lots of deferred mails - backscatter?

Hi,

I recently had an SMTP AUTH relay attack on my mail server, which I solved as described in this thread: http://www.howtoforge.com/forums/sho...331#post295331

I am, however, still getting a high number of deferred e-mails, but it's not a spam flood anymore. They are rather just "trickling" in, a few mails per minute. The reason seems to be different from before; maybe it's backscatter? (Someone sends spam with a faked sender address at a domain that is hosted on my server, so my server gets the deferred messages.)

When I type "qshape deferred" I get the following output:

Code:
                    T  5 10 20 40 80 160 320 640 1280 1280+
           TOTAL 2443  0  0 36 18 38 136 287 460 1468     0
DomainOnMyServer 2424  0  0 36 17 38 136 284 455 1458     0
     usamail.com   15  0  0  0  1  0   0   3   4    7     0
     example.com    2  0  0  0  0  0   0   0   1    1     0
         aol.com    1  0  0  0  0  0   0   0   0    1     0
  duck-calls.net    1  0  0  0  0  0   0   0   0    1     0
When I grep my mail.log for "deferred" I get lots of lines like this:

Code:
Apr  4 12:07:02 server1 postfix/pipe[30294]: 181E12134114: to=<homesteadspeered@DomainOnMyServer.at>, orig_to=<homesteadspeered@OtherDomainOnMyServer.at>, relay=maildrop, delay=25686, delays=25684/1.5/0/1.1, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/homesteadspeered/31248.0.server1.  )
Apr  4 12:07:02 server1 postfix/pipe[30755]: D82401FBE607: to=<bernhard.tucek@DomainOnMyServer.at>, orig_to=<bernhard.tucek@OtherDomainOnMyServer.at>, relay=maildrop, delay=38377, delays=38374/0.54/0/2.2, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/bernhard.tucek/30995.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30308]: 2286A1FBE380: to=<muscovyjanna@DomainOnMyServer.at>, orig_to=<muscovyjanna@OtherDomainOnMyServer.at>, relay=maildrop, delay=50730, delays=50726/0.12/0/3.4, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/muscovyjanna/30578.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30478]: 02A421FBE362: to=<muscovyjanna@DomainOnMyServer.at>, orig_to=<muscovyjanna@OtherDomainOnMyServer.at>, relay=maildrop, delay=50921, delays=50918/3.4/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/muscovyjanna/31394.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30012]: 2286A1FBE380: to=<n.steixner@DomainOnMyServer.at>, orig_to=<n.steixner@OtherDomainOnMyServer.at>, relay=maildrop, delay=50730, delays=50726/1.1/0/2.8, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/n.steixner/31132.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30159]: 2286A1FBE380: to=<n.kurz@DomainOnMyServer.at>, orig_to=<n.kurz@OtherDomainOnMyServer.at>, relay=maildrop, delay=50731, delays=50726/0.13/0/4.2, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/DomainOnMyServer.at/n.kurz/30594.0.server1.  )
The mailboxes to which the deferred mails are addressed do not exist on my server, but the domains are hosted on it. I obviously have no problem with the mails being deferred, but I wanted to know if this is standard behaviour for Postfix, or should I be worried?

My deferred queue is getting filled up by this, so isn't there a way to just bounce those mails?
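An added example, not part of the post above and not the poster's own code: a small Python parser that takes Postfix delivery-agent log lines like the ones grepped above and groups the deferrals by cause, delivery agent and recipient domain, so that a queue backed up by one local delivery error can be told apart from a queue full of unrelated remote deliveries. The sample log lines are constructed (documentation domains, same field layout as the post), the `LOG_RE` pattern assumes the Postfix 2.x syslog format shown above, and the 90% threshold in `diagnose()` is a heuristic chosen for this example, not a Postfix rule.

```python
import re
from collections import Counter

# Added example, not from the forum post. Log format assumed: Postfix 2.x
# delivery-agent lines (pipe/local/virtual/smtp) as shown in the post above.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<agent>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<to>[^>]*)>, (?:orig_to=<(?P<orig_to>[^>]*)>, )?"
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), "
    r"delays=(?P<delays>[\d./]+), dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)\s*$"
)

# Agents that deliver into mailboxes on this host (as opposed to smtp/relay).
LOCAL_AGENTS = {"pipe", "local", "virtual", "lmtp"}

# Constructed sample lines mirroring the post's format (documentation domains).
SAMPLE_LOG = """\
Apr  4 12:07:02 server1 postfix/pipe[30294]: 181E12134114: to=<alice@example.at>, orig_to=<alice@example.co.at>, relay=maildrop, delay=25686, delays=25684/1.5/0/1.1, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/example.at/alice/31248.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30308]: 2286A1FBE380: to=<bob@example.at>, orig_to=<bob@example.co.at>, relay=maildrop, delay=50730, delays=50726/0.12/0/3.4, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/example.at/bob/30578.0.server1.  )
Apr  4 12:07:03 server1 postfix/pipe[30012]: 2286A1FBE380: to=<carol@example.at>, orig_to=<carol@example.co.at>, relay=maildrop, delay=50730, delays=50726/1.1/0/2.8, dsn=4.3.0, status=deferred (temporary failure. Command output: ERR: authdaemon: s_connect() failed: Permission denied /usr/bin/maildrop: Unable to create a dot-lock at /var/vmail/example.at/carol/31132.0.server1.  )
Apr  4 12:08:10 server1 postfix/smtp[31000]: 7A1C01FBE999: to=<dave@example.net>, relay=none, delay=3601, delays=3600/0.1/1/0, dsn=4.4.1, status=deferred (connect to mx.example.net[192.0.2.10]:25: Connection timed out)
Apr  4 12:08:11 server1 postfix/qmgr[2200]: 7A1C01FBE999: from=<>, size=2941, nrcpt=1 (queue active)
"""


def parse_delivery_line(line):
    """Return the fields of one delivery-agent line, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reason_key(reason):
    """Collapse per-message detail (mailbox path, lock file name) so that
    identical causes group together."""
    key = reason.split(" at /", 1)[0]  # drop "... at /var/vmail/<box>/<lockfile>"
    return key.strip()


def summarize(lines):
    """Count deferred deliveries by (dsn, cause), by agent and by recipient domain."""
    by_reason, by_agent, by_domain = Counter(), Counter(), Counter()
    max_delay = 0.0
    for line in lines:
        rec = parse_delivery_line(line)
        if rec is None or rec["status"] != "deferred":
            continue
        by_reason[(rec["dsn"], reason_key(rec["reason"]))] += 1
        by_agent[rec["agent"]] += 1
        by_domain[rec["to"].rsplit("@", 1)[-1].lower()] += 1
        max_delay = max(max_delay, float(rec["delay"]))
    return {"by_reason": by_reason, "by_agent": by_agent,
            "by_domain": by_domain, "max_delay": max_delay}


def diagnose(summary):
    """Heuristic of this example (not a Postfix rule): if nearly every deferral
    shares one 4.x.x cause coming from a local delivery agent, the queue is
    backed up by a local delivery problem rather than by what remote senders
    are doing; otherwise report the mix."""
    total = sum(summary["by_reason"].values())
    if total == 0:
        return "no deferred deliveries"
    (dsn, reason), n = summary["by_reason"].most_common(1)[0]
    local = sum(summary["by_agent"][a] for a in LOCAL_AGENTS)
    if n / total >= 0.9 and dsn.startswith("4.") and local / total >= 0.9:
        return "local delivery failure: " + reason
    return "mixed causes, top: %s (%d of %d)" % (reason, n, total)


if __name__ == "__main__":
    import sys
    # Pipe "grep deferred /var/log/mail.log" into this script, or run it bare
    # to use the constructed sample above.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    s = summarize(src)
    for (dsn, reason), n in s["by_reason"].most_common():
        print("%5d  %s  %s" % (n, dsn, reason))
    print("by agent:  ", dict(s["by_agent"]))
    print("by domain: ", dict(s["by_domain"]))
    print("longest delay: %.0f s" % s["max_delay"])
    print("verdict:", diagnose(s))
```

Run on the constructed sample, the three maildrop lines collapse to a single (4.3.0, "authdaemon ... dot-lock") cause and the smtp timeout stays separate; fed only the maildrop lines, `diagnose()` reports a local delivery failure. On a real log the `to=` and `orig_to=` fields also show which hosted domain the deliveries were rewritten from, which is the first thing to compare against the domains you actually expect to receive mail for.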