  #1  
19th August 2008, 21:15
sholtzrevtek (Junior Member, joined Aug 2008, 2 posts)
spammer using my email - postfix system

I have this really really bad problem

I have been getting these undelivered mail notifications in my inbox and I noticed the "from" addresses in the original email (that bounced) use my domain address. So a lot of these email addresses would look like this: Agabeyoglu.Evren@mydomain.com (mydomain being my personal website address)

The original email would be spam like stuff - "viagra vs. cialis"

The first thing I thought was that my mail server was being used as an open relay, but I have this thing locked down and I did some online tests and all showed there was no open relay.

I am completely perplexed. I modified the main.cf file for postfix and removed the smtp mail relay, which is my ISP's SMTP since they block all port 25 traffic.

So right now, I am kind of lost as to what is causing this issue. I looked at all my logs but I didn't really notice anything out of the ordinary. I would not have even known this was happening if it were not for the bounced emails I keep getting.

Does anyone here have any experience with this kind of issue, or could at least give me a hypothesis of what could be going on here?

I am a complete noob so if there are any logs or other information you need, let me know and I will post it. Shoot, I will be your personal slave if that will get me through this.

Thanks a million and I will buy a beer for anyone who can lead me to a solution
  #2  
19th August 2008, 22:40
ralic (Member, joined Jun 2008, 69 posts)

You probably don't have anything to worry about. This sounds like backscatter.
  #3  
19th August 2008, 23:36
sholtzrevtek (Junior Member, joined Aug 2008, 2 posts)

Quote:
Originally Posted by ralic
You probably don't have anything to worry about. This sounds like backscatter.
Well, it looks like I learned something new today. Jeez

Thanks for the tip, that is exactly what is going on here.

Is there a way to at least block all these NDRs? Maybe a configuration setting in Postfix?

(I have actually been trying to do this but with no luck so far, so this is why I am asking... not because I am too lazy to look it up.)

I tried this but I am still getting the NDRs:

Quote:
To block such backscatter I use header_checks and body_checks patterns like this:

/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks

/etc/postfix/header_checks:
if /^Received:/
/^Received: +from +(porcupine\.org) +/
reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
/^Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^Message-ID:.* <!&!/ DUNNO
/^Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID: header: $1

/etc/postfix/body_checks:
if /^[> ]*Received:/
/^[> ]*Received: +from +(porcupine\.org) /
reject forged client name in Received: header: $1
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
/^[> ]*Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
/^[> ]*Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID: header: $1
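The rules quoted in the post above come from the Postfix backscatter documentation, where porcupine.org is the documentation author's own domain and stands for the receiving site's domain. The script below is an added example, not from the thread and not Postfix code: it re-implements how Postfix walks a pcre: header_checks / body_checks table (first matching rule per line wins; DUNNO stops further rules for that line without deciding anything) and runs the quoted patterns over a constructed bounce that quotes a forged original message. The domain example.com, the hostnames, addresses and IP ranges are all constructed placeholders.

```python
"""Simulate the Postfix header_checks / body_checks backscatter rules quoted in the thread.

Added example, not from the thread or from Postfix.  Everything below
(example.com, hostnames, addresses, message text) is constructed.
"""
import re

# Our own domain, as a regex fragment.  This is the value that replaces
# porcupine\.org in the quoted rules; left at porcupine.org the rules only
# ever match mail that mentions porcupine.org.
MY_DOMAIN = r"example\.com"   # constructed placeholder


def build_rules(prefix):
    """Return the quoted ruleset with ``prefix`` inserted after the '^' anchor.

    header_checks uses prefix "" (the header line itself); body_checks uses
    "[> ]*" so the same patterns also hit original headers quoted inside a
    bounce body.  Postfix pcre: tables match case-insensitively by default,
    hence re.IGNORECASE.  The 'if /^Received:/ ... endif' gate in the original
    is only an optimisation: every rule inside it starts with ^Received: anyway.
    """
    d = MY_DOMAIN
    raw = [
        (rf"^Received: +from +({d}) ",
         "reject forged client name in Received: header: $1"),
        (rf"^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)({d})\)",
         "reject forged client name in Received: header: $2"),
        (rf"^Received:.* +by +({d})\b",
         "reject forged mail server name in Received: header: $1"),
        # Outlook-style Message-IDs (<!&!...) are exempted: DUNNO ends the
        # rule walk for this line before the forged-domain rule is reached.
        (r"^Message-ID:.* <!&!", "DUNNO"),
        (rf"^Message-ID:.*@({d})",
         "reject forged domain name in Message-ID: header: $1"),
    ]
    return [(re.compile("^" + prefix + pat[1:], re.IGNORECASE), act)
            for pat, act in raw]


HEADER_CHECKS = build_rules("")
BODY_CHECKS = build_rules("[> ]*")


def _expand(action, match):
    """Expand $1, $2 ... in the action text from the regex groups, as Postfix does."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", action)


def apply_checks(rules, lines):
    """Evaluate lines the way Postfix evaluates a pcre: map.

    Rules are tried in order for each line; the first match wins.  DUNNO means
    "pretend nothing matched and go to the next line"; any other action is the
    final decision for the whole message.  Returns the action text or None.
    """
    for line in lines:
        for pattern, action in rules:
            match = pattern.search(line)
            if not match:
                continue
            if action.upper() == "DUNNO":
                break
            return _expand(action, match)
    return None


def check_message(headers, body):
    """Return the reject text Postfix would log, or None if the mail passes."""
    return apply_checks(HEADER_CHECKS, headers) or apply_checks(BODY_CHECKS, body)


# Constructed sample: a bounce (NDR) from another site.  Its own headers are
# clean; the forged original message, with one of our addresses as sender,
# is quoted in the body, which is why body_checks is what catches it.
BACKSCATTER_HEADERS = [
    "Received: from mail.other-isp.test (mail.other-isp.test [198.51.100.7])",
    "From: MAILER-DAEMON@other-isp.test",
    "To: Agabeyoglu.Evren@example.com",
    "Subject: Undelivered Mail Returned to Sender",
]
BACKSCATTER_BODY = [
    "This is the mail system at host mail.other-isp.test.",
    "<nobody@other-isp.test>: user unknown",
    "------ This is a copy of the message, including all the headers. ------",
    "> Received: from example.com (unknown [203.0.113.45])",
    "> From: Agabeyoglu.Evren@example.com",
    "> Message-ID: <20080819.12345@example.com>",
    "> Subject: viagra vs. cialis",
]

# Constructed sample: a normal message whose Outlook-style Message-ID carries
# our domain; the DUNNO rule keeps the forged-domain rule from firing.
LEGIT_HEADERS = [
    "Received: from mail.other-isp.test (mail.other-isp.test [198.51.100.7])",
    "From: friend@other-isp.test",
    "To: me@example.com",
    "Message-ID: <!&!AAAAAAAAAAAYAAAAAAAAAA==@example.com>",
    "Subject: lunch?",
]
LEGIT_BODY = ["See you at noon."]

if __name__ == "__main__":
    print("backscatter:", check_message(BACKSCATTER_HEADERS, BACKSCATTER_BODY))
    print("legitimate: ", check_message(LEGIT_HEADERS, LEGIT_BODY))
```

Two things the walk makes visible: the bounce's own headers never mention our domain, so header_checks alone passes it and the body_checks copy of the patterns is what matters; and the patterns only ever fire on the domain written into them, so a site that pastes the documentation rules unchanged has rules that match porcupine.org and nothing else.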
  #4  
20th August 2008, 19:53
ralic (Member, joined Jun 2008, 69 posts)

Quote:
Originally Posted by sholtzrevtek
Is there a way to at least block all these NDR's?
Haven't faced this in any serious volumes, so unfortunately it's a bridge I haven't crossed... yet. Maybe someone else cares to comment.
Quote:
Originally Posted by sholtzrevtek
Maybe a configuration setting in Postfix?
Doesn't look like it's that simple. But you've already been to the source I see. Would it be worthwhile firing off an email to the postmaster addresses of the domains that are generating them? Would be doing the world a favour if they took more care with what they determine to be legitimate and what they bounce.

If you haven't already, you could try to implement SPF records. Gives those of us that use it as part of our validation process a fighting chance.
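An SPF record, as suggested above, lets receiving servers that check SPF refuse a forged MAIL FROM during the SMTP session instead of accepting the message and bouncing it later, which is where backscatter comes from. The following is an added example, not from the thread: a DNS TXT record for a constructed domain (example.com, whose only outbound mail host is 203.0.113.10) and a minimal evaluator for the ip4, ip6 and all mechanisms with their qualifiers. The DNS-dependent mechanisms (include, a, mx, exists, redirect) are deliberately unsupported here and return permerror; a real receiver uses a full implementation such as pyspf.

```python
"""Minimal SPF (RFC 7208) evaluation for ip4 / ip6 / all terms.

Added example, not from the thread.  The domain, record and addresses are
constructed placeholders.
"""
import ipaddress

# What the domain would publish as a DNS TXT record (constructed):
#   example.com.  IN TXT  "v=spf1 ip4:203.0.113.10 -all"
# "-all" tells checking receivers that every other source is unauthorised.
EXAMPLE_SPF_RECORD = "v=spf1 ip4:203.0.113.10 -all"

# Qualifier prefix -> SPF result when the mechanism matches.
RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF TXT record against the IP that connected to us.

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Only ip4:, ip6: and all are implemented; anything needing DNS lookups
    (include:, a, mx, exists:, redirect=) yields permerror in this toy.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is "+"
        if term[0] in RESULT_BY_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULT_BY_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # no prefix -> /32 or /128
            except ValueError:
                return "permerror"          # malformed address or CIDR
            if (name == "ip4") != (net.version == 4):
                return "permerror"          # ip4: with an IPv6 argument, or vice versa
            if ip.version == net.version and ip in net:
                return RESULT_BY_QUALIFIER[qualifier]
            continue                        # no match, try the next term
        return "permerror"                  # mechanism this evaluator cannot resolve
    return "neutral"                        # ran off the end with no "all": neutral


def smtp_decision(spf_result):
    """Map an SPF result to what the receiving MTA does at MAIL FROM time.

    Rejecting here (a 5xx reply while the sender is still connected) is what
    keeps a receiver from accepting forged mail and bouncing it to the victim.
    """
    return "reject" if spf_result == "fail" else "accept"


if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.7"):
        result = evaluate_spf(EXAMPLE_SPF_RECORD, src)
        print(f"{src:>14} -> {result:<8} -> {smtp_decision(result)}")
```

The record itself is the whole deployment on the sending side; the benefit only materialises at receivers that evaluate it, and only "-all" (hard fail) gives them grounds to reject rather than merely flag.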