spammer using my email - postfix system

[sholtzrevtek]

I have this really really bad problem

I have been getting these undelivered mail notifications in my inbox and I noticed the "from" addresses in the original email (that bounced) uses my domain address. So a lot of these email addresses would look like this: Agabeyoglu.Evren@mydomain.com (mydomain being my personal website address)

The original email would be spam like stuff - "viagra vs. cialis"

The first thing I thought was my mail server was being used an a open relay but I have this thing locked down and I did some online tests and all showed there was no open relay.

I am completely perplexed. I modified the main.cf file for postfix and removed the smtp mail relay which is my ISP smtp since they block all port 25 traffic.

So right now, I am kind of lost as to what is causing this issue. I looked at all my logs but I didn't really notice anything out of the ordinary. I would not have even known this was happening if it were not for the bounced emails I keep getting.

Does anyone here have any experience with this kind of issue or could at least give me a hypothesis of what could be going on here.

I am a complete noob so if there are any logs or other information you need, let me know and I will post it. Shoot, I will be your personal slave if that will get me through this.

Thanks a million and I will buy a beer for anyone who can lead me to a solution

[ralic]

You probably don't have anything to worry about. This sounds like backscatter.

[sholtzrevtek]

Quote:

Originally Posted by ralic

You probably don't have anything to worry about. This sounds like backscatter.

Well, it looks like I learned something new today. Jeez

Thanks for the tip, that is exactly what is going on here.

Is there a way to at least block all these NDR's? Maybe a configuration setting in Postfix?

(I have actually been trying to do this but with no luck so far so this is why I am asking....not because I am too lazy to look it up )

I tried this but I am still getting the NDR's:

Quote:

To block such backscatter I use header_checks and body_checks patterns like this:

/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/header_checks
body_checks = pcre:/etc/postfix/body_checks

/etc/postfix/header_checks:
if /^Received:/
/^Received: +from +(porcupine\.org) +/
reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
/^Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^Message-ID:.* <!&!/ DUNNO
/^Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID: header: $1

/etc/postfix/body_checks:
if /^[> ]*Received:/
/^[> ]*Received: +from +(porcupine\.org) /
reject forged client name in Received: header: $1
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received: header: $2
/^[> ]*Received:.* +by +(porcupine\.org)\b/
reject forged mail server name in Received: header: $1
endif
/^[> ]*Message-ID:.* <!&!/ DUNNO
/^[> ]*Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID: header: $1

[ralic]

Quote:

Originally Posted by sholtzrevtek

Is there a way to at least block all these NDR's?

Haven't faced this in any serious volumes, so unfortunately it's a bridge I haven't crossed.....yet. Maybe someone else cares to comment.

Quote:

Originally Posted by sholtzrevtek

Maybe a configuration setting in Postfix?

Doesn't look like it's that simple. But you've already been to the source I see. Would it be worthwhile firing off an email to the postmaster addresses of the domains that are generating them? Would be doing the world a favour if they took more care with what they determine to be legitimate and what they bounce.

If you haven't already, you could try implement spf records. Gives those of us that use it as part of our validation process a fighting chance.