OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: Backscatting filter?

From: Robert Schetterer (robertschetterer.org)
Date: Wed May 07 2008 - 17:16:43 CDT

mouss schrieb:
> Blake Hudson wrote:
>> -------- Original Message --------
>> Subject: Re: Backscatting filter?
>> From: Noel Jones <njonesmegan.vbhcs.org>
>> To: postfix-userspostfix.org
>> Date: Wednesday, May 07, 2008 1:09:02 PM
>>> Blake Hudson wrote:
>>>>
>>>>
>>>> It seems a waste to subject all messages to these filters, is there
>>>> a way to apply these regexp header_checks/body_checks only to
>>>> messages from a null sender, as is the case with the second
>>>> recommendation:
>>>>
>>>
>>> header_checks and body_checks apply to all mail, there is no bypass
>>> or selective application mechanism.
>>> So they can't be applied to only messages from a null sender.
>>>
>>>
>>
>> Yeah, sounds like I would need sender based routing setup with a
>> transport that applies to null senders only and is specifically
>> configured with header/body checks on that one transport. The closest
>> thing in a regular recipient routing setup would be the FILTER action
>> mechanism which allows me to apply a content filter to messages based
>> on sender address in an access table.
>>
>
> but then you can't block. you can discard, quarantine or deliver. but in
> this case, spamassassin is probably a better place to do your checks.
>
> if you want to block the messages, then use a proxy_filter or a milter.
>>
>> The backscatter we receive has the following commonalities: Comes from
>> NULL sender, does not contain our server's IP, and does not contain
>> the outbound content filter 'received' header information. If I were
>> to block backscatter from forged sources I would ideally look at only
>> mail from NULL senders, which in the body contains a 'received:' line,
>> but does not contain our server's IP or the content filter addition.
>>
>> I do not believe I can accurately pass all mail through these types of
>> regexp checks because we provide technical support for other companies
>> and are often asked to debug or analyze bounce messages received from
>> clients. These bounces do have the 'received:' information in the
>> body, and typically do not contain information about our mail server
>> since they do not pass through our network. These messages would come
>> from actual users though, not a NULL sender.
>>
>> The postfix backscatter readme only talks about filtering based on the
>> presence of invalid information (versus the lack of valid
>> information). I could filter this way, but it seems that it would not
>> be nearly as effective or efficient.
>>
>> If I were to use backscatterer.org or similar backscatter list I run
>> the risk of not receiving legitimate bounces that stem from messages
>> sent through my server. Sometimes I'm forced to send to people who use
>> MessageLabs for their SPAM filter, and unfortunately MessageLabs is
>> listed on backscatterer.org.
>
> use dnswl.org as a whitelist.
>
>>
>>
>> It would be great if there were some mechanism that would allow
>> forwarding to a transport based on access table lookup.
>
> FILTER does. but the checks would then be done at the other side of the
> transport, and not during the smtp transaction.
>
>> This would allow for some sender based exceptions within a regular
>> recipient based routing setup.
>>
>> -Blake
>>
>
Hi,

i ve done it with a policy class but this is only a solution for
one small maildomain ( the one which gets the most backscatter in my
case , up to hundert per minute)
and has not many addresses not a final solution for every case/setup
but works in my case cause i dont get any backscatter
from faked existing mail adresses
after all for that case i have vbounce plugin in spamassassin
which works nice,
adding the allready described header/body check method too
should reduce backscatter Problem to an aceptable limit without loosing
legal bounces, but wasnt possible on this server cause its an
backup mx in first case

looks like this

smtpd_sender_restrictions =
...
...
...
hash:/etc/postfix/sender_backscatter_access,
...

with /etc/postfix/sender_backscatter_access

Symantec_Mail_Security_for_SMTP backscatter
Gateway_SMTP backscatter
Notify_nav_gateways backscatter
<> backscatter
postmaster backscatter
MAILER-DAEMON backscatter
devnull backscatter
MDaemon backscatter
imsspostmaster backscatter
Administrator backscatter
imss backscatter
majordomo backscatter
symantec_antivirus_for_smtp_gateways backscatter
Mail_Security_for_SMTP backscatter
FETCHMAIL-DAEMON backscatter
NULL backscatter

smtpd_restriction_classes = ...,
                             backscatter,
                             rbl_backscatter,
                             ...

  backscatter = ...,
               ...,
check_recipient_access hash:/etc/postfix/mydomain_recipient_access

in

/etc/postfix/mydomain_recipient_access

usermydomain.de OK
user2mydomain.de OK
...
...
neversendmailmydomain.de REJECT this address accepts no bounce
mydomain.de rbl_backscatter

rbl_backscatter = ...,
                   ...,
reject_rbl_client ips.backscatterer.org,
check_recipient_access hash:/etc/postfix/backscatter_access_reject,
reject

in /etc/postfix/backscatter_access_reject

mydomain.de REJECT your ip sends backscatter avoid it use our dns spf

...means other stuff
mostly permit_mynetworks
permit_sasl_authenticated,

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria