Re: Backscatter being generated from mail aliased to other servers.

From: tobi (tobstertobisworld.homeip.net)
Date: Mon Nov 16 2009 - 16:15:09 CST


Jaroslaw Grzabel wrote:
> Jim Lang wrote:
>> John Peach wrote:
>>> On Mon, 16 Nov 2009 13:07:05 -0700
>>> Jim Lang <postfixguscreek.com> wrote:
>>>
>>>
>>>> John Peach wrote:
>>>>
>>>>> On Mon, 16 Nov 2009 13:00:26 -0700
>>>>> Jim Lang <postfixguscreek.com> wrote:
>>>>>
>>>>>
>>>>>> Wietse Venema wrote:
>>>>>>
>>>>>>> Jim Lang:
>>>>>>>
>>>>>>>> OK here is the scenario. Spammer sends mail to:
>>>>>>>> usermyclientsdomain.com from forged
>>>>>>>> address victimrandomdomain.com
>>>>>>>>
>>>>>>>> If usermyclientsdomain.com is delivered locally, not a problem,
>>>>>>>> if the address is invalid, postfix rejects the mail during the
>>>>>>>> smtp connection.
>>>>>>>>
>>>>>>>> But if usermyclientsdomain.com is an alias to
>>>>>>>> myclientotherserver.com, postfix accepts the mail as deliverable
>>>>>>>> and forwards it to hotmail.com. But if
>>>>>>>> myclientotherserver.com can for whatever reason not be
>>>>>>>> delivered, otherserver.com does what it is supposed to do and
>>>>>>>> rejects the mail during the smtp connection, which causes postfix
>>>>>>>> to send out a non-delivery report to victimrandomdomain.com --
>>>>>>>> backscatter.
>>>>>>>>
>>>>>>>> Is there a way to stop this?
>>>>>>> Yes. Don't forward SPAM.
>>>>>>>
>>>>>>> Wietse
>>>>>>>
>>>>>> And how do I do that in this scenario?
>>>>>>
>>>>> You use recipient verification.
>>>>>
>>>>>
>>>> I must have been really inarticulate when I wrote out the scenario.
>>>> I do use recipient verification on my server. How is it that that is
>>>> not clear? Do I need to rewrite this post?
>>>>
>>>>
>>> Clearly, you are *NOT* doing recipient verification, or
>>> myotherserver.com would not be rejecting it. Never accept mail which
>>> cannot be delivered.
>>>
>>
>>
>> Except no 'myotherserver.com' appeared in my scenario, nimrod.
>>
>> otherserver.com in the scenario is a server not under my control.
>>
>> unsubscribing from this useless list
> But a server which is out of your control should not accept messages,
> for example, to a non-existent user. So if you're doing verification,
> even when a spammer connects to your server he should receive an answer
> from the REMOTE SERVER "user not known" or something similar. I've got a
> similar situation as I have to smart host for a lot of domains and
> connections, but let's say I know people on that remote site, or even if
> not I've got some contact details like an email address, so simply... I'm
> trying to explain to people that if they will not protect the end server
> I will block them in the smart host, as I can't take the risk of a block.
> So generally you should use reject_unverified_recipient and additionally
> you can build a database... you can limit connections, check RBLs,
> CBLs, there is really a lot of things, but first of all you would need
> to check which hosts on the other end cause a problem and find out
> what more you can do to prevent spam coming through.
> I know that it's impossible to block all SPAM without being too harsh,
> but there is always something you can do to prevent it.
>
> Regards,
> Jarek
This page (http://www.postfix.org/ADDRESS_VERIFICATION_README.html)
looks like it describes part of your problem. Could be the solution.

Regards

tobi
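As an added illustration that is not part of the thread, here is a main.cf fragment showing the forwarding setup Jim describes (a virtual alias pointing at an external server) beside the recipient-verification settings Jarek and tobi point to. The domain names and the verify-cache path are placeholders, not values from the thread.

```ini
# --- Before: forwarding without verification (constructed example) ---
# Postfix accepts any recipient that a virtual alias maps to the remote
# server, then bounces to the (forged) sender when the remote rejects it.
virtual_alias_domains = myclientsdomain.example
virtual_alias_maps = hash:/etc/postfix/virtual
# /etc/postfix/virtual contains, for example:
#   user@myclientsdomain.example   user@otherserver.example
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- After: probe the final destination before accepting at RCPT TO ---
# reject_unverified_recipient sends a probe through normal address
# rewriting, so the virtual alias is expanded and the probe reaches
# otherserver.example; if that server rejects it, the spammer gets the
# rejection during its own SMTP session and no bounce is generated here.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unverified_recipient

# Persist probe results across restarts (path is a placeholder).
address_verify_map = btree:/var/lib/postfix/verify_cache
# Envelope sender of the probes; use an address that accepts mail, since
# remote sites may verify it in return.
address_verify_sender = postmaster@myclientsdomain.example
# Postfix defaults to a temporary 450 so a broken verification setup is
# not fatal; switch to a permanent 550 once probes are known to work.
unverified_recipient_reject_code = 550
# Cache lifetimes: known-good addresses for a day, known-bad for 3 hours,
# so a transient outage at the remote does not poison the cache for long.
address_verify_positive_expire_time = 1d
address_verify_negative_expire_time = 3h
```

Verification only helps when otherserver.example itself rejects unknown recipients at RCPT TO; a remote catch-all domain will verify as deliverable, and the probe traffic is visible to the remote administrator, so coordinate with them as Jarek suggests.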