Backscatter started again

Hi

I have not been listed on Backscatter for more than 2.5 years as I configured the mail server to stop it, but for some reason which I can’t work out I have been listed again.

When I telnet into the mail server and run a test as below, I get a reject status.

I would be most grateful to anyone for taking a look at my conf files to see if they can see anything.

telnet mail.mydomain.co.uk 25
helo mail.mydomain.co.uk
MAIL FROM:
250 2.1.0 Ok
RCPT TO:
550 5.1.1 : Recipient address rejected: User unknown

main.cf

biff = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_name = mail.mydomain.co.uk
smtpd_banner = ESMTP $mail_name
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
myhostname = server.mydomain.co.uk
mydomain = server.mydomain.co.uk
inet_protocols = ipv4
#inet_interfaces = 127.0.0.1, my.ip.addr.ess
inet_interfaces = all
smtp_bind_address = my.ip.addr.ess
mydestination = $myhostname, localhost.$mydomain, localhost, server.mydomain.co.uk
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, my.ip.addr.range/24, 109.123.101.0/24
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
bounce_size_limit = 2000
message_size_limit = 40960000
header_size_limit = 402400
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 20
smtpd_hard_error_limit = 20
smtpd_junk_command_limit = 20
# qmgr_message_active_limit = 10000 # default 20000
strict_rfc821_envelopes = yes
show_user_unknown_table_name = no
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/

2bounce_notice_recipient = postmaster@mydomain.co.uk
error_notice_recipient = postmaster@mydomain.co.uk
bounce_notice_recipient = postmaster@mydomain.co.uk

header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks

# Reject codes

access_map_reject_code = 554
defer_code = 450
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
non_fqdn_reject_code = 504
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450

# SMTP restrictions

smtpd_client_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    check_client_access regexp:/etc/postfix/client_restrictions,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
    warn_if_reject reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client

smtpd_helo_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    check_helo_access regexp:/etc/postfix/helo.regexp,
#   reject_non_fqdn_helo_hostname,
    warn_if_reject reject_invalid_helo_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
#   warn_if_reject reject_unknown_helo_hostname,
    permit

smtpd_etrn_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject

smtpd_sender_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    check_client_access regexp:/etc/postfix/client_restrictions,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    warn_if_reject reject_unverified_sender,
    permit

smtpd_recipient_restrictions = permit_mynetworks,
    permit_inet_interfaces,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access regexp:/etc/postfix/client_restrictions,
    check_policy_service unix:/var/spool/postfix/postgrey/socket,
#   check_policy_service unix:private/policy-spf,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unverified_recipient,
# Added reject_unverified_recipient 7-5-19 for trying to stop Backscatter
    reject_unlisted_recipient,
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    warn_if_reject reject_unknown_client,
# Added warn_if_reject 1st Feb 2018 for overcoming too many "Client host rejected: cannot find your hostname"
    warn_if_reject reject_unknown_hostname,
    reject_unauth_pipelining,
#   check_sender_access hash:/etc/postfix/blacklisted_domains,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client zen.spamhaus.org,
    permit

smtpd_data_restrictions = reject_unauth_pipelining,
    reject_multi_recipient_bounce,
    permit

smtpd_timeout = 300s
smtp_destination_rate_delay = 1s
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.co.uk/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.co.uk/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# NOTE: tls_high_cipherlist is set twice in this file; Postfix takes the last
# definition (the one below) and warns "overriding earlier entry" for the one above.
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock

policy-spf_time_limit = 3600s

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
my.ip.addr.ess:smtp       inet  n  -  n  -      200  smtpd
  -o smtpd_sasl_auth_enable=yes
my.ip.addr.ess:submission inet  n  -  n  -      -    smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_security_level=may
  -o tls_preempt_cipherlist=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n  -  n  -      -    smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n  -  n  -      -    qmqpd
pickup     fifo  n  -  n  60     1    pickup
cleanup    unix  n  -  n  -      0    cleanup
qmgr       fifo  n  -  n  300    1    qmgr
#qmgr      fifo  n  -  n  300    1    oqmgr
tlsmgr     unix  -  -  n  1000?  1    tlsmgr
rewrite    unix  -  -  n  -      -    trivial-rewrite
# bounce   unix  -  -  n  -      0    bounce
# NOTE: the "bounce" service runs discard(8) here instead of bounce(8) (as posted)
bounce     unix  -  -  n  -      0    discard
defer      unix  -  -  n  -      0    bounce
trace      unix  -  -  n  -      0    bounce
verify     unix  -  -  n  -      1    verify
flush      unix  n  -  n  1000?  0    flush
proxymap   unix  -  -  n  -      -    proxymap
proxywrite unix  -  -  n  -      1    proxymap
smtp       unix  -  -  n  -      -    smtp
# policy-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay      unix  -  -  n  -      -    smtp
  -o smtp_fallback_relay=
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq      unix  n  -  n  -      -    showq
error      unix  -  -  n  -      -    error
retry      unix  -  -  n  -      -    error
discard    unix  -  -  n  -      -    discard
local      unix  -  n  n  -      -    local
virtual    unix  -  n  n  -      -    virtual
lmtp       unix  -  -  n  -      -    lmtp
anvil      unix  -  -  n  -      1    anvil
scache     unix  -  -  n  -      1    scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -  n  n  -  -  pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -  n  n  -  -  pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -  n  n  -  -  pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -  n  n  -  -  pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -  n  n  -  -  pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -  n  n  -  -  pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix - n n - 2 pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -  n  n  -  -  pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
#submission inet n  -  n  -  -  smtpd
#  -o smtpd_sasl_auth_enable=yes
127.0.0.1:smtp       inet  n  -  n  -  200  smtpd
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:submission inet  n  -  n  -  -    smtpd

header_checks

## Header checks file
#### Checks are done in order, top to bottom.
#### /etc/postfix/header_checks
### How to check a regex on the command line:
### echo 'mail-db5eur01on0084.outbound.protection.outlook.com' | grep -e '^\S*\.outlook\.com$'

# non-RFC compliance

/[^[:print:]]{7}/ REJECT RFC2047

/^.=20[a-z]=20[a-z]=20[a-z]=20[a-z]*/ REJECT RFC822

# six or more question marks; the "?" must be escaped or the expression is invalid
/(.*)\?{6,}/ REJECT RFC822

/(.*)[X|x]{3,}/ REJECT RFC822

# Unreadable non-ASCII / unprintable text

# matches the "=?charset?" of an RFC 2047 encoded word; without the escaped "?"
# every part of the pattern is optional and every Subject line is rejected
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)\?/ REJECT Unreadable
/^Content-Type:.*charset="?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8|iso-2022-jp)/ REJECT Unreadable

# Subject checks

# As pasted, this pattern ends in a plain space and therefore matches almost every
# Subject; the character the rule was written for did not survive copying.
/^Subject:.* / REJECT Space
/^Subject:.*r[ _.*-]+o[ _.*-]+l[ _.*-]+e[ _.*-]+x/ REJECT Hidden Words
/^Subject:.*p[ _.*-]+o[ _.*-]+r[ _.*-]+n/ REJECT Hidden Words

# Character set checks

# charset group made mandatory: with a trailing "?" the rule matched any charset
/^(Content-Type:.*|\s+)charset\s*=\s*"?(Windows-1251)/ REJECT Bad Content Type

# Backscatter checks

# a "/" inside a "/"-delimited pattern must be escaped, otherwise Postfix reads
# "report;..." as pattern flags and refuses the rule
/^Content-Type: multipart\/report; report-type=delivery-status;/ REJECT no third-party DSNs
/^Content-Type: message\/delivery-status; / REJECT no third-party DSNs

# Attachments

# pattern and action must be on one line; the ".*" and "\." lost in pasting are restored
/^Content-(Type|Disposition):.*(file)?name=.*\.(ade|adp|asd|asf|asx|bat|bhx|chm|cil|cmd|com|cpl|dll|elm|exe|gif|hlp|hta|jse|lnk|mda|mdb|mde|mdw|mim|msi|msp|nws|ocx|pif|reg|scr|sct|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wmf|wms|wmz|wmd|wsc|wsf|wsh|wsz)/ REJECT Bad Attachment .${3}

# Backscatter mail from virus scanners

/^Subject:.*Anti-Virus Notification/ REJECT Virus Notification
/^Subject:.*due to virus/ REJECT Virus Notification
/^Subject:.*email contains VIRUS/ REJECT Virus Notification
/^Subject:.*InterScanMSS/ REJECT Virus Notification
/^Subject:.*ScanMail for Lotus/ REJECT Virus Notification
/^Subject:.*Symantec AntiVirus/ REJECT Virus Notification
/^Subject:.*Virus Detected by Network Associates/ REJECT Virus Notification
/^subject:.*virus found/ REJECT Virus Notification
/^subject:.*Virus Infection Alert/ REJECT Virus Notification

# Known spammers or unsolicited commercial email

/^Received:.*bellevuellc.com/ REJECT Blacklisted
/^Received:.*ccsurvey.com/ REJECT Blacklisted
/^Received:.*cmptechdirect.com/ REJECT Blacklisted
/^Received:.*dartmail.net/ REJECT Blacklisted
/^Received:.*ema10.net/ REJECT Blacklisted
/^Received:.*evmailer.com/ REJECT Blacklisted
/^Received:.*netline.com/ REJECT Blacklisted
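An added example, not part of the post above and not a Postfix tool: a small linter that reads a regexp-table header_checks file the way Postfix's regexp_table(5) does (first character is the delimiter, backslash escapes the next character, then flag letters, whitespace and the action) and reports two faults that are visible in the file as pasted. An unescaped `/` inside a `/`-delimited pattern (the `multipart/report` rules) makes Postfix read `report;...` as flags and refuse the rule, and an all-optional pattern such as `=?(GB2312|...)?` matches every Subject line. Python's `re` stands in for the POSIX regex engine Postfix uses, so POSIX classes such as `[[:print:]]` are reported rather than checked. The sample table and the innocuous test headers are constructed for this example.

```python
"""Lint a Postfix regexp: header_checks table for two common paste/edit mistakes."""
import re

# Constructed, innocuous headers: a rule that fires on one of these will
# reject ordinary mail as well as whatever it was written to catch.
INNOCUOUS_HEADERS = (
    "Subject: Meeting notes for Tuesday",
    "Content-Type: text/plain; charset=utf-8",
    'Content-Type: multipart/mixed; boundary="b1"',
)

# Constructed sample table: two rules as they appear in the post (the forum
# software ate the backslashes), the corrected form of each, and one rule
# that is fine as written.
SAMPLE_TABLE = r"""# Backscatter checks
/^Content-Type: multipart/report; report-type=delivery-status;/ REJECT no third-party DSNs
/^Content-Type: multipart\/report; report-type=delivery-status;/ REJECT no third-party DSNs
# Unreadable charsets
/^Subject:.*=?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)?/ REJECT Unreadable
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)\?/ REJECT Unreadable
# Hidden words
/^Subject:.*r[ _.*-]+o[ _.*-]+l[ _.*-]+e[ _.*-]+x/ REJECT Hidden Words
"""


def split_rule(line):
    """Split '/pattern/flags ACTION text' the way regexp_table(5) does.

    The first character is the delimiter; a backslash escapes the next
    character, so '\\/' is a literal slash inside a '/'-delimited pattern.
    Returns (pattern, flags, action) or raises ValueError when Postfix would
    reject the line (no closing delimiter, or junk where the flags belong).
    """
    delim = line[0]
    i = 1
    while i < len(line) and line[i] != delim:
        i += 2 if line[i] == "\\" else 1
    if i >= len(line):
        raise ValueError("missing closing delimiter %r" % delim)
    pattern, rest = line[1:i], line[i + 1:]
    m = re.match(r"([A-Za-z]*)\s+(\S.*)$", rest)
    if m is None:
        raise ValueError("text after the pattern is not flags and an action: %r" % rest[:24])
    return pattern, m.group(1), m.group(2)


def lint_table(text):
    """Return [(line_number, message)] for rules Postfix would reject or that
    would match ordinary mail.  Blank lines and '#' comments are skipped."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            pattern, _flags, action = split_rule(line)
        except ValueError as err:
            findings.append((n, "unparseable rule: %s" % err))
            continue
        try:
            # regexp_table(5) patterns are case-insensitive unless the 'i' flag is negated
            rx = re.compile(pattern, re.IGNORECASE)
        except re.error as err:
            findings.append((n, "not checked, Python re cannot compile it (%s)" % err))
            continue
        hits = [h for h in INNOCUOUS_HEADERS if rx.search(h)]
        if hits:
            findings.append((n, "over-broad: '%s' would also fire on %r" % (action, hits[0])))
    return findings


if __name__ == "__main__":
    for n, msg in lint_table(SAMPLE_TABLE):
        print("line %d: %s" % (n, msg))
```

Run it against the real file with `lint_table(open("/etc/postfix/header_checks").read())`; a clean table produces no findings. The same parsing applies to `regexp:` body_checks and access tables, but not to `pcre:` tables, whose syntax Python's `re` follows much more closely.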

Hi @applejack

I’m having the exact same problem. Did you manage to come right, and what was the resolution if you did?

If you check your IP on backscatter it should give you a date & time to check in your mail logs. i.e. who you were sending an email to or sending a bounce back to. I suspect it was the latter and that the sender was spoofed.

Thanks @Dibs… You are correct, it is the latter. What I was looking for was the correct config string/s in main.cf to stop this type of behavior. I tried googling, and applied some settings, but there were hiccups…

I was also caught out by backscatterer and followed the advice on https://www.linuxbabe.com/mail-server/block-email-spam-postfix except for the greylisting - cut down the spam being received massively and got off backscatterer.

HIH

Dibs

@Dibs, thank you for the link! I hadn’t tried that one. I will go through the article, apply what’s there and see what happens.
As Backscatterer.org keeps the listings in for a month, I’ll only see if it’s fully effective after the middle of next month. The real acid test will be that.
I will make a note to report after the 15th December 2019, to see how effective this has been.

@neural, you should see some indication in the server log files. It is kind of “idiot” to only wait after every change and look after x days at that list. (I think I don’t understand your reply here :wink:

Mail delivery failures could be an indication for… mostly when using forwards or mail contact forms.

I don’t mean you are … :wink: but one could take some precautions upfront, with log file info.

Read also before taking such, as only one example:
Use the following line to reject non fully qualified HELO/EHLO hostname.

reject_non_fqdn_helo_hostname

You could miss important mails for you or clients if too strict, while a lot of mail services are not configured 100%! You need to do it right, in the right order!

Read here for example:

https://unix.stackexchange.com/questions/91749/helo-command-rejected-need-fully-qualified-hostname-error

https://en.wikipedia.org/wiki/Backscatter_(email)

Hi @Jfro,
For sure, you’re right. I was always planning on checking my logs… I picked up the time when the backscatter occurred, checked the logs at that time, and saw what was causing it. Also do checks like “grep status=bounced mail.log” etc. I will definitely be checking the logs, especially to see if there are false positives, as in legitimate mail trying to get in being blocked etc… Maybe I wasn’t so verbose in my previous response, but the last “check” would be when I’d been delisted from backscatterer.org and not put right back on again.
I do prefer the command line to gui, so checking logs etc, not a problem to me, and what I do on a daily basis at some point.

Thanks for the input - much appreciated.
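As an added example of the log check described in this thread (not code from the thread and not a Postfix tool): correlate queue IDs in a Postfix log so that every `sender non-delivery notification` is traced back to the client that delivered the original message, its envelope sender (who receives the DSN), and why the message was accepted and then failed: forwarded to an external mailbox that rejected it, or accepted for a non-existent local user and bounced by local(8). DSNs for mail submitted by an authenticated user or from trusted networks are left out, since telling your own users about a bad address is legitimate. The log excerpt is constructed; `mydomain.co.uk` and the loopback prefix are assumed defaults for the local domain and the trusted networks, and the line parser handles Postfix's short-format (uppercase hex) queue IDs.

```python
"""Trace Postfix non-delivery notifications back to the accepted message that caused them."""
import re
from collections import defaultdict

# Constructed log excerpt in Postfix syslog format (not from the poster's server).
# Three messages: a forged-sender message to a forwarding alias that the remote
# host rejected; a forged-sender message accepted for a non-existent local user
# and bounced by local(8); and a typo'd address in mail submitted by an
# authenticated user, whose DSN is legitimate.
SAMPLE_LOG = """\
Dec  1 10:02:11 server postfix/smtpd[1234]: 1A2B3C4D5E: client=unknown[203.0.113.5]
Dec  1 10:02:11 server postfix/qmgr[1100]: 1A2B3C4D5E: from=<victim@example.org>, size=2310, nrcpt=1 (queue active)
Dec  1 10:02:12 server postfix/smtp[1236]: 1A2B3C4D5E: to=<user@mailbox.example>, orig_to=<alias@mydomain.co.uk>, relay=mx.mailbox.example[192.0.2.7]:25, delay=1.1, delays=0.5/0/0.3/0.3, dsn=5.1.1, status=bounced (host mx.mailbox.example[192.0.2.7] said: 550 5.1.1 user unknown)
Dec  1 10:02:12 server postfix/bounce[1237]: 1A2B3C4D5E: sender non-delivery notification: 6F7A8B9C0D
Dec  1 10:02:12 server postfix/qmgr[1100]: 6F7A8B9C0D: from=<>, size=4120, nrcpt=1 (queue active)
Dec  1 10:02:13 server postfix/smtp[1236]: 6F7A8B9C0D: to=<victim@example.org>, relay=mx.example.org[198.51.100.9]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Dec  1 10:05:40 server postfix/smtpd[1240]: 2B3C4D5E6F: client=unknown[203.0.113.77]
Dec  1 10:05:40 server postfix/qmgr[1100]: 2B3C4D5E6F: from=<someone@example.net>, size=1780, nrcpt=1 (queue active)
Dec  1 10:05:41 server postfix/local[1241]: 2B3C4D5E6F: to=<nobody-here@mydomain.co.uk>, relay=local, delay=0.3, delays=0.2/0/0/0.1, dsn=5.1.1, status=bounced (unknown user: "nobody-here")
Dec  1 10:05:41 server postfix/bounce[1237]: 2B3C4D5E6F: sender non-delivery notification: 7A8B9C0D1E
Dec  1 10:05:41 server postfix/qmgr[1100]: 7A8B9C0D1E: from=<>, size=3900, nrcpt=1 (queue active)
Dec  1 10:05:42 server postfix/smtp[1236]: 7A8B9C0D1E: to=<someone@example.net>, relay=mx.example.net[198.51.100.20]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 Ok)
Dec  1 11:00:05 server postfix/smtpd[1250]: 3C4D5E6F7A: client=host.isp.example[192.0.2.200], sasl_method=PLAIN, sasl_username=bob@mydomain.co.uk
Dec  1 11:00:05 server postfix/qmgr[1100]: 3C4D5E6F7A: from=<bob@mydomain.co.uk>, size=900, nrcpt=1 (queue active)
Dec  1 11:00:06 server postfix/smtp[1236]: 3C4D5E6F7A: to=<typo@example.com>, relay=mx.example.com[198.51.100.30]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=5.1.1, status=bounced (host mx.example.com said: 550 No such user)
Dec  1 11:00:06 server postfix/bounce[1237]: 3C4D5E6F7A: sender non-delivery notification: 8B9C0D1E2F
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{8,}): (?P<rest>.*)$")  # short-format queue IDs only


def field(rest, name):
    """Extract one key=value from a Postfix log line, stripping <> from addresses."""
    m = re.search(r"\b%s=(<[^>]*>|[^,\s]+)" % re.escape(name), rest)
    return m.group(1).strip("<>") if m else None


def classify(fail):
    """Describe why a message that had already been accepted could not be delivered."""
    if fail["relay"] == "local":
        return "accepted, then bounced by local(8) for an unknown user"
    if fail["orig_to"]:
        return "accepted for %s and forwarded to %s, which rejected it" % (fail["orig_to"], fail["to"])
    return "accepted, then rejected downstream by %s" % fail["relay"]


def find_backscatter(log_text, local_domains=("mydomain.co.uk",), trusted_prefixes=("127.",)):
    """Return one finding per delivery failure whose DSN went to an unverified external sender.

    local_domains and trusted_prefixes are assumptions for this example (the
    thread's domain and the loopback net); add your own mynetworks ranges.
    """
    msgs = defaultdict(lambda: {"failures": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, rest, rec = m["prog"], m["rest"], msgs[m["qid"]]
        if prog == "smtpd" and rest.startswith("client="):
            rec["client"] = field(rest, "client")
            rec["sasl_username"] = field(rest, "sasl_username")
        elif prog == "qmgr" and rest.startswith("from="):
            rec["from"] = field(rest, "from")
        elif "status=bounced" in rest:
            rec["failures"].append({k: field(rest, k) for k in ("to", "orig_to", "relay")})
        elif prog == "bounce" and "sender non-delivery notification:" in rest:
            rec["dsn_qid"] = rest.rsplit(":", 1)[1].strip()  # queue ID of the DSN we sent out

    findings = []
    for qid, rec in msgs.items():
        sender = rec.get("from")
        if "dsn_qid" not in rec or not sender:
            continue  # no DSN generated, or null sender: nobody to bounce to
        if rec.get("sasl_username"):
            continue  # our own authenticated user is told about a bad address: legitimate DSN
        client = rec.get("client") or ""
        ip = client[client.rfind("[") + 1:client.rfind("]")] if "[" in client else ""
        if ip.startswith(trusted_prefixes):
            continue
        if not client and sender.rpartition("@")[2].lower() in local_domains:
            continue  # submitted locally (pickup) under one of our own domains
        for fail in rec["failures"]:
            findings.append({"qid": qid, "client_ip": ip or "local submission",
                             "bounced_to": sender, "dsn_qid": rec["dsn_qid"],
                             "why": classify(fail)})
    return findings


if __name__ == "__main__":
    for f in find_backscatter(SAMPLE_LOG):
        print("%(qid)s from %(client_ip)s: DSN %(dsn_qid)s sent to <%(bounced_to)s>; %(why)s" % f)
```

Feed it the slice of /var/log/maillog around the timestamp Backscatterer reports; each finding names the alias, forward or catch-all that accepted the message, which is the thing to fix (verify the recipient at SMTP time with `reject_unverified_recipient`, or stop forwarding to mailboxes that reject) rather than the DSN itself.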

We had one USER / client “abusing” with a wrongly configured contact PHP form and more, almost 2 years of sh…it. Now this customer is gone, no problem anymore.

Was using email addresses in the contact form (from another server / mail address from him) and having on Virtualmin mail addresses forwarded and some more, lots of shouting on the phone that his form was 100% ok, safe and secure. Now he is gone I have much more time and peace of mind…

:wink:

He didn’t have budget, and I can’t help with PHP from customers being “webadmins”.

Yes, sometimes people know just enough to be dangerous…
Glad you got rid of your problem client, so much better to rather let them go.
:smiley:

Anyone know where user mail forwarding addresses are stored so I can check easily across multiple accounts rather than having to go into each one in VM ?

Hi, sorry for being late, I did say I would post results after 15 December…
After going through the link that @Dibs sent, and cherry picking, I’m happy to report that I’ve not experienced backscatter again!

Hi neural

Do you have any client contact forms or email accounts sending / forwarding to external addresses as I suspect that is the root of my issue which I am in the process of resolving, rather than my Postfix conf.

Hi @applejack,

I suspect this is another topic. Rather open a new topic, if you want answers, else people are gonna ignore this as it’s not to do with the main thread.
I’ll send you a pm, and I can see if I can assist.