Backscatter started again

11 posts / 0 new
Last post
#1 Wed, 05/08/2019 - 06:11
applejack

Backscatter started again

Hi

I have not been listed on Backscatter for more than 2.5 years as I configured the mail server to stop it but for some reason which I can't work I have been listed again.

When I telnet into the mail server and run a test as below I get a reject status

I would be most grateful to anyone for taking at look at my conf files and to see if they can see anything.

telnet mail.mydomain.co.uk 25
helo mail.mydomain.co.uk
MAIL FROM: <victim@domain.com>
250 2.1.0 Ok
RCPT TO: <NoSuchUser@mydomain.com>
550 5.1.1 <NoSuchUser@mydomain.com>: Recipient address rejected: User unknown

main.cf

biff = no
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_name = mail.mydomain.co.uk
smtpd_banner = ESMTP $mail_name
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
myhostname = server.mydomain.co.uk
mydomain = server.mydomain.co.uk
inet_protocols = ipv4
#inet_interfaces = 127.0.0.1, my.ip.addr.ess
inet_interfaces = all
smtp_bind_address = my.ip.addr.ess
mydestination = $myhostname, localhost.$mydomain, localhost, server.mydomain.co.uk
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8, my.ip.addr.range/24, 109.123.101.0/24
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
bounce_size_limit = 2000
message_size_limit = 40960000
header_size_limit = 402400
maximal_queue_lifetime = 1d
bounce_queue_lifetime = 1d
smtpd_helo_required = yes
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10
smtpd_soft_error_limit = 20
smtpd_hard_error_limit = 20
smtpd_junk_command_limit = 20
# qmgr_message_active_limit = 10000 # default 20000
strict_rfc821_envelopes = yes
show_user_unknown_table_name = no
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/samples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
home_mailbox = Maildir/

2bounce_notice_recipient = postmaster@mydomain.co.uk
error_notice_recipient = postmaster@mydomain.co.uk
bounce_notice_recipient = postmaster@mydomain.co.uk

header_checks = regexp:/etc/postfix/header_checks
#body_checks = regexp:/etc/postfix/body_checks

### Reject codes
access_map_reject_code = 554
defer_code = 450
invalid_hostname_reject_code = 501
maps_rbl_reject_code = 554
non_fqdn_reject_code = 504
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450

### SMTP Restrictions
smtpd_client_restrictions = permit_mynetworks,
permit_inet_interfaces,
permit_sasl_authenticated,
check_client_access regexp:/etc/postfix/client_restrictions,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
warn_if_reject reject_unknown_reverse_client_hostname,
                            warn_if_reject reject_unknown_client
                           
                           
smtpd_helo_restrictions = permit_mynetworks,
  permit_inet_interfaces,
  permit_sasl_authenticated,
                          check_helo_access regexp:/etc/postfix/helo.regexp,
                          # reject_non_fqdn_helo_hostname,
                          warn_if_reject reject_invalid_helo_hostname,
                          warn_if_reject reject_non_fqdn_helo_hostname,
                          # warn_if_reject reject_unknown_helo_hostname,
                          permit
                         
smtpd_etrn_restrictions = permit_mynetworks,
  permit_inet_interfaces,
  permit_sasl_authenticated,
                          reject
                         
smtpd_sender_restrictions = permit_sasl_authenticated,
permit_mynetworks,
check_client_access regexp:/etc/postfix/client_restrictions,
                            reject_non_fqdn_sender,
                            reject_unknown_sender_domain,
                            reject_unknown_address,
                            warn_if_reject reject_unverified_sender,
                            permit

smtpd_recipient_restrictions = permit_mynetworks,
   permit_inet_interfaces,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_client_access regexp:/etc/postfix/client_restrictions,
                               check_policy_service unix:/var/spool/postfix/postgrey/socket,
                              # check_policy_service unix:private/policy-spf,
   reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               reject_unknown_sender_domain,
                               reject_unknown_recipient_domain,
                               reject_unverified_recipient,
                               # Added reject_unverified_recipient 7-5-19 for trying to stop Backscatter
                               reject_unlisted_recipient,
                               reject_multi_recipient_bounce,
                               reject_non_fqdn_hostname,
                               reject_invalid_hostname,
                               warn_if_reject reject_unknown_client,
                               # Added warn_if_reject 1st Feb 2018 for overcoming too many Client host rejected: cannot find your hostname
                               warn_if_reject reject_unknown_hostname,
                               reject_unauth_pipelining,
                               # check_sender_access hash:/etc/postfix/blacklisted_domains,
                               reject_rbl_client cbl.abuseat.org,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client ix.dnsbl.manitu.net,
       reject_rbl_client zen.spamhaus.org,
   permit

smtpd_data_restrictions = reject_unauth_pipelining,
                          reject_multi_recipient_bounce,
                          permit                           


smtpd_timeout = 300s
smtp_destination_rate_delay = 1s
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.co.uk/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.co.uk/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/mydomain.co.uk/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3

smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high

# smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
# smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

# tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
# tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES


milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock
non_smtpd_milters = inet:localhost:8891,local:/var/run/milter-greylist/milter-greylist.sock
# policy-spf_time_limit = 3600s

master.cf

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
my.ip.addr.ess:smtp inet n - n - 200 smtpd -o smtpd_sasl_auth_enable=yes
my.ip.addr.ess:submission inet n - n - - smtpd
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_security_level=may
  -o tls_preempt_cipherlist=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
# bounce    unix  -       -       n       -       0       bounce
bounce    unix  -       -       n       -       0       discard
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# policy-spf    unix  -       n       n       -       0       spawn user=nobody argv=/usr/bin/perl /usr/lib/postfix/postfix-policyd-spf-perl
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
#submission inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
127.0.0.1:smtp inet n - n - 200 smtpd -o smtpd_sasl_auth_enable=yes
127.0.0.1:submission inet n - n - - smtpd

header_checks

## Header checks file
#### Checks are done in order, top to bottom.
#### /etc/postfix/header_checks
### How to check regex on command line
### echo 'mail-db5eur01on0084.outbound.protection.outlook.com' | grep -e '^\S*\.outlook\.com$'

#### non-RFC Compliance
/[^[:print:]]{7}/  REJECT RFC2047
# /^.*=20[a-z]*=20[a-z]*=20[a-z]*=20[a-z]*/ REJECT RFC822
# /(.*)?\{6,\}/ REJECT RFC822
/(.*)[X|x]\{3,\}/ REJECT RFC822

#### Unreadable NON-acsii un-printable text
/^Subject:.*=\?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8)\?/ REJECT Unreadable
/^Content-Type:.*charset="?(GB2312|big5|euc-kr|ks_c_5601-1987|koi8|iso-2022-jp)/ REJECT Unreadable

#### Subject checks
/^Subject:.*      / REJECT Space
/^Subject:.*r[ _\.\*\-]+o[ _\.\*\-]+l[ _\.\*\-]+e[ _\.\*\-]+x/ REJECT Hidden Words
/^Subject:.*p[ _\.\*\-]+o[ _\.\*\-]+r[ _\.\*\-]+n/ REJECT Hidden Words

#### Character Set Checks
/^(Content-Type:.*|\s+)charset\s*=\s*"?(Windows-1251)\?/ REJECT Bad Content Type

#### Backscatter checks
/^Content-Type: multipart\/report; report-type=delivery-status\;/ REJECT no third-party DSNs
/^Content-Type: message\/delivery-status; / REJECT no third-party DSNs

#### Attachments
/^Content-(Type|Disposition):.*(file)?name=.*\.(ade|adp|asd|asf|asx|bat|bhx|chm|cil|cmd|com|cpl|dll|elm|exe|gif|hlp|hta|jse|lnk|mda|mdb|mde|mdw|mim|msi|msp|nws|ocx|pif|reg|scr|sct|shb|shm|shs|vb|vbe|vbs|vbx|vxd|wmf|wms|wmz|wmd|wsc|wsf|wsh|wsz)/
REJECT Bad Attachment .${3}

#### Backscatter mail from virus scanners
/^Subject:.*Anti-Virus Notification/ REJECT Virus Notification
/^Subject:.*due to virus/ REJECT Virus Notification
/^Subject:.*email contains VIRUS/ REJECT Virus Notification
/^Subject:.*InterScanMSS/ REJECT Virus Notification
/^Subject:.*ScanMail for Lotus/ REJECT Virus Notification
/^Subject:.*Symantec AntiVirus/ REJECT Virus Notification
/^Subject:.*Virus Detected by Network Associates/ REJECT Virus Notification
/^subject:.*virus found/ REJECT Virus Notification
/^subject:.*Virus Infection Alert/ REJECT Virus Notification

#### Known Spammers or Unsolicited Commercial Email
/^Received:.*bellevuellc.com/ REJECT Blacklisted
/^Received:.*ccsurvey.com/ REJECT Blacklisted
/^Received:.*cmptechdirect.com/ REJECT Blacklisted
/^Received:.*dartmail.net/ REJECT Blacklisted
/^Received:.*ema10.net/ REJECT Blacklisted
/^Received:.*evmailer.com/ REJECT Blacklisted
/^Received:.*netline.com/ REJECT Blacklisted
Fri, 11/22/2019 - 00:25
neural

Hi @applejack

I'm having the exact same problem. Did you manage to come right, and what was the resolution if you did?

Fri, 11/22/2019 - 11:31
Dibs

If you check your IP on backscatter it should give you a date & time to check in your mail logs. i.e. who you were sending an email to or sending a bounce back to. I suspect it was the latter and that the sender was spoofed.

Fri, 11/22/2019 - 11:51
neural

Thanks @Dibs.... You are correct it is the latter. What I was looking for was the correct config string/s in main.cf to stop this type of behavior. I tried googling, and applied some settings, but there were hiccups....

Fri, 11/22/2019 - 15:59 (Reply to #4)
Dibs

I was also caught out by backscatterer and followed the advice on https://www.linuxbabe.com/mail-server/block-email-spam-postfix except for the greylisting - cut down the spam being recieved massively and got off backscatterer.

HIH

Dibs

Sat, 11/23/2019 - 00:41 (Reply to #5)
neural

@Dibs, thank you for the link! I hadn't tried that one. I will go through the article, apply what's there and see what happens. As Backscatterer.org keeps the listings in for a month, I'll only see if it's fully effective after the middle of next month. The real acid test will be that. I will make a note to report after the 15th December 2019, to see how effective this has been.

Sat, 11/23/2019 - 06:42
Jfro

@neural you should see in log files server some indication it is kind of "idiot" to only wait after every change and look afters x days on thet list. ( i think i don't understand your reply here ;)

Mail delivery failures could be indication for... mostly when using forwards or mail contact forms.

I mean not you are .... ;) but one could take upfront some precautions. with log file info's

Read also before taking such as only 1 example :

Use the following line to reject non fully qualified HELO/EHLO hostname.

reject_non_fqdn_helo_hostname

You could mis important mails for you or clients if to strict while lot of mailservices are not configured 100% ! You need do do it right in right order!

Read here for example:

https://unix.stackexchange.com/questions/91749/helo-command-rejected-nee...

https://en.wikipedia.org/wiki/Backscatter_(email)

Mon, 11/25/2019 - 03:16
neural

Hi @Jfro, For sure, you're right. I was always planning on checking my logs.... I picked up the time when the backscatter occurred, checked the logs at that time, and saw what was causing it. Also do checks like "grep status=bounced mail.log" etc. I will definitely be checking the logs, especially to see if there are false positives, as in legitimate mail trying to get in being blocked etc... Maybe I wasn't so verbose in my previous response, but the last "check" would be when I'd been delisted from backscatterer.org and not put right back on again. I do prefer the command line to gui, so checking logs etc, not a problem to me, and what I do on a daily basis at some point.

Thanks for the input - much appreciated.

Mon, 11/25/2019 - 03:51
Jfro

We had one USER / client "abusing" with wrong configured and more contact php form, almost 2 years of sh..it now this custommers is gone no problem anymore.

Was using emailadresses in contact form ( from other server / mailadres from him ) and having on virtualmin mailadresses forwarded and some more, lot of shouting on the phone his form was 100% ok safe and secure , now he is gone i have much more time and peace of mind...

;)

He didn't has budget, and i can't help with php from custommers being "webadmins"

Mon, 11/25/2019 - 13:54
neural

Yes, sometimes people know just enough to be dangerous... Glad you got rid of your problem client, so much better to rather let them go. :D

Thu, 11/28/2019 - 14:51
applejack

Anyone know where user mail forwarding addresses are stored so I can check easily across multiple accounts rather than having to go into each one in VM ?

Topic locked