[SLE] Rejecting backscatter mail in postfix

From: Carlos E. R. (robin1.listas_at_tiscali.es)
Date: 11/27/04

    Date: Sat, 27 Nov 2004 22:03:43 +0100 (CET)
    To: SLE <suse-linux-e@suse.com>
    
    

    Hi,

    I'm receiving certain backscatter mail (i.e., mail sent by postmasters,
    consisting of rejecting a mail with a possible virus to the claimed
    originator, which, in the case of a virus, can be faked, and who is thus
    possibly innocent). In this case, the bounce I get includes the full viral
    load, which is a nuisance - and no, amavisd-new does not detect it.

    The problem is the "from":

      Return-Path: <>
      From: Mail Delivery System <Mailer-Daemon@mx.mixmail.com>

    I understand that the envelope-from is empty (!). See the log excerpt:

      Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP> MAIL FROM: <> SIZE=33229
      Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP< 250 Ok
      Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP> RCPT TO:<cer@localhost>
      Nov 26 23:57:25 nimrodel postfix/smtpd[14970]: 11CBE20C4D: client=localhost[127.0.0.1]
      Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP< 250 Ok
      Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP> DATA
      Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP< 354 End data with <CR><LF>.<CR><LF>
      Nov 26 23:57:25 nimrodel postfix/cleanup[14973]: 11CBE20C4D: message-id=<E1CXnY0-0001VL-00@mx.mixmail.com>

    I have this rule in '/etc/postfix/access', which works for many other
    similar emails:

      mailer-daemon@mx.mixmail.com REJECT Blocking backscatter mail from virus scanners

    but it doesn't trigger in this case :-(

    Ideas?

    Perhaps the problem could be that postfix is not checking the sender
    address for existence :-?

    That would be:

      smtpd_sender_restrictions = hash:/etc/postfix/access,reject_unknown_sender_domain

    But that would cause a DNS check for every mail, I suppose. What about
    reject_non_fqdn_sender?

    -- 
    Cheers,
           Carlos Robinson
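
Added example, not part of the original post: a simplified Python model of how a Postfix sender access table is consulted, run over the log excerpt and rule quoted above. It shows that the table is keyed on the envelope sender from MAIL FROM, which here is the null sender `<>`, so the key for the From: header address is never tried. The function names are hypothetical and the key order is a simplified reading of access(5).

```python
import re

# Access table as quoted in the post (key -> action); lookup keys are lowercased.
ACCESS = {"mailer-daemon@mx.mixmail.com":
          "REJECT Blocking backscatter mail from virus scanners"}

# Log lines copied from the fetchmail excerpt in the post.
LOG = """\
Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP> MAIL FROM: <> SIZE=33229
Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP< 250 Ok
Nov 26 23:57:25 nimrodel fetchmail[14958]: SMTP> RCPT TO:<cer@localhost>
"""
HEADER_FROM = "Mail Delivery System <Mailer-Daemon@mx.mixmail.com>"

def envelope_sender(log):
    """Return the address given in the SMTP MAIL FROM command ('' if null)."""
    m = re.search(r"SMTP> MAIL FROM:\s*<([^>]*)>", log)
    if m is None:
        raise ValueError("no MAIL FROM command in log")
    return m.group(1)

def lookup_keys(addr, null_key="<>"):
    """Keys tried for a sender address, in order (simplified access(5) model)."""
    addr = addr.lower()
    if not addr:
        return [null_key]  # default value of smtpd_null_access_lookup_key
    local, _, domain = addr.rpartition("@")
    labels = domain.split(".")
    keys = [addr] + [".".join(labels[i:]) for i in range(len(labels))]
    return keys + [local + "@"]

def sender_access(addr, table=ACCESS):
    """First matching action for this sender, or None (no rule applies)."""
    for key in lookup_keys(addr):
        if key in table:
            return table[key]
    return None

def header_address(value):
    """Address inside the angle brackets of a From: header value."""
    return re.search(r"<([^>]*)>", value).group(1)

if __name__ == "__main__":
    env = envelope_sender(LOG)
    print("envelope sender:", repr(env), "->", sender_access(env))
    hdr = header_address(HEADER_FROM)
    print("header From:    ", repr(hdr), "->", sender_access(hdr))
```

Matching on the From: header rather than the envelope is what Postfix's header_checks is for; a sender access table never sees that header.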
    
