
Thread: Backscatter email to only specific user

  1. #1
    Join Date: May 2007 | Posts: 37 | Rep Power: 8

    Backscatter email to only specific user

    Hey,

    We're seeing a lot of backscatter email (mainly "Mail Delivery Subsystem") to only one specific user here - no one else (out of about 150 people) has reported any problems.

    The mail is coming in about once every 10 to 15 minutes. SpamAssassin is running, and I double checked to see if the plugin as described here - VBounceRuleset - SpamAssassin Wiki - is enabled. It is.

    Below is the typical set of entries from zimbra.log for one of the backscatter emails. Please note we do not have anything configured in postfix, as detailed here - Dealing with backscatter, revisited / taint.org: Justin Mason's Weblog - as we've never run into issues like this before. It seems strange it is just for one user, however - is there a way to configure these postfix changes for just one user? Or is there a better way?


    Code:
    Oct 25 09:26:15 mail postfix/smtpd[6911]: connect from mx1.aist.go.jp[150.29.246.133]
    Oct 25 09:26:16 mail postfix/smtpd[6911]: 94713105B8001: client=mx1.aist.go.jp[150.29.246.133]
    Oct 25 09:26:16 mail postfix/cleanup[13517]: 94713105B8001: message-id=<201110251326.p9PDQBgG018861@rpsmtp2.aist.go.jp>
    Oct 25 09:26:17 mail postfix/qmgr[22490]: 94713105B8001: from=<>, size=27155, nrcpt=1 (queue active)
    Oct 25 09:26:17 mail amavis[13985]: (13985-13) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20111025T084830-13985: <> -> <user@our_domain.com> SIZE=27155 Received: from mail.our_domain.com ([127.0.0.1]) by localhost (mail.our_domain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <user@our_domain.com>; Tue, 25 Oct 2011 09:26:17 -0400 (EDT)
    Oct 25 09:26:17 mail amavis[13985]: (13985-13) Checking: UOCy8bjOCtqM [150.29.246.133] <> -> <user@our_domain.com>
    Oct 25 09:26:17 mail postfix/smtpd[6911]: disconnect from mx1.aist.go.jp[150.29.246.133]
    Oct 25 09:26:19 mail postfix/smtpd[15461]: connect from localhost.localdomain[127.0.0.1]
    Oct 25 09:26:19 mail postfix/smtpd[15461]: 06331105B8007: client=localhost.localdomain[127.0.0.1]
    Oct 25 09:26:19 mail postfix/cleanup[9125]: 06331105B8007: message-id=<201110251326.p9PDQBgG018861@rpsmtp2.aist.go.jp>
    Oct 25 09:26:19 mail postfix/smtpd[15461]: disconnect from localhost.localdomain[127.0.0.1]
    Oct 25 09:26:19 mail postfix/qmgr[22490]: 06331105B8007: from=<>, size=27877, nrcpt=1 (queue active)
    Oct 25 09:26:19 mail amavis[13985]: (13985-13) FWD via SMTP: <> -> <user@our_domain.com>,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 06331105B8007
    Oct 25 09:26:19 mail amavis[13985]: (13985-13) Passed CLEAN, [150.29.246.133] [150.29.254.34] <> -> <user@our_domain.com>, Message-ID: <201110251326.p9PDQBgG018861@rpsmtp2.aist.go.jp>, mail_id: UOCy8bjOCtqM, Hits: 4.715, size: 27155, queued_as: 06331105B8007, 1541 ms
    Oct 25 09:26:19 mail postfix/smtp[13520]: 94713105B8001: to=<user@our_domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.7, delays=1.2/0/0/1.5, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 06331105B8007)
    Oct 25 09:26:19 mail postfix/qmgr[22490]: 94713105B8001: removed
    Oct 25 09:26:19 mail postfix/lmtp[15462]: 06331105B8007: to=<user@our_domain.com>, relay=mail.our_domain.com[38.99.141.99]:7025, delay=0.1, delays=0.01/0/0.02/0.07, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Oct 25 09:26:19 mail postfix/qmgr[22490]: 06331105B8007: removed

    Release 7.1.3_GA_3346.RHEL5_64_20110928134520 CentOS5_64 FOSS edition.
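An added example, not code from the thread or from Zimbra: a small Python script that reads postfix qmgr/smtp lines shaped like the zimbra.log excerpt above, pairs each from=<> (null-sender) message with its recipient, and reports recipients that received at least a threshold of such messages inside a sliding time window, so backscatter aimed at one mailbox stands out from the ordinary trickle of bounces. The sample log lines, queue ids and the second address are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the zimbra.log excerpt above (queue ids and bob@ are made up).
SAMPLE_LOG = """\
Oct 25 09:26:17 mail postfix/qmgr[22490]: 94713105B8001: from=<>, size=27155, nrcpt=1 (queue active)
Oct 25 09:26:19 mail postfix/smtp[13520]: 94713105B8001: to=<user@our_domain.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
Oct 25 09:41:10 mail postfix/qmgr[22490]: B2C3D4E5F6A02: from=<>, size=26000, nrcpt=1 (queue active)
Oct 25 09:41:11 mail postfix/smtp[13520]: B2C3D4E5F6A02: to=<user@our_domain.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
Oct 25 09:55:40 mail postfix/qmgr[22490]: C3D4E5F6A7B03: from=<>, size=800, nrcpt=1 (queue active)
Oct 25 09:55:41 mail postfix/smtp[13520]: C3D4E5F6A7B03: to=<bob@our_domain.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
Oct 25 10:03:05 mail postfix/qmgr[22490]: D4E5F6A7B8C04: from=<>, size=27400, nrcpt=1 (queue active)
Oct 25 10:03:06 mail postfix/smtp[13520]: D4E5F6A7B8C04: to=<user@our_domain.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
"""
# The qmgr line carries queue id + envelope sender; the postfix/smtp hop into amavis carries the
# recipient. The re-injected copy is handed to postfix/lmtp, so one message is never counted twice.
QMGR_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
SMTP_RE = re.compile(r"^\S+ +\d+ \S+ \S+ postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>")

def null_sender_deliveries(log_text, year=2011):
    """Return (timestamp, recipient) pairs for messages whose envelope sender is empty."""
    null_ids, out = {}, []
    for line in log_text.splitlines():
        m = QMGR_RE.match(line)
        if m:
            ts, qid, sender = m.groups()
            if sender == "":  # from=<> marks a bounce/DSN, legitimate or backscatter
                null_ids[qid] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            continue
        m = SMTP_RE.match(line)
        if m and m.group(1) in null_ids:
            out.append((null_ids.pop(m.group(1)), m.group(2)))
    return out

def flag_backscatter_targets(log_text, window_minutes=60, threshold=3):
    """Map recipient -> peak number of null-sender messages seen inside any sliding window."""
    per_rcpt = defaultdict(list)
    for ts, rcpt in null_sender_deliveries(log_text):
        per_rcpt[rcpt].append(ts)
    flagged = {}
    for rcpt, times in per_rcpt.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_minutes * 60:
                start += 1  # slide the window start forward until it fits
            if end - start + 1 >= threshold:
                flagged[rcpt] = max(flagged.get(rcpt, 0), end - start + 1)
    return flagged
```

On the sample, only user@our_domain.com crosses the default threshold (three null-sender messages within an hour); a single bounce to another mailbox is left alone, which is the distinction that matters when you do not want to block legitimate NDRs.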

  2. #2
    Join Date: Apr 2008 | Location: New Paltz, NY | Posts: 336 | Rep Power: 7

    I can't speak on the configuration (since we have an external spam filter where I handle this, not within Zimbra) but do have one comment. It is just one user now, since some specific spammer has decided to spoof their from address in their mailings.

    I've seen this happen in the past and it typically goes away for that user in a few days, though it pops up now and again for others. In my experience though, dealing with backscatter generated in situations like this (without blocking legitimate NDRs) is one of the hardest things to do.

    For this situation, I usually set up a few rules for the individual to filter all such bounce messages to Junk. After a week or so, I disable them (assuming it has stopped).
    ---
    Paul Chauvet
    State University of New York at New Paltz

  3. #3
    Join Date: May 2007 | Posts: 37 | Rep Power: 8

    Thanks for the reply.

    Yeah, I'm going to set up filters for the user. It's been going on for nearly a month now, so not sure how soon it will stop.

    If anyone else has input on SpamAssassin dealing with this, it would be great. I'd like to at least figure out if SpamAssassin is seeing these emails / marking them as backscatter (although I'd assume no as they are getting through).

    Thanks
    Release 7.1.3_GA_3346.RHEL5_64_20110928134520 CentOS5_64 FOSS edition.

  4. #4
    Join Date: May 2007 | Posts: 37 | Rep Power: 8

    Also, if I run spamassassin -Lt email.txt - with email.txt being a cut + paste of "show original" for one of the spams, I see this:
    Code:
    Content analysis details:   (7.4 points, 5.0 required)
    
     pts rule name              description
    ---- ---------------------- --------------------------------------------------
     0.0 UNPARSEABLE_RELAY      Informational: message has unparseable relay lines
     0.4 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
     0.0 HTML_MESSAGE           BODY: HTML included in message
     2.2 MPART_ALT_DIFF         BODY: HTML and text parts are different
     1.7 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
     0.0 PART_CID_STOCK         Has a spammy image attachment (by Content-ID)
     0.0 DC_GIF_UNO_LARGO       Message contains a single large inline gif
     2.6 INVALID_MSGID          Message-Id is not valid, according to RFC 2822
     0.5 DC_IMAGE_SPAM_HTML     Possible Image-only spam

    SpamAssassin in test mode sees this as spam, yet the user is receiving it without any mention from SpamAssassin - is this correct?

    Release 7.1.3_GA_3346.RHEL5_64_20110928134520 CentOS5_64 FOSS edition.
