Thread: My Z6 is generating backscatter

  1. #1

    Apparently, for the first time in 4 or 5 years; I've never had a report of this before.

    First: to confirm that I understand what backscatter is: it appears that people are sending spam to my domain, *some* of which has invalid recipient addresses. If the address is valid, then it just delivers, gets junk-filed or not, and all is well. But if the recipient address is invalid on my domain, it appears my Z instance is *sending a bounce message*, and it is my understanding from reading the 9 ZForum threads y'all are going to send me to, and the underlying Postfix doco, that that's not supposed to happen.

    Herewith, an example (logs trimmed to the appropriate entries):

    Code:
    [root@benjamin tmp]# cat backscatter
    Dec  4 13:21:19 benjamin postfix/cleanup[7756]: 6B4401F002E9: message-id=<529f41dc.660c320a.77ad.ffffe295@mx.mainebiolab.com>
    Dec  4 13:21:25 benjamin postfix/cleanup[5945]: 778541F0026E: message-id=<529f41dc.660c320a.77ad.ffffe295@mx.mainebiolab.com>
    Dec  4 13:21:25 benjamin amavis[11829]: (11829-02) Passed SPAM, [178.167.27.41] [178.167.27.41] <ggp@meadorswall.com> -> <jra@baylink.com>, Message-ID: <529f41dc.660c320a.77ad.ffffe295@mx.mainebiolab.com>, mail_id: BAtxUG4aqHbk, Hits: 25.67, size: 30959, queued_as: 778541F0026E, 5038 ms
    
    Dec  4 13:23:29 benjamin postfix/cleanup[8018]: 5F1591F001F0: message-id=<529f41dc.660c320a.72ad.ffffe223@mx.cargohome.com>
    Dec  4 13:23:41 benjamin postfix/cleanup[8018]: 81AA3EF008A: message-id=<529f41dc.660c320a.72ad.ffffe223@mx.cargohome.com>
    Dec  4 13:23:41 benjamin amavis[12622]: (12622-12) Passed SPAM, [1.53.102.133] [1.53.102.133] <egutierrez@mediaone.com> -> <jra@baylink.com>, Message-ID: <529f41dc.660c320a.72ad.ffffe223@mx.cargohome.com>, mail_id: NGO+spd3Y1Nl, Hits: 25.281, size: 30916, queued_as: 81AA3EF008A, 11028 ms
    
    Dec  4 13:50:47 benjamin postfix/cleanup[10895]: E8C9E1F0026E: message-id=<529f41dc.660c320a.73ad.ffffe268@mx.cardinal-graphics.com>
    Dec  4 13:50:55 benjamin postfix/cleanup[10895]: 276271F004E9: message-id=<529f41dc.660c320a.73ad.ffffe268@mx.cardinal-graphics.com>
    Dec  4 13:50:55 benjamin amavis[14397]: (14397-13) Passed SPAM, [94.20.173.76] [94.20.173.76] <ygbraze@yahoo.com> -> <bin@baylink.com>,<valeriy@baylink.com>, Message-ID: <529f41dc.660c320a.73ad.ffffe268@mx.cardinal-graphics.com>, mail_id: gqVOVaHZk14s, Hits: 28.188, size: 30910, queued_as: 276271F004E9, 5013 ms
    
    Dec  4 15:41:34 benjamin postfix/cleanup[25415]: 1D9711F0015C: message-id=<529f41dc.660c320a.71ad.ffffe211@mx.detroit.net>
    Dec  4 15:41:40 benjamin postfix/cleanup[25415]: 90C241F001A6: message-id=<529f41dc.660c320a.71ad.ffffe211@mx.detroit.net>
    Dec  4 15:41:40 benjamin amavis[6738]: (06738-01) Passed SPAM, [134.17.140.21] [134.17.140.21] <lisarose_petillo@yahoo.com> -> <jra@baylink.com>, Message-ID: <529f41dc.660c320a.71ad.ffffe211@mx.detroit.net>, mail_id: ZyJjTqPq2-Ag, Hits: 29.535, size: 30915, queued_as: 90C241F001A6, 5366 ms
    
    Dec  4 20:57:39 benjamin postfix/cleanup[30438]: F0CBF1F001BD: message-id=<529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>
    Dec  4 20:57:44 benjamin postfix/cleanup[997]: B4CE31F001E5: message-id=<529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>
    Dec  4 20:57:44 benjamin amavis[3013]: (03013-03) Passed SPAM, [85.29.140.166] [85.29.140.166] <johnand@sbcglobal.net> -> <tanner@baylink.com>, Message-ID: <529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>, mail_id: 9zyTQrITlY90, Hits: 16.808, size: 30928, queued_as: B4CE31F001E5, 4914 ms
    
    Dec  4 20:57:44 benjamin postfix/smtpd[25903]: B4CE31F001E5: client=localhost.localdomain[127.0.0.1]
    Dec  4 20:57:44 benjamin postfix/cleanup[997]: B4CE31F001E5: message-id=<529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>
    Dec  4 20:57:44 benjamin postfix/qmgr[15322]: B4CE31F001E5: from=<johnand@sbcglobal.net>, size=31395, nrcpt=1 (queue active)
    Dec  4 20:57:44 benjamin amavis[3013]: (03013-03) FWD via SMTP: <johnand@sbcglobal.net> -> <tanner@baylink.com>,BODY=7BIT 250 2.0.0 Ok, id=03013-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4CE31F001E5
    Dec  4 20:57:44 benjamin postfix/error[988]: B4CE31F001E5: to=<tanner@baylink.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.0.0, status=bounced (baylink.com)
    Dec  4 20:57:44 benjamin amavis[3013]: (03013-03) Passed SPAM, [85.29.140.166] [85.29.140.166] <johnand@sbcglobal.net> -> <tanner@baylink.com>, Message-ID: <529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>, mail_id: 9zyTQrITlY90, Hits: 16.808, size: 30928, queued_as: B4CE31F001E5, 4914 ms
    Dec  4 20:57:44 benjamin postfix/smtp[994]: F0CBF1F001BD: to=<tanner@baylink.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.2, delays=2.3/0/0/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=03013-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4CE31F001E5)
    Dec  4 20:57:44 benjamin postfix/bounce[998]: B4CE31F001E5: sender non-delivery notification: B6D751F002C5
    Dec  4 20:57:44 benjamin postfix/qmgr[15322]: B4CE31F001E5: removed

    I left the first 3 in there because, though they had a valid address, I noted that the Message IDs were strikingly similar; I infer a botnet client, since the MXs were different (though I admittedly haven't looked up the IPs for them).

    The last one, though, is for an address with no mailbox. It appears to *me* that Zimbra is generating a bounce, as I understand that it is not supposed to.

    I cannot speak to whether this has been happening forever or it's a change; nonetheless my upstream (Road Runner) would very much like for me to stop it. It *feels* to me as if there are two layers of Zimbra involved here, and the one answering the incomings can't check for valid mailbox -- which would of course be fatal for me on this point, and I can't imagine that's so.

    So what am I missing, folks?
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
    Try to Ask Questions The Smart Way -- you'll get better answers.

    Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
    If you [SOLVE] something, please tell everyone how for the archives
    And, please... read what people write, and answer the questions they asked, not the ones they didn't.
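
An added example, not part of the original post: one way to pick backscatter candidates out of a Postfix log like the excerpt above, by correlating on queue ID a `status=bounced` delivery with the `sender non-delivery notification` line that follows it. The sample log is constructed; the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the same Postfix syslog format as the excerpt above
# (hostname, addresses and queue IDs are made up).
SAMPLE_LOG = """\
Dec  4 20:57:44 mail postfix/qmgr[15322]: AAAA11110001: from=<sender@example.net>, size=31395, nrcpt=1 (queue active)
Dec  4 20:57:44 mail postfix/error[988]: AAAA11110001: to=<nobody@example.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.0.0, status=bounced (example.com)
Dec  4 20:57:44 mail postfix/bounce[998]: AAAA11110001: sender non-delivery notification: BBBB22220002
Dec  4 20:57:44 mail postfix/qmgr[15322]: AAAA11110001: removed
Dec  4 20:58:01 mail postfix/qmgr[15322]: CCCC33330003: from=<other@example.org>, size=2048, nrcpt=1 (queue active)
Dec  4 20:58:02 mail postfix/lmtp[1001]: CCCC33330003: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:7025, delay=0.5, delays=0.1/0/0/0.4, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Dec  4 20:58:02 mail postfix/qmgr[15322]: CCCC33330003: removed
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")
FROM = re.compile(r"from=<([^>]*)>")
BOUNCED = re.compile(r"to=<([^>]*)>.*\bdsn=(5\.\d+\.\d+), status=bounced")
NDN = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")


def find_backscatter(log_text):
    """Return messages that were queued, bounced, and answered with an NDN."""
    msgs = defaultdict(lambda: {"sender": None, "bounced": [], "ndn": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "qmgr" and (f := FROM.match(rest)):
            rec["sender"] = f.group(1)      # envelope sender; forged in spam
        elif (t := BOUNCED.match(rest)):
            rec["bounced"].append((t.group(1), t.group(2)))
        elif daemon == "bounce" and (n := NDN.match(rest)):
            rec["ndn"] = n.group(1)         # queue ID of the outgoing bounce
    # A hit is a message accepted into the queue, then bounced, with an NDN
    # sent to the envelope sender: the pattern the poster's last message shows.
    return [
        {"queue_id": q, "ndn_to": r["sender"],
         "rejected": r["bounced"], "ndn_queue_id": r["ndn"]}
        for q, r in msgs.items() if r["ndn"] and r["bounced"]
    ]


if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_LOG):
        print(hit)
```

A non-empty result means the server accepted mail at SMTP time and rejected it only afterwards, which is when a bounce to the (possibly forged) sender gets generated.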

  2. #2
    phoenix is offline Zimbra Consultant & Moderator

    Quote (originally posted by Baylink):
        So what am I missing, folks?

    Perhaps "reject_unlisted_recipients" as mentioned in all (or most) of the documents you've read.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3

    So, Postfix gets this right, and Zimbra comes along behind them and gets it wrong?