Page 1 of 1

Backscatter

Posted: Thu Feb 02, 2017 9:08 pm
by osNomad
I recently had an issue with backscatter whereby my zimbra server is queueing and trying to resend the forged, bounced backscatter emails. I had 16k emails in my deferred queue and none of them were from a valid user on my domain. they did, however, all have an appropriate domain name after the @. example nonexistantuser@mydomain.com.

i wrote a script to delete forged messages from my deferred queue just to get them out of the way but it seems there should be a setting that I'm missing somewhere.

Im failing to see where i can protect myself from this happening again. does anyone have any insight that they could share?

tia

john

zimbra 8.6.0 ga 1153

Re: Backscatter

Posted: Thu Feb 02, 2017 10:39 pm
by vavai
Hi,

You can check it by :

1. Check whether your Zimbra server are open relay or not. MXtoolbox has online mail server test to see whether a mail server are open relay or not.
2. Try to catch the original spammer account, what is the result of :

Code: Select all

cat /var/log/zimbra.log | grep sasl_method
?

Normally, user with so many line listed as sasl_user name would be the original spammer account and you can take appropriate step to limit its spam source, something like lock the account, change its password to stronger one etc.

Re: Backscatter

Posted: Fri Feb 03, 2017 3:30 pm
by osNomad
thanks for your reply. I've checked for open relay and the checks I've run all report that I'm not relaying. which i believe to be true based on my setting for my networks.

as far as catching a spammer, the only sasl authentications in the log are from my internal clients and the balance is spread pretty evenly between them all.

i'm no closer to finding a solution to this problem yet. I've taken to writing a cron script to list the messages in the deferred queue and delete them if the from address is not from a real user on my domain. this is a terrible hack to just keep the problem down until i find the real solution.

Re: Backscatter

Posted: Fri Feb 03, 2017 3:42 pm
by phoenix
What RBLs are you using and have you enabled Postscreen (you should)?

Re: Backscatter

Posted: Fri Feb 03, 2017 4:02 pm
by osNomad
i do not use post screen. I'm using zimbra 8.6 and its not part of the distribution as far as i can tell.

i don't have RBLs. that leads to a piece that i neglected to mention in the first post. we use barracuda as a spam filtering service. the only ip addresses allowed to connect to the mail server without authentication are barracudas servers.

i have tested this from other ip addresses and i am definitely being rejected if i connect and try to send a message as a my domain.com user thats not from my local network or if i haven't been authenticated.