Backscatter

osNomad
Posts: 12
Joined: Fri Sep 12, 2014 10:30 pm

Backscatter

Postby osNomad » Thu Feb 02, 2017 9:08 pm

I recently had an issue with backscatter whereby my Zimbra server is queueing and trying to resend the forged, bounced backscatter emails. I had 16k emails in my deferred queue and none of them were from a valid user on my domain. They did, however, all have an appropriate domain name after the @, for example nonexistentuser@mydomain.com.

I wrote a script to delete forged messages from my deferred queue just to get them out of the way, but it seems there should be a setting that I'm missing somewhere.

I'm failing to see where I can protect myself from this happening again. Does anyone have any insight that they could share?

tia

john

Zimbra 8.6.0 GA 1153


vavai
Advanced member
Posts: 154
Joined: Thu Nov 14, 2013 2:41 pm
Location: Indonesia

Re: Backscatter

Postby vavai » Thu Feb 02, 2017 10:39 pm

Hi,

You can check it by:

1. Check whether your Zimbra server is an open relay or not. MXtoolbox has an online mail server test to see whether a mail server is an open relay or not.
2. Try to catch the original spammer account. What is the result of:

    grep sasl_method /var/log/zimbra.log
?

Normally, the user with so many lines listed as sasl_username would be the original spammer account, and you can take appropriate steps to limit its spam source, something like locking the account, changing its password to a stronger one, etc.
osNomad
Posts: 12
Joined: Fri Sep 12, 2014 10:30 pm

Re: Backscatter

Postby osNomad » Fri Feb 03, 2017 3:30 pm

Thanks for your reply. I've checked for open relay and the checks I've run all report that I'm not relaying, which I believe to be true based on my settings for my networks.

As far as catching a spammer, the only SASL authentications in the log are from my internal clients and the balance is spread pretty evenly between them all.

I'm no closer to finding a solution to this problem yet. I've taken to writing a cron script to list the messages in the deferred queue and delete them if the from address is not from a real user on my domain. This is a terrible hack to just keep the problem down until I find the real solution.
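A script of the kind osNomad describes, added here as an example and not his own code: it parses a `postqueue -p` listing and prints the queue IDs whose envelope sender is in the local domain but is not a real mailbox, so they can be handed to postsuper. The domain name, the sample queue listing and the valid-user list are constructed assumptions.

```shell
#!/bin/sh
# Added example, not osNomad's script. Assumptions (constructed here):
# the local domain name, a sample of `postqueue -p` output, and the list of
# real accounts (in production: `zmprov -l gaa mydomain.com`).
MYDOMAIN="mydomain.com"

# Constructed deferred-queue listing in `postqueue -p` format.
SAMPLE_QUEUE='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
3A1B2C3D4E     4521 Thu Feb  2 20:01:02  nonexistentuser@mydomain.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         victim@example.net

5F6A7B8C9D*    1200 Thu Feb  2 20:03:11  john@mydomain.com
(host mx.example.org[192.0.2.20] said: 450 4.7.1 try again later)
                                         partner@example.org

7C8D9E0F1A     3000 Thu Feb  2 20:05:44  bogus-sender@mydomain.com
(delivery temporarily suspended)
                                         customer@example.com

-- 8 Kbytes in 3 Requests.'

# Constructed list of real mailboxes, space separated.
VALID_USERS="john@mydomain.com admin@mydomain.com"

# forged_queue_ids QUEUE_LISTING VALID_USERS
# Prints the queue ID of every entry whose envelope sender claims to be
# @MYDOMAIN but is not a real mailbox. Only the ID line of each entry is
# inspected (it begins with the ID, optionally flagged * or !, and ends
# with the sender); reason lines and recipient lines are skipped.
forged_queue_ids() {
    printf '%s\n' "$1" | awk -v domain="$MYDOMAIN" -v users="$2" '
        BEGIN {
            n = split(users, u, " ")
            for (i = 1; i <= n; i++) valid[tolower(u[i])] = 1
            gsub(/\./, "\\.", domain)          # literal dot in the regex
        }
        /^[0-9A-Za-z]+[*!]?[ \t]/ {
            id = $1; sub(/[*!]$/, "", id)       # drop active/hold marker
            sender = tolower($NF)
            if (sender ~ ("@" domain "$") && !(sender in valid)) print id
        }'
}

# In production, run as the zimbra user; postsuper -d - reads IDs from stdin:
#   forged_queue_ids "$(postqueue -p)" "$VALID_USERS" | postsuper -d -
forged_queue_ids "$SAMPLE_QUEUE" "$VALID_USERS"
```

This only clears the symptom from the queue, as the thread says; it does not stop the forged mail being accepted in the first place.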
phoenix
Ambassador
Posts: 26243
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Backscatter

Postby phoenix » Fri Feb 03, 2017 3:42 pm

What RBLs are you using and have you enabled Postscreen (you should)?
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
osNomad
Posts: 12
Joined: Fri Sep 12, 2014 10:30 pm

Re: Backscatter

Postby osNomad » Fri Feb 03, 2017 4:02 pm

I do not use Postscreen. I'm using Zimbra 8.6 and it's not part of the distribution as far as I can tell.

I don't have RBLs. That leads to a piece that I neglected to mention in the first post: we use Barracuda as a spam filtering service. The only IP addresses allowed to connect to the mail server without authentication are Barracuda's servers.

I have tested this from other IP addresses and I am definitely being rejected if I connect and try to send a message as a mydomain.com user that's not from my local network or if I haven't been authenticated.
