Bounce from "destination server" as SPAM - header/received too short!

Glenn Steen glenn.steen at gmail.com
Fri Nov 14 08:56:59 GMT 2014


Just to be clear on what you need to do, Sim, here are a few more precise pointers:

In MailScanner.conf change

Check Watermarks With No Sender = yes

to

Check Watermarks With No Sender = %rules-dir%/check.watermark.rules

and in the ruleset file (in the rules subdirectory of your MailScanner
etc directory, probably /etc/MailScanner/rules/check.watermark.rules)
create tre rules
-------- Start ------
# Our MailStore server(s) IP addresses should have a "no" for this
From:           192.168.3.140    no

# Under no circumstances should this be changed to "no".
FromOrTo:       default                 yes
-------- End ------
Please be sure to separate the columns ("From:" is the first column,
"192.168.3.140" is the second etc) with <TAB> character(s). Reload or
restart MailScanner after this change and you'll not check watermarks
for internally generated non-delivery-notices, out-of-office messages
etc, and hence will not break the RFCs in such a bad way as before.

Also, consider either setting (in MailScanner.conf)
Treat Invalid Watermarks With No Sender as Spam = spam
or
Treat Invalid Watermarks With No Sender as Spam = 7
(or some other low-scoring spam number), since elsewise you run a
definite risk of losing non-delivery-reports generated on outside
systems that do not preserve the watermark header... Better that they
violate the RFCs than you;-)

And finally, you can easily configure RECIPIENT address verification
in postfix by adding something like
reject_unverified_recipient
to your smtpd_recipient_restrictions in main.cf ... or something
similar (I actually don't use this feature, since I don't trust our
mailstore to properly reject things, so use a relay_recipient_map
instead... that I generate with LDAP every 15 minutes.. Same effect,
different approach). If you didn't find it anywhere else, your system's
package for Postfix probably installed the readme somewhere like:
/usr/share/doc/postfix-*/README_FILES/ADDRESS_VERIFICATION_README
... See the warnings at the top, and heed the one about SENDER address
verification.

Cheers
-- 
-- Glenn (who had a few minutes to spend on this:-)

On 13 November 2014 11:15, Glenn Steen <glenn.steen at gmail.com> wrote:
> Actually.... You could play around with a ruleset on this:
>
> # Do you want to check watermarks?
> # This can also be the filename of a ruleset.
> Check Watermarks With No Sender = yes
>
> ... And simply avoid checking the watermark on your mailstore systems
> IP address.
> Probably the simplest fix of all;-).
>
> Cheers!
> --
> -- Glenn
>
> On 13 November 2014 10:58, Glenn Steen <glenn.steen at gmail.com> wrote:
>> I just re-read your initial post and get what's happening:
>>
>> You have the watermark feature enabled, to handle all those faked
>> bounces/NDRs/NDNs (in reality, where the envelope sender is <>), but
>> when your own mailstore (the server/servers protected by your
>> MX/MailScanner system) generate a bounce these also lack the watermark
>> (which is just a specific header with a checksum cryptographically
>> protected...) and thus get handled as "bad". Many systems'
>> implementation of OoO will fall into this category as well. Regular
>> bounces SHOULD NOT lack the watermark, but this is up to the
>> mailstore, whether the watermark is present in the NDN or not.
>>
>> First off:
>> - Don't mark them as "High scoring spam". Just mark as Spam and they
>> will actually get delivered, thus making your system RFC compliant (or
>> at least a tad more so:-).
>>
>> Second thing to explore:
>> - Try to make your mailstore system(s) generate or preserve a valid
>> watermark header for bounces etc. This is a lot less trivial than the
>> first step, and in many cases close to impossible... In many cases,
>> just implementing the first step above is the only real option... at
>> least from a time management perspective:-):-).
>>
>> So... this problem of yours is mostly a problem outside of
>> MailScanner, but entirely caused by the use of the watermark feature.
>> I wouldn't recommend turning it off, without first doing a thorough
>> analysis of the effectiveness of the feature...;)
>>
>> Cheers!
>> --
>> -- Glenn
>>
>> On 12 November 2014 19:58, Sim <simvirus at gmail.com> wrote:
>>> Thanks for reply...
>>> But in other case the bounce is generated for other reasons
>>> For example if the mailbox for the user is over quota, etc..
>>> In this case the bounce is "dropped".
>>> The question is why this "postfix/cleanup - MailScanner" header is too short
>>> ...and how to extend it :-(
>>>
>>> Thanks again
>>>
>>> ---
>>> Sim
>>>
>>> 2014-11-10 18:16 GMT+01:00 Glenn Steen <glenn.steen at gmail.com>:
>>>>
>>>> Actually... All you need do is configure recipient verification in postfix
>>>> (this is in-built and documented well several places, like the postfix doc
>>>> site or the MailScanner wiki). Alternatively maintain a relay recipient map
>>>> or an access map (both are fairly trivial to set up).
>>>> Doing any of these will reject instead of bounce, for unknown recipients.
>>>> Flip side of the coin is that you may expose your recipient "universe", for
>>>> easy mapping (regardless if you have disabled vrfy), but... That's just how
>>>> it is:-)
>>>>
>>>> Cheers
>>>> --
>>>> -- Glenn
>>>>
>>>> On 10 Nov 2014 14:03, "Joolee" <mailscanner at joolee.nl> wrote:
>>>>
>>>>> Quite an easy solution is to simply not bounce. E-mail to non-existing
>>>>> users is probably (uncaught) spam and they rarely come from legit e-mail
>>>>> addresses. You are spamming the actual owners of the e-mail addresses being
>>>>> abused by sending backscatter to them. It might even get you listed on a
>>>>> backscatter dnsbl.
>>>>>
>>>>> If you want to provide legit mail senders with a "this user doesn't
>>>>> exist" message, configure all legit users on your edge server so mail to
>>>>> non-existing users is being blocked on smtp level. (This will also reject
>>>>> ~90% of spam) The sending party can then implement any backscatter/messages
>>>>> they want with this information, it's not your problem.
>>>>>
>>>>>
>>>>> On 10 November 2014 12:44, Sim <simvirus at gmail.com> wrote:
>>>>>>
>>>>>> Hello to all!
>>>>>>
>>>>>> I've a little issue...
>>>>>>
>>>>>> SENDER (from test at external.com  to  nomail at mydomain) ------> MailScanner
>>>>>> -----> Mailbox Server (@mydomain)
>>>>>>
>>>>>> At this time my internal "Mailbox Server" generates a bounce for the
>>>>>> non-existent "nomail" account.
>>>>>> This bounce is detected as SPAM from MailScanner.
>>>>>>
>>>>>> Note:
>>>>>> - The IP of Mailbox Server is in "Whitelist"
>>>>>> - The LAN (/24) of Mailbox Server is in "Trusted Network"
>>>>>> - The LAN (/24) of Mailbox Server is in "Outbound mail relay"
>>>>>> - All other email sent from "Mailbox Server" are detected as "white
>>>>>> list"
>>>>>>
>>>>>>
>>>>>> Checking the log of postfix I've found this:
>>>>>>
>>>>>> postfix/cleanup[20872]: C1C2960069: hold: header Received: from
>>>>>> srv.mydomain.local (unknown [192.168.0.10])??(using TLSv1 with cipher
>>>>>> AES128-SHA (128/128 bits))??(No client certificate requested)??by
>>>>>> mail.mydomain.com (Postfix) w from unknown[192.168.0.10]; from=<>
>>>>>> to=<test at external.com> proto=ESMTP helo=<srv.mydomain.local>
>>>>>> [..]
>>>>>> MailScanner[19852]: Spam Checks: Starting
>>>>>> MailScanner[19852]: Message C1C2960069.AEB15 from 192.168.0.10 has no
>>>>>> (or invalid) watermark or sender address, marked as high-scoring spam
>>>>>> MailScanner[19852]: Spam Checks: Found 1 spam messages
>>>>>>
>>>>>>
>>>>>> The header of postfix/cleanup is incomplete!!!!
>>>>>>
>>>>>> Looking for full header I've seen:  "(Postfix) with ESMTPS id
>>>>>> C1C2960069?"    and not only    "(Postfix) w"
>>>>>>
>>>>>>
>>>>>> How to increase this "check of the header limit" in postfix, cleanup or
>>>>>> MailScanner ?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> --
>>>>>> MailScanner mailing list
>>>>>> mailscanner at lists.mailscanner.info
>>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>>>
>>>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>>>
>>>>>> Support MailScanner development - buy the book off the website!
>>>>>>
>>
>>
>>
>> --
>> -- Glenn
>> email: glenn < dot > steen < at > gmail < dot > com
>> work: glenn < dot > steen < at > ap1 < dot > se



-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
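
Added example, not part of the original post or of MailScanner itself: a small Python pre-flight check for a ruleset like check.watermark.rules that enforces the two points stressed above (TAB-separated columns, a default rule that stays "yes") and shows which value a given client IP would get. It assumes first-match evaluation and handles only plain IP or CIDR patterns; the function names and sample text are constructed for illustration.

```python
import ipaddress

# Constructed sample mirroring the ruleset in the post (columns are TAB-separated).
SAMPLE = (
    "# Our MailStore server(s) IP addresses should have a \"no\" for this\n"
    "From:\t192.168.3.140\tno\n"
    "\n"
    "# Under no circumstances should this be changed to \"no\".\n"
    "FromOrTo:\tdefault\tyes\n"
)

DIRECTIONS = {"from:", "to:", "fromorto:", "fromandto:"}

def parse_ruleset(text):
    """Return (rules, problems); rules are (direction, pattern, value) tuples."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        cols = [c for c in line.split("\t") if c.strip()]
        if len(cols) != 3:
            problems.append(f"line {n}: expected 3 TAB-separated columns")
            continue
        direction, pattern, value = (c.strip() for c in cols)
        if direction.lower() not in DIRECTIONS:
            problems.append(f"line {n}: unknown direction {direction!r}")
        rules.append((direction, pattern, value.lower()))
    defaults = [r for r in rules if r[1].lower() == "default"]
    if not defaults:
        problems.append("no default rule")
    elif defaults[-1][2] != "yes":
        problems.append("default rule must stay 'yes'")
    return rules, problems

def check_watermark_for(rules, client_ip):
    """Assumed first-match semantics: first matching IP rule wins, else default."""
    addr = ipaddress.ip_address(client_ip)
    default = "yes"
    for _, pattern, value in rules:
        if pattern.lower() == "default":
            default = value
            continue
        try:
            if addr in ipaddress.ip_network(pattern, strict=False):
                return value
        except ValueError:
            pass  # not an IP/CIDR pattern; out of scope for this sketch
    return default
```
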

