Bounce from "destination server" as SPAM - header/received too short!

Sim simvirus at gmail.com
Fri Nov 14 18:23:44 GMT 2014


Hello Glenn,

thanks for your relevant and accurate information!
I will try these settings.

Best regards

---
Sim

2014-11-14 9:56 GMT+01:00 Glenn Steen <glenn.steen at gmail.com>:

> Just to be clear on what you need to do, Sim, here are a few more precise
> pointers:
>
> In MailScanner.conf change
>
> Check Watermarks With No Sender = yes
>
> to
>
> Check Watermarks With No Sender = %rules-dir%/check.watermark.rules
>
> and in the ruleset file (in the rules subdirectory of your MailScanner
> etc directory (probably /etc/MailScanner/rules/check.watermark.rules)
> create tre rules
> -------- Start ------
> # Our MailStore server(s) IP addresses should have a "no" for this
> From:           192.168.3.140    no
>
> # Under no circumstances should this be changed to "no".
> FromOrTo:       default                 yes
> -------- End ------
> Please be sure to separate the columns ("From:" is the first column,
> "192.168.3.140" is the second etc) with <TAB> character(s). Reload or
> restart MailScanner after this change and you'll not check watermarks
> for internally generated non-delivery-notices, out-of-office messages
> etc, and hence will not break the RFCs in such a bad way as before.
>
> Also, consider either setting (in MailScanner.conf)
> Treat Invalid Watermarks With No Sender as Spam = spam
> or
> Treat Invalid Watermarks With No Sender as Spam = 7
> (or some other low-scoring spam number), since elsewise you run a
> definite risk of losing non-delivery-reports generated on outside
> systems that do not preserve the watermark header... Better that they
> violate the RFCs than you;-)
>
> And finally, you can easily configure RECIPIENT address verification
> in postfix by adding something like
> reject_unverified_recipient
> to your smtpd_recipient_restrictions in main.cf ... or something
> similar (I actually don't use this feature, since I don't trust our
> mailstore to properly reject things, so use a relay_recipient_map
> instead... that I generate with LDAP every 15 minutes.. Same effect,
> different approach). If you didn't find it anywhere else, your system's
> package for Postfix probably installed the readme somewhere like:
> /usr/share/doc/postfix-*/README_FILES/ADDRESS_VERIFICATION_README
> ... See the warnings at the top, and heed the one about SENDER address
> verification.
>
> Cheers
> --
> -- Glenn (who had a few minutes to spend on this:-)
>
> On 13 November 2014 11:15, Glenn Steen <glenn.steen at gmail.com> wrote:
> > Actually.... You could play around with a ruleset on this:
> >
> > # Do you want to check watermarks?
> > # This can also be the filename of a ruleset.
> > Check Watermarks With No Sender = yes
> >
> > ... And simply avoid checking the watermark on your mailstore systems
> > IP address.
> > Probably the simplest fix of all;-).
> >
> > Cheers!
> > --
> > -- Glenn
> >
> > On 13 November 2014 10:58, Glenn Steen <glenn.steen at gmail.com> wrote:
> >> I just re-read your initial post and get what's happening:
> >>
> >> You have the watermark feature enabled, to handle all those faked
> >> bounces/NDRs/NDNs (in reality, where the envelope sender is <>), but
> >> when your own mailstore (the server/servers protected by your
> >> MX/MailScanner system) generate a bounce these also lack the watermark
> >> (which is just a specific header with a checksum cryptographically
> >> protected...) and thus get handled as "bad". Many systems'
> >> implementation of OoO will fall into this category as well. Regular
> >> bounces SHOULD NOT lack the watermark, but this is up to the
> >> mailstore, whether the watermark is present in the NDN or not.
> >>
> >> First off:
> >> - Don't mark them as "High scoring spam". Just mark as Spam and they
> >> will actually get delivered, thus making your system RFC compliant (or
> >> at least a tad more so:-).
> >>
> >> Second thing to explore:
> >> - Try to make your mailstore system(s) generate or preserve a valid
> >> watermark header for bounces etc. This is a lot less trivial than the
> >> first step, and in many cases close to impossible... In many cases,
> >> just implementing the first step above is the only real option... at
> >> least from a time management perspective:-):-).
> >>
> >> So... this problem of yours is mostly a problem outside of
> >> MailScanner, but entirely caused by the use of the watermark feature.
> >> I wouldn't recommend turning it off, without first doing a thorough
> >> analysis of the effectiveness of the feature...;)
> >>
> >> Cheers!
> >> --
> >> -- Glenn
> >>
> >> On 12 November 2014 19:58, Sim <simvirus at gmail.com> wrote:
> >>> Thanks for reply...
> >>> But in other case the bounce is generated for other reasons
> >>> For example if the mailbox for the user is over quota, etc..
> >>> In this case the bounce is "dropped".
> >>> The question is why this "postfix/cleanup - MailScanner" header is too short
> >>> ...and how to extend it :-(
> >>>
> >>> Thanks again
> >>>
> >>> ---
> >>> Sim
> >>>
> >>> 2014-11-10 18:16 GMT+01:00 Glenn Steen <glenn.steen at gmail.com>:
> >>>>
> >>>> Actually... All you need do is configure recipient verification in postfix
> >>>> (this is in-built and documented well several places, like the postfix doc
> >>>> site or the MailScanner wiki). Alternatively maintain a relay recipient map
> >>>> or an access map (both are fairly trivial to set up).
> >>>> Doing any of these will reject instead of bounce, for unknown recipients.
> >>>> Flip side of the coin is that you may expose your recipient "universe", for
> >>>> easy mapping (regardless if you have disabled vrfy), but... That's just how
> >>>> it is:-)
> >>>>
> >>>> Cheers
> >>>> --
> >>>> -- Glenn
> >>>>
> >>>> On 10 Nov 2014 14:03, "Joolee" <mailscanner at joolee.nl> wrote:
> >>>>
> >>>>> Quite an easy solution is to simply not bounce. E-mail to non-existing
> >>>>> users is probably (uncaught) spam and they rarely come from legit e-mail
> >>>>> addresses. You are spamming the actual owners of the e-mail addresses being
> >>>>> abused by sending backscatter to them. It might even get you listed on a
> >>>>> backscatter dnsbl.
> >>>>>
> >>>>> If you want to provide legit mail senders with a "this user doesn't
> >>>>> exist" message, configure all legit users on your edge server so mail to
> >>>>> non-existing users is being blocked on smtp level. (This will also reject
> >>>>> ~90% of spam) The sending party can then implement any backscatter/messages
> >>>>> they want with this information, it's not your problem.
> >>>>>
> >>>>>
> >>>>> On 10 November 2014 12:44, Sim <simvirus at gmail.com> wrote:
> >>>>>>
> >>>>>> Hello to all!
> >>>>>>
> >>>>>> I've a little issue...
> >>>>>>
> >>>>>> SENDER (from test at external.com  to  nomail at mydomain) ------> MailScanner
> >>>>>> -----> Mailbox Server (@mydomain)
> >>>>>>
> >>>>>> At this time my internal "Mailbox Server" generates a bounce for the
> >>>>>> non-existing "nomail" account.
> >>>>>> This bounce is detected as SPAM from MailScanner.
> >>>>>>
> >>>>>> Note:
> >>>>>> - The IP of Mailbox Server is in "Whitelist"
> >>>>>> - The LAN (/24) of Mailbox Server is in "Trusted Network"
> >>>>>> - The LAN (/24) of Mailbox Server is in "Outbound mail relay"
> >>>>>> - All other email sent from "Mailbox Server" are detected as "white
> >>>>>> list"
> >>>>>>
> >>>>>>
> >>>>>> Checking the log of postfix I've found this:
> >>>>>>
> >>>>>> postfix/cleanup[20872]: C1C2960069: hold: header Received: from
> >>>>>> srv.mydomain.local (unknown [192.168.0.10])??(using TLSv1 with cipher
> >>>>>> AES128-SHA (128/128 bits))??(No client certificate requested)??by
> >>>>>> mail.mydomain.com (Postfix) w from unknown[192.168.0.10]; from=<>
> >>>>>> to=<test at external.com> proto=ESMTP helo=<srv.mydomain.local>
> >>>>>> [..]
> >>>>>> MailScanner[19852]: Spam Checks: Starting
> >>>>>> MailScanner[19852]: Message C1C2960069.AEB15 from 192.168.0.10 has no
> >>>>>> (or invalid) watermark or sender address, marked as high-scoring spam
> >>>>>> MailScanner[19852]: Spam Checks: Found 1 spam messages
> >>>>>>
> >>>>>>
> >>>>>> The header of postfix/cleanup is incomplete!!!!
> >>>>>>
> >>>>>> Looking for full header I've seen:  "(Postfix) with ESMTPS id
> >>>>>> C1C2960069?"    and not only    "(Postfix) w"
> >>>>>>
> >>>>>>
> >>>>>> How to increase this "check of the header limit" in postfix, cleanup or
> >>>>>> MailScanner ?
> >>>>>>
> >>>>>> Thanks
> >>>>>>
> >>>>>> --
> >>>>>> MailScanner mailing list
> >>>>>> mailscanner at lists.mailscanner.info
> >>>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>>>>>
> >>>>>> Before posting, read http://wiki.mailscanner.info/posting
> >>>>>>
> >>>>>> Support MailScanner development - buy the book off the website!
> >>>>>>
> >>
> >> --
> >> -- Glenn
> >> email: glenn < dot > steen < at > gmail < dot > com
> >> work: glenn < dot > steen < at > ap1 < dot > se
>
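
Added example, not part of the original thread and not MailScanner code: a small log triage helper that finds which hosts trigger the "no (or invalid) watermark" verdict quoted above and proposes the tab-separated `check.watermark.rules` entries Glenn describes. The sample log lines, the `mx` hostname, the timestamps and the `192.168.0.0/24` internal network are constructed assumptions; review each proposed exemption before adding it.

```python
import ipaddress
import re
from collections import Counter

# Matches the MailScanner verdict line quoted in the thread.
WATERMARK_RE = re.compile(
    r"MailScanner\[\d+\]: Message (?P<id>\S+) from (?P<ip>\S+) has no "
    r"\(or invalid\) watermark or sender address, marked as (?P<verdict>.+)$"
)

# Constructed sample input, modelled on the log excerpt in the thread.
_VERDICT = "has no (or invalid) watermark or sender address, marked as high-scoring spam"
SAMPLE_LOG = [
    f"Nov 12 19:01:02 mx MailScanner[19852]: Message C1C2960069.AEB15 from 192.168.0.10 {_VERDICT}",
    f"Nov 12 19:07:40 mx MailScanner[19852]: Message D2D3A70001.A1B2C from 192.168.0.10 {_VERDICT}",
    f"Nov 12 19:09:13 mx MailScanner[19852]: Message E3E4B80002.0F0F0 from 203.0.113.25 {_VERDICT}",
    "Nov 12 19:09:13 mx MailScanner[19852]: Spam Checks: Found 1 spam messages",
]


def watermark_failures(log_lines, internal_nets):
    """Count watermark failures per client IP, split into internal and external."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    internal, external = Counter(), Counter()
    for line in log_lines:
        m = WATERMARK_RE.search(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # client address is not a literal IP; skip the line
        bucket = internal if any(ip in n for n in nets) else external
        bucket[str(ip)] += 1
    return internal, external


def ruleset_lines(internal_counts):
    """Render candidate rules: 'no' per internal sender, default stays 'yes'."""
    rules = [f"From:\t{ip}\tno" for ip in sorted(internal_counts)]
    rules.append("FromOrTo:\tdefault\tyes")  # outside hosts are still checked
    return rules


if __name__ == "__main__":
    inside, outside = watermark_failures(SAMPLE_LOG, ["192.168.0.0/24"])
    print("internal:", dict(inside), "external:", dict(outside))
    print("\n".join(ruleset_lines(inside)))
```

External addresses that show up in the second counter are never exempted; they stay under the default `yes` rule and are handled by the "Treat Invalid Watermarks With No Sender as Spam" setting.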