
Thread: How to stop Backscatter Spam

  1. #1
    yoom@hostwebase.com

    I need help to get rid of the Backscatter Spam.

    I am running version 5.X and have implemented some suggestions from others on how to get rid of Backscatter.
    However, I am still getting thousands and thousands of these Returned, Undelivered mails.
    Do you have a working configuration to share? I am hoping Zimbra has this capability.
    There are only 10 users on this pilot server. Is there a way to get this function turned on and working correctly
    once and for all?


    Thanks in advance,

    Y

  2. #2
    LMStone

    The definitive general guide; four years old but still entirely relevant:

    Postfix Backscatter Howto

    If you need help with specific Zimbra commands to implement what you need, just reply and we'll all try to help!

    All the best,
    Mark

  3. #3
    yoom@hostwebase.com

    Backscatter and Spam Confirmation

    Mark,

    Is it true that Zimbra is capable of allowing only Users and Domains that were created/allowed by our Zimbra server for outgoing email?

    Is it also true that, to prevent/stop this type of backscatter attack, the domains that get Spam SHOULD HAVE THEIR MAIL SERVER REVERSE LOOKUP TURNED ON to verify the impostor has the right IP address with the MX before their email server accepts incoming email, right?

    Of course, for us, we need to implement the information that you had suggested to prevent these bounced/returned/undelivered emails, correct?

    Thank you,

    Y

  4. #4
    LMStone

    Originally posted by yoom@hostwebase.com:
        Mark,

        Is it true that Zimbra is capable of allowing only Users and Domains that were created/allowed by our Zimbra server for outgoing email?

        Is it also true that, to prevent/stop this type of backscatter attack, the domains that get Spam SHOULD HAVE THEIR MAIL SERVER REVERSE LOOKUP TURNED ON to verify the impostor has the right IP address with the MX before their email server accepts incoming email, right?

        Of course, for us, we need to implement the information that you had suggested to prevent these bounced/returned/undelivered emails, correct?

        Thank you,

        Y

    The only Postfix DNS check we do in Zimbra is reject_unknown_sender_domain, which you can enable from the Administration console.

    I think you may also want to look at the SpamAssassin V_Bounce filter, and search the forums here for tips on enhancing the score that check gives to emails.

    I think also you need to know if your users are OK with not receiving any NDRs (Non-Delivery Receipts) at all, because if so, then you can add some Postfix regular expressions as the Postfix readme link I posted indicates to block such emails.

    There are also posts on this forum about adding Postfix regular expressions to Zimbra to help with mail filtering.

    All the best,
    Mark

  5. #5
    yoom@hostwebase.com

    remove spam email

    Mark,

    Can you help with a command to remove all of these 5500 spam emails for a particular user such as yoom@hostwebase.com by using the From or Subject?

    The key words for From can be either MAILER-DAEMON, postmaster or Mail Delivery System

    and the Subject contains key words such as:
    Undeliverable mail, undelivered, SPAM...

    Or is there a better way to clean this up?

    Thanks much,

    Y

  6. #6
    travisb

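    You should be able to delete those messages from the queue in Zimbra Admin, or you can issue this command:

    # List the queue, drop the header line and the "(reason)" lines, then let
    # awk read one queue entry per blank-line-separated record.
    mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" }
        # $7=sender, $8=recipient1, $9=recipient2
        { if ($8 == "example.com" && $9 == "") print $1 }
    ' | tr -d '*!' | postsuper -d - deferred
    # tr strips the "*" (active) and "!" (hold) marks from the queue IDs.
    # "-d -" reads the IDs to delete from standard input; "-d ALL deferred"
    # would instead delete every message in the deferred queue.

    This deletes messages from the deferred queue. So if you want to delete from all queues, change it to postsuper -d -

    Also be sure to change example.com to yoom@hostwebase.com or whatever.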
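
An added example, not part of the post above: a dry-run version of the selection step, run over constructed mailq output, so the queue IDs can be reviewed before anything is piped to postsuper. It goes one step beyond the recipient-only test by also requiring the sender field to be MAILER-DAEMON; the function names and sample data are made up for illustration.

```shell
#!/bin/sh
# Read mailq-format text on stdin and print the queue IDs of bounces
# (sender MAILER-DAEMON) addressed to exactly one recipient, "$1".
# Nothing is deleted here; the output is what postsuper -d - would be fed.
select_bounce_ids() {
    tail -n +2 | grep -v '^ *(' | awk -v rcpt="$1" '
        BEGIN { RS = "" }
        # per record: $1=queue ID, $7=sender, $8=recipient1, $9=recipient2
        $7 == "MAILER-DAEMON" && $8 == rcpt && $9 == "" { print $1 }
    ' | tr -d '*!'
}

# Constructed sample of mailq output (not taken from a real server).
sample_mailq() {
    cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     2104 Mon Jan  7 10:01:12  MAILER-DAEMON
        (connect to mail.example.net[192.0.2.10]:25: Connection timed out)
                                         user@example.com

F6A7B8C9D0*    1530 Mon Jan  7 10:02:40  alice@example.org
                                         user@example.com

0A1B2C3D4E!    3011 Mon Jan  7 10:03:05  MAILER-DAEMON
                                         user@example.com

1F2E3D4C5B     2890 Mon Jan  7 10:04:31  MAILER-DAEMON
                                         user@example.com
                                         other@example.com

-- 9 Kbytes in 4 Requests.
EOF
}

# Prints the two IDs that match: the plain bounce and the held one.
sample_mailq | select_bounce_ids user@example.com
```

On a live server, replace `sample_mailq` with `mailq` and check the list before appending `| postsuper -d - deferred`.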

  7. #7
    LMStone

    Originally posted by yoom@hostwebase.com:
        Mark,

        Can you help with a command to remove all of these 5500 spam emails for a particular user such as yoom@hostwebase.com by using the From or Subject?

        The key words for From can be either MAILER-DAEMON, postmaster or Mail Delivery System

        and the Subject contains key words such as:
        Undeliverable mail, undelivered, SPAM...

        Or is there a better way to clean this up?

        Thanks much,

        Y

    You can select/highlight any grouping of emails in the Admin Console, right click, and choose "Delete".

    Much easier than trying to script something with postsuper -d <message id>...

    A few mouse clicks should clean this up for you no problem!

    Hope that helps,
    Mark

  8. #8
    spinaltoad

    Since 99.99% of all my backscatter email is coming from domains I have never sent mail to, I was thinking that a simple solution might be possible, though not a perfect solution.

    1) Make an automatic white list for every domain mail is sent to.
    2) When a bounced message is received, the domain in the header is checked against the white list. If there is a match, the subject is rewritten to something like "Zimbra Is Notifying you of a bounced email". For everything not on the whitelist, rewrite the header as "Unconfirmed bounced message".
    3) Add a filter to move email messages containing the subject "Unconfirmed bounced email" to a mailbox named 'Bounced' or to the Junk folder. Tell the filter to not move any message with the subject "Zimbra Is Notifying you of a bounced email".


    I don't know if it's a good solution. Just a thought.

  9. #9
    LMStone

    What we are seeing is that almost all legitimate bounce messages are due either to the recipient's mailbox being over-quota, or to the sender mistyping the recipient (e.g. a0l.com instead of aol.com being one of the more common we see).

    In the first case, the recipient will quickly figure out they are over-quota, because they will not be receiving any new emails. Once the quota issue is resolved inbound email (hopefully deferred) will start flowing again. No need to bother the sender with an NDR; they couldn't fix the recipient's problem anyway, although the recipient might learn about the problem a little sooner.

    In the second case, our experience has been that users will readily choose "no NDRs at all, including legitimate NDRs" just to avoid the torrent of illegitimate bounces. If, as a result, the user is just a bit more careful about typing in an email address, so much the better. Certainly, the look-ahead feature in the Zimbra compose window helps to eliminate a lot of potential email address typing mistakes.

    Given the foregoing, we have therefore become pretty aggressive at blocking NDRs in principle (we use a few Postfix regular expressions), and educating our users accordingly.

    So far, no complaints!

    Also, if your script plan just whitelists domains, you'll still get a lot of bogus NDRs. If your script whitelists only recipient email addresses, then how do you propose to handle aliases? I think you could easily wind up with a very complex script that will need to be maintained pretty regularly to be effective; I'm wondering if our "less is more" approach might serve you and your users better?

    Hope that helps,
    Mark
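
An added example, not from either post: the whitelist check proposed in post #8, run in both the per-domain form and the per-address form raised in the reply above, over constructed bounces. It assumes the bounce carries an RFC 3464 Final-Recipient field (many backscatter bounces do not) and that the list of addresses the server has mailed is available; all function names and data are illustrative.

```shell
#!/bin/sh
# classify_bounce MODE "SENT_ADDRESSES" < bounce message
#   MODE "domain"  : whitelist every domain mail was sent to (idea in post #8)
#   MODE "address" : whitelist only the exact addresses mail was sent to
# Prints "confirmed" if the failed recipient is on the whitelist, else "unconfirmed".
classify_bounce() {
    SENT="$2" awk -v mode="$1" '
        BEGIN {
            # Build the whitelist from the space-separated address list.
            n = split(tolower(ENVIRON["SENT"]), a, " ")
            for (i = 1; i <= n; i++) {
                key = a[i]
                if (mode == "domain") sub(/^.*@/, "", key)
                sent[key] = 1
            }
        }
        # DSN line, e.g. "Final-Recipient: rfc822; user@example.net"
        tolower($1) == "final-recipient:" {
            key = tolower($NF)
            sub(/^.*;/, "", key)          # handles "rfc822;user@..." without a space
            gsub(/[<>]/, "", key)
            if (mode == "domain") sub(/^.*@/, "", key)
            failed = key
        }
        END { print ((failed in sent) ? "confirmed" : "unconfirmed") }
    '
}

# Constructed DSN fragment; $1 is the address the remote server reports as failed.
bounce_for() {
    printf '%s\n' 'From: MAILER-DAEMON@mx.example.net' \
        'Subject: Undelivered Mail Returned to Sender' '' \
        'Reporting-MTA: dns; mx.example.net' '' \
        "Final-Recipient: rfc822; $1" 'Action: failed' 'Status: 5.1.1'
}

sent_to="bob@example.net carol@example.org"   # constructed: addresses this server mailed
for rcpt in bob@example.net x9k2q@example.net nobody@example.com; do
    printf '%-20s domain=%s address=%s\n' "$rcpt" \
        "$(bounce_for "$rcpt" | classify_bounce domain "$sent_to")" \
        "$(bounce_for "$rcpt" | classify_bounce address "$sent_to")"
done
```

The second address is the case the reply describes: a bounce naming a never-used address at a domain users do write to passes the per-domain whitelist and is only caught by the per-address one.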

  10. #10
    spinaltoad

    That makes sense. I guess I'll stick with filtering it out on a per-user basis for now.
