
Thread: My Z6 is generating backscatter

  1. #1
    Baylink (Elite Member)

    Apparently, for the first time in 4 or 5 years; I've never had a report of this before.

    First: to confirm that I understand what backscatter is: it appears that people are sending spam to my domain, *some* of which has invalid recipient addresses. If the address is valid, then it just delivers, gets junk-filed or not, and all is well. But if the recipient address is invalid on my domain, it appears my Z instance is *sending a bounce message*, and it is my understanding from reading the 9 ZForum threads y'all are going to send me to, and the underlying Postfix doco, that that's not supposed to happen.

    Herewith, an example (logs trimmed to the appropriate entries):

    Code:
    [root@benjamin tmp]# cat backscatter
    Dec  4 13:21:19 benjamin postfix/cleanup[7756]: 6B4401F002E9: message-id=<529f41dc.660c320a.77ad.ffffe295@mx.mainebiolab.com>
    Dec  4 13:21:25 benjamin postfix/cleanup[5945]: 778541F0026E: message-id=<529f41dc.660c320a.77ad.ffffe295@mx.mainebiolab.com>
    Dec  4 13:21:25 benjamin amavis[11829]: (11829-02) Passed SPAM, [178.167.27.41] [178.167.27.41] <ggp@meadorswall.com> -> <jra@baylink.com>, Message-ID: <529f41dc.660c320a.77ad.ffffe295@mx.mainebiolab.com>, mail_id: BAtxUG4aqHbk, Hits: 25.67, size: 30959, queued_as: 778541F0026E, 5038 ms
    
    Dec  4 13:23:29 benjamin postfix/cleanup[8018]: 5F1591F001F0: message-id=<529f41dc.660c320a.72ad.ffffe223@mx.cargohome.com>
    Dec  4 13:23:41 benjamin postfix/cleanup[8018]: 81AA3EF008A: message-id=<529f41dc.660c320a.72ad.ffffe223@mx.cargohome.com>
    Dec  4 13:23:41 benjamin amavis[12622]: (12622-12) Passed SPAM, [1.53.102.133] [1.53.102.133] <egutierrez@mediaone.com> -> <jra@baylink.com>, Message-ID: <529f41dc.660c320a.72ad.ffffe223@mx.cargohome.com>, mail_id: NGO+spd3Y1Nl, Hits: 25.281, size: 30916, queued_as: 81AA3EF008A, 11028 ms
    
    Dec  4 13:50:47 benjamin postfix/cleanup[10895]: E8C9E1F0026E: message-id=<529f41dc.660c320a.73ad.ffffe268@mx.cardinal-graphics.com>
    Dec  4 13:50:55 benjamin postfix/cleanup[10895]: 276271F004E9: message-id=<529f41dc.660c320a.73ad.ffffe268@mx.cardinal-graphics.com>
    Dec  4 13:50:55 benjamin amavis[14397]: (14397-13) Passed SPAM, [94.20.173.76] [94.20.173.76] <ygbraze@yahoo.com> -> <bin@baylink.com>,<valeriy@baylink.com>, Message-ID: <529f41dc.660c320a.73ad.ffffe268@mx.cardinal-graphics.com>, mail_id: gqVOVaHZk14s, Hits: 28.188, size: 30910, queued_as: 276271F004E9, 5013 ms
    
    Dec  4 15:41:34 benjamin postfix/cleanup[25415]: 1D9711F0015C: message-id=<529f41dc.660c320a.71ad.ffffe211@mx.detroit.net>
    Dec  4 15:41:40 benjamin postfix/cleanup[25415]: 90C241F001A6: message-id=<529f41dc.660c320a.71ad.ffffe211@mx.detroit.net>
    Dec  4 15:41:40 benjamin amavis[6738]: (06738-01) Passed SPAM, [134.17.140.21] [134.17.140.21] <lisarose_petillo@yahoo.com> -> <jra@baylink.com>, Message-ID: <529f41dc.660c320a.71ad.ffffe211@mx.detroit.net>, mail_id: ZyJjTqPq2-Ag, Hits: 29.535, size: 30915, queued_as: 90C241F001A6, 5366 ms
    
    Dec  4 20:57:39 benjamin postfix/cleanup[30438]: F0CBF1F001BD: message-id=<529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>
    Dec  4 20:57:44 benjamin postfix/cleanup[997]: B4CE31F001E5: message-id=<529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>
    Dec  4 20:57:44 benjamin amavis[3013]: (03013-03) Passed SPAM, [85.29.140.166] [85.29.140.166] <johnand@sbcglobal.net> -> <tanner@baylink.com>, Message-ID: <529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>, mail_id: 9zyTQrITlY90, Hits: 16.808, size: 30928, queued_as: B4CE31F001E5, 4914 ms
    
    Dec  4 20:57:44 benjamin postfix/smtpd[25903]: B4CE31F001E5: client=localhost.localdomain[127.0.0.1]
    Dec  4 20:57:44 benjamin postfix/cleanup[997]: B4CE31F001E5: message-id=<529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>
    Dec  4 20:57:44 benjamin postfix/qmgr[15322]: B4CE31F001E5: from=<johnand@sbcglobal.net>, size=31395, nrcpt=1 (queue active)
    Dec  4 20:57:44 benjamin amavis[3013]: (03013-03) FWD via SMTP: <johnand@sbcglobal.net> -> <tanner@baylink.com>,BODY=7BIT 250 2.0.0 Ok, id=03013-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4CE31F001E5
    Dec  4 20:57:44 benjamin postfix/error[988]: B4CE31F001E5: to=<tanner@baylink.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.0.0, status=bounced (baylink.com)
    Dec  4 20:57:44 benjamin amavis[3013]: (03013-03) Passed SPAM, [85.29.140.166] [85.29.140.166] <johnand@sbcglobal.net> -> <tanner@baylink.com>, Message-ID: <529f41dc.660c320a.72ad.ffffe294@mx.maishman.com>, mail_id: 9zyTQrITlY90, Hits: 16.808, size: 30928, queued_as: B4CE31F001E5, 4914 ms
    Dec  4 20:57:44 benjamin postfix/smtp[994]: F0CBF1F001BD: to=<tanner@baylink.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.2, delays=2.3/0/0/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=03013-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4CE31F001E5)
    Dec  4 20:57:44 benjamin postfix/bounce[998]: B4CE31F001E5: sender non-delivery notification: B6D751F002C5
    Dec  4 20:57:44 benjamin postfix/qmgr[15322]: B4CE31F001E5: removed

    I left the first 3 in there because, though they had a valid address, I noted that the Message IDs were strikingly similar; I infer a botnet client, since the MXs were different (though I admittedly haven't looked up the IPs for them).

    The last one, though, is for an address with no mailbox. It appears to *me* that Zimbra is generating a bounce, as I understand that it is not supposed to.

    I cannot speak to whether this has been happening forever or it's a change; nonetheless my upstream (Road Runner) would very much like for me to stop it. It *feels* to me as if there are two layers of Zimbra involved here, and the one answering the incomings can't check for valid mailbox -- which would of course be fatal for me on this point, and I can't imagine that's so.

    So what am I missing, folks?
    Jay R. Ashworth - ZCS 6.0.9CE/CentOS5 - St Pete FL US - Music - Blog - Photography - IANAL - IAAMA
    Try to Ask Questions The Smart Way -- you'll get better answers.

    Put your product and version in your profile/signature - All opinions strictly my own, even though I have an employer these days.
    If you [SOLVE] something, please tell everyone how for the archives
    And, please... read what people write, and answer the questions they asked, not the ones they didn't.
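
An added example, not part of the original post: a small Python correlator for Postfix syslog lines in the format quoted above. It flags messages from a non-local envelope sender that were queued and then bounced for a local recipient with a "sender non-delivery notification", which is the sequence in the last log group. The sample log, its addresses and queue IDs, and the names `find_backscatter` and `domain` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format of the excerpt above; hosts,
# addresses and queue IDs are made up for this example.
SAMPLE_LOG = """\
Dec  4 20:57:44 mx postfix/qmgr[15322]: AAAA00000001: from=<stranger@sender.example>, size=31395, nrcpt=1 (queue active)
Dec  4 20:57:44 mx postfix/error[988]: AAAA00000001: to=<nobody@mydomain.example>, relay=none, delay=0.01, dsn=5.0.0, status=bounced (mydomain.example)
Dec  4 20:57:44 mx postfix/bounce[998]: AAAA00000001: sender non-delivery notification: BBBB00000002
Dec  4 20:58:01 mx postfix/qmgr[15322]: CCCC00000003: from=<stranger@sender.example>, size=2048, nrcpt=1 (queue active)
Dec  4 20:58:02 mx postfix/lmtp[1200]: CCCC00000003: to=<real@mydomain.example>, relay=127.0.0.1[127.0.0.1]:7025, delay=0.4, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Dec  4 20:59:10 mx postfix/qmgr[15322]: DDDD00000004: from=<real@mydomain.example>, size=900, nrcpt=1 (queue active)
Dec  4 20:59:11 mx postfix/smtp[1300]: DDDD00000004: to=<gone@remote.example>, relay=mx.remote.example[192.0.2.10]:25, delay=1.1, dsn=5.1.1, status=bounced (host said: 550 5.1.1 unknown user)
Dec  4 20:59:11 mx postfix/bounce[998]: DDDD00000004: sender non-delivery notification: EEEE00000005
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)$")

def domain(addr):
    return addr.rpartition("@")[2].lower()

def find_backscatter(log_text, local_domains):
    """Flag mail from outside senders that was queued, then bounced with a DSN
    because a recipient in one of local_domains could not be delivered."""
    msgs = defaultdict(lambda: {"sender": None, "bounced": [], "dsn": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "qmgr" and (s := re.match(r"from=<([^>]*)>", rest)):
            rec["sender"] = s.group(1)            # envelope sender
        elif "status=bounced" in rest and (r := re.match(r"to=<([^>]*)>", rest)):
            rec["bounced"].append(r.group(1))     # recipient that failed
        elif daemon == "bounce" and (d := re.search(r"non-delivery notification: (\w+)", rest)):
            rec["dsn"] = d.group(1)               # queue ID of the bounce sent out
    hits = []
    for qid, rec in msgs.items():
        local_rcpts = [a for a in rec["bounced"] if domain(a) in local_domains]
        # Backscatter: a DSN went to an outside sender for a local recipient.
        if rec["dsn"] and local_rcpts and rec["sender"] and domain(rec["sender"]) not in local_domains:
            hits.append({"queue_id": qid, "sender": rec["sender"],
                         "recipients": local_rcpts, "dsn_queue_id": rec["dsn"]})
    return hits

if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_LOG, {"mydomain.example"}):
        print(hit)
```

Once unknown recipients are refused during the SMTP session (Postfix's `smtpd_reject_unlisted_recipient = yes` with complete recipient maps), this should return an empty list and the refusals show up as smtpd `NOQUEUE: reject` lines instead. A legitimate bounce to a local user for a failed remote delivery, like the third constructed message, is deliberately not flagged.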

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Quote (originally posted by Baylink):
        So what am I missing, folks?

    Perhaps "reject_unlisted_recipients" as mentioned in all (or most) of the documents you've read.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Baylink (Elite Member)

    So, Postfix gets this right, and Zimbra comes along behind them and gets it wrong?
