Backscatter mails not caught by Mail2?

mail2
v7
rspamd

(Matthieu Gaillet) #1

Hi @stephdl and all,

I just noticed that one of my users had received a backscatter bounce message. Is there a way to configure rspamd so that it catches them, or keeps them from being generated? The mail was rejected when it first landed on my system.

Here are the logs:

Txs for your help,

Matthieu


(Stéphane de Labrusse) #2

the question is why the email exceeds the score of 15; for sure there is a good reason. Either put up the score or add the sender (email or domain) to the trusted senders

edit: I probably misunderstood. If the email is rejected and the recipient is not known, you do not want the bounced message?


(Matthieu Gaillet) #3

Nope. Actually that’s spam that was sent from a forged sender to one of my users. The forged sender got a non-delivery (spam) notice that was in turn sent back to my user because the forged sender apparently did not exist.


(Stéphane de Labrusse) #4

we would need some relevant lines of logs please


(Davide Principi) #5

Steph is right: more info is required to understand. From the screenshot above I can’t say the two messages have any relation between them.


(Matthieu Gaillet) #6

Yes, they are. The subject is the same. And here is what my user received back from the forged sender’s mail server:

De: "Mail Delivery Subsystem" <MAILER-DAEMON@mxsc.fl-it.net>
Objet: Undeliverable mail: antworte
Date: 16 juin 2018 22:08:36 UTC+2
À: <etienne@gaillet.be>

Failed to deliver to 'dieter.reimann@nielsen-soerensen.de'
SMTP module(domain mx.fl-it.net) reports:
host mx.fl-it.net says:
550 dieter.reimann@nielsen-soerensen.de unknown user account

Reporting-MTA: dns; mxsc.fl-it.net

Original-Recipient: rfc822;<dieter.reimann@nielsen-soerensen.de>
Final-Recipient: rfc822;<dieter.reimann@nielsen-soerensen.de>
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx.fl-it.net
Diagnostic-Code: smtp;host mx.fl-it.net says:
550 dieter.reimann@nielsen-soerensen.de unknown user account
Received: from [124.158.112.2] ([124.158.112.2] verified)
 by mxsc.fl-it.net (CommuniGate Pro SMTP 6.2.0)
 with ESMTP id 22830565 for dieter.reimann@nielsen-soerensen.de; Sat, 16 Jun 2018 22:08:35 +0200
X-Spam: [124.158.112.2] blacklisted(ix.dnsbl.manitu.net)
Received-SPF: none
receiver=mxsc.fl-it.net; client-ip=124.158.112.2; envelope-from=etienne@gaillet.be
Message-ID: <6F70719E916E9F7E61608F807F8E6F70@Q7N758NLR3>
From: <etienne@gaillet.be>
To: <dieter.reimann@nielsen-soerensen.de>
Subject: antworte
Date: 16 Jun 2018 19:42:46 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_0018_01D405F1.017B5FFE"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

Will try to find some logs back from then.


(Davide Principi) #7

$ host -t mx nielsen-soerensen.de
nielsen-soerensen.de mail is handled by 10 mxsc.fl-it.net.
nielsen-soerensen.de mail is handled by 20 mxsc.fl-it.net.

IIUC, a legitimate mail server rejects a message because the recipient doesn’t exist. The client 124.158.112.2 (blacklisted) sends it back to the (forged) sender. Rspamd does not consider it spam. Why? Only the maillog can give the answer. The manual has some instructions about how to find it:

http://docs.nethserver.org/en/v7/mail.html#log


(Matthieu Gaillet) #8

Here are the logs:

Incoming spam:

Jun 16 07:14:13 mattlabs postfix/smtpd[31795]: connect from 213.211.170.105.static.edpnet.net[213.211.170.105]
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Jun 16 07:14:13 mattlabs postfix/smtpd[31795]: 30DD9C003E76: client=213.211.170.105.static.edpnet.net[213.211.170.105]
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; milter; rspamd_milter_process_command: got connection from 213.211.170.105:59798
Jun 16 07:14:13 mattlabs postfix/cleanup[31799]: 30DD9C003E76: message-id=<5B24DBF1.4060103@pro.wera.de>
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_mime_text_to_utf8: converted from IBM850 to UTF-8 inlen: 799, outlen: 799
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_mime_text_to_utf8: converted from IBM850 to UTF-8 inlen: 1039, outlen: 1039
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_mime_part_detect_language: detected part language: de
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_message_parse: loaded message; id: <5B24DBF1.4060103@pro.wera.de>; queue-id: <30DD9C003E76>; size: 3150; checksum: <af47dca4e9c800e86c11a9ab1b170fa4>
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_symbols_cache_check_symbol: slow rule: XM_UA_NO_VERSION: 102986751 ticks
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; lua; neural.lua:454: trained ANN rule RFANN, save spam vector, 151 bytes
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_task_write_log: id: <5B24DBF1.4060103@pro.wera.de>, qid: <30DD9C003E76>, ip: 213.211.170.105, from: <betakeq3@pro.wera.de>, (default: T (reject): [15.67/15.00] [MSBL_EBL(7.50){saintaina01@gmail.com;c0738c3509c77564a18005985f6dc3c296b9363e;},DATE_IN_FUTURE(4.00){},RECEIVED_SPAMHAUS_XBL(3.00){4.113.98.37.zen.spamhaus.org : 127.0.0.4;},AUTH_NA(1.00){},IP_SCORE(0.21){ip: (0.43), ipnet: 213.211.160.0/20(0.35), asn: 9031(0.22), country: BE(0.04);},MIME_GOOD(-0.10){multipart/alternative;text/plain;},BAYES_SPAM(0.06){57.87%;},ASN(0.00){asn:9031, ipnet:213.211.160.0/20, country:BE;},DMARC_NA(0.00){wera.de;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},PREVIOUSLY_DELIVERED(0.00){myuser@gaillet.be;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_THREE(0.00){4;},RCVD_NO_TLS_LAST(0.00){},RECEIVED_SPAMHAUS(0.00){4.113.98.37.zen.spamhaus.org;},R_DKIM_NA(0.00){},R_SPF_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 3150, time: 440.008ms real, 10.226ms virtual, dns req: 23, digest: <af47dca4e9c800e86c11a9ab1b170fa4>, rcpts: <myuser@gaillet.be>, mime_rcpts: <myuser@gaillet.be>
Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 7 regexps matched, 172 regexps total, 93 regexps cached, 0B bytes scanned using pcre, 6.26k bytes scanned total
Jun 16 07:14:13 mattlabs postfix/cleanup[31799]: 30DD9C003E76: milter-reject: END-OF-MESSAGE from 213.211.170.105.static.edpnet.net[213.211.170.105]: 5.7.1 Spam message rejected; from=<betakeq3@pro.wera.de> to=<myuser@gaillet.be> proto=ESMTP helo=<cloud.lebrass.be>
Jun 16 07:14:13 mattlabs postfix/smtpd[31795]: disconnect from 213.211.170.105.static.edpnet.net[213.211.170.105]
Jun 16 07:14:13 mattlabs rspamd[26808]: <d55b00>; proxy; proxy_milter_finish_handler: finished milter connection
Jun 16 07:14:40 mattlabs rspamd[26809]: <wsrwiw>; lua; neural.lua:813: check ANN tRFANNF87B4FFCD4397E85260
Jun 16 07:14:40 mattlabs rspamd[26809]: <wsrwiw>; lua; neural.lua:825: no need to learn ANN tRFANNF87B4FFCD4397E85260 120 learn vectors (1000 required)

And here is the non-delivery answer:

Jun 16 22:08:37 mattlabs postfix/smtpd[8021]: connect from 213.211.170.105.static.edpnet.net[213.211.170.105]
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/worker-proxy port 0
Jun 16 22:08:37 mattlabs postfix/smtpd[8021]: 722BDC003E76: client=213.211.170.105.static.edpnet.net[213.211.170.105]
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; milter; rspamd_milter_process_command: got connection from 213.211.170.105:36038
Jun 16 22:08:37 mattlabs postfix/cleanup[8026]: 722BDC003E76: message-id=<receipt-22830566@mxsc.fl-it.net>
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_mime_part_get_cte: detected missing CTE for part as: 7bit
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_mime_part_detect_language: detected part language: en
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_mime_part_detect_language: detected part language: en
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_mime_part_detect_language: detected part language: en
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_message_parse: loaded message; id: <receipt-22830566@mxsc.fl-it.net>; queue-id: <722BDC003E76>; size: 2585; checksum: <b659223f449a0b0416a0ea51971f0c6a>
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; fuzzy_generate_commands: <receipt-22830566@mxsc.fl-it.net>, part is shorter than 1000 bytes: 390 (195 * 2.00 bytes), skip fuzzy check
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; fuzzy_generate_commands: <receipt-22830566@mxsc.fl-it.net>, part is shorter than 1000 bytes: 680 (340 * 2.00 bytes), skip fuzzy check
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; fuzzy_generate_commands: <receipt-22830566@mxsc.fl-it.net>, part is shorter than 1000 bytes: 390 (195 * 2.00 bytes), use direct hash
Jun 16 22:08:37 mattlabs rspamd[26808]: <efe725>; proxy; fuzzy_generate_commands: <receipt-22830566@mxsc.fl-it.net>, part is shorter than 1000 bytes: 680 (340 * 2.00 bytes), use direct hash
Jun 16 22:08:38 mattlabs rspamd[26808]: <efe725>; lua; greylist.lua:255: Score too low - skip greylisting
Jun 16 22:08:38 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_task_write_log: id: <receipt-22830566@mxsc.fl-it.net>, qid: <722BDC003E76>, ip: 213.211.170.105, (default: F (no action): [1.14/15.00] [AUTH_NA(1.00){},IP_SCORE(0.24){ip: (0.49), ipnet: 213.211.160.0/20(0.39), asn: 9031(0.25), country: BE(0.05);},MIME_GOOD(-0.10){text/plain;},ASN(0.00){asn:9031, ipnet:213.211.160.0/20, country:BE;},DMARC_NA(0.00){fl-it.net;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){MAILER-DAEMON@mxsc.fl-it.net;;},MID_RHS_MATCH_FROM(0.00){},PREVIOUSLY_DELIVERED(0.00){myuser@gaillet.be;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_THREE(0.00){4;},RCVD_NO_TLS_LAST(0.00){},R_DKIM_NA(0.00){},R_SPF_NA(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 2585, time: 730.354ms real, 9.598ms virtual, dns req: 38, digest: <b659223f449a0b0416a0ea51971f0c6a>, rcpts: <myuser@gaillet.be>, mime_rcpts: <myuser@gaillet.be>
Jun 16 22:08:38 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 172 regexps total, 89 regexps cached, 0B bytes scanned using pcre, 5.56k bytes scanned total
Jun 16 22:08:38 mattlabs postfix/qmgr[29031]: 722BDC003E76: from=<>, size=2842, nrcpt=1 (queue active)
Jun 16 22:08:38 mattlabs postfix/smtpd[8021]: disconnect from 213.211.170.105.static.edpnet.net[213.211.170.105]
Jun 16 22:08:38 mattlabs rspamd[26808]: <a8c8c9>; proxy; proxy_milter_finish_handler: finished milter connection
Jun 16 22:08:38 mattlabs dovecot: lmtp(8029): Connect from local
Jun 16 22:08:38 mattlabs dovecot: lmtp(8029, myuser@gaillet.be): qqyzEkZuJVtdHwAAj0go4A: sieve: msgid=<receipt-22830566@mxsc.fl-it.net>: stored mail into mailbox 'INBOX'
Jun 16 22:08:38 mattlabs postfix/lmtp[8028]: 722BDC003E76: to=<myuser@gaillet.be>, relay=mattlabs.gaillet.be[/var/run/dovecot/lmtp], delay=1, delays=0.84/0.02/0/0.18, dsn=2.0.0, status=sent (250 2.0.0 <etienne@gaillet.be> qqyzEkZuJVtdHwAAj0go4A Saved)
Jun 16 22:08:38 mattlabs dovecot: lmtp(8029): Disconnect from local: Successful quit
Jun 16 22:08:38 mattlabs postfix/qmgr[29031]: 722BDC003E76: removed

Here are the spam tags in a more readable form:

For the record:

Backscatter (also known as outscatter, misdirected bounces, blowback or collateral spam) is incorrectly automated bounce messages sent by mail servers, typically as a side effect of incoming spam.

Recipients of such messages see them as a form of unsolicited bulk email or spam, because they were not solicited by the recipients, are substantially similar to each other, and are delivered in bulk quantities. Systems that generate email backscatter may be listed on various email blacklists and may be in violation of internet service providers’ Terms of Service.

source: https://en.wikipedia.org/wiki/Backscatter_(email)
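A small parser, added here as an example (it is not from the thread, NethServer or rspamd), that turns the `rspamd_task_write_log` lines above into the readable symbol table the post refers to and flags a null-sender bounce that rspamd passed with "no action". The sample lines are shortened copies of the two log lines quoted above; the `MAILER-DAEMON` heuristic is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Two rspamd_task_write_log lines, shortened from the logs quoted in this thread
# (symbol lists and timing fields trimmed): the rejected spam, then the delivered bounce.
SAMPLE_LOG = (
    "Jun 16 07:14:13 mattlabs rspamd[26808]: <f8ea22>; proxy; rspamd_task_write_log: "
    "id: <5B24DBF1.4060103@pro.wera.de>, qid: <30DD9C003E76>, ip: 213.211.170.105, "
    "from: <betakeq3@pro.wera.de>, (default: T (reject): [15.67/15.00] "
    "[MSBL_EBL(7.50){saintaina01@gmail.com;},DATE_IN_FUTURE(4.00){},"
    "RECEIVED_SPAMHAUS_XBL(3.00){4.113.98.37.zen.spamhaus.org : 127.0.0.4;},AUTH_NA(1.00){},"
    "IP_SCORE(0.21){ip: (0.43), ipnet: 213.211.160.0/20(0.35);},MIME_GOOD(-0.10){text/plain;}]), "
    "len: 3150, rcpts: <myuser@gaillet.be>, mime_rcpts: <myuser@gaillet.be>\n"
    "Jun 16 22:08:38 mattlabs rspamd[26808]: <efe725>; proxy; rspamd_task_write_log: "
    "id: <receipt-22830566@mxsc.fl-it.net>, qid: <722BDC003E76>, ip: 213.211.170.105, "
    "(default: F (no action): [1.14/15.00] [AUTH_NA(1.00){},IP_SCORE(0.24){ip: (0.49);},"
    "MIME_GOOD(-0.10){text/plain;},FROM_NEQ_ENVFROM(0.00){MAILER-DAEMON@mxsc.fl-it.net;;},"
    "PREVIOUSLY_DELIVERED(0.00){myuser@gaillet.be;}]), len: 2585, rcpts: <myuser@gaillet.be>\n"
)

# 'from:' is absent when the envelope sender is empty (Postfix logs the same message as from=<>).
TASK_LOG_RE = re.compile(
    r"rspamd_task_write_log: id: <(?P<msgid>[^>]*)>, qid: <(?P<qid>[^>]*)>, "
    r"ip: [^,]+, (?:from: <(?P<env_from>[^>]*)>, )?"
    r"\(default: [TF] \((?P<action>[^)]*)\): "
    r"\[(?P<score>-?[\d.]+)/(?P<threshold>-?[\d.]+)\] \[(?P<symbols>.*)\]\)"
)
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\((-?[\d.]+)\)\{([^}]*)\}")  # NAME(score){options}

@dataclass
class Symbol:
    name: str
    score: float
    options: str

@dataclass
class ScanResult:
    qid: str
    msgid: str
    envelope_from: Optional[str]  # None for the empty (bounce) sender
    action: str
    score: float
    threshold: float
    symbols: List[Symbol]

def parse_task_log(line: str) -> Optional[ScanResult]:
    """Parse one rspamd_task_write_log line; any other log line yields None."""
    m = TASK_LOG_RE.search(line)
    if not m:
        return None
    symbols = [Symbol(n, float(s), o) for n, s, o in SYMBOL_RE.findall(m["symbols"])]
    return ScanResult(m["qid"], m["msgid"], m["env_from"], m["action"],
                      float(m["score"]), float(m["threshold"]), symbols)

def readable_table(r: ScanResult) -> str:
    """The 'spam tags in a more readable form': one symbol per line, largest contributor first."""
    rows = [f"  {s.name:<24}{s.score:6.2f}  {s.options}" for s in sorted(r.symbols, key=lambda s: -s.score)]
    return "\n".join([f"{r.qid} {r.action} {r.score:.2f}/{r.threshold:.2f}"] + rows)

def is_delivered_bounce(r: ScanResult) -> bool:
    """Backscatter candidate (assumed heuristic): empty envelope sender, MAILER-DAEMON header
    From (rspamd records the mismatch in FROM_NEQ_ENVFROM), and rspamd took no action."""
    daemon = any(s.name == "FROM_NEQ_ENVFROM" and "MAILER-DAEMON" in s.options for s in r.symbols)
    return r.envelope_from is None and daemon and r.action == "no action"
```

Feeding `/var/log/maillog` through `parse_task_log` line by line and keeping only `is_delivered_bounce` hits gives the list of bounces that slipped through, which is what the thread is trying to see.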


(Stéphane de Labrusse) #9

PREVIOUSLY_DELIVERED(0.00){myuser@gaillet.be;}

maybe one clue: the email was forged as an answer to you and rspamd gave more interest to this enabled plugin (replies.conf)

https://rspamd.com/doc/modules/replies.html

we do not set a predetermined action, but it could be enough to trick rspamd


(Matthieu Gaillet) #10

Mmmh, given the nature of their business it looks unlikely that they were ever in contact before. The logs confirm that.

Isn’t there a way to simply discard the rejected mail when the headers are forged?

I read this:

Accordingly you won’t see this email in John’s inbox. This is a great advantage of using milters by the way. Imagine Postfix receiving a spam email and confirming its reception. What should it do when it finds out that it’s unwanted email? According to the SMTP protocol it must not throw away any emails. Would you create a bounce message telling the sender that you did not accept the email? That would be a bad idea because the pretended sender address is very likely not the real sender. You would send the bounce to an innocent person thus creating so called backscatter and make it even worse. So the right approach is to check the email while the sending server is still connected to your Postfix. This allows Postfix to reject the email with a 5.x.x error code and let the other side figure out what to do.

in https://workaround.org/ispmail/stretch/filtering-out-spam-with-rspamd


(Stéphane de Labrusse) #11

some actions against forged headers

https://rspamd.com/doc/modules/spf.html
https://rspamd.com/doc/modules/dmarc.html
https://rspamd.com/doc/modules/dkim.html


(Matthieu Gaillet) #12

Oh. Does that mean that none of those features are enabled by default?


(Stéphane de Labrusse) #13

yes, not enabled because with misconfigured DKIM keys, or strict SPF & DMARC, we could refuse email (originating often from spammers of course)

you could also enable this, just found it https://github.com/vstakhov/rspamd/blob/08e99bfde4713e6253ce705926851c6639f65437/conf/modules.d/ratelimit.conf

# Limit for all bounce mail (rate 2 per hour)
#bounce_to = "2 / 1h";
# Limit for bounce mail per one source ip (rate 1 per hour)
#bounce_to_ip = "1 / 1h";

(Stéphane de Labrusse) #14

googling on the topic, I could read that bounce and backscatter are not relevant (only) to rspamd but more generally to Postfix

am I wrong?


(Michael Kicks) #15

Is it possible to manage these messages with greylisting?


(Stéphane de Labrusse) #16

old website but still relevant http://www.dontbouncespam.org/


(Michael Kicks) #17

I think that greylisting takes a different kind of approach.
Error 4.x.x is a temporary reject during delivery to Postfix. If it’s a legitimate message, the MTA will try again after a correct time.
The greylisting should be bypassed when:

  • the message comes from an already known legitimate server as assured by SPF
  • the message comes with a verified DKIM key
  • DMARC says “everything all right, pal!”

(Stéphane de Labrusse) #18

Mailing lists could send your email from an IP that is not allowed

Sometimes the DKIM key is badly formatted and you cannot verify it

Not all servers use a really restricted DMARC policy; sometimes it is really relaxed and in the failed case you have no recommended action.

In short we have no absolute weapon :slight_smile:


(Matthieu Gaillet) #19

I think you are right @stephdl: we should simply not bounce mails « back » to spammers, at least not those with a very high score.
Maybe that’s a Postfix job, but it has to rely on rspamd to decide whether a mail is spam or not.


(Matthieu Gaillet) #20

Maybe I’m wrong. Postfix has features to recognize and discard forged sender addresses. Are they used on NethServer?

From the official doc : http://www.postfix.org/BACKSCATTER_README.html#random

By the way: it just came to my mind that this issue (spam mails bounced) already plagued me in the past: I use a smarthost that decides from time to time that I’m a spammer because I send too many non-delivery notifications for spammers! Read the post I wrote at that time on this board: Postfix sending non-deliveries notifications because of spam?

That’s a real issue, we should handle it.


Postfix sending non-deliveries notifications because of spam?