Backscatter mails not caught by Mail2?

Is it possible to manage these messages with greylisting?

Old website but still relevant: http://www.dontbouncespam.org/

I think that greylisting takes a different kind of approach.
Error 4.x.x is a temporary reject during delivery to Postfix. If it’s a legitimate message, the MTA will try again after an appropriate time.
The greylisting should be bypassed when:

  • the message comes from an already known legitimate server, as assured by SPF
  • the message comes with a verified DKIM key
  • DMARC says “Everything all right, pal!”

A mailing list could send your email from a not-allowed IP.

Sometimes the DKIM key is badly formatted and you cannot verify it.

Not all servers use a really restrictive DMARC policy; sometimes it is really relaxed, and in the failed case you have no recommended action.

In short we have no absolute weapon :slight_smile:

I think you are right @stephdl: we should simply not bounce mails “back” to spammers, at least not those with a very high score.
Maybe that’s a Postfix job, but it has to rely on rspamd to decide whether a mail is spam or not.

Maybe I’m wrong. Postfix has features to recognize and discard forged sender addresses. Are they used on NethServer?

From the official doc: http://www.postfix.org/BACKSCATTER_README.html#random

By the way: it just came to my mind that this issue (spam mails bounced) already plagued me in the past: I use a smarthost that decides from time to time that I’m a spammer because I send too many non-delivery notifications for spammers! Read the post I wrote at that time on this board: Postfix sending non-deliveries notifications because of spam?

That’s a real issue, we should handle it.

1 Like

OK, maybe I am the dumb one now.
@stephdl, in your opinion, what’s wrong with a “temporary reject” during the first connection during delivery?

I guess graylist does not help in this case because the backscatter source will try the delivery again after the temporary rejection.

Unless it gets blacklisted in the meantime… But we cannot rely on this event.

I just ended up disabling rspamd, as it sent almost everything to the spam folder :smiley: probably as well as reject. It blocked online bill pay alerts, newsletters, you know, important emails. I just need to figure out how to get rspamd to learn from good emails it has marked as spam. I tried allowing the sender in the web GUI but that did not work.

To learn ham it should be enough to just move the good mails to the inbox. You need 200 hams to make the filter work.

http://docs.nethserver.org/en/v7/mail.html#anti-spam

3 Likes

Thanks, I will give that a try!

1 Like

I agree. But I also can’t totally rely on every backscatter source trying the delivery again.

Getting onto a blacklist is a matter of time. Therefore, during backscatter fire time, I am not sure that all the spam sources will manage the delivery according to the RFCs and best practices for email servers.

I think (and maybe I’m wrong :slight_smile: ) that SPF could ease at least 30% of backscatter sources. So, still not an absolute weapon but… maybe another little brick in the “keep the trash out of servers” wall.

Do I need to port forward sieve port since my mail server is behind a gateway? 200 spams/hams is an awful lot. I will keep on though!

It depends: if you use webmail it shouldn’t be necessary. Non-local clients like Thunderbird may need it.

OK, I will add it… I use all non-local IMAP clients (BlueMail on Android and Windows Mail on Windows).

NethServer does not bounce emails.
NethServer does not create backscatter.
To fight backscatter received by NethServer (sent by other mail servers) you need to know which mail servers can send email for your domain and discard messages not sent by them, or you will lose legitimate bounces. This cannot be done automatically.

ATM, my only idea is to use http://www.backscatterer.org/ to refuse messages from servers known to send backscatter.

3 Likes
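As an added example (not part of the thread, and not NethServer's or Postfix's own code), this is one way to apply the rule from the post above: inspect the original message returned inside a bounce and keep the bounce only if that original passed through a server allowed to send for your domain. The domain `example.org`, the host `mail.example.org`, the helper names and the sample messages are all assumptions constructed for illustration.

```python
import email
from email import policy

# Assumptions, not from the thread: our domain and the host allowed to send for it.
OUR_DOMAINS = {"example.org"}
OUR_OUTBOUND_HOSTS = {"mail.example.org"}

def returned_headers(bounce):
    """Headers of the original message embedded in a bounce, or None."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":     # headers-only return
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def classify_bounce(raw):
    """'legitimate', 'backscatter', or 'unverifiable' (no original attached)."""
    orig = returned_headers(email.message_from_string(raw, policy=policy.default))
    if orig is None:
        return "unverifiable"  # cannot prove either way; do not silently discard
    msgid_domain = str(orig.get("Message-ID", "")).strip("<> ").rpartition("@")[2].lower()
    received = " ".join(" ".join(map(str, orig.get_all("Received", []))).lower().split())
    via_us = any(f" by {h} " in f" {received} " for h in OUR_OUTBOUND_HOSTS)
    # Heuristic: both values can be forged, so this reduces backscatter, not ends it.
    return "legitimate" if msgid_domain in OUR_DOMAINS and via_us else "backscatter"

def make_dsn(original, kind):
    """Constructed sample bounce; kind is the MIME type of the returned part."""
    return (
        "From: MAILER-DAEMON@mx.remote.example\nTo: user@example.org\n"
        "Subject: Undelivered Mail Returned to Sender\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        f"--b1\nContent-Type: {kind}\n\n{original}\n--b1--\n"
    )

# Constructed originals: one relayed by our host, one that never touched it.
OURS = ("Received: from laptop by mail.example.org with ESMTPSA; Mon, 1 Jan 2024 10:00:00 +0000\n"
        "Message-ID: <20240101.1@example.org>\nFrom: user@example.org\nSubject: invoice\n")
FORGED = ("Received: from unknown by relay.invalid with SMTP; Mon, 1 Jan 2024 10:00:00 +0000\n"
          "Message-ID: <x9@relay.invalid>\nFrom: user@example.org\nSubject: cheap pills\n")
```

Bounces that carry no copy of the original come back as `unverifiable`, which is the case where automatic discarding would lose legitimate bounces.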

Hi @filippo_carletti,

Reading the mail headers again, I believe that in that case you’re right: my user is actually the victim of a backscatter mail, and therefore NethServer isn’t the culprit here. I misinterpreted the non-delivery notification.

However, I’m pretty sure that NethServer does send non-deliveries in case of spam. Please read that thread again: Postfix sending non-deliveries notifications because of spam?

NethServer answers with SMTP error code 554; you can check it by sending yourself a GTUBE (SpamAssassin: The GTUBE).

I see. I thought that a 554 could generate backscatter but it looks like it is actually not the case.

However, I’m positive that there is still a case where NethServer answers back to spammers, which triggers the anti-spam policy of my smarthost. I’ll report back next time it happens.

Hey @filippo_carletti

Regarding this potential backscatter issue, look at this mail queue on a live system:

The recipients are obviously not connected in any way to our business. MAILER-DAEMON indicates that it is our server that tries to send them some delivery report… for a mail we never sent.

How do you interpret this? Personally I interpret this as the result of a backscatter attack involving our server.

Thanks for your insight.