Ok, maybe i am the dumb one now.
@stephdl, in your opinion, what’s wrong, during the first connection during delivery, with a “temporary reject”?
I guess graylist does not help in this case because the backscatter source will try the delivery again after the temporary rejection.
Unless it gets blacklisted in the meantime… But we cannot rely on this event.
I just ended up disabling rspamd, as it sent almost everything to spam folder 
probable as well as reject. It blocked online bill pay alerts, newsletters, you know, important emails. I just need to figure out how to get rspamd to learn from good emails it has marked as spam. I tried allowing the sender in the web gui but that did not work.
To learn ham it should be enough to just move the good mails to the inbox. You need 200 hams to make the filter work.
3 Likes
Thanks, I will give that a try!
1 Like
I agree. But also I can’t totally rely on that every backscatter source will try again the delivery.
Get into a Blacklist is a matter of time. Therefore, during backscatter firetime i am not sure than all the spam sources will manage the delivery according to RFC and best practices for email servers.
I think (and maybe i’m wrong 
) that SPF could ease at least 30% of backscatter sources. So, still not absolute weapon but… maybe another little brick into the “keep the thrash out of servers” wall.
Do I need to port forward sieve port since my mail server is behind a gateway? 200 spams/hams is an awful lot. I will keep on though!
It depends, if you use webmail it shouldn’t be necessary. Not local clients like thunderbird may need it.
ok I will add it…I use all non-local imap clients (bluemail on android and windows mail on windows).
NethServer does not bounce emails.
NethServer does not create backscatter.
To fight backscatter received by NethServer (sent by other mail servers) you need to know which mail servers can send email for your domain and discard messages not sent by them, or you will lose legitimate bounces. This can not be done automatically.
ATM, my only idea is to use http://www.backscatterer.org/ to refuse messages from server known to send backscatter.
3 Likes
Reading the mail headers again, I believe that in that case you’re right : my user is actually victim of a backscatter mail, and therefore nethserver isn’t the culprit here. I misinterpreted the non delivery notification.
However I’m pretty sure that nethserver does send non deliveries in case of spam. Please read again that thread : Postfix sending non-deliveries notifications because of spam?
NethServer answers with smtp error code 554, you can check it sending you a gtube (SpamAssassin: The GTUBE).
I see. I thought that a 554 could generate backscatter but it looks like it is actually not the case.
However, I’m positive that still there is a case where nethserver answers back to spammer, which triggers the anti spam policy of my smarthost. I’ll report back next time it happens.
Regarding this backscatter potential issue. Look at this mail queue on a live system :
The recipients are obviously not connected in any way to our business. MAILER-DAEMON indicates that it is our server that tries to answer them some delivery report… for a mail we never sent.
How do you interpret this ? Personally I interpret this as the result of a backscatter attack involving our server.
Thanks for your insight.
Those email seems bounces, seeing the full text would be useful (postcat -q < id >).
I can’t say more.
They are bounces 
I’ll issue that command next time this happens. I didn’t know that one.