Postfix Backscatter Howto
OverviewThis document describes features that require Postfix version 2.0 or later.
Topics covered in this document:
When a spammer or worm sends mail with forged sender addresses, innocent sites are flooded with undeliverable mail notifications. This is called backscatter mail, and if your system is flooded then you will find out soon enough.
If your machine receives backscatter mail to random addresses, configure Postfix to reject all mail for non-existent recipients as described in the LOCAL_RECIPIENT_README and STANDARD_CONFIGURATION_README documentation.
If your machine runs Postfix 2.0 and earlier, disable the "pause before reject" feature in the SMTP server. If your system is under stress then it should not waste time.
/usr/local/etc/postfix/main.cf: # Not needed with Postfix 2.1 and later. smtpd_error_sleep_time = 0
When backscatter mail passes the "unknown recipient" barrier, there still is no need to despair. Many mail systems are kind enough to attach the message headers of the undeliverable mail in the non-delivery notification. These message headers contain information that you can use to recognize and block forged mail.
Although my email address is "firstname.lastname@example.org", all my mail systems announce themselves with the SMTP HELO command as "hostname.porcupine.org". Thus, if returned mail has a Received: message header like this:
Received: from porcupine.org ...
Then I know that this is almost certainly forged mail. Mail that is really sent by my systems looks like this:
Received: from hostname.porcupine.org ...
For the same reason the following message headers are very likely to be the result of forgery:
Received: from host.example.com ([220.127.116.11] helo=porcupine.org) ... Received: from [18.104.22.168] (port=12345 helo=porcupine.org) ... Received: from host.example.com (HELO porcupine.org) ... Received: from host.example.com (EHLO porcupine.org) ...
/usr/local/etc/postfix/main.cf: header_checks = regexp:/usr/local/etc/postfix/header_checks body_checks = regexp:/usr/local/etc/postfix/body_checks /usr/local/etc/postfix/header_checks: /^Received: +from +(porcupine\.org) +/ reject forged client name in Received: header: $1 /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/ reject forged client name in Received: header: $2 /usr/local/etc/postfix/body_checks: /^[> ]*Received: +from +(porcupine\.org) / reject forged client name in Received: header: $1 /^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/ reject forged client name in Received: header: $2
Netscape Messenger (and reportedly, Mozilla) sends a HELO name that is identical to the sender address domain part. If you have such clients then the above patterns would block legitimate email.
My network has only one such machine, and to prevent its mail from being blocked I have configured it to send mail as email@example.com. On the Postfix server, a canonical mapping translates this temporary address into firstname.lastname@example.org.
/usr/local/etc/postfix/main.cf: canonical_maps = hash:/usr/local/etc/postfix/canonical /usr/local/etc/postfix/canonical: @hostname.porcupine.org @porcupine.org
This is of course practical only when you have very few systems that send HELO commands like this, and when you never have to send mail to a user on such a host.
An alternative would be to remove the hostname with address masquerading, as described in the ADDRESS_REWRITING_README document.
/usr/local/etc/postfix/main.cf: header_checks = regexp:/usr/local/etc/postfix/header_checks body_checks = regexp:/usr/local/etc/postfix/body_checks /usr/local/etc/postfix/header_checks: /^(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/ reject forged sender address in $1: message header: $2 /usr/local/etc/postfix/body_checks: /^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/ reject forged sender address in $1: message header: $2
Another sign of forgery can be found in the IP address that is recorded in Received: headers next to your HELO host or domain name. This information must be used with care, though. Some mail servers are behind a network address translator and never see the true client IP address.
With all the easily recognizable forgeries eliminated, there is one category of backscatter mail that remains, and that is notifications from virus scanner software. Unfortunately, some virus scanning software doesn't know that viruses forge sender addresses. To make matters worse, the software also doesn't know how to report a mail delivery problem, so that we cannot use the above techniques to recognize forgeries.
Recognizing virus scanner mail is an error prone process, because there is a lot of variation in report formats. The following is only a small example of message header patterns. For a large collection of header and body patterns that recognize virus notification email, see http://www.dkuug.dk/keld/virus/.
/usr/local/etc/postfix/header_checks: /^Subject: *Your email contains VIRUSES/ DISCARD virus notification /^Content-Disposition:.*VIRUS1_DETECTED_AND_REMOVED/ DISCARD virus notification /^Content-Disposition:.*VirusWarning.txt/ DISCARD virus notification
A plea to virus or spam scanner operators: please do not make the problem worse by sending return mail to forged sender addresses. You're only harassing innocent people.