<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<title>Postfix Backscatter Howto</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix
Backscatter Howto</h1>
<p> This document describes features that require Postfix version 2.0 </p>

<p> Topics covered in this document: </p>
<ul>

<li><a href="#wtf">What is backscatter mail?</a></li>

<li><a href="#random">How do I block backscatter mail to random
recipient addresses?</a></li>

<li><a href="#real">How do I block backscatter mail to real
recipient addresses?</a></li>

<li><a href="#forged_helo">Blocking backscatter mail with forged
HELO information</a></li>

<li><a href="#forged_sender">Blocking backscatter mail with forged
sender information</a></li>

<li><a href="#forged_other">Blocking backscatter mail with other
forged information</a></li>

<li><a href="#scanner">Blocking backscatter mail from virus
scanner software</a></li>

</ul>
<h2><a name="wtf">What is backscatter mail?</a></h2>

<p> When a spammer or worm sends mail with forged sender addresses,
innocent sites are flooded with undeliverable mail notifications.
This is called backscatter mail, and if your system is flooded then
you will find out soon enough. </p>
<h2><a name="random">How do I block backscatter mail to random
recipient addresses?</a></h2>

<p> If your machine receives backscatter mail to random addresses,
configure Postfix to reject all mail for non-existent recipients
as described in the LOCAL_RECIPIENT_README and
STANDARD_CONFIGURATION_README documentation. </p>

<p> If your machine runs Postfix 2.0 or earlier, disable the "pause
before reject" feature in the SMTP server. If your system is under
stress then it should not waste time. </p>

<pre>
    # Not needed with Postfix 2.1 and later.
    smtpd_error_sleep_time = 0
</pre>
<h2><a name="real">How do I block backscatter mail to real
recipient addresses?</a></h2>

<p> When backscatter mail passes the "unknown recipient" barrier,
there still is no need to despair. Many mail systems are kind
enough to attach the message headers of the undeliverable mail in
the non-delivery notification. These message headers contain
information that you can use to recognize and block forged mail. </p>
<h3><a name="forged_helo">Blocking backscatter mail with forged
HELO information</a></h3>

<p> Although my email address is "wietse@porcupine.org", all my
mail systems announce themselves with the SMTP HELO command as
"hostname.porcupine.org". Thus, if returned mail has a Received:
message header like this: </p>

<pre>
Received: from porcupine.org ...
</pre>

<p> Then I know that this is almost certainly forged mail. Mail
that is really sent by my systems looks like this: </p>

<pre>
Received: from hostname.porcupine.org ...
</pre>

<p> For the same reason the following message headers are very likely
to be the result of forgery: </p>

<pre>
Received: from host.example.com ([1.2.3.4] helo=porcupine.org) ...
Received: from [1.2.3.4] (port=12345 helo=porcupine.org) ...
Received: from host.example.com (HELO porcupine.org) ...
Received: from host.example.com (EHLO porcupine.org) ...
</pre>

<p> To block such backscatter I use header_checks and body_checks
patterns like this: </p>

<pre>
/etc/postfix/main.cf:
    header_checks = regexp:/etc/postfix/header_checks
    body_checks = regexp:/etc/postfix/body_checks

/etc/postfix/header_checks:
    /^Received: +from +(porcupine\.org) +/
        reject forged client name in Received: header: $1
    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2

/etc/postfix/body_checks:
    /^[&gt; ]*Received: +from +(porcupine\.org) /
        reject forged client name in Received: header: $1
    /^[&gt; ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
</pre>
<ul>

<li> <p> The example is simplified for educational purposes. In
reality my patterns list multiple domain names, as
"<tt>(domain|domain|...)</tt>". </p> </li>

<li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p> </li>

<li> <p> The "<tt>\(</tt>" and "<tt>\)</tt>" match "<tt>(</tt>"
and "<tt>)</tt>" literally. Without the "<tt>\</tt>", the "<tt>(</tt>"
and "<tt>)</tt>" would be grouping operators. </p> </li>

</ul>
<p><strong>Caveats</strong></p>

<p> Netscape Messenger (and reportedly, Mozilla) sends a HELO name
that is identical to the sender address domain part. If you have
such clients then the above patterns would block legitimate email. </p>

<p> My network has only one such machine, and to prevent its mail
from being blocked I have configured it to send mail as
user@hostname.porcupine.org. On the Postfix server, a canonical
mapping translates this temporary address into user@porcupine.org. </p>

<pre>
/etc/postfix/main.cf:
    canonical_maps = hash:/etc/postfix/canonical

/etc/postfix/canonical:
    @hostname.porcupine.org @porcupine.org
</pre>

<p> This is of course practical only when you have very few systems
that send HELO commands like this, and when you never have to send
mail to a user on such a host. </p>

<p> An alternative would be to remove the hostname with address
masquerading, as described in the ADDRESS_REWRITING_README document. </p>
<h3><a name="forged_sender">Blocking backscatter mail with forged
sender information</a></h3>

<p> Like many people I still have a few email addresses in domains that
I used in the past. Mail for those addresses is forwarded to my
current address. Most of the backscatter mail that I get claims
to be sent from these addresses. Such mail is obviously forged
and is very easy to stop. </p>

<pre>
/etc/postfix/main.cf:
    header_checks = regexp:/etc/postfix/header_checks
    body_checks = regexp:/etc/postfix/body_checks

/etc/postfix/header_checks:
    /^(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/
        reject forged sender address in $1: message header: $2

/etc/postfix/body_checks:
    /^[&gt; ]*(From|Return-Path):.*[[:&lt;:]](user@domain\.tld)[[:&gt;:]]/
        reject forged sender address in $1: message header: $2
</pre>
<ul>

<li> <p> The example is simplified for educational purposes. In
reality, my patterns list multiple email addresses as
"<tt>(user1@domain1\.tld|user2@domain2\.tld)</tt>". </p> </li>

<li> <p> The <tt>[[:&lt;:]]</tt> matches the beginning of a word,
and the <tt>[[:&gt;:]]</tt> matches the end. </p> </li>

<li> <p> The "<tt>\.</tt>" matches "<tt>.</tt>" literally. Without
the "<tt>\</tt>", the "<tt>.</tt>" would match any character. </p> </li>

</ul>
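<p> To try the header_checks and body_checks patterns from the forged-HELO
and forged-sender sections above without a running Postfix, here is a small
emulator of how Postfix applies a <tt>regexp:</tt> table. It is an added
example, not Postfix's own code. The sample headers, the documentation
address 192.0.2.10, and the use of Python's <tt>\b</tt> in place of the
<tt>[[:&lt;:]]</tt> and <tt>[[:&gt;:]]</tt> word boundaries (which Python's
<tt>re</tt> module does not support) are assumptions made for the example. </p>

```python
import re

# Added example: a tiny emulator of how Postfix applies a regexp: header_checks
# table, so the patterns from this document can be tried against sample headers
# without a running Postfix. Not Postfix's own code. It implements only what the
# document's tables use: rules tried top to bottom, first match wins, patterns
# case-insensitive by default (as in Postfix regexp: tables), and $1, $2, ...
# in the action text replaced by the matching capture groups.

HEADER_CHECKS = [
    # forged HELO information (patterns from the section of that name)
    (r"^Received: +from +(porcupine\.org) +",
     "reject forged client name in Received: header: $1"),
    (r"^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)",
     "reject forged client name in Received: header: $2"),
    # forged sender information; Python's re has no [[:<:]] / [[:>:]], so the
    # generic word boundary \b stands in for them here (an assumption)
    (r"^(From|Return-Path):.*\b(user@domain\.tld)\b",
     "reject forged sender address in $1: message header: $2"),
]

# The body_checks in the document are the same patterns with a "^[> ]*" prefix,
# so that quoted copies of the headers inside a bounce body are caught too.
BODY_CHECKS = [(r"^[> ]*" + pattern[1:], action) for pattern, action in HEADER_CHECKS]


def check_line(line, table=HEADER_CHECKS):
    """Return the expanded action text of the first matching rule, or None."""
    for pattern, action in table:
        match = re.search(pattern, line, re.IGNORECASE)
        if match:
            # expand $N with the N-th capture group, as Postfix does
            return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", action)
    return None


# Constructed sample headers, modelled on the forged and genuine examples in
# the document (192.0.2.10 is a documentation address, not a real host).
SAMPLES = [
    "Received: from porcupine.org (unknown [192.0.2.10])",
    "Received: from hostname.porcupine.org (hostname.porcupine.org [192.0.2.10])",
    "Received: from host.example.com ([192.0.2.10] helo=porcupine.org)",
    "Received: from [192.0.2.10] (port=12345 helo=porcupine.org)",
    "Received: from host.example.com (HELO porcupine.org)",
    "Received: from host.example.com (EHLO porcupine.org)",
    "Return-Path: <user@domain.tld>",
    "From: xuser@domain.tld",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:80} -> {check_line(sample)}")
    # the same header quoted inside a bounce body is matched only by the body table
    quoted = "> Received: from porcupine.org (unknown [192.0.2.10])"
    print(f"{quoted!r:80} -> header table: {check_line(quoted)}")
    print(f"{'':80}    body table: {check_line(quoted, BODY_CHECKS)}")
```

<p> Running the script prints which rule fires for each sample. The genuine
hostname.porcupine.org header and the From: line whose local part merely ends
in "user" fall through with no action, and the quoted copy of a Received:
header is caught by the body table but not by the header table, which is
exactly the division of labour between header_checks and body_checks. </p>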
<h3><a name="forged_other">Blocking backscatter mail with other
forged information</a></h3>

<p> Another sign of forgery can be found in the IP address that is
recorded in Received: headers next to your HELO host or domain name.
This information must be used with care, though. Some mail servers
are behind a network address translator and never see the true
client IP address. </p>
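<p> As an added example (not from the Postfix documentation) of the check
described in this section, the script below compares the HELO name a client
claimed with the address the receiving server recorded next to it, and
deliberately reports nothing when that address is a private one, since a
server behind a network address translator records the translator's address
rather than the real client. The domain, the address lists and the sample
headers are constructed for the example. </p>

```python
import ipaddress
import re

# Added example, not part of the Postfix documentation: compare the HELO name
# recorded in a Received: header with the client address recorded next to it.
# All names and addresses below are constructed for the example.

OUR_DOMAIN = "porcupine.org"
# Addresses from which our own mail systems really connect (hypothetical;
# 192.0.2.0/24 and 2001:db8::/32 are documentation ranges).
OUR_PUBLIC_IPS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("2001:db8::10")}

# A receiving server behind NAT (or a loopback relay) records one of these
# instead of the true client address, so a mismatch proves nothing there.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
               "fc00::/7", "::1/128")]

# "Received: from HELO-NAME (comment ...)": the name is what the client
# claimed in HELO, the comment holds what the receiving server observed.
RECEIVED_RE = re.compile(r"^Received: +from +(?P<helo>[^ ]+) +\((?P<comment>[^)]*)\)",
                         re.IGNORECASE)
# Address literal inside the comment, e.g. [192.0.2.10] or [IPv6:2001:db8::1]
IP_RE = re.compile(r"\[(?:IPv6:)?(?P<ip>[0-9a-f.:]+)\]", re.IGNORECASE)


def classify_received(header):
    """Return 'forged', 'ok' or 'inconclusive' for one Received: header."""
    m = RECEIVED_RE.search(header)
    if not m:
        return "inconclusive"
    helo = m.group("helo").lower()
    if helo != OUR_DOMAIN and not helo.endswith("." + OUR_DOMAIN):
        return "ok"  # does not claim to be one of our hosts; nothing to compare
    ip_match = IP_RE.search(m.group("comment"))
    if not ip_match:
        return "inconclusive"
    try:
        client_ip = ipaddress.ip_address(ip_match.group("ip"))
    except ValueError:
        return "inconclusive"
    # the NAT caveat from the text: a private address tells us nothing
    if any(client_ip in net for net in NAT_RANGES):
        return "inconclusive"
    return "ok" if client_ip in OUR_PUBLIC_IPS else "forged"


if __name__ == "__main__":
    # constructed sample headers
    for header in (
        "Received: from porcupine.org (unknown [203.0.113.5]) by mx.example.com",
        "Received: from hostname.porcupine.org (hostname.porcupine.org [192.0.2.10])",
        "Received: from porcupine.org (unknown [10.0.0.7])",
        "Received: from mail.example.net (mail.example.net [198.51.100.3])",
        "Received: from hostname.porcupine.org (mail.example.net [IPv6:2001:db8::1])",
    ):
        print(f"{classify_received(header):12} {header}")
```

<p> The private ranges are listed explicitly rather than taken from
<tt>ipaddress.is_private</tt>, because Python also counts the documentation
networks used in these samples as private. Only a header that names one of
our hosts and carries a public address we never send from is reported as
forged; everything else is left alone, which is the "use with care" the
section asks for. </p>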
<h3><a name="scanner">Blocking backscatter mail from virus
scanner software</a></h3>

<p> With all the easily recognizable forgeries eliminated, there
is one category of backscatter mail that remains, and that is
notifications from virus scanner software. Unfortunately, some
virus scanning software doesn't know that viruses forge sender
addresses. To make matters worse, the software also doesn't know
how to report a mail delivery problem, so that we cannot use the
above techniques to recognize forgeries. </p>
<p> Recognizing virus scanner mail is an error-prone process,
because there is a lot of variation in report formats. The following
is only a small example of message header patterns. For a large
collection of header and body patterns that recognize virus
notification email, see http://www.dkuug.dk/keld/virus/. </p>

<pre>
/etc/postfix/header_checks:
    /^Subject: *Your email contains VIRUSES/ DISCARD virus notification
    /^Content-Disposition:.*VIRUS1_DETECTED_AND_REMOVED/
        DISCARD virus notification
    /^Content-Disposition:.*VirusWarning.txt/ DISCARD virus notification
</pre>

<p> A plea to virus or spam scanner operators: please do not make
the problem worse by sending return mail to forged sender addresses.
You're only harassing innocent people. </p>