Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Postfix Documentation
Previous Page Home Next Page

How do I block backscatter mail to real recipient addresses?

When backscatter mail passes the "unknown recipient" barrier, there still is no need to despair. Many mail systems are kind enough to attach the message headers of the undeliverable mail in the non-delivery notification. These message headers contain information that you can use to recognize and block forged mail.

Blocking backscatter mail with forged HELO information

Although my email address is "[email protected]", all my mail systems announce themselves with the SMTP HELO command as "hostname.porcupine.org". Thus, if returned mail has a Received: message header like this:

Received: from porcupine.org ...

Then I know that this is almost certainly forged mail (almost; see next section for the fly in the ointment). Mail that is really sent by my systems looks like this:

Received: from hostname.porcupine.org ...

For the same reason the following message headers are very likely to be the result of forgery:

Received: from host.example.com ([1.2.3.4] helo=porcupine.org) ...
Received: from [1.2.3.4] (port=12345 helo=porcupine.org) ...
Received: from host.example.com (HELO porcupine.org) ...
Received: from host.example.com (EHLO porcupine.org) ...

Another frequent sign of forgery is the Message-ID: header. My systems produce a Message-ID: of <stuff@hostname.porcupine.org>. The following are forgeries, especially the first one:

Message-ID: <[email protected]>
Message-ID: <[email protected]>

To block such backscatter I use header_checks and body_checks patterns like this:

/etc/postfix/
main.cf:
    
header_checks = 
regexp:/etc/postfix/header_checks
    
body_checks = 
regexp:/etc/postfix/body_checks

/etc/postfix/header_checks:
    /^Received: +from +(porcupine\.org) +/
        reject forged client name in Received: header: $1
    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
    /^Message-ID:.*@(porcupine\.org)/
	reject forged domain name in Message-ID: header: $1

/etc/postfix/body_checks:
    /^[> ]*Received: +from +(porcupine\.org) /
        reject forged client name in Received: header: $1
    /^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(porcupine\.org)\)/
        reject forged client name in Received: header: $2
    /^[> ]*Message-ID:.*@(porcupine\.org)/
	reject forged domain name in Message-ID: header: $1

Notes:

  • The example is simplified for educational purposes. In reality my patterns list multiple domain names, as "(domain|domain|...)".

  • The "\." matches "." literally. Without the "\", the "." would match any character.

  • The "\(" and "\)" match "(" and ")" literally. Without the "\", the "(" and ")" would be grouping operators.

Caveats

Netscape Messenger (and reportedly, Mozilla) sends a HELO name that is identical to the sender address domain part. If you have such clients then the above patterns would block legitimate email.

My network has only one such machine, and to prevent its mail from being blocked I have configured it to send mail as [email protected]. On the Postfix server, a canonical mapping translates this temporary address into [email protected].

/etc/postfix/
main.cf:
    
canonical_maps = hash:/etc/postfix/canonical

/etc/postfix/canonical:
    @hostname.porcupine.org @porcupine.org

This is of course practical only when you have very few systems that send HELO commands like this, and when you never have to send mail to a user on such a host.

An alternative would be to remove the hostname from "hostname.porcupine.org" with address masquerading, as described in the ADDRESS_REWRITING_README document.

Blocking backscatter mail with forged sender information

Like many people I still have a few email addresses in domains that I used in the past. Mail for those addresses is forwarded to my current address. Most of the backscatter mail that I get claims to be sent from these addresses. Such mail is obviously forged and is very easy to stop.
/etc/postfix/
main.cf:
    
header_checks = 
regexp:/etc/postfix/header_checks
    
body_checks = 
regexp:/etc/postfix/body_checks

/etc/postfix/header_checks:
    /^(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/ 
        reject forged sender address in $1: header: $2

/etc/postfix/body_checks:
    /^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.tld)[[:>:]]/ 
        reject forged sender address in $1: header: $2

Notes:

  • The example is simplified for educational purposes. In reality, my patterns list multiple email addresses as "(user1@domain1\.tld|user2@domain2\.tld)".

  • The "[[:<:]]" and "[[:>:]]" match the beginning and end of a word, respectively. On some systems you should specify "\<" and "\>" instead. For details see your system documentation.

  • The "\." matches "." literally. Without the "\", the "." would match any character.

Blocking backscatter mail with other forged information

Another sign of forgery can be found in the IP address that is recorded in Received: headers next to your HELO host or domain name. This information must be used with care, though. Some mail servers are behind a network address translator and never see the true client IP address.

Blocking backscatter mail from virus scanners

With all the easily recognizable forgeries eliminated, there is one category of backscatter mail that remains, and that is notifications from virus scanner software. Unfortunately, some virus scanning software doesn't know that viruses forge sender addresses. To make matters worse, the software also doesn't know how to report a mail delivery problem, so that we cannot use the above techniques to recognize forgeries.

Recognizing virus scanner mail is an error prone process, because there is a lot of variation in report formats. The following is only a small example of message header patterns. For a large collection of header and body patterns that recognize virus notification email, see https://www.dkuug.dk/keld/virus/ or https://www.t29.dk/antiantivirus.txt.

/etc/postfix/header_checks:
    /^Subject: *Your email contains VIRUSES/ DISCARD virus notification
    /^Content-Disposition:.*VIRUS1_DETECTED_AND_REMOVED/
        DISCARD virus notification
    /^Content-Disposition:.*VirusWarning.txt/ DISCARD virus notification

Note: these documents haven't been updated since 2004, so they are useful only as a starting point.

A plea to virus or spam scanner operators: please do not make the problem worse by sending return mail to forged sender addresses. You're only harassing innocent people. If you must return mail to the purported sender, please return the full message headers, so that the sender can filter out the obvious forgeries.

Postfix Documentation
Previous Page Home Next Page