Re: Wait if downstream MTA accepts mail - reject if not
On Fri, May 09, 2014 at 12:01:43AM +0200, Sebastian Wiesinger wrote: > I already have RBL checks any other policy in place that prevents most > of the SPAM/Malware being accepted, but sometimes Google is more > strict / has more advanced filtering it seems. You may also need content-based filters, though those are not perfect either, they should be able to cut the spam volume down further (if you're not already doing that too). -- Viktor.
RE: Wait if downstream MTA accepts mail - reject if not
RBLs will not protect you against exploited accounts sending malicious emails from popular providers (IPs with good reputation). In your particular case, gmail's rejection might be caused by a .zip file containing .exe or .scr file. Marius. -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Sebastian Wiesinger Sent: Friday, May 9, 2014 1:02 AM To: Postfix Users Subject: Re: Wait if downstream MTA accepts mail - reject if not * Wietse Venema [2014-05-08 23:36]: > Sebastian Wiesinger: > > Hello, > > > > I have some users that forward their mail to GMAIL. This is > > implemented with virtual alias maps. So postfix forwards: > > > > u...@example.com -> example.u...@gmail.com > > > > The problem is when SPAM mails get through all the postfix defences > > and get forwarded to GMAIL. GMAIL does some body checks and rejects > > the mail like this: > > It common for people to forward all mail including spam to Gmail, and > to discover that some of non-spam mail is not delivered as expected. I already have RBL checks any other policy in place that prevents most of the SPAM/Malware being accepted, but sometimes Google is more strict / has more advanced filtering it seems. > If you wait for Gmail to reject mail then it is already too late. > > The solution is "do not forward SPAM". Sorry, there is no simple > solution. Yeah, that was kind of expected. Thanks for the reply anyway. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: Wait if downstream MTA accepts mail - reject if not
* Wietse Venema [2014-05-08 23:36]: > Sebastian Wiesinger: > > Hello, > > > > I have some users that forward their mail to GMAIL. This is > > implemented with virtual alias maps. So postfix forwards: > > > > u...@example.com -> example.u...@gmail.com > > > > The problem is when SPAM mails get through all the postfix defences > > and get forwarded to GMAIL. GMAIL does some body checks and rejects > > the mail like this: > > It common for people to forward all mail including spam to Gmail, > and to discover that some of non-spam mail is not delivered as > expected. I already have RBL checks any other policy in place that prevents most of the SPAM/Malware being accepted, but sometimes Google is more strict / has more advanced filtering it seems. > If you wait for Gmail to reject mail then it is already too late. > > The solution is "do not forward SPAM". Sorry, there is no simple > solution. Yeah, that was kind of expected. Thanks for the reply anyway. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Re: Wait if downstream MTA accepts mail - reject if not
Sebastian Wiesinger: > Hello, > > I have some users that forward their mail to GMAIL. This is > implemented with virtual alias maps. So postfix forwards: > > u...@example.com -> example.u...@gmail.com > > The problem is when SPAM mails get through all the postfix defences > and get forwarded to GMAIL. GMAIL does some body checks and rejects > the mail like this: It common for people to forward all mail including spam to Gmail, and to discover that some of non-spam mail is not delivered as expected. If you wait for Gmail to reject mail then it is already too late. The solution is "do not forward SPAM". Sorry, there is no simple solution. Wietse
RE: Wait if downstream MTA accepts mail - reject if not
Filtering your inbound traffic for spam and malware will prevent these cases (malicious messages will not be forwarded). Marius. -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Sebastian Wiesinger Sent: Friday, May 9, 2014 12:02 AM To: Postfix Users Subject: Wait if downstream MTA accepts mail - reject if not Hello, I have some users that forward their mail to GMAIL. This is implemented with virtual alias maps. So postfix forwards: u...@example.com -> example.u...@gmail.com The problem is when SPAM mails get through all the postfix defences and get forwarded to GMAIL. GMAIL does some body checks and rejects the mail like this: relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=3.8, delays=2.7/0.01/0.51/0.6, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 http://support.google.com/mail/bin/answer.py?answer=6590 to review our 552 5.7.0 message content and attachment content guidelines. f45si10647314eet.279 - gsmtp (in reply to end of DATA command)) Now postfix generates a bounce message which 99.9% of the time will not be deliverable (because sender is faked) and just sit in the queue for five days. Question is, is there a way to prevent this from happening (if possible without using sender verification)? Something like relaying the error back to the client (delay accepting the mail until dowstream MTA has accepted it as well) or not generating a non-delivery notification... I can't figure out if that is possible with postfix. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant
Wait if downstream MTA accepts mail - reject if not
Hello, I have some users that forward their mail to GMAIL. This is implemented with virtual alias maps. So postfix forwards: u...@example.com -> example.u...@gmail.com The problem is when SPAM mails get through all the postfix defences and get forwarded to GMAIL. GMAIL does some body checks and rejects the mail like this: relay=gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b]:25, delay=3.8, delays=2.7/0.01/0.51/0.6, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:4013:c01::1b] said: 552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit 552-5.7.0 http://support.google.com/mail/bin/answer.py?answer=6590 to review our 552 5.7.0 message content and attachment content guidelines. f45si10647314eet.279 - gsmtp (in reply to end of DATA command)) Now postfix generates a bounce message which 99.9% of the time will not be deliverable (because sender is faked) and just sit in the queue for five days. Question is, is there a way to prevent this from happening (if possible without using sender verification)? Something like relaying the error back to the client (delay accepting the mail until dowstream MTA has accepted it as well) or not generating a non-delivery notification... I can't figure out if that is possible with postfix. Regards Sebastian -- GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE) 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE. -- Terry Pratchett, The Fifth Elephant