Hello list, dear Marc!

I had a "little problem" with a mail system.

A few days ago a colleague received over 200 bounce messages, and this
within 10 minutes. O.K., that was all backscatter from a software company
in Redmond :( All those messages had an attachment (zip archive)
with malware.

For a few minutes I was shocked, 'cause how could all AMaViS hosts at the
customer site transport malware in a zip archive?! So I tried to send
a new mail with this zip archive to all of our 5 MX hosts, and nowhere was it
possible to get past our border filters. :)

So I tried to understand why our AMaViS hosts allowed those faked
bounce messages with malware.

The only thing I found was these maillog entries:

Sep  8 13:17:10 amavis-cluster-by amavis[23088]: (23088-10) bounce
rescued by domain (DSN), <> -> <redac...@example.com>, date: Tue, 8 Sep
2015 12:41:24 +0200, from: Rosenbaum Group <redac...@example.com>,
message-id: <hdmuibrrpv7zej2q0r2t...@example.com>, return-path:
redac...@example.com

"bounce rescued by domain (DSN)"? What's that? So I tried to ask Google
whether or not there is any existing news known to others.

The only things I found were:
https://www.mail-archive.com/amavis-user@lists.sourceforge.net/msg11245.html
http://sourceforge.net/p/amavis/mailman/amavis-user/thread/201010051713.38050.ste...@localside.net/
and
http://www.ijs.si/software/amavisd/

" ... bounce killer feature (requires pen pals SQL logging) checks a
header section attached to received non-delivery status notifications,
and discards bounces to fake mail which do not refer to our genuine
outgoing mail;"

I'm not so familiar with this, how p@trick put it, "spam and malware
over backscatter as an esoteric problem ;)", and your "bounce killer
feature". Could you tell me a few more points about what this feature can do
and whether it is the right approach to ban those attacks? Or does there exist an
unknown feature for banning attachments (i.e. zip archives with
malware)? Every hint is useful!

In AMaViS 2.10 you have marked "do_ascii":

@decoders = (
  ['mail', \&do_mime_decode],
# [[qw(asc uue hqx ync)], \&do_ascii],  # not safe

In RELEASE_NOTES you wrote:
- amavisd.conf: commented-out calls to do_ascii to match defaults in the
  amavisd program; the uulib code (as invoked by Convert::UUlib) has a
  history of stability problems, seems it is causing more grief compared
  to the benefits it brings;

Safe or stability? What happens if I activate this decoder to
recognize those faked bounces? Is the price high?

Thanx4help! Have a nice day!


Django

-- 
"Bonnie & Clyde of the postmaster scene!" approved by Postfix-God
http://wetterstation-pliening.info
http://dokuwiki.nausch.org
http://wiki.piratenpartei.de/Benutzer:Django

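As an added example (not part of Django's post and not amavisd's own code), the following Python script parses amavisd log lines of the shape quoted in the message above and flags recipients who receive a burst of null-sender bounces within a short window, which is what a backscatter flood like the one described looks like from the log. It assumes the lines arrive in chronological order, a fixed year (2015) for the year-less syslog timestamps, and the log layout quoted above; all addresses, task ids and timestamps in the sample are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the amavisd bounce-decision log line layout quoted in the post:
# "<month> <day> <hh:mm:ss> <host> amavis[<pid>]: (<task>) <verdict>, <sender> -> <rcpt>, ..."
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) amavis\[\d+\]: \((?P<task>[^)]+)\) "
    r"(?P<verdict>bounce [^,]+), <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]+)>"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_line(line, year=2015):
    """Return the fields of one amavisd bounce-decision log line, or None.

    Syslog timestamps carry no year; the caller supplies it (assumed 2015 here).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  *(int(x) for x in m["hms"].split(":")))
    return {"ts": ts, "host": m["host"], "verdict": m["verdict"],
            "sender": m["sender"], "rcpt": m["rcpt"]}


def backscatter_alerts(lines, threshold=5, window=timedelta(minutes=10)):
    """Count null-sender (<>) bounces per recipient over a sliding time window.

    Returns {recipient: peak count seen in any window} for every recipient whose
    count reached `threshold`. Lines must be in chronological order.
    """
    recent = defaultdict(deque)   # recipient -> timestamps inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        # Only envelope-from <> is of interest: that is what a DSN/bounce carries.
        if rec is None or rec["sender"] != "":
            continue
        q = recent[rec["rcpt"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["rcpt"]] = max(peaks.get(rec["rcpt"], 0), len(q))
    return peaks


def _line(task, hms, sender, rcpt):
    """Build a constructed log line in the quoted layout (sample data only)."""
    return (f"Sep  8 {hms} amavis-cluster-by amavis[23088]: ({task}) "
            f"bounce rescued by domain (DSN), <{sender}> -> <{rcpt}>, "
            f"date: Tue, 8 Sep 2015 12:41:24 +0200, from: Someone <someone@example.org>, "
            f"message-id: <{task}@example.org>, return-path: {sender}")


# Constructed sample: five null-sender bounces to one recipient inside ten minutes,
# one to another recipient, and one with a non-null sender that must be ignored.
SAMPLE_LOG = [
    _line("23088-10", "13:17:10", "", "victim@example.com"),
    _line("23088-11", "13:17:42", "", "victim@example.com"),
    _line("23088-12", "13:18:05", "", "other@example.com"),
    _line("23088-13", "13:19:30", "", "victim@example.com"),
    _line("23088-14", "13:21:00", "", "victim@example.com"),
    _line("23088-15", "13:22:15", "", "victim@example.com"),
    _line("23088-16", "13:28:00", "noreply@example.org", "victim@example.com"),
]

if __name__ == "__main__":
    for rcpt, peak in backscatter_alerts(SAMPLE_LOG).items():
        print(f"backscatter burst: {rcpt} received {peak} null-sender bounces "
              f"within 10 minutes")
```

Run against a real maillog, the threshold and window should be tuned to the site's normal bounce rate; the point is to surface bursts to a single recipient early, independently of whether the bounce killer let the message through.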