  1. #1
    Just Joined!
    Join Date
    May 2009
    Posts
    2

    Postfix, AOL, Spam?


    I am running a server primarily for mailman using postfix as the MTA. I have signed up for the feedback reports from AO L where they send you notification when they receive mail from your server that appears to be spam. Suddenly today I have been receiving 3 or 4 notifications a minute.

    All of the notifications appear to be spam from my server from a non-existent email address but in my domain. The partial header information they provide seems to show an incoming connection from my server to theirs. They send the original message back to me as an attachment with some of the header redacted. All of the messages are a variant of this spam message that seems to be going around lately:

    ***
    Your link!

    Your discount code #b upr um.
    ***

    The problem is that what I find in the logs doesn't add up to me. I am seeing a lot of entries like this:

    ***
    May 6 16:35:48 mailman postfix/smtpd[30404]: connect from (aolserver)[aolip]
    May 6 16:35:49 mailman postfix/smtpd[30404]: NOQUEUE: reject: RCPT from (aolserver)[aolip]: 550 511 <sfink(at)(mydomain)>: Recipient address rejected: User unknown in local recipient table; from=<Grinderdude(at)aol> to=<sfink(at)(mydomain)> proto=ESMTP helo=<aoldomain>
    ***
    (domains edited to get through the forum filter)

    I'm kind of a postfix noob but doesn't this mean that my server rejected an incoming (highly dubious) connection *from* an AO L address? I'm not seeing anything in the log that would indicate my server initiating hundreds of connections *to* AO L.

    Any thoughts or advice? Thanks.

  2. #2
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    Location
    North Carolina
    Posts
    1,077
    Is postfix rejecting them on the spot or are you doing some post-processing (amavis, clam, greylist)?

    What could be happening is someone is using your box as a hopto to send spam. They send it from a bogus address to your server, and if your server doesn't drop it in the conversation and instead does some processing and then rejects it, you just created backscatter.

    Here are some very good links on handling that:
    postfix backscatter - Google Search

  3. #3
    Just Joined!
    Join Date
    May 2009
    Posts
    2
    Quote, originally posted by jledhead:
    Is postfix rejecting them on the spot or are you doing some post-processing (amavis, clam, greylist)?

    Thanks for the reply.

    No, I don't have any post-processing on this box.

    Thanks for the backscatter link; I'll have to look at that more closely. At first glance that certainly looks like what I am seeing in the log.

    I'm still confused about what AOL is reporting. If AOL was getting multiple spam messages from me a minute, wouldn't that show up in the log?

    Thanks
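
Added example, not part of the original thread and not code from any poster: one way to check the question raised in the last post is to separate inbound mail refused during the SMTP dialogue (`NOQUEUE: reject`, which queues nothing on this host) from deliveries the server itself made (`postfix/smtp` lines), and to flag outbound mail with the null sender `<>`, which is what locally generated bounces look like. It assumes standard Postfix syslog lines; the sample lines, hosts and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in standard Postfix syslog format (placeholder hosts).
SAMPLE_LOG = """\
May  6 16:35:48 mailman postfix/smtpd[30404]: connect from mx.example.net[192.0.2.10]
May  6 16:35:49 mailman postfix/smtpd[30404]: NOQUEUE: reject: RCPT from mx.example.net[192.0.2.10]: 550 5.1.1 <sfink@lists.example.org>: Recipient address rejected: User unknown in local recipient table; from=<someone@example.net> to=<sfink@lists.example.org> proto=ESMTP helo=<mx.example.net>
May  6 16:36:02 mailman postfix/qmgr[1201]: 3A1B2C4D5E: from=<>, size=3120, nrcpt=1 (queue active)
May  6 16:36:03 mailman postfix/smtp[30411]: 3A1B2C4D5E: to=<victim@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May  6 16:40:10 mailman postfix/qmgr[1201]: 7F6E5D4C3B: from=<announce-bounces@lists.example.org>, size=5210, nrcpt=1 (queue active)
May  6 16:40:11 mailman postfix/smtp[30415]: 7F6E5D4C3B: to=<member@example.com>, relay=mx.example.com[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# smtpd = inbound server; smtp = outbound client; qmgr records the envelope sender.
REJECT = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from (\S+?)\[")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
SMTP = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>@]*@([^>]+)>.*status=(\w+)")


def summarize(log_text):
    """Return (inbound rejects by client, outbound by (domain, status),
    outbound null-sender deliveries by domain)."""
    senders = {}             # queue id -> envelope sender
    rejects = Counter()      # refused in the SMTP dialogue; nothing was queued
    outbound = Counter()     # deliveries this host attempted
    null_sender = Counter()  # outbound mail from <>: bounces, possible backscatter
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            rejects[m.group(1)] += 1
        elif m := QMGR.search(line):
            senders[m.group(1)] = m.group(2)
        elif m := SMTP.search(line):
            qid, domain, status = m.group(1), m.group(2).lower(), m.group(3)
            outbound[(domain, status)] += 1
            if senders.get(qid) == "":
                null_sender[domain] += 1
    return rejects, outbound, null_sender


if __name__ == "__main__":
    rejects, outbound, null_sender = summarize(SAMPLE_LOG)
    print("inbound rejects:", dict(rejects))
    print("outbound deliveries:", dict(outbound))
    print("outbound with null sender:", dict(null_sender))
```

If the outbound counters for a destination domain stay near zero while complaints about that domain keep arriving, the log gives no evidence that the reported messages left through this Postfix instance.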
