Postfix, AOL, Spam?
I am running a server primarily for mailman using postfix as the MTA. I have signed up for the feedback reports from AO L where they send you notification when they receive mail from your server that appears to be spam. Suddenly today I have been receiving 3 or 4 notifications a minute.
All of the notifications appear to be spam from my server from a non-existent email address but in my domain. The partial header information they provide seems to show an incoming connection from my server to theirs. They send the original message back to me as an attachment with some of the header redacted. All of the messages are a variant of this spam message that seems to be going around lately:
Your discount code #b upr um.
The problem is that what I find in the logs doesn't add up to me. I am seeing a lot of entries like this:
May 6 16:35:48 mailman postfix/smtpd: connect from (aolserver)[aolip]
May 6 16:35:49 mailman postfix/smtpd: NOQUEUE: reject: RCPT from (aolserver)[aolip]: 550 511 <sfink(at)(mydomain)>: Recipient address rejected: User unknown in local recipient table; from=<Grinderdude(at)aol> to=<sfink(at)(mydomain)> proto=ESMTP helo=<aoldomain>
(domains edited to get through the forum filter)
I'm kind of a postfix noob but doesn't this mean that my server rejected an incoming (highly dubious) connection *from* an AO L address? I'm not seeing anything in the log that would indicate my server initiating hundreds of connections *to* AO L.
Any thoughts or advice? Thanks.
Is postfix rejecting them on the spot or are you doing some post-processing (amavis, clam, greylist)?
What could be happening is someone is using your box as a hopto to send spam: they send it from a bogus address to your server, and if your server doesn't drop it in the conversation and instead does some processing and then rejects it, you just created backscatter.
Here are some very good links on handling that:
postfix backscatter - Google Search
Thanks for the reply.
Originally Posted by jledhead
No, I don't have any post-processing on this box.
Thanks for the backscatter link; I'll have to look at that more closely. At first glance that certainly looks like what I am seeing in the log.
I'm still confused about what AOL is reporting. If AOL was getting multiple spam messages from me a minute, wouldn't that show up in the log?
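An added example, not part of any post in this thread: a small Python log summarizer that separates the two directions discussed above, inbound connections that `postfix/smtpd` rejected during the SMTP dialogue versus mail that `postfix/smtp` actually delivered to the remote provider, split by whether it was a null-sender bounce. The log in the thread is redacted, so the sample lines use the stock Postfix syslog format with constructed hosts (`remote.example`, `lists.example.org`), IPs and queue IDs.

```python
import re
from collections import Counter

# Constructed sample in stock Postfix syslog format; hosts, IPs and queue IDs are made up.
SAMPLE_LOG = """\
May  6 16:35:48 mailman postfix/smtpd[2101]: connect from mx.remote.example[192.0.2.10]
May  6 16:35:49 mailman postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mx.remote.example[192.0.2.10]: 550 5.1.1 <sfink@lists.example.org>: Recipient address rejected: User unknown in local recipient table; from=<someone@remote.example> to=<sfink@lists.example.org> proto=ESMTP helo=<mx.remote.example>
May  6 16:36:02 mailman postfix/qmgr[900]: 4A1B2C3D4E: from=<>, size=3120, nrcpt=1 (queue active)
May  6 16:36:03 mailman postfix/smtp[2110]: 4A1B2C3D4E: to=<someone@remote.example>, relay=mx.remote.example[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
May  6 16:40:10 mailman postfix/qmgr[900]: 5F6A7B8C9D: from=<list-bounces@lists.example.org>, size=5210, nrcpt=1 (queue active)
May  6 16:40:11 mailman postfix/smtp[2111]: 5F6A7B8C9D: to=<member@remote.example>, relay=mx.remote.example[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)
"""

# smtpd refused the recipient during the SMTP dialogue: nothing was queued.
REJECT = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (\S+?)\[")
# qmgr records the envelope sender of every queued message; from=<> is the null sender.
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
# The smtp client logs each outbound delivery attempt with its relay and status.
SENT = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^>]*>,(?: orig_to=<[^>]*>,)?"
                  r" relay=([^\[,]+)\[.*status=(\w+)")

def summarize(log_text, remote_suffix):
    """Count inbound rejects from, and deliveries sent to, hosts under remote_suffix."""
    counts = Counter()
    sender_of = {}  # queue ID -> envelope sender, learned from qmgr lines
    for line in log_text.splitlines():
        if m := REJECT.search(line):
            if m.group(1).endswith(remote_suffix):
                counts["inbound_rejected"] += 1
        elif m := QMGR.search(line):
            sender_of[m.group(1)] = m.group(2)
        elif m := SENT.search(line):
            qid, relay, status = m.groups()
            if status == "sent" and relay.endswith(remote_suffix):
                # Null sender means a locally generated bounce; an unseen qid counts as other.
                kind = "bounce" if sender_of.get(qid) == "" else "other"
                counts[f"outbound_{kind}"] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG, "remote.example").items()):
        print(f"{key}: {n}")
```

A log containing only `inbound_rejected` entries for the provider shows refusals at SMTP time and no mail leaving the box; `outbound_bounce` entries are what backscatter looks like in the same log.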