
mail forwarding loop: how do I prevent this?
\ Justin Piszcz (21 Jul 2007)
. \ (Wietse Venema) (21 Jul 2007)
. . \ Justin Piszcz (21 Jul 2007)
. . . \ mouss (21 Jul 2007)
. \ Bill Weiss (21 Jul 2007)

Subject:Re: mail forwarding loop: how do I prevent this?
Group:Postfix-users
From:mouss
Date:21 Jul 2007

Justin Piszcz wrote:
> Thanks for the detailed response! My guess is it is most likely
> malware as the IP was listed in several RBLs.

most probably some ratevelopper thought his spam would have more chances
to get into inbox if it resembles normal mail, but he took as an example
a delivered mail, instead of a "just sent" mail. I bet that spam also
contains a Return-Path and headers added by filters/relays.

so far, this has been only rarely reported, so it doesn't deserve a
real defense. I doubt it would become popular, because it has appeared a
long time ago and didn't "catch".

one defense is to use "internal" aliases and deliver to (so each
foo is delivered to foo-blahblah) so that
the locally generated Delivered-To header is not guessed by the spammer.

a simple approach that works for "small sites" is to reject mail if it
contains a delivered-to header with an address in a domain handled by
the site:
/^Delivered-To: (.*@domain\.example)$/ REJECT loop or forged Delivered-To header ($1)
Caution: if multiple MTAs handle mail for a domain and mail may be
forwarded between them (.forward, ... ), then this approach will reject
legitimate mail.

Another approach is to rewrite the header instead of rejecting mail:
/^(Delivered-To: .*@domain\.example)$/ REPLACE X-$1
Caution: if the site forwards delivered mail to outside, this will
prevent postfix from detecting a loop. (if in addition, some relay
removes Received headers, then the loop may not be detected at all).

yet another approach is to write a proxy_filter (before the queue
filter) that rejects mail if it contains a Delivered-To header
containing the address of one of the recipients or an expanded alias.
This is however too expensive (it requires expanding aliases at smtp
time). Also, it will not prevent the attack if used on a relay that
doesn't know all site aliases (mail will be bounced by a later MTA).
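As an added example that is not part of mouss's message or of Postfix itself, the following Python script simulates the REJECT and REPLACE header_checks rules above on constructed messages (domain.example, the addresses and host names are made up), and shows the caveat about multiple MTAs: mail legitimately forwarded from a second MTA of the same site trips the REJECT rule just like the forged copy.

```python
import re
from email import message_from_string

# Constructed domain list for this example (an assumption, not from the post).
LOCAL_DOMAINS = ["domain.example"]

def delivered_to_pattern(domains):
    """Same regex as the header_checks rule in the post, for several domains."""
    alt = "|".join(re.escape(d) for d in domains)
    return re.compile(r"^Delivered-To:\s*(.*@(?:%s))$" % alt, re.IGNORECASE)

def check_message(raw, domains=LOCAL_DOMAINS):
    """REJECT approach: return the local address found in a Delivered-To
    header of an incoming message, or None when there is none."""
    pat = delivered_to_pattern(domains)
    for name, value in message_from_string(raw).items():
        m = pat.match("%s: %s" % (name, value))
        if m:
            return m.group(1)
    return None

def rewrite_message(raw, domains=LOCAL_DOMAINS):
    """REPLACE approach: rename the header to X-Delivered-To so a forged
    copy no longer trips postfix's loop detection. Only the header block
    (everything before the first empty line) is touched."""
    pat = delivered_to_pattern(domains)
    head, sep, body = raw.partition("\n\n")
    fixed = ["X-" + l if pat.match(l) else l for l in head.split("\n")]
    return "\n".join(fixed) + sep + body

# Constructed sample: spam assembled from a copy of an already delivered mail,
# so it arrives over SMTP still carrying our own Delivered-To header.
FORGED = """Return-Path: <news@spammer.invalid>
Received: from mx.spammer.invalid by mx.domain.example
Delivered-To: alice@domain.example
From: news@spammer.invalid
To: alice@domain.example
Subject: offer

text
"""

# Constructed sample of the caveat: a second MTA of the same site forwarding
# via .forward also carries a local Delivered-To and gets rejected as well.
LEGIT_FORWARD = (FORGED.replace("alice@", "bob@")
                 .replace("spammer.invalid", "mx2.domain.example"))
```

On a real system the pcre table is tested without any code: `postmap -q "Delivered-To: alice@domain.example" pcre:/etc/postfix/header_checks` prints the action that matched.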
