BACKSCATTERER - Is Smtp 554 a problem ?

Feuille

Sep 10, 2009, 3:58:19 PM
Hello,
I am being blacklisted as a backscatterer. However I have checked
again and again, and I am NOT sending non-delivery reports. What my
antispam does, when it detects an incoming email as spam, is to send
back a 554 Smtp error code and then abort the transmission; but it
does NOT send an NDR.

Could someone at backscatterer.org confirm that this behaviour will
also get me blacklisted ? (If so I have a problem because I have no
option to change this behaviour on my antispam !!! But that's another
discussion).

Thanks in advance!

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

Seth

Sep 10, 2009, 5:16:58 PM
In article <8176b53e-42aa-450e...@j39g2000yqh.googlegroups.com>,
Feuille <philippe.f...@gmail.com> wrote:

>I am being blacklisted as a backscatterer. However I have checked
>again and again, and I am NOT sending non-delivery reports. What my
>antispam does, when it detects an incoming email as spam, is to send
>back a 554 Smtp error code and then abort the transmission; but it
>does NOT send an NDR.
>
>Could someone at backscatterer.org confirm that this behaviour will
>also get me blacklisted ?

No, it will not.

There must be something else that's causing the listing. Did you
examine your logs around the time they said?

Seth

Feuille

Sep 11, 2009, 10:23:58 AM
On 10 sep, 23:16, se...@panix.com (Seth) wrote:
> In article <8176b53e-42aa-450e-a9d9-56388075d...@j39g2000yqh.googlegroups.com>,


Hrrrmmmm..... My mistake, sorry.
The first-level antispam (a UTM appliance) indeed does NOT send any
NDR. But the backend server is Exchange and NDRs were activated. I
turned them off now...

My problem is that the firewall will drop detected spams, but its
settings are not very paranoid, because I don't want to have false
positives. So, it's stopping around 95% of spams, but a few still
reach the mail server. I guess that NDRs generated for this small
amount of spam entering the server was enough to make me listed.

It's a pity that Exchange is not very clever about NDRs... It's ON or
OFF... My users really would like to have the NDR feature for real
mail (eg: a mail was refused because email address is misspelled, or
attachments are too big, or the mailbox is full...). I wonder if
someone has a solution (like an exchange smtp event sink) to make
exchange more clever about this, and help it decide whether an NDR
should be sent or not... If it is at all possible...

Fallout

Sep 11, 2009, 10:24:21 AM


NDR's are not the only way to get listed there. You can also get
listed if you're using SAV (verifying senders with rcpt to: then
disconnecting) or it can also be triggered by autoresponders

Seth

Sep 12, 2009, 8:19:53 PM
In article <14a33a6c-1330-4537...@l13g2000yqb.googlegroups.com>,
Feuille <philippe.f...@gmail.com> wrote:

>Hrrrmmmm..... My mistake, sorry.
>The first-level antispam (a UTM appliance) indeed does NOT send any
>NDR. But the backend server is Exchange and NDRs were activated. I
>turned them off now...
>
>My problem is that the firewall will drop detected spams, but its
>settings are not very paranoid, because I don't want to have false
>positives. So, it's stopping around 95% of spams, but a few still
>reach the mail server. I guess that NDRs generated for this small
>amount of spam entering the server was enough to make me listed.
>
>It's a pity that Exchange is not very clever about NDRs... It's ON or
>OFF... My users really would like to have the NDR feature for real
>mail (eg: a mail was refused because email address is misspelled,

Easy: let the firewall know the valid accounts, and reject invalid
ones.

> or attachments are too big,

Likewise: let the firewall know the rules about attachments and do the
rejecting itself.

> or the mailbox is full...).

That one is harder, if you can't have the firewall proxy in realtime
(while the connection is open).

> I wonder if
>someone has a solution (like an exchange smtp event sink) to make
>exchange more clever about this, and help it decide whether an NDR
>should be sent or not... If it is at all possible...

When exchange sends to the outside world, how does it go? If exchange
uses a smarter machine as a proxy to handle the outside communication,
that machine can do the right thing (e.g. allow NDRs to addresses
inside your network, and not to the outside world).

Feuille

Sep 12, 2009, 8:16:28 PM

Thanks for the info. I'm not doing SAV. "Out of office" autoresponders
are indeed enabled but they are seldom used, and since I do stop 95%
of the spams I receive, I think I will try leaving them for a while;
the probability that out of office is the cause of my listing is small -
because it will only happen for the 5% of spam reaching the 0.5% of
users having out of office turned on.

I must say that I find all of this frustrating. Although I DO
understand the backscatter pain -we are sometimes victims of it, I'm
stuck (company policy) with Exchange which is not very clever dealing
with that. So I'm forced to turn off otherwise useful features (NDR,
autoresponders...).

E-Mail Sent to this address will be added to the BlackLists

Sep 13, 2009, 9:34:54 PM
Feuille wrote:
> I am being blacklisted as a backscatterer.
> However I have checked again and again, and I am NOT
> sending non-delivery reports.
> What my antispam does, when it detects an incoming email
> as spam, is to send back a 554 Smtp error code and then
> abort the transmission; but it does NOT send an NDR.

What does it do for invalid senders?
... mail box full, ...?


Are you using SAV?

Bounces through your server from a forward that rejected
back to you?


--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

William Reitwiesner

Sep 13, 2009, 9:38:45 PM
In article
<ff4141a3-f6f7-4c54...@s39g2000yqj.googlegroups.com>,
Feuille <philippe.f...@gmail.com> wrote:

> I must say that I find all of this frustrating. Although I DO
> understand the backscatter pain -we are sometimes victims of it, I'm
> stuck (company policy) with Exchange which is not very clever dealing
> with that. So I'm forced to turn off otherwise useful features (NDR,
> autoresponders...).

Tell your pointy-haired boss that this decision (connecting Exchange to
the public Internet) is the reason the rest of the Internet is blocking
mail from you.

Try putting something which *is* clever (or, more accurately, which can
be configured to be clever), such as Sendmail, between your Exchange
server and the public Internet. Set up your network so that all of the
mail *from* the public Internet goes through Sendmail before it gets to
Exchange, and any mail *to* the public Internet is sent from Exchange to
Sendmail before it leaves your network. Then you can configure Sendmail
to (for example) drop all outbound autoresponder messages. Then you can
have the best of both worlds -- your idiot boss can have all the
gee-whiz features of Exchange for all internal communication, and you
won't plague the rest of us with crap.

Fred Mobach

Sep 13, 2009, 9:37:10 PM
Feuille wrote:

> On 10 sep, 23:16, se...@panix.com (Seth) wrote:
>> In article
>> <8176b53e-42aa-450e-a9d9-56388075d...@j39g2000yqh.googlegroups.com>,
>>
>> Feuille  <philippe.feuilleb...@gmail.com> wrote:
>> >I am being blacklisted as a backscatterer. However I have checked
>> >again and again, and I am NOT sending non-delivery reports. What my
>> >antispam does, when it detects an incoming email as spam, is to send
>> >back a 554 Smtp error code and then abort the transmission; but it
>> >does NOT send an NDR.
>>
>> >Could someone at backscatterer.org confirm that this behaviour will
>> >also get me blacklisted ?
>>
>> No, it will not.
>>
>> There must be something else that's causing the listing.  Did you
>> examine your logs around the time they said?
>

> Hrrrmmmm..... My mistake, sorry.
> The first-level antispam (a UTM appliance) indeed does NOT send any
> NDR. But the backend server is Exchange and NDRs were activated. I
> turned them off now...
>
> My problem is that the firewall will drop detected spams, but its
> settings are not very paranoid, because I don't want to have false
> positives. So, it's stopping around 95% of spams, but a few still
> reach the mail server. I guess that NDRs generated for this small
> amount of spam entering the server was enough to make me listed.

If you can check the existence of the destination mailbox on the
firewall and reject / accept the message based on that you're done.

I've deployed such solutions in Linux firewalls with Sendmail.
--
Fred Mobach - fr...@mobach.nl
website : https://fred.mobach.nl
.... In God we trust ....
.. The rest we monitor ..

Rob

Sep 13, 2009, 9:38:17 PM
Feuille <philippe.f...@gmail.com> wrote:
> Thanks for the info. I'm not doing SAV. "Out of office" autoresponders
> are indeed enabled but they are seldom used, and since I do stop 95%
> of the spams I receive, I think I will try leaving them for a while;
> the probability that out of office is the cause of my listing is small -
> because it will only happen for the 5% of spam reaching the 0.5% of
> users having out of office turned on.

Please note the listing policy of backscatterer.org: you need to send
only a SINGLE piece of backscatter to get listed for A MONTH.

So even when you have only 5% * 0.5% backscatter rate, you can get listed.

Shmuel (Seymour J.) Metz

Sep 14, 2009, 12:05:50 PM
In <slrnhapchm...@xs7.xs4all.nl>, on 09/14/2009

at 01:38 AM, Rob <nom...@example.com> said:

>Please note the listing policy of backscatterer.org: you need to send
>only a SINGLE piece of backscatter to get listed for A MONTH.

Why are you sending that single e-mail to a UCEPROTECT spam trap? It's
dollars to donuts that the backscatter hitting UCEPROTECT is only a tiny
fraction of what you sent.

>So even when you have only 5% * 0.5% backscatter rate, you can get
>listed.

Sounds good to me; your BS rate should be a lot lower than that.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

Claus v. Wolfhausen

Sep 16, 2009, 9:53:41 AM
Rob wrote:

> Please note the listing policy of backscatterer.org: you need to send
> only a SINGLE piece of backscatter to get listed for A MONTH.

Oh there are multiple things that can get you in trouble even if done
the very first time.

Please note the law of the USA:
You need to murder only a SINGLE person to get in prison for the rest of
your life:-)

> So even when you have only 5% * 0.5% backscatter rate, you can get listed.

Yes that is intended and then you clearly deserve the listing.

--
Claus von Wolfhausen
Technical Director
UCEPROTECT-Network
http://www.uceprotect.net

Fallout

Sep 16, 2009, 9:54:29 AM
On Sep 14, 4:38 am, Rob <nom...@example.com> wrote:


Wrong. You need to send one piece of backscatter to their *spamtrap* -
which means it's highly likely you're sending a lot more to random
addresses on the internet. Of course, you know this but choose to
ignore it just to make your attacks sound more valid...

Rob

Sep 16, 2009, 1:25:05 PM
Claus v. Wolfhausen <use-reply-...@remove-this.com> wrote:
> Rob wrote:
>
>> Please note the listing policy of backscatterer.org: you need to send
>> only a SINGLE piece of backscatter to get listed for A MONTH.
>
> Oh there are multiple things that can get you in trouble even if done
> the very first time.
>
> Please note the law of the USA:
> You need to murder only a SINGLE person to get in prison for the rest of
> your life:-)

You are making a complete fool of yourself by comparing sending a
single piece of backscatter to committing a murder.

>> So even when you have only 5% * 0.5% backscatter rate, you can get listed.
>
> Yes that is intended and then you clearly deserve the listing.

I only want to make clear that your policy is not at all considering
whether you make a best effort. Only a perfect result counts. This
seems unclear to many posters: they think that if they do their best
to prevent backscatter, it will be noticed by backscatterer.org. This
is not at all the case. Your opinion is that everybody is a criminal
(compared even to a murderer) unless they achieve a perfect record of
no backscatter.

Note that I don't express an opinion about this fact, I only want to
make it very clear. Everyone else can make up their mind about it.

Seth

Sep 18, 2009, 3:00:08 PM
In article <slrnhb23ne...@xs7.xs4all.nl>,
Rob <nom...@example.com> wrote:

>I only want to make clear that your policy is not at all considering
>whether you make a best effort.

That's right. I'd prefer a mediocre effort from an extremely
competent admin (that does the right thing) than the best possible
effort from someone not competent (that results in me getting
spammed).

> Only a perfect result counts.

That's right.

> This seems unclear to many posters: they think that if they do
>their best to prevent backscatter, it will be noticed by
>backscatterer.org. This is not at all the case.

It doesn't matter if they do *their best*. It matters if they do
*well enough*. The Internet isn't a self-improvement club where if
you reduce your backscatter by 2% everybody applauds.

> Your opinion is that everybody is a criminal (compared even to a
>murderer) unless they achieve a perfect record of no backscatter.

His statement is that anyone who ever emits backscatter is someone who
emits backscatter. That seems obviously true to me.

I don't see anything about "criminal" on backscatterer.org; where is
it?

>Note that I don't express an opinion about this fact, I only want to
>make it very clear. Everyone else can make up their mind about it.

What is clear is that he says he lists IP addresses that emit NDNs to
him for email addresses that never send mail, and he does list those
IP addresses (and no others). I've seen no statements about
criminality or anything similar.

Seth

E-Mail Sent to this address will be added to the BlackLists

Sep 19, 2009, 1:34:56 AM
Rob wrote:

> Claus v. Wolfhausen wrote:
>>> So even when you have only 5% * 0.5% backscatter rate,
>>> you can get listed.
>> Yes that is intended and then you clearly deserve the listing.
>
> I only want to make clear that your policy is not at all
> considering whether you make a best effort.
> Only a perfect result counts.
> This seems unclear to many posters: they think that if
> they do their best to prevent backscatter, it will be
> noticed by backscatterer.org.
> This is not at all the case.

Nor is it with many DNSbls.

> Your opinion is that everybody is a criminal (compared
> even to a murderer) unless they achieve a perfect
> record of no backscatter.

If you want to invoke some legalese,
{not that those outside the US could care less}

I think a paraphrase I've used in the past {mostly borrowed
from US, TITLE 47, CHAPTER 5, SUBCHAPTER II, Part I,
Sec. 230, c.2.A} is relevant.

DNSbl listings are "action voluntarily taken in good
faith to restrict access to or availability of material
that the provider or user considers to be objectionable.

The maintainers of backscatterer appear to find
backscatter objectionable.

The users of backscatterer appear to have similar opinions.

Barring incompetent / negligent mail server admins
(that lack the necessary knowledge, skills, or experience)
implementing features their users don't like,
I don't see the issue.

In either case where the recipients don't like their
mail servers' policies, or the mail server has
incompetent / negligent mail server admins,
the recipient can decide to use a different ISP.

{It happens all the time, e.g. why did vast amounts
of AOL users leave? Some one else was offering them
what they wanted more.}

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

Michelle Sullivan

Sep 19, 2009, 10:14:29 AM
Fallout wrote:
>
> NDR's are not the only way to get listed there. You can also get
> listed if you're using SAV (verifying senders with rcpt to: then
> disconnecting) or it can also be triggered by autoresponders
>

It can also be triggered by a completely valid "Data error" return.

Shells

Michelle Sullivan

Sep 19, 2009, 11:11:04 AM


Riddle me this....

A SORBS host got listed for backscatter. After 6 months of *continual*
listing I finally tracked it down to a script that validly will send a
"Data Format Error" reply should someone send something to a particular
email address that does not match the required input format. The server's
sole job is to process the incoming requests as specified. It is set to
554 unknown addresses and there are no auto-responders. I tracked it
down in the end, and found the timestamp on the backscatter website
was exactly 1 hour, 2 minutes and 34 seconds off my GPS time synchronised
logs.

Now here is the trick... I monitored the address and found that there
were a string of individual emails getting sent into the script with
return addresses that delivered back to the same server. The odd thing
was, the regularity of the messages and the fact there was only one. I
should really capture a message to see if it is really spam.... or a
"test" message.

I have decided not to attempt to re-write postfix so that the "data
format error" is returned at SMTP time, and instead just watched it be
listed by backscatterer.org continually until the network was relocated
to a new IP block... as the server has the same name and the email
address hasn't changed I'll be looking to see if it's been listed again
in the new position now.

The script concerned is the bulk proxy retester script for SORBS, so the
people using it are postmasters in the majority of cases. I guess
they'll stop using backscatterer.org if they can't get delisted because
of this auto-responder....

Shells

Seth

Sep 20, 2009, 10:52:25 AM
In article <h92qq3$mj$1...@nemesis.sorbs.net>,
Michelle Sullivan <michell...@sorbs.net> wrote:

>Riddle me this....
>
>A SORBS host got listed for backscatter. After 6 months of *continual*
>listing I finally tracked it down to a script that validly will send a
>"Data Format Error" reply should someone send something to a particular
>email address that does not match the required input format.

That is, you send an autoreply to bad email, instead of rejecting it.

> The server's sole job is to process the incoming requests as
> specified.

Apparently the other part of the "sole job" is to send email to
purported senders.

> It is set to 554 unknown addresses and there are no
>auto-responders.

There _is_ an auto-responder, you just described it: send a message
with a particular format (that is, anything other than the "required
input format") and get an auto-response.

> I tracked it down in the end, and found the timestamp on the
>backscatter website was exactly 1 hour, 2 minutes and 34 seconds off
>my GPS time synchronised logs.

That's bad. Are you sure they had the right zone (with daylight
savings time)?

>Now here is the trick... I monitored the address and found that there
>were a string of individual emails getting sent into the script with
>return addresses that delivered back to the same server.

The "same server" as which?

> The odd thing was, the regularity of the messages and the fact
>there was only one. I should really capture a message to see if it
>is really spam.... or a "test" message.

Or someone who figured out a way to get anti-spam lists to annoy each
other. Where are the messages coming from?

Seth

Shmuel (Seymour J.) Metz

Sep 21, 2009, 12:49:07 PM
In <h92qq3$mj$1...@nemesis.sorbs.net>, on 09/19/2009

at 03:11 PM, Michelle Sullivan <michell...@sorbs.net> said:

>I have decided not to attempt to re-write postfix so that the "data
>format error" is returned at SMTP time,

You don't have to; run your validation in a milter.

--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>

I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org

Michelle Sullivan

Sep 21, 2009, 12:46:17 PM
Seth wrote:
> In article <h92qq3$mj$1...@nemesis.sorbs.net>,
> Michelle Sullivan <michell...@sorbs.net> wrote:
>
>> Riddle me this....
>>
>> A SORBS host got listed for backscatter. After 6 months of *continual*
>> listing I finally tracked it down to a script that validly will send a
>> "Data Format Error" reply should someone send something to a particular
>> email address that does not match the required input format.
>
> That is, you send an autoreply to bad email, instead of rejecting it.


Read below.


>> It is set to 554 unknown addresses and there are no
>> auto-responders.
>
> There _is_ an auto-responder, you just described it: send a message
> with a particular format (that is, anything other than the "required
> input format") and get an auto-response.

No. The response is a numeric code that means "Data Format Error" (65)
postfix, sendmail (and I haven't confirmed, but I suspect it will be the
same - Exim) generate an NDR based on that numeric. For information if
the system is already running the script for other requests the other
response is 75 (Temp Fail) which will cause it to be queued and
re-tried later.


Now, if you believe that this is an invalid response (completely RFC
compliant) feel free to show me any MTA that will respond with 'Data
Format Error' at the End-of-Data command that runs on FreeBSD and I will
happily replace the mail server on that host.

You'll note that there are other restrictions on the software like LDAP
etc.. However, I will put them all to one side, just find me a server
that will respond correctly to a (65) Data-Format-Error response at SMTP
time.....


>
>> I tracked it down in the end, and found the timestamp on the
>> backscatter website was exactly 1 hour, 2 minutes and 34 seconds off
>> my GPS time synchronised logs.
>
> That's bad. Are you sure they had the right zone (with daylight
> savings time)?


2 minutes 34 seconds negates any daylight savings issues. The one hour
could be a DST issue (I don't have DST being in Brisbane).


>
>> Now here is the trick... I monitored the address and found that there
>> were a string of individual emails getting sent into the script with
>> return addresses that delivered back to the same server.
>
> The "same server" as which?

The same UCEProtect server. ie the one message every 7 days that was
causing the listing, was going back to the same listing server. Which
makes me think it's a test message and not a spam.

>> The odd thing was, the regularity of the messages and the fact
>> there was only one. I should really capture a message to see if it
>> is really spam.... or a "test" message.
>
> Or someone who figured out a way to get anti-spam lists to annoy each
> other. Where are the messages coming from?


Doesn't annoy me any more. Not concerned with it, it's not sending
responses to spam, it's 100% RFC compliant and the NDRs that it is
sending, are being sent because of the way Postfix is written (and would
also do the same with sendmail, and I suspect exim) all of which are
what *we* recommend to put in front of M$ Exchange to avoid backscatter.


Shells

Claus v. Wolfhausen

Sep 22, 2009, 10:59:28 AM
In article <slrnhb23ne...@xs7.xs4all.nl>, nom...@example.com says...

>
>Claus v. Wolfhausen <use-reply-...@remove-this.com> wrote:
>> Rob wrote:
>>
>>> Please note the listing policy of backscatterer.org: you need to send
>>> only a SINGLE piece of backscatter to get listed for A MONTH.
>>
>> Oh there are multiple things that can get you in trouble even if done
>> the very first time.
>>
>> Please note the law of the USA:
>> You need to murder only a SINGLE person to get in prison for the rest of
>> your life:-)
>
>You are making a complete fool of yourself by comparing sending a
>single piece of backscatter to committing a murder.
>

No you are making a fool out of yourself by willfully misunderstanding what was
the core meaning of my posting:

Right: There are errors you will do once and you will get punished immediately.

Let's give you some examples:

You are not careful while climbing some rocks - You might pay with your life
for not being careful ONCE....

You do not stop at a red traffic light - It is also possible that you will have
no chance to do it again (if a bus hits you)....

Got it now? My point was against your whining that " a single NDR to the
wrong people will get you listed".


--
Claus von Wolfhausen
Technical Director
UCEPROTECT-Network
http://www.uceprotect.net

Michelle Sullivan

Sep 22, 2009, 11:00:17 AM
Shmuel (Seymour J.) Metz wrote:
> In <h92qq3$mj$1...@nemesis.sorbs.net>, on 09/19/2009
> at 03:11 PM, Michelle Sullivan <michell...@sorbs.net> said:
>
>> I have decided not to attempt to re-write postfix so that the "data
>> format error" is returned at SMTP time,
>
> You don't have to; run your validation in a milter.
>


You do realise that the *spec*, for milter specifically denies anything
but an SMFIS_CONTINUE at the xxfi_eom() call? That said, I know it works
(because I have already implemented such elsewhere) and I can't find the
doco that says that in the current spec, so it might have changed....


Either way... who will write the milter for me? I might as well
re-write postfix to do it... (way less resource intensive than running
a Milter and don't need two chunks of memory (or diskspace) to do the
checks...


Shells

Seth

Sep 23, 2009, 8:30:09 PM
In article <h967tk$1ql$1...@nemesis.sorbs.net>,

Michelle Sullivan <michell...@sorbs.net> wrote:
>Seth wrote:
>> In article <h92qq3$mj$1...@nemesis.sorbs.net>,
>> Michelle Sullivan <michell...@sorbs.net> wrote:
>>
>>> Riddle me this....
>>>
>>> A SORBS host got listed for backscatter. After 6 months of *continual*
>>> listing I finally tracked it down to a script that validly will send a
>>> "Data Format Error" reply should someone send something to a particular
>>> email address that does not match the required input format.
>>
>> That is, you send an autoreply to bad email, instead of rejecting it.
>
>Read below.
>
>>> It is set to 554 unknown addresses and there are no
>>> auto-responders.
>>
>> There _is_ an auto-responder, you just described it: send a message
>> with a particular format (that is, anything other than the "required
>> input format") and get an auto-response.
>
>No. The response is a numeric code that means "Data Format Error" (65)
>postfix, sendmail (and I haven't confirmed, but I suspect it will be the
>same - Exim) generate an NDR based on that numeric.

That is, your system as a whole (postfix plus script doing handling
for that special email address) is an auto-responder.

>Now, if you believe that this is an invalid response (completely RFC
>compliant) feel free to show me any MTA that will respond with 'Data
>Format Error' at the End-of-Data command that runs on FreeBSD and I will
>happily replace the mail server on that host.

The script that produce the 65 is in the position of an MDA, right?
So your MTA should get the response from that script _before_
accepting the mail, so the sender can get a 55x instead of an NDR.

>>> Now here is the trick... I monitored the address and found that there
>>> were a string of individual emails getting sent into the script with
>>> return addresses that delivered back to the same server.
>>
>> The "same server" as which?
>
>The same UCEProtect server.

Same as what? Was the UCEProtect server the one that was sending the
misformatted email? Or was it the victim of forgery?

>>> The odd thing was, the regularity of the messages and the fact
>>> there was only one. I should really capture a message to see if it
>>> is really spam.... or a "test" message.
>>
>> Or someone who figured out a way to get anti-spam lists to annoy each
>> other. Where are the messages coming from?
>
>Doesn't annoy me any more.

But it did for a while.

> Not concerned with it, it's not sending responses to spam,

It's sending auto"responses" to an address that didn't send the email
in the first place, right?

> it's 100% RFC compliant and the NDRs that it is
>sending, are being sent because of the way Postfix is written

Why should that matter?

Seth
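
The difference argued over above, between answering the final dot of DATA with a 55x and accepting first and bouncing later, as an added example that is not part of any post in the thread and is not Postfix or SORBS code. The input format, addresses and domains are constructed, `Receiver` is a model rather than an MTA, and `gateway_filter` sketches the outbound-relay policy suggested earlier in the thread.

```python
import re

# sysexits.h values the thread names for the delivery script's exit status.
EX_OK, EX_DATAERR, EX_TEMPFAIL = 0, 65, 75

# Assumed input format for the piped address: one IPv4 address per line.
IPV4_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def script_exit_status(body, busy=False):
    """Stand-in for the delivery script: 0 accept, 75 retry later, 65 bad format."""
    if busy:
        return EX_TEMPFAIL
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if lines and all(IPV4_LINE.match(ln) for ln in lines):
        return EX_OK
    return EX_DATAERR


class Receiver:
    """Receiving MTA for the piped address, in one of two designs."""

    def __init__(self, check_before_reply):
        self.check_before_reply = check_before_reply
        self.ndr_queue = []    # bounces this host would originate
        self.retry_queue = []  # accepted mail waiting for the script

    def end_of_data(self, mail_from, body, busy=False):
        """Return the reply given to the final '.' of DATA."""
        status = script_exit_status(body, busy)
        if self.check_before_reply:
            # Verdict is known while the client is still connected: the
            # connecting host keeps responsibility, nothing is originated here.
            if status == EX_DATAERR:
                return "554 Data format error"
            if status == EX_TEMPFAIL:
                return "451 Busy, try again later"
            return "250 Ok"
        # Accept-then-deliver: the client has already been told 250.
        if status == EX_TEMPFAIL:
            self.retry_queue.append((mail_from, body))
        elif status == EX_DATAERR and mail_from:
            # A bounce goes to the envelope sender, which the client chose
            # freely; the null sender "" never receives one.
            self.ndr_queue.append({"mail_from": "", "rcpt_to": mail_from})
        return "250 Ok: queued"


def gateway_filter(ndr_queue, internal_domains):
    """Outbound relay policy from the thread: let NDRs reach internal
    addresses only. External senders of real mail then learn nothing."""
    return [m for m in ndr_queue
            if m["rcpt_to"].rsplit("@", 1)[-1].lower() in internal_domains]


# Constructed sample traffic: (envelope sender, body).
SAMPLES = [
    ("postmaster@partner.example", "192.0.2.10\n192.0.2.11\n"),  # valid request
    ("never-sent@victim.example", "buy cheap pills\n"),          # forged sender, bad format
    ("colleague@corp.example", "please retest our range\n"),     # internal user, bad format
]


def run(check_before_reply):
    """Feed SAMPLES to a receiver; return (replies, NDRs it would originate)."""
    rx = Receiver(check_before_reply)
    replies = [rx.end_of_data(sender, body) for sender, body in SAMPLES]
    return replies, rx.ndr_queue


if __name__ == "__main__":
    for mode in (False, True):
        replies, ndrs = run(mode)
        print("check_before_reply =", mode)
        for (sender, _), reply in zip(SAMPLES, replies):
            print("  ", sender, "->", reply)
        print("   NDRs originated to:", [m["rcpt_to"] for m in ndrs])
        print("   after gateway filter:",
              [m["rcpt_to"] for m in gateway_filter(ndrs, {"corp.example"})])
```

With `check_before_reply=False` the host originates a bounce to the forged address, which is the single message that matters for a listing; with `True` the same input produces only a 554 to the connecting client.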

Michelle Sullivan

Sep 24, 2009, 12:14:01 PM
Seth wrote:
> In article <h967tk$1ql$1...@nemesis.sorbs.net>,
> Michelle Sullivan <michell...@sorbs.net> wrote:
>> Seth wrote:
>>> In article <h92qq3$mj$1...@nemesis.sorbs.net>,
>>> Michelle Sullivan <michell...@sorbs.net> wrote:
>>>
>>>> Riddle me this....
>>>>
>>>> A SORBS host got listed for backscatter. After 6 months of *continual*
>>>> listing I finally tracked it down to a script that validly will send a
>>>> "Data Format Error" reply should someone send something to a particular
>>>> email address that does not match the required input format.
>>> That is, you send an autoreply to bad email, instead of rejecting it.
>> Read below.
>>
>>>> It is set to 554 unknown addresses and there are no
>>>> auto-responders.
>>> There _is_ an auto-responder, you just described it: send a message
>>> with a particular format (that is, anything other than the "required
>>> input format") and get an auto-response.
>> No. The response is a numeric code that means "Data Format Error" (65)
>> postfix, sendmail (and I haven't confirmed, but I suspect it will be the
>> same - Exim) generate an NDR based on that numeric.
>
> That is, your system as a whole (postfix plus script doing handling
> for that special email address) is an auto-responder.


No the script is rejecting the message with an exit value of 65.

The script has 3 possible returns:

Exit "0" - OK - I've accepted responsibility for this message.
Exit "75" - TEMPFAIL - I can't handle this message at the moment, please
try later.
Exit "65" - PERMFAIL (Data Format Error) - Sorry I will not accept that
message at all.

In the case of 0 and 75 exits Postfix will respond appropriately at SMTP
time.
In the case of 65 Postfix generates an NDR.

The script is not an auto-responder at this point. If the message is
accepted for delivery then it becomes an auto-responder as it will
generate a message to send to the sender. The NDR (Exit 65) is causing
the backscatterer listings.


>> Now, if you believe that this is an invalid response (completely RFC
>> compliant) feel free to show me any MTA that will respond with 'Data
>> Format Error' at the End-of-Data command that runs on FreeBSD and I will
>> happily replace the mail server on that host.
>
> The script that produce the 65 is in the position of an MDA, right?
> So your MTA should get the response from that script _before_
> accepting the mail, so the sender can get a 55x instead of an NDR.


Take a look at the source... That doesn't happen for after-data
response codes in postfix (and I think the others though haven't tested.)

>>>> Now here is the trick... I monitored the address and found that there
>>>> were a string of individual emails getting sent into the script with
>>>> return addresses that delivered back to the same server.
>>> The "same server" as which?
>> The same UCEProtect server.
>
> Same as what? Was the UCEProtect server the one that was sending the
> misformatted email? Or was it the victim of forgery?


I'd have to re-check to be 100%, but IIRC it was the same server (or at
least the same subnet.)


>>>> The odd thing was, the regularity of the messages and the fact
>>>> there was only one. I should really capture a message to see if it
>>>> is really spam.... or a "test" message.
>>> Or someone who figured out a way to get anti-spam lists to annoy each
>>> other. Where are the messages coming from?
>> Doesn't annoy me any more.
>
> But it did for a while.


It did, till I worked out that it was expected behavior and possibly
deliberate listing. What annoyed me was the fact that my server could
be abusing others by sending backscatter... it wasn't, not concerned now.


>> Not concerned with it, it's not sending responses to spam,
>
> It's sending auto"responses" to an address that didn't send the email
> in the first place, right?


I don't believe so. Though it has the potential to.


>
>> it's 100% RFC compliant and the NDRs that it is
>> sending, are being sent because of the way Postfix is written
>
> Why should that matter?


As I said before, show me a single MTA that runs on FreeBSD that I can
replace postfix with, that requires no extra programming on my behalf
(eg writing a milter is not an answer.) That will allow the exit code
of 65 to send an End-Of-Data failure message, and I'll replace that MTA.

Our argument with Exchange is that others are better in that they allow
the appropriate at-SMTP-time responses, and Exchange hasn't honored or
generated them until recently. We have told people to use Postfix
(amongst others) as the way to stop NDRs and therefore stop the
backscatter and the backscatterer listings.... I have found a case
where Postfix fails to meet this "standard" ... tell me another MTA that
will meet the requirement and I'll replace that postfix server.

Michelle
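
A log check for the behaviour discussed in this post, added here as an example and not code from any poster: it scans Postfix-style log lines for messages that were accepted, bounced by a pipe transport, and then answered with a non-delivery notification. The log sample, hostnames, queue IDs, addresses and the `robot` transport name are constructed.

```python
import re

# Constructed sample in Postfix syslog style (all names, IDs and DSN values are made up).
SAMPLE_LOG = """\
Oct 21 10:00:01 mx postfix/smtpd[101]: A1B2C3: client=unknown[192.0.2.10]
Oct 21 10:00:01 mx postfix/qmgr[90]: A1B2C3: from=<forged@victim.example>, size=812, nrcpt=1 (queue active)
Oct 21 10:00:02 mx postfix/pipe[102]: A1B2C3: to=<robot@lists.example>, relay=robot, delay=0.4, dsn=5.6.0, status=bounced (data format error)
Oct 21 10:00:02 mx postfix/bounce[103]: A1B2C3: sender non-delivery notification: D4E5F6
Oct 21 10:00:02 mx postfix/qmgr[90]: D4E5F6: from=<>, size=2601, nrcpt=1 (queue active)
Oct 21 10:00:03 mx postfix/smtp[104]: D4E5F6: to=<forged@victim.example>, relay=mx.victim.example[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 ok)
Oct 21 10:05:00 mx postfix/smtpd[105]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 <nobody@lists.example>: Recipient address rejected; from=<x@victim.example> to=<nobody@lists.example> proto=ESMTP helo=<h>
Oct 21 10:06:00 mx postfix/pipe[106]: 0A0B0C: to=<robot@lists.example>, relay=robot, delay=0.3, dsn=4.3.0, status=deferred (temporary failure)
"""

QID = r"(?P<qid>[0-9A-F]{6,})"
FROM = re.compile(QID + r": from=<(?P<sender>[^>]*)>")
BOUNCED = re.compile(QID + r": to=<[^>]*>, relay=(?P<relay>[^,]+),.*dsn=(?P<dsn>5\.\d+\.\d+), status=bounced")
NDR = re.compile(QID + r": sender non-delivery notification: (?P<ndr>[0-9A-F]+)")
SENT = re.compile(QID + r": to=<[^>]*>,.*status=sent")

def find_backscatter(log):
    """Return one record per message that was accepted, then bounced with an NDR."""
    sender, bounced, ndr_of, delivered = {}, {}, {}, set()
    for line in log.splitlines():
        if m := FROM.search(line):      # envelope sender recorded at queue time
            sender[m["qid"]] = m["sender"]
        if m := BOUNCED.search(line):   # permanent failure after acceptance
            bounced[m["qid"]] = (m["relay"], m["dsn"])
        if m := NDR.search(line):       # bounce daemon created a new message
            ndr_of[m["qid"]] = m["ndr"]
        if m := SENT.search(line):      # some message left the system
            delivered.add(m["qid"])
    # The NDR goes to the original envelope sender, which may be forged.
    return [{"qid": q, "relay": relay, "dsn": dsn, "ndr_qid": ndr_of[q],
             "ndr_rcpt": sender.get(q, "?"), "ndr_sent": ndr_of[q] in delivered}
            for q, (relay, dsn) in bounced.items() if q in ndr_of]

if __name__ == "__main__":
    for rec in find_backscatter(SAMPLE_LOG):
        print(rec)
```

The SMTP-time `554` reject and the deferred delivery in the sample produce no record, since neither results in a new outbound message.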

Seth

Oct 22, 2009, 12:26:12 AM
In article <h9eu4n$slm$1...@nemesis.sorbs.net>,

I don't know about the script; that's internal to your systems. I'm
looking at things from the viewpoint of your external interface.
Exactly how stuff moves around within your systems is not relevant to
me.

>The script has 3 possible returns:

. . .


>In the case of 65 Postfix generates an NDR.

That is, your system is an auto-responder when the incoming message is
such that the script returns 65.

>The script is not an auto-responder at this point.

The auto-responder is your system as a whole, not any piece of it that
can't be observed from the outside.

> If the message is
>accepted for delivery then it becomes an auto-responder as it will
>generate a message to send to the sender. The NDR (Exit 65) is causing
>the backscatterer listings.

That's because there's an auto-response.

>>> Now, if you believe that this is an invalid response (completely RFC
>>> compliant) feel free to show me any MTA that will respond with 'Data
>>> Format Error' at the End-of-Data command that runs on FreeBSD and I will
>>> happily replace the mail server on that host.
>> The script that produces the 65 is in the position of an MDA, right?
>> So your MTA should get the response from that script _before_
>> accepting the mail, so the sender can get a 55x instead of an NDR.
>Take a look at the source... That doesn't happen for after-data
>response codes in postfix (and I think the others though haven't tested.)

So fix the code.

>> Same as what? Was the UCEProtect server the one that was sending the
>> misformatted email? Or was it the victim of forgery?
>
>I'd have to re-check to be 100%, but IIRC it was the same server (or at
>least the same subnet.)

Then the incoming mail (to you) wasn't forged, so the response
wouldn't be backscatter. Interesting; backscatterer.org claims that
the addresses they use don't send mail, and apparently they are
sending mail from at least one of those addresses.

>> It's sending auto"responses" to an address that didn't send the email
>> in the first place, right?
>
>I don't believe so. Though it has the potential to.

Good point.

Seth
