Linode Forum
Linode Community Forums
PostPosted: Thu Nov 05, 2009 3:58 am 
I just found that my IP was listed at SORBS as hacked.

They claim it was because an email containing spam / trojan / virus was received by "amplitudeuoh@<something>".

I looked through my mail logs [which go back to Oct 25] and all I found was this:

Code:
mmiller@linode ~$ grep amplitudeuoh  /var/log/mail.log*
/var/log/mail.log:Nov  5 09:07:59 linode postfix/cleanup[914]: BBA201BBE1: message-id=<000d01ca5de6$b4652830$6400a8c0@amplitudeuoh>
/var/log/mail.log:Nov  5 09:08:01 linode postfix/qmgr[3621]: BBA201BBE1: from=<amplitudeuoh@clipmove.com>, size=33236, nrcpt=1 (queue active)
/var/log/mail.log:Nov  5 09:09:02 linode postfix/smtp[916]: ECA261BBED: to=<amplitudeuoh@clipmove.com>, relay=none, delay=60, delays=0/0/60/0, dsn=4.4.1, status=deferred (connect to grey-area.mailhostingserver.com[209.62.85.74]:25: Connection timed out)
/var/log/mail.log:Nov  5 09:17:56 linode postfix/smtp[1233]: ECA261BBED: to=<amplitudeuoh@clipmove.com>, relay=grey-area.mailhostingserver.com[67.15.149.233]:25, delay=595, delays=575/0.05/20/0.09, dsn=5.7.1, status=bounced (host grey-area.mailhostingserver.com[67.15.149.233] said: 554 5.7.1 <>: Sender address rejected: Access denied (in reply to RCPT TO command))


Is this the reason why email was blacklisted, or did I already lose the relevant part of my logs?

[ironically, when I registered for SORBS, GMail identified the email as spam...]


PostPosted: Thu Nov 05, 2009 4:30 am 
SORBS is irrelevant. Nobody has cared about them in a long time. If you have mail being blocked by a recipient server because of SORBS then I highly recommend using a gmail account to tell the recipient server admin that SORBS is of little value due to the high FP rate and impossible criteria.

As for the message in question, seeing the full logs for the two message IDs may be helpful. Try grepping the logs for 'BBA201BBE1' and 'ECA261BBED' then posting the results here.


PostPosted: Thu Nov 05, 2009 4:36 am 
I've heard that SORBS is useless; my concern was that even so, I might not realize if someone is using them.

Code:
mikeage@linode /tmp$ grep ECA261BBED mail.log*
mail.log:Nov  5 09:08:01 linode postfix/cleanup[914]: ECA261BBED: message-id=<20091105070801.ECA261BBED@linode>
mail.log:Nov  5 09:08:01 linode postfix/bounce[938]: BBA201BBE1: sender non-delivery notification: ECA261BBED
mail.log:Nov  5 09:08:01 linode postfix/qmgr[3621]: ECA261BBED: from=<>, size=35510, nrcpt=1 (queue active)
mail.log:Nov  5 09:09:02 linode postfix/smtp[916]: ECA261BBED: to=<amplitudeuoh@clipmove.com>, relay=none, delay=60, delays=0/0/60/0, dsn=4.4.1, status=deferred (connect to grey-area.mailhostingserver.com[209.62.85.74]:25: Connection timed out)
mail.log:Nov  5 09:17:36 linode postfix/qmgr[3621]: ECA261BBED: from=<>, size=35510, nrcpt=1 (queue active)
mail.log:Nov  5 09:17:56 linode postfix/smtp[1233]: ECA261BBED: to=<amplitudeuoh@clipmove.com>, relay=grey-area.mailhostingserver.com[67.15.149.233]:25, delay=595, delays=575/0.05/20/0.09, dsn=5.7.1, status=bounced (host grey-area.mailhostingserver.com[67.15.149.233] said: 554 5.7.1 <>: Sender address rejected: Access denied (in reply to RCPT TO command))
mail.log:Nov  5 09:17:57 linode postfix/qmgr[3621]: ECA261BBED: removed
mikeage@linode /tmp$ grep BBA201BBE1 mail.log*
mail.log:Nov  5 09:07:58 linode postfix/smtpd[911]: BBA201BBE1: client=83-64-133-130.feldbach.xdsl-line.inode.at[83.64.133.130]
mail.log:Nov  5 09:07:59 linode postfix/cleanup[914]: BBA201BBE1: message-id=<000d01ca5de6$b4652830$6400a8c0@amplitudeuoh>
mail.log:Nov  5 09:08:01 linode postfix/qmgr[3621]: BBA201BBE1: from=<amplitudeuoh@clipmove.com>, size=33236, nrcpt=1 (queue active)
mail.log:Nov  5 09:08:01 linode postfix/smtp[916]: BBA201BBE1: to=<mikeage@gmail.com>, orig_to=<avodah@mikeage.net>, relay=gmail-smtp-in.l.google.com[209.85.212.43]:25, delay=3.3, delays=2.5/0/0.11/0.66, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[209.85.212.43] said: 552-5.7.0 Our system detected an illegal attachment on your message. Please 552-5.7.0 visit http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0 review our attachment guidelines. 9si2474704vws.88 (in reply to end of DATA command))
mail.log:Nov  5 09:08:01 linode postfix/bounce[938]: BBA201BBE1: sender non-delivery notification: ECA261BBED
mail.log:Nov  5 09:08:01 linode postfix/qmgr[3621]: BBA201BBE1: removed


PostPosted: Thu Nov 05, 2009 7:57 am 
Usually mail servers tell you why they're rejecting your email when they do. For instance, the last one there says you sent an attachment that Google, in their infinite wisdom, decided its users don't need. The other rejection doesn't say anything about SORBS, so it could be something as simple as an invalid email address.


PostPosted: Thu Nov 05, 2009 8:10 am 
Right, but those weren't messages I sent [myself]. I have postfix set up to forward mail to my gmail account; gmail rejected them, they got bounced back, and the recipient [who might not have been the one who connected in the first place] complained via SORBS.


PostPosted: Thu Nov 05, 2009 8:22 am 
If those are complete logs then it looks like a few things happened:

1) someone at 83-64-133-130.feldbach.xdsl-line.inode.at[83.64.133.130] pretended to send a message from amplitudeuoh@clipmove.com to avodah@mikeage.net
2) Your server accepted this message and tried to forward it to mikeage@gmail.com
3) gmail rejected it (bad attachment; virus?)
4) You sent a bounce message to amplitudeuoh@clipmove.com. The nature of the bounce message means that it would have contained the original bad attachment (virus?)

Congratulations, you attempted to send a virus to an innocent. This process is commonly known as "backscatter".

You need to be _very_ careful when forwarding mail on like this.

It _looks_ like you're wildcard forwarding all email sent to mikeage.net onto google. Are you? If so, why not set up a google-apps account and have the mail go directly there? If you have a reason to want the mail to go to your linode first, then set up specific forwarding rules for each mail address you actually use (don't wildcard). That'll cut down on backscatter a lot.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)
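The four steps above can be read straight out of the postfix log: the smtpd "client=" line shows who injected the message, the smtp line shows the forward to gmail being rejected, and the bounce line ties the original queue id to the queue id of the non-delivery notification that then went out to the outside world. As an added example (not code from the thread or from postfix), here is a small Python script that parses the log lines quoted earlier in this thread, links the two queue ids the same way, and flags a bounce as backscatter when it was generated for mail accepted from an outside client and addressed to a recipient outside the local domains. The set of local domains is an assumption passed in by the caller.

```python
import re
from collections import defaultdict

# Postfix log lines copied from the grep output posted earlier in this thread.
SAMPLE_LOG = """\
Nov  5 09:07:58 linode postfix/smtpd[911]: BBA201BBE1: client=83-64-133-130.feldbach.xdsl-line.inode.at[83.64.133.130]
Nov  5 09:07:59 linode postfix/cleanup[914]: BBA201BBE1: message-id=<000d01ca5de6$b4652830$6400a8c0@amplitudeuoh>
Nov  5 09:08:01 linode postfix/qmgr[3621]: BBA201BBE1: from=<amplitudeuoh@clipmove.com>, size=33236, nrcpt=1 (queue active)
Nov  5 09:08:01 linode postfix/smtp[916]: BBA201BBE1: to=<mikeage@gmail.com>, orig_to=<avodah@mikeage.net>, relay=gmail-smtp-in.l.google.com[209.85.212.43]:25, delay=3.3, delays=2.5/0/0.11/0.66, dsn=5.7.0, status=bounced (host gmail-smtp-in.l.google.com[209.85.212.43] said: 552-5.7.0 Our system detected an illegal attachment on your message. Please 552-5.7.0 visit http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0 review our attachment guidelines. 9si2474704vws.88 (in reply to end of DATA command))
Nov  5 09:08:01 linode postfix/bounce[938]: BBA201BBE1: sender non-delivery notification: ECA261BBED
Nov  5 09:08:01 linode postfix/qmgr[3621]: BBA201BBE1: removed
Nov  5 09:08:01 linode postfix/cleanup[914]: ECA261BBED: message-id=<20091105070801.ECA261BBED@linode>
Nov  5 09:08:01 linode postfix/qmgr[3621]: ECA261BBED: from=<>, size=35510, nrcpt=1 (queue active)
Nov  5 09:09:02 linode postfix/smtp[916]: ECA261BBED: to=<amplitudeuoh@clipmove.com>, relay=none, delay=60, delays=0/0/60/0, dsn=4.4.1, status=deferred (connect to grey-area.mailhostingserver.com[209.62.85.74]:25: Connection timed out)
Nov  5 09:17:56 linode postfix/smtp[1233]: ECA261BBED: to=<amplitudeuoh@clipmove.com>, relay=grey-area.mailhostingserver.com[67.15.149.233]:25, delay=595, delays=575/0.05/20/0.09, dsn=5.7.1, status=bounced (host grey-area.mailhostingserver.com[67.15.149.233] said: 554 5.7.1 <>: Sender address rejected: Access denied (in reply to RCPT TO command))
Nov  5 09:17:57 linode postfix/qmgr[3621]: ECA261BBED: removed
"""

# syslog timestamp, host, "postfix/<daemon>[pid]: <queue id>: <rest>"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)


def parse_postfix_log(text):
    """Group the facts postfix logs about each queue id into one record."""
    msgs = defaultdict(lambda: {"client": None, "from": None,
                                "deliveries": [], "bounce_qid": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, rest = m.group("prog"), m.group("rest")
        rec = msgs[m.group("qid")]
        if prog == "smtpd":                      # who handed us the message
            c = re.search(r"client=(\S+)", rest)
            if c:
                rec["client"] = c.group(1)
        elif prog == "qmgr":                     # envelope sender (<> for a DSN)
            f = re.search(r"from=<([^>]*)>", rest)
            if f:
                rec["from"] = f.group(1)
        elif prog == "smtp":                     # one delivery attempt
            d = {}
            to = re.search(r"(?<![\w_])to=<([^>]*)>", rest)
            if to:
                d["to"] = to.group(1)
            relay = re.search(r"relay=([^,]+)", rest)
            d["relay"] = relay.group(1) if relay else None
            status = re.search(r"status=(\w+)", rest)
            d["status"] = status.group(1) if status else None
            rec["deliveries"].append(d)
        elif prog == "bounce":                   # DSN queue id for this message
            b = re.search(r"non-delivery notification: ([0-9A-F]+)", rest)
            if b:
                rec["bounce_qid"] = b.group(1)
    return dict(msgs)


def find_backscatter(msgs, local_domains):
    """Flag every DSN this host generated for mail it accepted from an outside
    client and then addressed to a recipient outside local_domains."""
    hits = []
    for qid, rec in msgs.items():
        bounce_qid = rec["bounce_qid"]
        if bounce_qid is None or bounce_qid not in msgs:
            continue
        bounce = msgs[bounce_qid]
        if bounce["from"] != "":                 # a DSN always has the null sender
            continue
        for d in bounce["deliveries"]:
            domain = d.get("to", "").rsplit("@", 1)[-1].lower()
            if domain and domain not in local_domains:
                hits.append({
                    "original": qid,
                    "bounce": bounce_qid,
                    "injected_by": rec["client"],
                    "original_sender": rec["from"],
                    "rejected_by": [x["relay"] for x in rec["deliveries"]
                                    if x["status"] == "bounced"],
                    "bounce_to": d["to"],
                })
                break
    return hits


if __name__ == "__main__":
    # local domain set is an assumption for this thread's host
    for hit in find_backscatter(parse_postfix_log(SAMPLE_LOG), {"mikeage.net", "linode"}):
        print("backscatter: %(original)s from %(injected_by)s, rejected by %(rejected_by)s, "
              "DSN %(bounce)s sent to %(bounce_to)s" % hit)
```

Run over a real mail.log the same way; every hit is a message the server should either have rejected at SMTP time or silently discarded instead of bouncing, which is exactly the choice the rest of this thread is about.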


PostPosted: Thu Nov 05, 2009 8:31 am 
That's my understanding as well. However, in this case, avodah@mikeage.net is a perfectly legitimate address, which sometimes receives spam.

The way I see it, there are three things I could be doing:

1. Reject the original message since 83-64-133-130.feldbach.xdsl-line.inode.at isn't authorized to send mail from amplitudeuoh@clipmove.com. The problem with that, of course, is that there's no good way to do that.
2. Not send bounce messages if gmail rejects it. This seems like a reasonable option [as it is, my server shouldn't ever bounce messages on its own; all addresses are either forwarded or sent silently to /dev/null].
3. Strip the attachment from the bounce [probably the most standards compliant thing to do].

Any suggestions for either achieving one of these goals, or another option?

[incidentally, I forward most of my email on to gmail, but not all, which is why I want to have it go via my VPS]


PostPosted: Thu Nov 05, 2009 8:49 am 
1. You can use SPF.

Code:
-bash-3.2# host -tTXT clipmove.com
clipmove.com descriptive text "v=spf1 -all"

If you had SPF enabled on your server, it would reject all email from clipmove.com, since that domain is not permitted to send email.


2. Because of SPF, I would rewrite the sender to a bit bucket in your VPS. That way, any bounces will be discarded. This rewrite is also important so that Google doesn't apply the SPF rules of senders to your IP address and toss the mail in the spam bucket because your IP isn't allowed to send email for that domain.
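To make both points above concrete, here is an added example in Python; it is not the poster's code and not a real SPF library. It evaluates the DNS-free subset of SPF (ip4/ip6 mechanisms and "all" with qualifiers) against a constructed zone: the clipmove.com record is the "v=spf1 -all" shown in the post, while the mikeage.net and example.org records, the VPS address 203.0.113.10, the sending address 198.51.100.5 and the "bounces" mailbox are assumptions. It then walks the forwarding chain from the thread: the inbound message fails SPF at the VPS, a forwarded message with the original envelope sender left intact fails or softfails at Google, and the same message with the sender rewritten to an address at the forwarder passes.

```python
import ipaddress

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the subset of SPF (RFC 7208) that needs no DNS lookups:
    ip4:/ip6: mechanisms and 'all', each with an optional qualifier.
    Returns one of pass / fail / softfail / neutral / none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                            # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                          # default qualifier is pass
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if "=" in name:                          # modifier (redirect=, exp=): ignored here
            continue
        name = name.lower()
        if name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
            continue
        # a, mx, include, exists, ptr need DNS lookups; out of scope here
        raise ValueError("unsupported mechanism: " + name)
    return "neutral"                             # nothing matched and no 'all' term


# Constructed zone for the scenario in this thread (assumptions, not live DNS).
ZONE = {
    "clipmove.com": "v=spf1 -all",                       # as shown in the post above
    "example.org": "v=spf1 ip4:198.51.100.5 ~all",       # assumed legitimate sender
    "mikeage.net": "v=spf1 ip4:203.0.113.10 -all",       # assumed record for the VPS
}


def spf_for_message(envelope_sender, client_ip, zone=ZONE):
    """SPF result a receiver would compute for an envelope sender and the
    IP that handed it the message; the null sender yields 'none'."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower() if envelope_sender else ""
    if not domain or domain not in zone:
        return "none"
    return check_spf(zone[domain], client_ip)


def forwarded_sender(original_sender, forwarder_domain, mailbox="bounces"):
    """Rewrite the envelope sender to an address at the forwarder, as the post
    suggests (the production equivalent is SRS). The 'bounces' mailbox is
    assumed to be routed to /dev/null on the forwarder, so any DSN a
    downstream host sends back is discarded instead of becoming backscatter."""
    return "%s+%s@%s" % (mailbox, original_sender.replace("@", "="), forwarder_domain)


if __name__ == "__main__":
    vps = "203.0.113.10"
    print("inbound at VPS:", spf_for_message("amplitudeuoh@clipmove.com", "83.64.133.130"))
    print("forwarded, sender kept:", spf_for_message("alice@example.org", vps))
    rewritten = forwarded_sender("alice@example.org", "mikeage.net")
    print("forwarded, sender rewritten to", rewritten + ":", spf_for_message(rewritten, vps))
```

A receiver acting on the first result would reject the clipmove.com message at RCPT time, so no bounce is ever generated; the third result is why the sender rewrite keeps Google from scoring the forwarder's IP against the original sender's record.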


PostPosted: Thu Nov 05, 2009 8:54 am 
Can you elaborate a little more on your second point? I've learned that SPF totally breaks the concept of forwarding [and indeed, I see that gmail notes, for each message, that mikeage.net is neither permitted nor denied to send messages on behalf of whoever the original sender is]. How can I do this using postfix?


PostPosted: Thu Nov 05, 2009 9:01 am 
I used to use sendmail and procmail. Not sure if it works with postfix.

/home/barkerjr/.procmailrc:

Code:
:0 fw
* !^X-Loop: barkerjrexample@gmail.com
| /usr/bin/formail -A'X-Loop: barkerjrexample@gmail.com'

:0 A
! barkerjrexample@gmail.com


PostPosted: Thu Nov 05, 2009 7:58 pm 
Anti-spam and anti-virus on receiving is a good start, so you don't even accept the message (if you don't accept it then you don't generate a bounce message; you're not responsible).

Not bouncing stuff you (fail to) relay is really important and is the best answer (because some things will get through the anti-spam rules).

Stripping out attachments is good, but you'll still be sending backscatter, so I don't rate that as a priority.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


PostPosted: Fri Nov 06, 2009 1:49 am 
How would I go about not generating a bounce for messages that are rejected by the forwarding rule using postfix?


PostPosted: Fri Nov 06, 2009 7:30 pm 
mikeage wrote:
How would I go about not generating a bounce for messages that are rejected by the forwarding rule using postfix?

I'd look at the softbounce option.

http://archives.neohapsis.com/archives/ ... /1404.html

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


PostPosted: Fri Nov 06, 2009 7:39 pm 
Or you could use exim which is designed to behave appropriately.


PostPosted: Sat Nov 07, 2009 9:34 pm 
Xan -- how does exim behave "appropriately"? What does it do that Postfix does not / cannot?

