How can I stop sending D_BOUNCE's to the alleged sender of a message with DKIM failures?

Michael D. Wood mike at itsecuritypros.org
Tue Sep 18 17:43:59 CEST 2012


Have a look at this, Steve:

https://groups.google.com/forum/?fromgroups=#!topic/mailing.unix.amavis-user/me_1o4k-qVc

--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org

-----Original Message-----
From: amavis-users-bounces+mike=itsecuritypros.org at amavis.org
[mailto:amavis-users-bounces+mike=itsecuritypros.org at amavis.org] On Behalf
Of Steve Scotter
Sent: Tuesday, September 18, 2012 11:07 AM
To: amavis-users at amavis.org
Subject: How can I stop sending D_BOUNCE's to the alleged sender of a
message with DKIM failures?

Hi all,

Today my mail servers started to get bombarded with emails alleging to be
from randomname at facebook.com. All had a subject of "Your friend wants to
share photos and updates with you" and all with an attachment
"Your_Friend_New_photos-updates_id[random number].zip". All ZIP files had a
file called "Your_Friend_New_photos-updates.jpeg.exe" inside them.

All these messages were blocked by amavisd-new because they had an
attachment with a .exe filename. However, it generated a DSN to
randomname at facebook.com because I have $final_banned_destiny = D_BOUNCE;

These DSNs were getting rejected by Facebook's mailservers with the
following error "554 5.7.1 POL-P3
http://postmaster.facebook.com/response_codes?ip=x.x.x.x#pol-t"

Looking at my logs I also noticed that the original messages which were
causing the DSN to be created were failing DKIM. I began to look into how
to prevent sending DSNs created by $final_banned_destiny being set to D_BOUNCE
to alleged senders whose message fails DKIM and came across this
explanation of what D_BOUNCE means...

D_BOUNCE    
Mail will not be delivered to its recipients. A non-delivery notification
(bounce) will be created by amavisd-new and sent to the sender by
amavisd-new. Exceptions: bounce (DSN) will not be sent if a virus name
matches @viruses_that_fake_sender_maps , or to messages from mailing lists
(Precedence: bulk|list|junk), or for spam level that exceeds the
$sa_dsn_cutoff_level. If a quarantine is configured, a copy of the mail will
go there. If not, we have lost the mail, but if the mail was legitimate, the
sender should receive notification of the disposition of the message. 

The interesting bit for me is "or for spam level that exceeds the
$sa_dsn_cutoff_level". I have $sa_dsn_cutoff_level = 20.0 on my servers. I
created a spamassassin rule to catch messages with a subject of "Your friend
wants to share photos and updates with you" and to score it 30 (lint'd and
tested fine) but still the DSNs were getting created. It seems to me that
spamassassin wasn't being run against the message because in my logs all of
the messages had a SA score of 0.00 and none had any tests triggered.

I realise a lot of people will say set $final_banned_destiny = D_DISCARD,
and it may come to that. But I would like to notify a real sender of a
BANNED message, while not causing backscatter by notifying fake senders of
banned messages. Is there a way to do it safely?

Regards

Steve

# uname -a
FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:46:30 UTC 2012

# amavisd -V
amavisd-new-2.7.0 (20110701)

# perl -v
This is perl 5, version 14, subversion 2 (v5.14.2) built for amd64-freebsd



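A model of the policy asked about in the message above (notify a real sender of a banned message, stay silent toward forged ones), as an added example that is not part of the original thread and is not amavisd-new code: it applies the Precedence and spam-cutoff exceptions quoted above and additionally requires a DKIM pass covering the envelope sender's domain. It assumes the receiving host stamps an Authentication-Results header with its own authserv-id; the function names, the authserv-id `mx.example.net` and the sample messages are constructed for illustration.

```python
from email import message_from_string

SA_DSN_CUTOFF = 20.0  # same value as the $sa_dsn_cutoff_level quoted in the post

def dkim_pass_domains(msg, trusted_authserv):
    """Signing domains with dkim=pass, taken only from our own verifier's header."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in value.split(";")]
        # A header stamped with a foreign authserv-id may be forged by the sender.
        if not parts[0] or parts[0][0].lower() != trusted_authserv:
            continue
        for tokens in parts[1:]:
            if tokens and tokens[0].lower() == "dkim=pass":
                domains.update(t[9:].lower() for t in tokens[1:]
                               if t.lower().startswith("header.d="))
    return domains

def should_send_dsn(raw_message, envelope_sender, spam_score, trusted_authserv):
    """True only if a bounce would reach a sender whose domain DKIM-verified."""
    msg = message_from_string(raw_message)
    if not envelope_sender:  # null reverse-path: never answer a bounce with a bounce
        return False
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False
    if spam_score > SA_DSN_CUTOFF:
        return False
    sender_domain = envelope_sender.rsplit("@", 1)[-1].lower()
    # Relaxed alignment: sender domain equals, or is a subdomain of, a signing domain.
    return any(sender_domain == d or sender_domain.endswith("." + d)
               for d in dkim_pass_domains(msg, trusted_authserv))

# Constructed sample messages (not taken from the thread's logs).
FORGED = ("Authentication-Results: mx.example.net; dkim=fail header.d=facebook.com\n"
          "From: randomname@facebook.com\n"
          "Subject: Your friend wants to share photos and updates with you\n\nbody\n")
GENUINE = ("Authentication-Results: mx.example.net;\n"
           " dkim=pass header.d=example.org\n"
           "From: alice@example.org\nSubject: quarterly report\n\nbody\n")

if __name__ == "__main__":
    for name, raw, sender in (("forged", FORGED, "randomname@facebook.com"),
                              ("genuine", GENUINE, "alice@example.org")):
        print(name, should_send_dsn(raw, sender, 0.0, "mx.example.net"))
```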




