faked bonces (backscatter) with maleware (amavisd-new 2.8.0-1.el6.rf

Django Django
Thu Sep 10 16:39:31 CEST 2015

HI Marc,

I've a "little problem" with a mailsystem.

Last day a colleague received over 200 bounce-messages and this over 10
minutes. O.K., that was all backscatter from a software-company in
Redmond :( All those messages had have an attachment (zip archive) with

A few minutes I was shocked, 'cause how could all AMaVis-hosts at
customer site, transport maleware in a zip-archive?! So, I tried to send
a new mail, with this zip-archive to all of our 5 MX and nowhere it was
possible to trespass our borderfilters. :)

So I tried to understand, why our AMaVis's allowed those faked
bounce-messages with mailware.

The only thing I found was those maillog-entries:

Sep  8 13:17:10 amavis-cluster-by amavis[23088]: (23088-10) bounce
rescued by domain (DSN), <> -> <redacted at example.com>, date: Tue, 8 Sep
2015 12:41:24 +0200, from: Rosenbaum Group <redacted at example.com>,
message-id: <HDmUIBRrPV7ZeJ2q0r2ttvv at example.com>, return-path:
redacted at example.com

"bounce rescued by domain (DSN)"? What's that? So I tried to ask google,
wether or not there are existing news known by others.

The only things I found was:

" ... bounce killer feature (requires pen pals SQL logging) checks a
header section attached to received non-delivery status notifications,
and discards bounces to fake mail which do not refer to our genuine
outgoing mail;"

I'm not so fimilar with this, how p at trick told it "spam and maleware
over backscatter as esoteric problem ;)", and your "bounce killer
feature". May you tell me a few more points, what this feature can do
and if it the right point, to ban those attacks? Or there exists an
unknown feature for banning attachments (i.e. zip-archives with
maleware)? Every hint is useful!

Thanx4help! Have a nice day!

"Bonnie & Clyde der Postmaster-Szene!" approved by Postfix-God

More information about the amavis-users mailing list