My Z6 is generating backscatter

Baylink
Outstanding Member
Posts: 381
Joined: Fri Sep 12, 2014 11:42 pm

My Z6 is generating backscatter

Post by Baylink »

Apparently, for the first time in 4 or 5 years; I've never had a report of this before.
First: to confirm that I understand what backscatter is: it appears that people are sending spam to my domain, *some* of which has invalid recipient addresses. If the address is valid, then it just delivers, gets junk-filed or not, and all is well. But if the recipient address is invalid on my domain, it appears my Z instance is *sending a bounce message*, and it is my understanding from reading the 9 ZForum threads y'all are going to send me to, and the underlying Postfix doco, that that's not supposed to happen.
Herewith, an example (logs trimmed to the appropriate entries):

[code]
[root@benjamin tmp]# cat backscatter
Dec 4 13:21:19 benjamin postfix/cleanup[7756]: 6B4401F002E9: message-id=
Dec 4 13:21:25 benjamin postfix/cleanup[5945]: 778541F0026E: message-id=
Dec 4 13:21:25 benjamin amavis[11829]: (11829-02) Passed SPAM, [178.167.27.41] [178.167.27.41] -> , Message-ID: , mail_id: BAtxUG4aqHbk, Hits: 25.67, size: 30959, queued_as: 778541F0026E, 5038 ms
Dec 4 13:23:29 benjamin postfix/cleanup[8018]: 5F1591F001F0: message-id=
Dec 4 13:23:41 benjamin postfix/cleanup[8018]: 81AA3EF008A: message-id=
Dec 4 13:23:41 benjamin amavis[12622]: (12622-12) Passed SPAM, [1.53.102.133] [1.53.102.133] -> , Message-ID: , mail_id: NGO+spd3Y1Nl, Hits: 25.281, size: 30916, queued_as: 81AA3EF008A, 11028 ms
Dec 4 13:50:47 benjamin postfix/cleanup[10895]: E8C9E1F0026E: message-id=
Dec 4 13:50:55 benjamin postfix/cleanup[10895]: 276271F004E9: message-id=
Dec 4 13:50:55 benjamin amavis[14397]: (14397-13) Passed SPAM, [94.20.173.76] [94.20.173.76] -> ,, Message-ID: , mail_id: gqVOVaHZk14s, Hits: 28.188, size: 30910, queued_as: 276271F004E9, 5013 ms
Dec 4 15:41:34 benjamin postfix/cleanup[25415]: 1D9711F0015C: message-id=
Dec 4 15:41:40 benjamin postfix/cleanup[25415]: 90C241F001A6: message-id=
Dec 4 15:41:40 benjamin amavis[6738]: (06738-01) Passed SPAM, [134.17.140.21] [134.17.140.21] -> , Message-ID: , mail_id: ZyJjTqPq2-Ag, Hits: 29.535, size: 30915, queued_as: 90C241F001A6, 5366 ms
Dec 4 20:57:39 benjamin postfix/cleanup[30438]: F0CBF1F001BD: message-id=
Dec 4 20:57:44 benjamin postfix/cleanup[997]: B4CE31F001E5: message-id=
Dec 4 20:57:44 benjamin amavis[3013]: (03013-03) Passed SPAM, [85.29.140.166] [85.29.140.166] -> , Message-ID: , mail_id: 9zyTQrITlY90, Hits: 16.808, size: 30928, queued_as: B4CE31F001E5, 4914 ms
Dec 4 20:57:44 benjamin postfix/smtpd[25903]: B4CE31F001E5: client=localhost.localdomain[127.0.0.1]
Dec 4 20:57:44 benjamin postfix/cleanup[997]: B4CE31F001E5: message-id=
Dec 4 20:57:44 benjamin postfix/qmgr[15322]: B4CE31F001E5: from=, size=31395, nrcpt=1 (queue active)
Dec 4 20:57:44 benjamin amavis[3013]: (03013-03) FWD via SMTP: -> ,BODY=7BIT 250 2.0.0 Ok, id=03013-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4CE31F001E5
Dec 4 20:57:44 benjamin postfix/error[988]: B4CE31F001E5: to=, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.0.0, status=bounced (baylink.com)
Dec 4 20:57:44 benjamin amavis[3013]: (03013-03) Passed SPAM, [85.29.140.166] [85.29.140.166] -> , Message-ID: , mail_id: 9zyTQrITlY90, Hits: 16.808, size: 30928, queued_as: B4CE31F001E5, 4914 ms
Dec 4 20:57:44 benjamin postfix/smtp[994]: F0CBF1F001BD: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=7.2, delays=2.3/0/0/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=03013-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4CE31F001E5)
Dec 4 20:57:44 benjamin postfix/bounce[998]: B4CE31F001E5: sender non-delivery notification: B6D751F002C5
Dec 4 20:57:44 benjamin postfix/qmgr[15322]: B4CE31F001E5: removed
[/code]


I left the first 3 in there because, though they had a valid address, I noted that the Message IDs were strikingly similar; I infer a botnet client, since the MXs were different (though I admittedly haven't looked up the IPs for them).
The last one, though, is for an address with no mailbox. It appears to *me* that Zimbra is generating a bounce, as I understand that it is not supposed to.
I cannot speak to whether this has been happening forever or it's a change; nonetheless my upstream (Road Runner) would very much like for me to stop it. It *feels* to me as if there are two layers of Zimbra involved here, and the one answering the incomings can't check for valid mailbox -- which would of course be fatal for me on this point, and I can't imagine that's so.
So what am I missing, folks?
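The log above shows the chain that defines backscatter: the message is accepted by the front smtpd (queue id F0CBF1F001BD), handed to amavis on port 10024, re-injected on 10025 as B4CE31F001E5, and only then bounced with relay=none, at which point postfix/bounce mails a non-delivery notification (B6D751F002C5) to the forged sender. A small log-correlation script, added here as an example and not part of the original post or of Zimbra, makes that pattern easy to spot in a mail log and to distinguish from the correct behaviour (a NOQUEUE reject at RCPT time, which generates no DSN). The sample log lines are constructed after the post's log; the addresses, client IPs and the second queue id are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the post's log. Addresses/IPs are placeholders.
SAMPLE_LOG = """\
Dec 4 20:57:39 benjamin postfix/smtpd[25900]: F0CBF1F001BD: client=unknown[203.0.113.5]
Dec 4 20:57:44 benjamin amavis[3013]: (03013-03) Passed SPAM, [203.0.113.5] -> <nobody@example.com>, queued_as: B4CE31F001E5
Dec 4 20:57:44 benjamin postfix/smtp[994]: F0CBF1F001BD: to=<nobody@example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=7.2, delays=2.3/0/0/4.9, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=03013-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as B4CE31F001E5)
Dec 4 20:57:44 benjamin postfix/smtpd[25903]: B4CE31F001E5: client=localhost.localdomain[127.0.0.1]
Dec 4 20:57:44 benjamin postfix/error[988]: B4CE31F001E5: to=<nobody@example.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=5.0.0, status=bounced (example.com)
Dec 4 20:57:44 benjamin postfix/bounce[998]: B4CE31F001E5: sender non-delivery notification: B6D751F002C5
Dec 4 20:57:44 benjamin postfix/qmgr[15322]: B4CE31F001E5: removed
Dec 4 21:02:11 benjamin postfix/smtpd[25910]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 550 5.1.1 <ghost@example.com>: Recipient address rejected: User unknown in local recipient table; from=<spammer@example.net> to=<ghost@example.com> proto=ESMTP helo=<mail.example.net>
"""

# "postfix/<program>[pid]: <queue-id or NOQUEUE>: <rest>"
LINE_RE = re.compile(r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+|NOQUEUE): (?P<rest>.*)")
# key=value pairs as Postfix writes them (to=<addr>, relay=..., status=...)
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")
QUEUED_AS_RE = re.compile(r"queued as ([0-9A-F]+)")
DSN_RE = re.compile(r"sender non-delivery notification: ([0-9A-F]+)")


@dataclass
class Backscatter:
    inbound: Optional[str]      # queue id of the message as first accepted from the Internet
    reinjected: str             # queue id after the content filter handed it back
    recipient: Optional[str]    # the address that turned out not to exist
    dsn_queue_id: str           # queue id of the bounce that went out to the (forged) sender


def parse_fields(rest: str) -> Dict[str, str]:
    """Turn 'to=<a@b>, relay=none, status=bounced (x)' into a dict, stripping angle brackets."""
    return {k: v.strip("<>") for k, v in FIELD_RE.findall(rest)}


def find_backscatter(log_text: str) -> Tuple[List[Backscatter], int]:
    """Return (post-acceptance bounces that produced a DSN, count of RCPT-time rejects)."""
    recipient: Dict[str, str] = {}
    queued_as: Dict[str, str] = {}   # re-injected qid -> inbound qid
    bounced = set()
    dsn_for: Dict[str, str] = {}
    smtp_rejects = 0

    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # amavis and other non-postfix lines
        qid, rest = m.group("qid"), m.group("rest")
        if qid == "NOQUEUE":
            if rest.startswith("reject:"):
                smtp_rejects += 1         # refused during the SMTP dialogue: no DSN possible
            continue
        fields = parse_fields(rest)
        if "to" in fields:
            recipient[qid] = fields["to"]
        qa = QUEUED_AS_RE.search(rest)
        if qa:
            queued_as[qa.group(1)] = qid  # link the filter's re-injected copy back to the original
        if fields.get("status") == "bounced" and fields.get("relay") == "none":
            bounced.add(qid)              # accepted earlier, undeliverable now
        d = DSN_RE.search(rest)
        if d:
            dsn_for[qid] = d.group(1)

    findings = [
        Backscatter(queued_as.get(q), q, recipient.get(q), dsn_for[q])
        for q in sorted(bounced) if q in dsn_for
    ]
    return findings, smtp_rejects


if __name__ == "__main__":
    found, rejects = find_backscatter(SAMPLE_LOG)
    print(f"{rejects} recipient(s) correctly rejected at RCPT time")
    for f in found:
        print(f"backscatter: accepted as {f.inbound}, re-injected as {f.reinjected}, "
              f"bounced for {f.recipient}, DSN queued as {f.dsn_queue_id}")
```

Run it against a real /var/log/zimbra.log or mail.log and the inbound/reinjected pairs it prints are exactly the cases where the front smtpd accepted a recipient the back end could not deliver; if the count of those is non-zero while the RCPT-time reject count stays at zero, recipient validation is not happening before acceptance.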
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

My Z6 is generating backscatter

Post by phoenix »

[quote user="Baylink"]So what am I missing, folks?[/quote]

Perhaps "reject_unlisted_recipients", as mentioned in all (or most) of the documents you've read.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Baylink
Outstanding Member
Posts: 381
Joined: Fri Sep 12, 2014 11:42 pm

My Z6 is generating backscatter

Post by Baylink »

So, Postfix gets this right, and Zimbra comes along behind them and gets it wrong?