Well, I got a lesson in properly configuring your e-mail server’s error messages. Since setting up postfix as an anti-spam and anti-virus gateway for my exchange system (see my article Postfix as proxy to exchange server), I had left the option
soft_bounce = yes
enabled in my postfix configuration.
This worked fine for months. However, I was then “joe jobbed”, which means that some spammer used my domain name as the “from” or “reply-to” address on their e-mails. This causes a flood of e-mails from other mail servers, with messages such as “no such user”, “this account has been deleted”, and so on. These e-mails are completely valid and authentic responses from e-mail servers.
Now, it is my personal opinion that mail servers should reject the message during the SMTP connection when the recipient does not exist, rather than accepting it and generating more messages and bandwidth by sending out a rejection response afterwards. But I understand why some e-mail providers wish to keep this option on, and I think Exchange has it on by default. So trying to change people’s minds is not going to work; we need to deal with these rejection messages responsibly.
This is where my server configuration showed its flaws. Here are the official definitions of the 450 and 550 reply codes:
450 Requested mail action not taken: mailbox unavailable (e.g., mailbox busy)
550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)
The difference between the two codes is not really apparent at first glance. However, a 4xx code tells the remote server that the error is temporary and that it should try again later; how much later depends on each server’s settings. A 5xx code tells the remote server that the failure is permanent and that it should not try again.
In the case of a joe job, you have thousands of servers sending bounces to your server for addresses that can’t be found (or for any other error). When each of those servers “retries” its connection every 10 minutes or so, your server will quickly find itself rejecting the same messages over and over.
Fortunately, the fix is easy: configure your server to respond with a 550 instead of a 450. Look at the change in the graph below, almost immediately after I switched to the 550 response:
You can see the benefits of using the 550 response. In postfix, the change is simple: change the soft_bounce line to
soft_bounce = no
You can also set the rejection code for particular errors individually, as below:
unknown_local_recipient_reject_code = 550
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
For more codes, see the Postconf manual.
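A small audit script, added here as an example and not part of the original post, that reads the `name = value` lines as printed by `postconf -n` and reports every setting that would make remote servers keep retrying: `soft_bounce = yes` (which turns every 5xx reply into a 4xx) and any of the `*_reject_code` parameters listed above that is explicitly set to a 4xx value. Parameters that are not set in the dump are listed separately so you can check their defaults with `postconf -d`; the sample configurations are constructed for the example.

```python
import re

# The reject-code parameters named in the post. Only values explicitly
# present in the dump are judged; unset ones are reported for a manual check.
REJECT_CODE_PARAMS = [
    "unknown_local_recipient_reject_code",
    "unknown_address_reject_code",
    "unknown_client_reject_code",
    "unknown_hostname_reject_code",
    "unknown_relay_recipient_reject_code",
    "unknown_virtual_alias_reject_code",
    "unknown_virtual_mailbox_reject_code",
    "unverified_recipient_reject_code",
    "unverified_sender_reject_code",
]

def parse_postconf(text):
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit(text):
    """Return {'retries': [(name, value), ...], 'unset': [name, ...]}.

    'retries' lists settings that cause temporary (4xx) rejections, so the
    remote server will come back and try again; soft_bounce = yes is listed
    first because it overrides every 5xx reply code below it.
    """
    params = parse_postconf(text)
    retries, unset = [], []
    if params.get("soft_bounce", "no").lower() == "yes":
        retries.append(("soft_bounce", "yes"))
    for name in REJECT_CODE_PARAMS:
        if name not in params:
            unset.append(name)
        elif params[name].startswith("4"):
            retries.append((name, params[name]))
    return {"retries": retries, "unset": unset}

# Constructed samples: the state described in the post, before and after the fix.
SAMPLE_BEFORE = "soft_bounce = yes\nunknown_local_recipient_reject_code = 550\nunverified_recipient_reject_code = 450\n"
SAMPLE_AFTER = "soft_bounce = no\nunknown_local_recipient_reject_code = 550\nunverified_recipient_reject_code = 550\n"
```

Run it against the output of `postconf -n` on your own gateway; an empty `retries` list means no joe-job bounce will be told to come back later.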
7 comments
There is a part of me that agrees with this method. If you are getting a ton of connection attempts, then this will reduce DNS lookups (assuming the previous lookup cache expired) and will prevent excessive RBL lookups.
On the other hand, I prefer to keep using 450 especially as it pertains to spammers. For zombie machines, this won’t do much other than tie up some more connections in my tarpit. For improperly configured mail servers or servers owned by spammers, this means their queues will fill up. The more they have in their queue, the less spam they will be able to send and the bigger mail servers they will need to buy.
This also means that if people are trying to send mail to my company from a mis-configured mail server and the mail is legit, then both they and I have more time to work out their misconfiguration (usually FcrDNS) and then the world is better off because fewer people have to leave their mail servers wide open to receive mail from them. I for one use some very tough and taboo regex filters to blacklist DSL and Cable modems, so I like to have some room for error. In fact, I could probably shut off spamassassin and stop checking with the RBLs and I would still stop about 95% of the spam… so it is nice to keep them retrying just in case one of them happens to just be an ignorant DNS admin.
I do get some joe-jabs from time to time, simply because I have been poisoning spammer databases for about 8 years now and some of them get kind of pissed off about it. That is another tarpit that they don’t realize they are getting into. If my mail server starts receiving automated bounces from a poorly configured mail server, it then sends a single email to each domain’s abuse and postmaster addresses explaining to them that they are replying to forged emails and that they can simply avoid that (at least as it pertains to my domains and any real domains) by checking SPF records. The spammers’ jabs are actually so counter-productive that I have actually helped several hundred small companies and organizations to start publishing SPF because of them. They simply can’t win. :-)
Hi,
I have to admit that I know next to nothing on fixing problems on my computer. The problem I have is when trying to post a comment on a certain blog site, I get the message “The website cannot display HTTP 450 most likely the cause.” It goes on to say this website is under maintenance, the website has a program error.
What you can do is: refresh the page. Still doing it.
Go back to previous page. Nothing.
I can read the blog & there are new comments happening but I can’t post without the above message happening. This has gone on for 2 days. I have posted many times before on this site with no problem. No, my comments are not offensive & I have not been kicked off. Could this be a virus on that blog? Please advise if you have any info to help fix the problem. Easy steps to do?
Thanks
Yet another reason to reply with a 550 instead of a 450: if a person sends a message to an address with a typo (i.e. an invalid domain), they’ll get the bounce immediately if the server is responding with a 550; if the mail server is using a 450 it might take 3-5 days for the bounce to go back to the sender (during which time they think the message was delivered).