How might I stop BACKSCATTER using qmail?

I have a Linux box acting as Virtual Host for domain hosting. It runs CentOS and Parallels Plesk 9.x. Regardless of the following, the SPAM keeps flowing in at 1-3 / second.

An explanation of the problem

The xinetd service listens for SMTP connections and forwards to qmail-smtpd. The qmail service only processes the queue, but does not control messages coming into the queue... that's why stopping it has no effect. If you stop xinetd AND qmail, then kill any open qmail-smtpd processes, all mail flow comes to a stop SOMETIMES.

Problem is, qmail-smtpd is not smart enough to check for valid mailboxes on the localhost before accepting the mail. So, it accepts bad mail with a forged replyto address which gets processed in the queue by qmail. Qmail cannot deliver locally and bounces to the forged replyto address.

We believe the fix is to patch the qmail-smtpd process to give it the intelligence to check for the existence of local mailboxes BEFORE accepting the message. The problem is when we try to compile the chkuser patch we run into failures due to the Plesk Control Panel.

Is anyone aware of something we could do differently or better?

Other things that have NOT worked thus far:

  • Turning off any and all mail processes (to check as an indicator that an individual account has been compromised. This has been verified as NOT the case.)

  • Turning off mail AND http server processes (in the case of a compromised formmail)

  • Running Exim in lieu of qmail (easy/quick install, but xinetd forces exim to close and restarts qmail on its own)

  • Turned on SPF protection via Plesk GUI. Does not help.

  • Turned on Greylisting via Plesk GUI. Does not help.

  • Disabled Bounce notifications via command line

Things which MIGHT work but have complications:

  • Use Postfix instead of qmail (No knowledge of Postfix and don't want to bother with it unless anyone knows it has potential to handle backscatter WELL before investing time)

  • As mentioned above, compiling a chkuser patch, we believe will STOP this problem, along with qmail (because of Plesk in the mix, the compile fails every time and Parallels Plesk support is unresponsive unless I cough up money)

If I don't clear out the SPAM from the outgoing mail queue nightly, then it clogs up with millions of SPAMs and will bring down the OUTGOING email services.


Solution 1:

You can replace the stock qmail-smtpd with qpsmtpd. Then you can use the plugin check_badrcptto to validate recipient address and reject emails if it is not valid.

Solution 2:

Check out this useful patch as well:

http://qmail.jms1.net/patches/validrcptto.cdb.shtml

Uses a cdb file to list valid recipients. Might be a good alternative to using qpsmtpd.

Solution 3:

As a long time qmail admin, I chose to use this 'realrcptto' patch (http://code.dogmap.org./qmail/#realrcptto) because it best integrated with my users' existing dot-qmail files and didn't require any maintenance of other configuration files or databases.

(If only the anti-spam server we now use in front of qmail could do RCPT verification via SMTP... Sigh!)
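
The accept-then-bounce behaviour described in the question, next to the RCPT-time recipient check that the solutions above add, as an added example that is not part of the original posts or of any of the patches. It is a simplified model: the hosted domain, the recipient set (a stand-in for a valid-recipient list such as the cdb file in Solution 2) and the envelopes are all constructed.

```python
# Simplified model, not the code of qmail or of any patch named on this page.
# All domains and addresses below are constructed sample data.

LOCAL_DOMAINS = {"example.com"}      # domains this host accepts mail for
VALID_RCPTS = {"alice@example.com", "bob@example.com"}  # valid-recipient list


def rcpt_reply(rcpt, validate):
    """Return the SMTP reply code given to RCPT TO:<rcpt>."""
    rcpt = rcpt.strip().lower()
    local, sep, domain = rcpt.rpartition("@")
    if not sep or not local or domain not in LOCAL_DOMAINS:
        return 553      # not a hosted domain: refuse to relay
    if validate and rcpt not in VALID_RCPTS:
        return 550      # unknown mailbox: refuse during the SMTP session
    return 250          # accepted into the queue


def process(envelopes, validate):
    """Run (mail_from, rcpt_to) pairs through the server.

    Returns (delivered, bounces). bounces lists the senders this host would
    send a bounce to after accepting mail it cannot deliver locally.
    """
    delivered, bounces = [], []
    for mail_from, rcpt_to in envelopes:
        if rcpt_reply(rcpt_to, validate) != 250:
            continue    # rejected in-session; the connecting client keeps the failure
        if rcpt_to.strip().lower() in VALID_RCPTS:
            delivered.append(rcpt_to)
        elif mail_from:                 # a null sender (<>) gets no bounce
            bounces.append(mail_from)   # backscatter when mail_from is forged
    return delivered, bounces


# Constructed traffic: one real message, then spam with forged senders.
SAMPLE = [
    ("carol@example.org", "alice@example.com"),
    ("victim1@example.net", "sales1234@example.com"),
    ("victim2@example.net", "Info99@Example.com"),
    ("", "nobody@example.com"),
    ("victim3@example.net", "someone@elsewhere.example"),
]

if __name__ == "__main__":
    for validate in (False, True):
        delivered, bounces = process(SAMPLE, validate)
        print(f"validate={validate}: delivered={delivered} bounces_to={bounces}")
```

With validation off, the host queues the spam and then originates bounces to the forged senders; with it on, the same messages are refused before they reach the queue, so the outgoing queue stays empty.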