
I noticed a mail is hanging in the mailq, so my question is whether that is backscatter.

The mail in question:

 Jul  1 10:38:48 a1a postfix/qmgr[30971]: F2C95230470: from=<compromiseh42@ebok.upc.pl>, size=125817, nrcpt=1 (queue active)
 Jul  1 10:38:53 a1a amavis[24301]: (24301-10) Blocked BANNED (.exe,.exe-ms,dokument 0503279005.xml.exe), ORIGINATING LOCAL [197.254.27.150] [219.69.130.6] <compromiseh42@ebok.upc.pl> -> <foerster@domain.com>, quarantine: t/banned-tdxHoTNjn7FG, Message-ID: <7316761242.25598.116038936739@lmxmxtcv.ftirrejnsjg.su>, mail_id: tdxHoTNjn7FG, Hits: -, size: 125817, 4642 ms

Now postfix is trying to connect to ebok.upc.pl and the connection gets refused.

 Jul  1 10:47:14 a1a postfix/smtp[23733]: connect to ebok.upc.pl[81.18.192.65]:25: Connection refused

 Jul  1 10:47:14 a1a postfix/smtp[23733]: 4D1BA2304EF: to=<compromiseh42@ebok.upc.pl>, relay=none, delay=501, delays=501/0.02/0.03/0, dsn=4.4.1, status=deferred (connect to ebok.upc.pl[81.18.192.65]:25: Connection refused)

and it keeps trying to connect.

user345234674567

1 Answer

Yes, that is backscatter. Your antivirus caught the virus (or a simple ban on .exe files), so it sends a bounce saying the email was rejected since it contained a virus (a typical response from an innocent mailserver). The bounce fails as you see, and Postfix will keep trying to deliver it until it times out.

Nathan C
  • Should I ignore it or can I do anything on my side that it doesn't try to deliver the mail again and again? – user345234674567 Jul 01 '14 at 12:46
  • You can dump the postfix queue with `postfix flush`. Use `mailq` to see what's pending first. You can safely ignore it as the mail will eventually time out on its own, but I agree that it can be annoying. – Nathan C Jul 01 '14 at 12:47
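The bounce in the question sits in the deferred queue with the null envelope sender, which `postqueue -p` / `mailq` displays as `MAILER-DAEMON`. The script below is an added example, not code from the original post: it picks out deferred bounce entries from `postqueue -p` output so they can be reviewed and then handed to `postsuper -d -`, which deletes them. The sample queue listing is constructed for the example (the first entry reuses the queue ID and error from the question; the second entry is a made-up ordinary deferred message that must not be selected), and the function name `deferred_bounce_ids` is the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): list the queue IDs of deferred
# bounce messages so they can be deleted with "postsuper -d -".
# Postfix shows the null envelope sender of a bounce/DSN as MAILER-DAEMON in
# "postqueue -p" output and prints the deferral reason in parentheses under
# the entry; those two facts are all the filter relies on.

# Constructed sample of "postqueue -p" output. The first entry mirrors the
# queue ID and error from the question; the second is a normal deferred
# message from a local user that must NOT be selected.
SAMPLE_QUEUE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
4D1BA2304EF     3456 Tue Jul  1 10:38:53  MAILER-DAEMON
    (connect to ebok.upc.pl[81.18.192.65]:25: Connection refused)
                                         compromiseh42@ebok.upc.pl

A1B2C3D4E5F     1234 Tue Jul  1 10:40:00  alice@domain.com
    (connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         bob@example.org

-- 4 Kbytes in 2 Requests.'

# deferred_bounce_ids: read "postqueue -p" output on stdin, print each queue ID
# whose sender is MAILER-DAEMON and which carries a deferral reason line.
deferred_bounce_ids() {
    awk '
        # Entry header: queue ID (optionally followed by "*" = active or
        # "!" = on hold), size, arrival time, sender.
        /^[0-9A-F]+[*!]? +[0-9]+ / {
            id = $1
            sub(/[*!]$/, "", id)
            is_bounce = ($NF == "MAILER-DAEMON")
            next
        }
        # A parenthesised line under an entry is the deferral reason from
        # the last delivery attempt; print the ID once per bounce entry.
        /^[ \t]*\(/ {
            if (is_bounce && !seen[id]++) print id
        }
    '
}

# Dry run against the constructed sample: prints 4D1BA2304EF only.
printf '%s\n' "$SAMPLE_QUEUE" | deferred_bounce_ids

# On a real system, review first, then delete:
#   postqueue -p | deferred_bounce_ids
#   postcat -q 4D1BA2304EF            # inspect the bounce and the quoted original
#   postqueue -p | deferred_bounce_ids | postsuper -d -
```

Two caveats a practitioner would want here. First, `postqueue -f` (what `postfix flush` runs) only asks Postfix to retry delivery of the deferred queue; it does not remove anything, so the bounce will come straight back to deferred. Deleting it is `postsuper -d`. Second, the root cause is that amavis is generating bounces for banned attachments whose envelope sender is almost always forged; setting `$final_banned_destiny = D_DISCARD;` (and `$final_virus_destiny = D_DISCARD;`) in `amavisd.conf` stops the backscatter at the source, and the quarantine copy (`t/banned-tdxHoTNjn7FG` above) is still kept. The amavis log line also says `ORIGINATING LOCAL [197.254.27.150]`, meaning amavis classed the submitting client as local/originating, so it is worth checking with `postcat -q` who actually submitted the original message before treating this as nothing more than inbound spam with a forged sender.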