Quite some time ago I used to host update.ressukka.net, which was a service for certain Jabber clients that allowed the clients to query the latest released version and offer it to the client without using any other protocol than XMPP. It was a useful service at the time, but over time it became easier to just do the same thing over HTTP (since the download was done through HTTP too).
Over time I've noticed mail coming in to that domain, which is kind of natural since mail harvesters quickly pick up Jabber IDs as e-mail addresses since they use the same format. Recently I received a massive scan for that domain, and since it's not hosted on the server that receives my mail, it gets queued for delivery. This is where things go wrong.
Mails for that domain should never be queued in the first place. I've configured my mail server to accept mails to ressukka.net. Apparently Postfix has historically accepted mails for subdomains automatically, so if you configure mydestination to "localhost", mails are accepted for "invalid.localhost" too. Apparently the devs have noticed this problem and have added an option to control this behaviour. There is an option called parent_domain_matches_subdomains (how logical is that?) that allows you to define which features behave this way.
The fix for me was to change the default setting from:
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
to:
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
By removing the relay_domains setting I was able to limit incoming mails to just the domains that are actually on the server.
Problem solved? Not quite...
I still have ~2500 mails waiting to be delivered to update.ressukka.net (and various other removed hosts). Luckily there are tools out there to remove certain mails from the Postfix queue. By (ab)using the script mentioned in Postfix: The Definitive Guide (download script) I was able to easily clear the offending mails from the queue. The trick was to use a regexp as the mail address for the script.
In any other script I would call this a security problem, but here it's a feature =)
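The queue clean-up described above, as an added example that is neither the book's script nor code from this post: it parses postqueue -p output and returns the queue IDs whose recipients are all at the dead domain, comparing the domain as a literal string instead of a regexp so that lookalike domains and the parent domain are left alone. The sample queue listing, its queue IDs and the function name are constructed for illustration.

```python
import re

# Constructed sample of `postqueue -p` output (not taken from the original post).
SAMPLE_QUEUE = """\
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3F2A1B0C4D     1840 Mon Mar  3 09:12:44  spammer@example.org
(connect to update.ressukka.net[192.0.2.10]:25: Connection timed out)
                                         jabber-user@update.ressukka.net

7C9E5D2A11*    2210 Mon Mar  3 09:13:02  friend@example.com
                                         me@ressukka.net

9B4D6E8F20     1975 Mon Mar  3 09:15:30  bulk@example.net
                                         someone@updateXressukka.net

5A6B7C8D9E     2050 Mon Mar  3 09:16:10  list@example.net
                                         a@update.ressukka.net
                                         friend@example.com

-- 8 Kbytes in 4 Requests.
"""

# First line of an entry: queue ID, optional status flag (* active, ! hold), size.
HEAD = re.compile(r"^([0-9A-Za-z]+)[*!]?\s+\d+\s")

def dead_domain_queue_ids(queue_text, domain):
    """Queue IDs of messages whose recipients are ALL at exactly `domain`."""
    suffix = "@" + domain.lower()
    entries = {}      # queue ID -> list of recipient addresses
    current = None
    for line in queue_text.splitlines():
        head = HEAD.match(line)
        if head:
            current = entries.setdefault(head.group(1), [])
        elif not line.strip():
            current = None                      # blank line ends the entry
        elif current is not None and line[0].isspace() \
                and not line.strip().startswith("("):
            current.append(line.strip().lower())  # indented line = recipient
    # Literal suffix match: no regexp metacharacters, parent domain untouched,
    # and messages that also have a deliverable recipient are kept.
    return [qid for qid, rcpts in entries.items()
            if rcpts and all(r.endswith(suffix) for r in rcpts)]

if __name__ == "__main__":
    print("\n".join(dead_domain_queue_ids(SAMPLE_QUEUE, "update.ressukka.net")))
```

On a live server the input would come from postqueue -p, and the printed IDs can be piped to postsuper -d -, which reads queue IDs from standard input.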