I have a postfix / amavis / dovecot / vmails via postgresdb stack for an office website.
Sending/receiving emails works fine, but:

The problem (domain name changed):
All the emails in the domain are affected by spam with a modified header.
I put the example header from the message delivered to jo...@abc.com.pl, which is an alias of the real mailbox jo...@abc.pl.
The other emails "used" in the header don't exist.

The question:
Which recipient_rule should I use to block the spam sent like that?
Is there an easy way to detect header manipulation where From is set to my domain mailbox but Return-Path is some strange email?

# actual postfix recipient rules
smtpd_recipient_restrictions =
    reject_unauth_destination,
    reject_invalid_hostname,
    reject_unauth_pipelining,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_non_fqdn_recipient,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rhsbl_client blackhole.securitysage.com,
    reject_rhsbl_sender blackhole.securitysage.com,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client proxies.blackholes.wirehub.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client dnsbl.njabl.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client multihop.dsbl.org,
    permit

It has in the header:
From: jo...@abc.com.pl
Return-Path: perspi...@yahoo.nl <<--- strange different emails there, not only from yahoo.nl

// sample email header
Return-Path: <perspi...@yahoo.nl>
Delivered-To: jo...@abc.pl
Received: from localhost (localhost [127.0.0.1])
    by mail.abc.pl (Postfix) with ESMTP id F0B1BC23F5
    for <jo...@abc.com.pl>; Mon, 4 Mar 2013 14:53:20 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail.beta.abc.pl
Received: from mail.abc.pl ([127.0.0.1])
    by localhost (mail.beta.abc.pl [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id yr5z+PA+MpgL for <jo...@abc.com.pl>;
    Mon, 4 Mar 2013 14:53:20 +0100 (CET)
Received: from host-091-097-103-119.ewe-ip-backbone.de (host-091-097-103-119.ewe-ip-backbone.de [91.97.103.119])
    by mail.abc.pl (Postfix) with ESMTP id 3D862C2038
    for <jo...@abc.com.pl>; Mon, 4 Mar 2013 14:53:11 +0100 (CET)
Received: from [134.101.167.119] (helo=wwwxckwnpivishf.sxcmbdnlrui.va)
    by host-091-097-103-119.ewe-ip-backbone.de with esmtpa (Exim 4.69)
    (envelope-from )
    id 1MMXB8-0615ad-UV
    for jo...@abc.com.pl; Mon, 4 Mar 2013 14:52:23 +0100
Date: Mon, 4 Mar 2013 14:52:23 +0100
From: <jo...@abc.com.pl>,
    <danu...@abc.com.pl>,
    <don...@abc.com.pl>,
    <topeho...@abc.com.pl>,
    <ty...@abc.com.pl>
X-Mailer: The Bat! (v3.0.0.15) Educational
X-Priority: 3 (Normal)
Message-ID: <8568708347.X...@zvaqnzhiad.qyjosnrnjw.tv>
To: <jo...@abc.com.pl>,
    <danu...@abc.com.pl>,
    <don...@abc.com.pl>,
    <topeho...@abc.com.pl>,
    <ty...@abc.com.pl>
Subject: New offer
MIME-Version: 1.0
Content-Type: text/html;
    charset=iso-8859-2
Content-Transfer-Encoding: 7bit
X-EsetId: C4D88C2843B77F37DBDE8C7A4BE7336C
// end of sample email header
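
Added example, not part of the original post: a Python sketch of the check the question asks about, run over a delivered message (where Return-Path is already present). It flags a local From paired with a foreign Return-Path, plus two other traits of the header above. The function names, the LOCAL_DOMAINS set and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: the domains this server accepts mail for (names from the post).
LOCAL_DOMAINS = {"abc.pl", "abc.com.pl"}

def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def header_findings(raw, local_domains=LOCAL_DOMAINS):
    """Return the reasons (possibly none) why a message's From looks forged."""
    msg = message_from_string(raw)
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    to_addrs = [a for _, a in getaddresses(msg.get_all("To", [])) if a]
    env_sender = parseaddr(msg.get("Return-Path", ""))[1]
    local_from = [a for a in from_addrs if domain_of(a) in local_domains]
    findings = []
    # Header From claims a local mailbox, envelope sender is in a foreign domain.
    # An empty envelope sender (a bounce, "<>") is not judged here.
    if local_from and env_sender and domain_of(env_sender) not in local_domains:
        findings.append("local From, foreign Return-Path <%s>" % env_sender)
    # RFC 5322 section 3.6.2: more than one From mailbox requires a Sender header.
    if len(from_addrs) > 1 and "Sender" not in msg:
        findings.append("multiple From mailboxes without Sender")
    # The recipient list copied into From, as in the header shown in the post.
    if len(from_addrs) > 1 and sorted(from_addrs) == sorted(to_addrs):
        findings.append("From list identical to To list")
    return findings

# Constructed samples (addresses are made up; the layout follows the post).
SPOOFED = (
    "Return-Path: <sender@mailer.example>\n"
    "From: <user1@abc.com.pl>, <user2@abc.com.pl>\n"
    "To: <user1@abc.com.pl>, <user2@abc.com.pl>\n"
    "Subject: New offer\n\nbody\n"
)
GENUINE = (
    "Return-Path: <user1@abc.pl>\n"
    "From: <user1@abc.pl>\n"
    "To: <user2@abc.com.pl>\n"
    "Subject: meeting\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, header_findings(raw))
```

Mailing lists and forwarding services legitimately rewrite the envelope sender while leaving From untouched, so a finding is better used as a scoring input than as an outright reject rule.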