
Re: Spammer getting through despite RBL use


Peter Berghold

Apr 27, 2015, 11:12:30 AM


On Sun, Apr 26, 2015 at 12:43 PM Robert Schetterer <r...@sys4.de> wrote:

> show the log related to that host, show the whole main.cf


[root@chicweb0 log]# grep oldmule.templefindwindow.com maillog
Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: connect from oldmule.templefindwindow.com[23.89.2.18]
Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: 7DC243FC1CC: client=oldmule.templefindwindow.com[23.89.2.18]
Apr 27 10:58:50 chicweb0 postfix/cleanup[13673]: 7DC243FC1CC: message-id=<Brianna-201504270...@oldmule.templefindwindow.com>
Apr 27 10:58:50 chicweb0 postfix/qmgr[13496]: 7DC243FC1CC: from=<Briann...@oldmule.templefindwindow.com>, size=2828, nrcpt=1 (queue active)
Apr 27 10:58:50 chicweb0 spamd[9564]: spamd: processing message <Brianna-201504270...@oldmule.templefindwindow.com> for filter:488
Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: disconnect from oldmule.templefindwindow.com[23.89.2.18]
Apr 27 10:58:54 chicweb0 spamd[9564]: spamd: result: . 3 - BAYES_50,DNS_FROM_AHBL_RHSBL,T_RP_MATCHES_RCVD scantime=3.8,size=2813,user=filter,uid=488,required_score=5.0,rhost=berghold.net,raddr=127.0.0.1,rport=41292,mid=<Brianna-201504270...@oldmule.templefindwindow.com>,bayes=0.472740,autolearn=no
Apr 27 10:58:54 chicweb0 postfix/pickup[13495]: 963B93FC1D2: uid=488 from=<Briann...@oldmule.templefindwindow.com>
Apr 27 10:58:54 chicweb0 postfix/cleanup[13673]: 963B93FC1D2: message-id=<Brianna-201504270...@oldmule.templefindwindow.com>
Apr 27 10:58:54 chicweb0 postfix/qmgr[13496]: 963B93FC1D2: from=<Briann...@oldmule.templefindwindow.com>, size=3182, nrcpt=1 (queue active)
Apr 27 10:58:54 chicweb0 postfix/cleanup[13599]: A3C523FC1CC: message-id=<Brianna-201504270...@oldmule.templefindwindow.com>
Apr 27 10:58:54 chicweb0 postfix/qmgr[13496]: A3C523FC1CC: from=<Briann...@oldmule.templefindwindow.com>, size=3408, nrcpt=1 (queue active)
Apr 27 10:58:54 chicweb0 clamsmtpd: 106A9B: from=Briann...@oldmule.templefindwindow.com, to=al...@berghold.net, status=CLEAN
 
Output of postconf -n 
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = scan:127.0.0.1:10025
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 30
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = www.sharkrivertech.com,sharkrivertech.com,berghold.net,$myhostname,www.$mydomain, localhost.$mydomain, localhost
myhostname = smtp.berghold.net
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options = no_address_mappings
relay_domains = berghold.net,localhost
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtp_tls_CApath = $smtpd_tls_CAPath
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,    permit_mynetworks,     reject_sender_login_mismatch,    check_sender_access hash:/etc/postfix/access,    reject_invalid_hostname,     reject_non_fqdn_sender,     reject_non_fqdn_recipient,     reject_unknown_sender_domain,     reject_unknown_recipient_domain,     reject_unauth_pipelining,     reject_unauth_destination,     check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,    reject_rbl_client ubl.unsubscore.com,    reject_rbl_client zen.spamhaus.org,    reject_rbl_client dnsbl.dronebl.org,    reject_rbl_client bl.spamcop.net ,    reject_rbl_client dnsbl.sorbs.net,    reject_rbl_client noptr.spamrats.com,    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.pem
smtpd_tls_CApath = /etc/postfix/ssl
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/berghold.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
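To see which of the two gates the message actually passed, here is an added Python script (not from the thread and not Postfix or SpamAssassin code) that pulls the decision points out of the maillog lines posted above. A queue ID with `client=` is only logged once smtpd has accepted the message, so at that moment none of the `reject_rbl_client` lookups matched; after that the only remaining gate was SpamAssassin's score against `required_score`. The regexes cover only the line shapes on this page, and `dnsbl_query_name()` merely builds the DNS name a `reject_rbl_client` lookup resolves, for checking a listing by hand later.

```python
"""Pull the decision points out of the maillog lines posted in the thread:
did smtpd accept the client (so no reject_rbl_client hit), and did
SpamAssassin score it above required_score?

Added example, not from the thread or the Postfix project. The regexes only
cover the line shapes that appear on the page.
"""
import re

# Constructed input: the relevant lines from the maillog posted in the thread.
MAILLOG = """\
Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: connect from oldmule.templefindwindow.com[23.89.2.18]
Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: 7DC243FC1CC: client=oldmule.templefindwindow.com[23.89.2.18]
Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: disconnect from oldmule.templefindwindow.com[23.89.2.18]
Apr 27 10:58:54 chicweb0 spamd[9564]: spamd: result: . 3 - BAYES_50,DNS_FROM_AHBL_RHSBL,T_RP_MATCHES_RCVD scantime=3.8,size=2813,user=filter,uid=488,required_score=5.0,rhost=berghold.net,raddr=127.0.0.1,rport=41292,mid=<Brianna-201504270...@oldmule.templefindwindow.com>,bayes=0.472740,autolearn=no
Apr 27 10:58:54 chicweb0 clamsmtpd: 106A9B: from=Briann...@oldmule.templefindwindow.com, to=al...@berghold.net, status=CLEAN
"""

CLIENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[\d.]+)\]")
SPAMD_RE = re.compile(
    r"spamd: result: (?P<flag>[.Y]) (?P<score>-?\d+) - (?P<tests>\S+) "
    r".*?required_score=(?P<required>[\d.]+)")


def analyse(log_text):
    """Return {'accepted': [...], 'spamd': [...]} from raw syslog lines."""
    accepted, spamd = [], []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            # A queue ID with client= is only logged after smtpd accepted the
            # message, i.e. every reject_rbl_client lookup came back empty.
            accepted.append({"ts": m["ts"], "qid": m["qid"],
                             "ip": m["ip"], "host": m["host"]})
            continue
        m = SPAMD_RE.search(line)
        if m:
            score, required = float(m["score"]), float(m["required"])
            spamd.append({"score": score, "required": required,
                          "tests": m["tests"].split(","),
                          "flagged": m["flag"] == "Y" or score >= required})
    return {"accepted": accepted, "spamd": spamd}


def explain(result):
    """One human-readable line per decision point found by analyse()."""
    lines = []
    for a in result["accepted"]:
        lines.append(f"{a['ts']}: smtpd accepted {a['ip']} ({a['host']}) as "
                     f"{a['qid']}; no RBL rejected it at that moment")
    for s in result["spamd"]:
        state = "flagged" if s["flagged"] else "passed"
        lines.append(f"spamd: score {s['score']} vs required {s['required']}: "
                     f"{state} (tests: {', '.join(s['tests'])})")
    return lines


def dnsbl_query_name(ip, zone):
    """Name a reject_rbl_client lookup resolves: reversed octets under the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    for line in explain(analyse(MAILLOG)):
        print(line)
    print("manual check:", dnsbl_query_name("23.89.2.18", "zen.spamhaus.org"))
```

Run against the posted lines it reports that 23.89.2.18 was accepted as 7DC243FC1CC at 10:58:50 and that SpamAssassin scored the message 3 against a threshold of 5.0, so neither gate stopped it; the DNS name it prints is what you would resolve to confirm whether the address is listed now.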

 

Viktor Dukhovni

Apr 27, 2015, 11:52:39 AM
On Mon, Apr 27, 2015 at 03:12:04PM +0000, Peter Berghold wrote:

> Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: 7DC243FC1CC: client=
> oldmule.templefindwindow.com[23.89.2.18]

When was this address added to any of the RBLs you're using?

> > Output of postconf -n
>
> content_filter = scan:127.0.0.1:10025
> receive_override_options = no_address_mappings

Make sure that receive_override_options is set empty in the port
10025 post-filter SMTP service.

> smtp_tls_security_level = may
> smtp_use_tls = yes

The second of these is obsolete and redundant.

> smtpd_helo_restrictions = reject_unknown_helo_hostname

That's likely to reject more than a negligible amount of legitimate
mail.

> smtpd_recipient_restrictions =
> permit_sasl_authenticated,
> permit_mynetworks,
> reject_sender_login_mismatch,
> check_sender_access hash:/etc/postfix/access,

Move this (and the next 6 lines) *below* reject_unauth_destination.

> reject_invalid_hostname,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_pipelining,
> reject_unauth_destination,

--- here ---

[ That is, move reject_unauth_destination, up above check_sender_access. ]

> check_recipient_access pcre:/etc/postfix/recipient_checks.pcre,

Which recipients match the regular expressions and what is the
action in that case?

> reject_rbl_client ubl.unsubscore.com,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client dnsbl.dronebl.org,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client dnsbl.sorbs.net,
> reject_rbl_client noptr.spamrats.com,
> permit

> smtpd_use_tls = yes

Instead:

smtpd_tls_security_level = may

--
Viktor.
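Why the ordering advice above matters, as an added Python simulation (not Postfix code and not from the thread): Postfix walks a restriction list in order, and the first restriction that answers OK or REJECT decides; DUNNO falls through. If `check_sender_access` sits before `reject_unauth_destination` and the access map contains any OK entry, a sender matching that entry is accepted before Postfix ever asks whether the recipient domain is one it is allowed to relay to. The thread does not show `/etc/postfix/access`, so the map with one OK entry for `partner.example` is an assumption; the domain lists come from the posted main.cf.

```python
"""Simulation of how Postfix walks smtpd_recipient_restrictions, to show why
check_sender_access has to come after reject_unauth_destination.

Added example, not Postfix code. Model: restrictions are tried in order; the
first one that returns OK or REJECT ends evaluation, DUNNO falls through.
The access map contents are an assumption (the thread does not show
/etc/postfix/access); one OK entry is enough to expose the problem.
"""
from dataclasses import dataclass

# Values taken from the posted main.cf; the access map entry is constructed.
MYDESTINATION = {"berghold.net", "sharkrivertech.com",
                 "www.sharkrivertech.com", "localhost"}
RELAY_DOMAINS = {"berghold.net", "localhost"}
MYNETWORKS = {"127.0.0.1"}                  # mynetworks_style = host
ACCESS_MAP = {"partner.example": "OK"}      # hypothetical hash:/etc/postfix/access


@dataclass
class Session:
    client_ip: str
    sasl_authenticated: bool
    sender: str
    recipient: str


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def permit_sasl_authenticated(s):
    return "OK" if s.sasl_authenticated else "DUNNO"


def permit_mynetworks(s):
    return "OK" if s.client_ip in MYNETWORKS else "DUNNO"


def check_sender_access(s):
    # Lookup by sender domain only; real Postfix also tries the full address
    # and parent domains, which does not change the outcome here.
    return ACCESS_MAP.get(domain_of(s.sender), "DUNNO")


def reject_unauth_destination(s):
    # Relaying is only allowed to domains this server is responsible for.
    allowed = MYDESTINATION | RELAY_DOMAINS
    return "DUNNO" if domain_of(s.recipient) in allowed else "REJECT"


def permit(s):
    return "OK"


def evaluate(restrictions, session):
    """Return (verdict, name of the restriction that decided it)."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "OK", "end_of_list"   # Postfix default when the list is exhausted


# Order from the posted main.cf (abbreviated to the restrictions that matter)
ORIGINAL_ORDER = [permit_sasl_authenticated, permit_mynetworks,
                  check_sender_access, reject_unauth_destination, permit]
# Order recommended in the reply: reject_unauth_destination before any access map
FIXED_ORDER = [permit_sasl_authenticated, permit_mynetworks,
               reject_unauth_destination, check_sender_access, permit]

# Constructed sessions. An unauthenticated outside host uses a sender that
# matches the access map to relay mail to a domain this server does not serve.
RELAY_ATTEMPT = Session("203.0.113.7", False,
                        "anyone@partner.example", "victim@example.net")
# The same sender delivering to one of our own domains (must still work).
LOCAL_DELIVERY = Session("203.0.113.7", False,
                         "anyone@partner.example", "alice@berghold.net")

if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, "relay attempt  ->", evaluate(order, RELAY_ATTEMPT))
        print(label, "local delivery ->", evaluate(order, LOCAL_DELIVERY))
```

With the original order the relay attempt is accepted by `check_sender_access` and the message leaves for a domain the server is not responsible for; with the fixed order `reject_unauth_destination` stops it, while delivery to `berghold.net` still falls through to the access map and is accepted. The same reasoning applies to the other `check_*` and `permit_*` entries Viktor asks to move: anything that can answer OK belongs after `reject_unauth_destination`.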

pe...@ixp.jp

Apr 29, 2015, 7:04:11 PM
On Apr/27.15:52:21, Viktor Dukhovni wrote:
> On Mon, Apr 27, 2015 at 03:12:04PM +0000, Peter Berghold wrote:
> > Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: 7DC243FC1CC: client=
> > oldmule.templefindwindow.com[23.89.2.18]

> When was this address added to any of the RBLs you're using?

templefindwindow.com

2015.04.27 3pm (UTC I think.)

Which probably means it was listed just after they got
through to you. This is probably what you are seeing.

P

This happens to match when it was created too:

Domain Name: TEMPLEFINDWINDOW.COM
Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Whois Server: whois.enom.com
Updated Date: 27-apr-2015
Creation Date: 27-apr-2015
Expiration Date: 27-apr-2016
Registrant Name: STEVE HERNANDEZ
Registrant Organization: SHER INDUSTRIES
Registrant Street: 531 E PALMETTO ST
Registrant City: FLORENCE
Registrant State/Province: SC
Registrant Postal Code: 29506
Registrant Country: US
Registrant Phone: +1.2901118888
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: SH...@BIZTRENDSERV.COM
Registry Admin ID:

Viktor Dukhovni

Apr 29, 2015, 7:09:36 PM
On Thu, Apr 30, 2015 at 08:03:42AM +0900, pe...@ixp.jp wrote:

> On Apr/27.15:52:21, Viktor Dukhovni wrote:
> > On Mon, Apr 27, 2015 at 03:12:04PM +0000, Peter Berghold wrote:
> > > Apr 27 10:58:50 chicweb0 postfix/smtpd[13505]: 7DC243FC1CC: client=
> > > oldmule.templefindwindow.com[23.89.2.18]
>
> > When was this address added to any of the RBLs you're using?
>
> templefindwindow.com
>
> 2015.04.27 3pm (UTC I think.)
>
> Which probably means it was listed just after they got
> through to you. This is probably what you are seeing.
>
> P
>
> This happens to match when it was created too:
>
> Domain Name: TEMPLEFINDWINDOW.COM
> Registrar: ENOM, INC.
> Sponsoring Registrar IANA ID: 48
> Whois Server: whois.enom.com
> Updated Date: 27-apr-2015

ENOM and its resellers are responsible for the vast majority of
the spam seen at my mailserver from "freshly minted" domains that
spam on the first day they are created, and are mostly not used
again after that.

--
Viktor.
