Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question


Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Elijah Savage

I am seeing thousands of spam messages beginning on Thursday of last week from the same subnet. I know it is not best practice to fight spam by outright blocking IP addresses, but I am seeing this across multiple domains in different parts of the country. The easy and immediate thought was to just block the subnet, but I do not like utilizing that practice. I think I know the answer but will ask anyway: do you all think there is a high probability of getting false positives from those with incorrect DNS setups in using

reject_non_fqdn_hostname,

And will that parameter stop the traffic from below? Or should I just go ahead and try filtering the email with a SpamAssassin custom rule using the subject line? Across all domains the subject is really close.

Received: from dewqatuse.us (unknown [75.75.227.95])
Received: from grewazum.us (unknown [75.75.227.102])
Received: from hilpoatye.us (unknown [75.75.227.96])
Received: from dewqatuse.us (unknown [75.75.227.95])
Received: from reodocito.us (unknown [75.75.227.103])
Received: from uuvicto.us (unknown [75.75.227.93])
Received: from toqdj.us (unknown [75.75.227.89])
Received: from ioprty.us (unknown [75.75.227.86])
Received: from hompart.us (unknown [75.75.227.73])
Received: from muas.us (unknown [75.75.227.79])


Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Noel Jones-2
On 6/1/2015 11:09 AM, Elijah Savage wrote:

> I am seeing thousands of spam messages beginning on Thursday of last
> week from the same subnet. I know it is not best practice to fight
> spam by outright blocking ip addresses but I am seeing this across
> multiple domains in different parts of the country. The easy and
> immediate thought was just block the subnet but I do not like
> utilizing that practice. I think I know the answer but will ask
> anyway, do you all think there is a high probability to get false
> positives from those with incorrect DNS setups in using
>
>  
>
> reject_non_fqdn_hostname,
>
>  
>
> And will that parameter stop the traffic from below? Or should I
> just go ahead and try filtering the email with a spamassassin custom
> rule using the subject line? Across all domains the subject is
> really close.
>
>  
>
> Received: from dewqatuse.us (unknown [75.75.227.95])
...

The reject_non_fqdn_hostname restriction will not block any of
these.  OTOH, I consider that a moderately safe restriction, so feel
free to try it for other spam.  Use it with warn_if_reject for a
while to see what it would block.

And I don't see anything wrong with blocking a netblock that sends a
high volume of nothing but spam.  Just don't get caught up in
spending too much time on trying to identify spamblocks.

Are you using some DNS blocklists?  Looks as if these are listed by
zen.spamhaus.org and others.



  -- Noel Jones


RE: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Elijah Savage
Thank you for the reply. And apologies to everyone about the borderline
post.

I believe these have been recently added to a DNSBL list, because I am starting
to see this in my log as of about an hour ago, and inbound traffic has
definitely returned to normal levels.

Jun  1 12:46:53 <mail.info> vader2 postfix/smtpd[12319]: NOQUEUE: reject: RCPT from unknown[75.75.227.113]: 554 5.7.1 Service unavailable; Helo command [dutiwesd.us] blocked using black.uribl.com; Blacklisted, see http://lookup.uribl.com/?domain=dutiwesd.us;


Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Wietse Venema
In reply to this post by Elijah Savage
Elijah Savage:
> I am seeing thousands of spam messages beginning on Thursday of last week
> from the same subnet. I know it is not best practice to fight spam by
> outright blocking ip addresses but I am seeing this across multiple domains
> in different parts of the country. The easy and immediate thought was just
> block the subnet but I do not like utilizing that practice. I think I know
> the answer but will ask anyway, do you all think there is a high probability
> to get false positives from those with incorrect DNS setups in using

Sometimes I can block multiple spam campaigns with a single
check_sender_ns_access or check_sender_mx_access rule.

These work against spammers who change sender address domains and
client IP addresses, but who reuse DNS or other infrastructure.

Running this shell command may reveal common elements:

    while read domain
    do
        for type in ns mx a; do dig +noall +answer -t $type $domain; done
    done < file-with-domain-names

As input, use a list of sender domain names or helo domain names
(including parent domains).

        Wietse
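As an added example (not Wietse's code, and not part of the original post), the following Python reads the text that the dig loop above prints and reports NS/MX targets that several of the domains have in common, which are the candidate entries for a check_sender_ns_access or check_sender_mx_access map. The dig output it parses is a constructed sample; the nameserver names in it are made up.

```python
"""Group sender/HELO domains by the DNS infrastructure they share.

Input is the text that the dig loop above prints (dig +noall +answer for
NS, MX and A); output is the NS/MX targets that several domains have in
common, i.e. candidates for a check_sender_ns_access/check_sender_mx_access map.
"""
from collections import defaultdict

# Constructed sample of dig output; the nameserver and mail host names are made up.
SAMPLE_DIG_OUTPUT = """\
dewqatuse.us.      300   IN  NS  ns1.bulkdns-example.net.
dewqatuse.us.      300   IN  NS  ns2.bulkdns-example.net.
dewqatuse.us.      300   IN  MX  10 mx.dewqatuse.us.
dewqatuse.us.      300   IN  A   75.75.227.95
grewazum.us.       300   IN  NS  ns1.bulkdns-example.net.
grewazum.us.       300   IN  NS  ns2.bulkdns-example.net.
grewazum.us.       300   IN  MX  10 mx.grewazum.us.
grewazum.us.       300   IN  A   75.75.227.102
legit-example.org. 3600  IN  NS  ns.legit-example.org.
"""

def parse_dig(text):
    """Return (domain, rrtype, target) tuples from dig +noall +answer output."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # blank line or something that is not a resource record
        name, rrtype = fields[0].rstrip(".").lower(), fields[3]
        target = fields[-1].rstrip(".").lower()  # MX rdata is "<pref> <host>"
        records.append((name, rrtype, target))
    return records

def shared_infrastructure(records, min_domains=2):
    """Map (rrtype, target) -> sorted domains for NS/MX targets used by >= min_domains."""
    users = defaultdict(set)
    for name, rrtype, target in records:
        if rrtype in ("NS", "MX"):
            users[(rrtype, target)].add(name)
    return {key: sorted(doms) for key, doms in users.items() if len(doms) >= min_domains}

def access_map_lines(shared):
    """Render shared targets as access-map entries, each preceded by a comment line."""
    lines = []
    for (rrtype, target), domains in sorted(shared.items()):
        lines.append(f"# {rrtype} shared by {', '.join(domains)}")
        lines.append(f"{target}\tREJECT")
    return lines
```

Postfix also matches the parent domains of a nameserver or MX host, so an entry for the hoster's domain rather than the individual host is often the better choice once the pattern is confirmed.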

Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Rich Wales
In reply to this post by Noel Jones-2

> The reject_non_fqdn_hostname restriction will not block any of these.

How about reject_unknown_reverse_client_hostname instead?  This one is
supposed to reject clients with no IP-address-to-name mapping.

Rich Wales
[hidden email]

Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Noel Jones-2
On 6/1/2015 1:28 PM, Rich Wales wrote:
>
>> The reject_non_fqdn_hostname restriction will not block any of these.
>
> How about reject_unknown_reverse_client_hostname instead?  This one is
> supposed to reject clients with no IP-address-to-name mapping.
>
> Rich Wales
> [hidden email]
>


Yes, reject_unknown_reverse_client_hostname will block these, and is
(mostly) safe as many big mail providers refuse service to clients
with no rDNS.



  -- Noel Jones
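As an added illustration (not from the thread), this Python parses Received: lines of the form shown in the original post and tallies, per /24, how many clients Postfix logged as "unknown", meaning no reverse mapping, which is the condition reject_unknown_reverse_client_hostname acts on. The header sample is constructed from the post plus one made-up client with working rDNS.

```python
"""Triage Postfix-style Received: headers like the ones in the original post.

Postfix writes "from <helo> (<reverse-name> [<ip>])" and puts "unknown" in the
reverse-name slot when the client IP has no PTR record, which is exactly the
condition reject_unknown_reverse_client_hostname rejects on.
"""
import re
from collections import Counter
from ipaddress import ip_network

RECEIVED = re.compile(r"^Received: from (\S+) \((\S+) \[([0-9.]+)\]\)")

# Constructed sample: four lines taken from the post plus one made-up client
# with working reverse DNS for contrast.
SAMPLE_HEADERS = """\
Received: from dewqatuse.us (unknown [75.75.227.95])
Received: from grewazum.us (unknown [75.75.227.102])
Received: from hilpoatye.us (unknown [75.75.227.96])
Received: from reodocito.us (unknown [75.75.227.103])
Received: from mail.example.net (mail.example.net [192.0.2.10])
"""

def parse_received(text):
    """Return (helo, reverse_name, ip) for each Received: line that parses."""
    return [m.groups() for m in map(RECEIVED.match, text.splitlines()) if m]

def triage(entries):
    """Count clients per /24 and, separately, those logged without reverse DNS."""
    per_net, no_rdns = Counter(), Counter()
    for _helo, reverse_name, ip in entries:
        net = str(ip_network(f"{ip}/24", strict=False))
        per_net[net] += 1
        if reverse_name == "unknown":
            no_rdns[net] += 1
    return per_net, no_rdns

def all_unknown_networks(per_net, no_rdns, min_clients=3):
    """Networks with at least min_clients seen, none of which had a PTR record."""
    return sorted(net for net, n in per_net.items()
                  if n >= min_clients and no_rdns[net] == n)
```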

RE: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Elijah Savage
Again thanks for all the great recommendations, I now have a few ways of trying to combat this if my plan doesn't work.

I have utilized my spam filtering agent combined with a no-rDNS rule and increased the score of that rule.

If this along with DNSRBL doesn't work then I will give some of the others a try.


Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Steve Jenkins-2
On Mon, Jun 1, 2015 at 12:58 PM, Elijah Savage <[hidden email]> wrote:
> Again thanks for all the great recommendations, I now have a few ways of trying to combat this if my plan doesn't work.
>
> I have utilized my spam filtering agent combined with a no-rDNS rule and increased the score of that rule.
>
> If this along with DNSRBL doesn't work then I will give some of the others a try.

 This is expanding a bit on Elijah's OP, but here are my current restrictions that I've been running for a while:

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        permit_dnswl_client list.dnswl.org=127.0.[2..14].[2..3],
        reject_invalid_helo_hostname,
        warn_if_reject reject_unknown_helo_hostname,
        warn_if_reject reject_non_fqdn_helo_hostname,
        reject_unknown_reverse_client_hostname,
        check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
        check_helo_access hash:/etc/postfix/helo_access,
        check_sender_access hash:/etc/postfix/sender_access,
        reject_rbl_client zen.spamhaus.org,
        reject_rhsbl_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rhsbl_helo dbl.spamhaus.org,
        permit

smtpd_relay_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination

Sanity checks welcome. :)

SteveJ

Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

furio ercolessi
On Mon, Jun 01, 2015 at 06:08:40PM -0700, Steve Jenkins wrote:

>
>  This is expanding a bit on Elijah's OP, but here are my current
> restrictions that I've been running for a while:
>
> smtpd_recipient_restrictions =
> [...]
>         reject_rbl_client zen.spamhaus.org,
>         reject_rhsbl_client dbl.spamhaus.org,
>         reject_rhsbl_sender dbl.spamhaus.org,
>         reject_rhsbl_helo dbl.spamhaus.org,
> [...]
> Sanity checks welcome. :)

Their recommended setting is

         reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
         reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
         reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]

Return codes above 127.0.1.100 are the "abused legit" codes,
referring to good domains that were hacked by spammers,
typically to host bad contents on the web site.
So you apply the whole of DBL on content scanning, but limit
yourself to the real bad domains on the SMTP checks,
otherwise you increase the risk of false positives with
probably little benefit.

Also, it is always a good idea to include a range check
for the return code, so also zen.spamhaus.org=127.0.0.[2..255]
won't hurt.

furio


connection outlook to postfix

emmanuel

I try to connect my Outlook with my Postfix server and I got these errors:

Jun  2 12:14:00 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
Jun  2 12:14:01 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=1
Jun  2 12:14:02 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
Jun  2 12:14:03 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=1
Jun  2 12:14:03 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
Jun  2 12:14:04 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=1
Jun  2 12:14:04 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
Jun  2 12:14:04 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=0

I need help to solve it.


Re: connection outlook to postfix

Koko Wijatmoko
courier-imapd ???
this is the postfix mailing list...

On Tue, 02 Jun 2015 10:15:24 +0000
emmanuel <[hidden email]> wrote:

> I try to connect my Outlook with my Postfix server and I got these errors:
>
> Jun  2 12:14:00 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
> Jun  2 12:14:01 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=1
> Jun  2 12:14:02 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
> Jun  2 12:14:03 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=1
> Jun  2 12:14:03 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
> Jun  2 12:14:04 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=1
> Jun  2 12:14:04 ns204035 courier-imapd: Connection, ip=[::ffff:x.x.x.x]
> Jun  2 12:14:04 ns204035 courier-imapd: Disconnected, ip=[::ffff:x.x.x.x], time=0
>
> I need help to solve it.

Re: Anyone else seeing an increase in spam? -- Sort of off topic but there is a postfix question

Steve Jenkins-2
In reply to this post by furio ercolessi
On Tue, Jun 2, 2015 at 2:33 AM, furio ercolessi <[hidden email]> wrote:

> Their recommended setting is
>
>          reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
>          reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
>          reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99]
>
> Return codes above 127.0.1.100 are the "abused legit" codes,
> referring to good domains that were hacked by spammers,
> typically to host bad contents on the web site.
> So you apply the whole of DBL on content scanning, but limit
> yourself to the real bad domains on the SMTP checks,
> otherwise you increase the risk of false positives with
> probably little benefit.
>
> Also, it is always a good idea to include a range check
> for the return code, so also zen.spamhaus.org=127.0.0.[2..255]
> won't hurt.

Thanks. So:

        reject_rbl_client zen.spamhaus.org=127.0.0.[2..255],
        reject_rhsbl_client dbl.spamhaus.org=127.0.1.[2..99],
        reject_rhsbl_sender dbl.spamhaus.org=127.0.1.[2..99],
        reject_rhsbl_helo dbl.spamhaus.org=127.0.1.[2..99],

Better?

SteveJ