Chinese Spam


Chinese Spam

wa6vvv
My server is being hit pretty hard by spam from China.  Every email is from a different IP address.  The only common item is the message id ends in @qq.com.  Is there any way to block those with that ID?

-- Doug


Re: Chinese Spam

pgndev
It ain't pretty, or recommended for the long term, but something like this should slow it down

    /etc/postfix/main.cf
        header_checks = pcre:/etc/postfix/header_checks.pcre

    /etc/postfix/header_checks.pcre
        # pcre: tables match case-insensitively by default; a trailing /i
        # toggles that default off (see pcre_table(5)), so no flag is wanted here.
        IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /
        /@qq\.com/   REJECT
        ENDIF

(check the syntax!)


Re: Chinese Spam

wa6vvv

> On 7 September 2017, at 15:28, pgndev <[hidden email]> wrote:
>
> It ain't pretty, or recommended for the long term, but something like this should slow it down
>
>     /etc/postfix/main.cf
>         header_checks = pcre:/etc/postfix/header_checks.pcre
>
>     /etc/postfix/header_checks.pcre
>         # pcre: tables match case-insensitively by default; a trailing /i
>         # toggles that default off (see pcre_table(5)), so no flag is wanted here.
>         IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /
>         /@qq\.com/   REJECT
>         ENDIF
>
> (check the syntax!)
>

To block on the Message-ID field, shouldn't that be:

IF /(Message-id):/
/@qq\.com/i REJECT
ENDIF

The qq.com only appears in the message-id, never in any of the addresses.

Re: Chinese Spam

pgndev
I missed the "message id" ...

You should be able to match/block any valid header name.

Add it to, or replace, what's in the match -- up to you.  Personally, I've never received a valid email from 'anything' @qq.com.  YMMV.

If you're shutting down a flood, more extreme, blunt instrument measures @ the firewall (e.g. GeoIP blocking) can be put in place.

Re: Chinese Spam

wa6vvv
Thanks.  I went with:

IF /^Message-id:/
/@qq\.com/     Reject
ENDIF

It's not all that pretty, but it works fine.  I have been watching the logs and those messages are now being rejected.  Thanks for all the help.

-- Doug

> On 7 September 2017, at 15:50, pgndev <[hidden email]> wrote:
>
> I missed the "message id" ...
>
> You should be able to match/block any valid header name.
>
> Add it to, or replace, what's in the match -- up to you.  Personally, I've never received a valid email from 'anything' @qq.com.  YMMV.
>
> If you're shutting down a flood, more extreme, blunt instrument measures @ the firewall (e.g. GeoIP blocking) can be put in place.
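
Both tables in this thread (the address-header version suggested first and the Message-ID version Doug settled on) can be exercised without touching a live Postfix. The script below is an added example, not Postfix code and not anything posted in the thread: it re-implements in Python just enough of the pcre_table(5) evaluation rules (first match wins; an IF/ENDIF block is entered only when the IF pattern matches; matching is case-insensitive by default, and a trailing /i toggles that default off rather than on) to show why the address-only table never fires on this kind of spam while the Message-ID table does, and what the /i flag would have cost. The message headers are constructed for the example; the table syntax parsed is only the subset used in the thread.

```python
import re

# Added illustration, NOT Postfix code: a toy evaluator for the subset of
# pcre_table(5) used in this thread ('/pattern/flags ACTION', 'IF /pattern/flags',
# 'ENDIF', '#' comments), mimicking first-match-wins and the Postfix flag defaults.

FLAG_TOGGLES = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
RULE_RE = re.compile(r"/((?:\\.|[^/\\])*)/([A-Za-z]*)\s*(.*)$")


def parse_table(text):
    """Return a rule tree: list of (regex, action or None, nested rules or None)."""
    rules, stack = [], []
    current = rules
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.upper() == "ENDIF":
            current = stack.pop()
            continue
        is_if = line[:2].upper() == "IF" and line[2:3].isspace()
        if is_if:
            line = line[2:].lstrip()
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % raw)
        pattern, flags, action = m.groups()
        opts = re.IGNORECASE | re.DOTALL      # Postfix defaults: i and s are ON
        for f in flags:
            opts ^= FLAG_TOGGLES[f]           # each flag letter TOGGLES its default
        rx = re.compile(pattern, opts)
        if is_if:
            nested = []
            current.append((rx, None, nested))
            stack.append(current)
            current = nested
        else:
            current.append((rx, action.strip(), None))
    if stack:
        raise ValueError("IF without ENDIF")
    return rules


def lookup(rules, header):
    """First-match-wins lookup of one logical header; IF blocks are entered only on a match."""
    for rx, action, nested in rules:
        if not rx.search(header):
            continue
        if nested is None:
            return action
        hit = lookup(nested, header)
        if hit is not None:                   # no nested hit: fall through past ENDIF
            return hit
    return None


def unfold(raw):
    """Split a header block into logical headers; folded continuation lines stay attached."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += "\n" + line
        else:
            headers.append(line)
    return headers


def check_headers(table_text, raw_headers):
    """Return (ACTION, offending header) for the first header that fires a rule, else None."""
    rules = parse_table(table_text)
    for header in unfold(raw_headers):
        action = lookup(rules, header)
        if action is not None:
            return action.split(None, 1)[0].upper(), header   # 'Reject' and 'REJECT' both work
    return None


# Constructed sample messages (not real mail): only the Message-ID carries @qq.com.
SPAM = """From: "Promo Desk" <promo@mailer.example.net>
To: doug@example.org
Subject: Special offer
Message-ID: <20170907152812.4F2A1@qq.com>
Date: Thu, 7 Sep 2017 15:28:12 +0800
"""
HAM = """From: "Alice" <alice@example.com>
To: doug@example.org
Subject: Re: antenna question
Message-ID: <a1b2c3@mail.example.com>
"""

# The thread's first suggestion (address headers only) and the OP's final Message-ID table.
ADDRESS_TABLE = "IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /\n/@qq\\.com/i   REJECT\nENDIF\n"
MSGID_TABLE = "IF /^Message-id:/\n/@qq\\.com/     Reject\nENDIF\n"
# Same rule with /i, which switches the default caseless matching OFF.
MSGID_TABLE_I = "IF /^Message-id:/\n/@qq\\.com/i    REJECT\nENDIF\n"

if __name__ == "__main__":
    shouting = SPAM.replace("@qq.com", "@QQ.COM")
    print(check_headers(ADDRESS_TABLE, SPAM))     # None: qq.com is in no address header
    print(check_headers(MSGID_TABLE, SPAM))       # ('REJECT', 'Message-ID: <...@qq.com>')
    print(check_headers(MSGID_TABLE, HAM))        # None
    print(check_headers(MSGID_TABLE, shouting))   # still REJECT: default match is caseless
    print(check_headers(MSGID_TABLE_I, shouting)) # None: /i made the match case-sensitive
```

On a real system the equivalent check is `postmap -q 'Message-ID: <x@qq.com>' pcre:/etc/postfix/header_checks.pcre`, which prints the action a rule would return (and nothing when no rule fires); run it after each edit and before `postfix reload`. The /i toggle is why the final table with no flag is the safer of the two: with the flag, a message-id written as `@QQ.COM` would slip past.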


Re: Chinese Spam

pgndev
FWIW, I keep a pre-queue instance of milter-regex in place, for just such 'emergencies', as well as longer-term header match/action.

Although it's a bit long in the tooth, and not actively supported, it still works well enough.

It's a clean, easy config & relatively lightweight.

Takes the burden off Postfix for header checking, and disposes of these before any heavy post-queue processing (Amavis, SA, etc).