ISP being blocked by us

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

ISP being blocked by us

Ignacio Garcia-4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there. We use in our postfix servers several programs to prevent spam
(amavisd-new + spamassassin, postgrey, and policyd-weight). We like very
much policyd-weight because it bases its blocking decissions on a score
calculated by the number of blacklists a server is in. We are, however,
puzzled by the fact that we are blocking all incoming email from
terra.es, a division of telefonica, the largest ISP in Spain. Before we
contact terra's postmaster, we are trying to figure out where the
problem is. Although this is a postfix list (and not policyd-weight's),
I humbly ask you all email gurus for help since this is more related to
rbl and dns stuff than policyd-weight malfunctioning. Here's the log:

Jun 25 20:36:24 isp0 postfix/policyd-weight[7542]: weighted check:
NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 IN_UCEPROTECT1=3.25
NOT_IN_BL_NJABL=-1.5 IN_IX_MANITU=4.35 CL_IP_EQ_HELO_IP=-2 (check from:
.terra. - helo: .impaqm2.telefonica. - helo-domain: .telefonica.)
FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1;
<client=213.4.149.62> <helo=impaqm2.telefonica.net>
<from=[hidden email]> <to=[hidden email]>; rate: 13.1
Jun 25 20:36:24 isp0 postfix/policyd-weight[7542]: decided action=550
Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to
correct HELO and DNS MX settings or to get removed from DNSBLs; please
relay via your ISP (terra.es); <client=213.4.149.62>
<helo=impaqm2.telefonica.net> <from=[hidden email]>
<to=[hidden email]>; delay: 1s
Jun 25 20:36:24 isp0 postfix/smtpd[11556]: NOQUEUE: reject: RCPT from
impaqm2.telefonica.net[213.4.149.62]: 550 5.7.1 <[hidden email]>:
Recipient address rejected: Mail appeared to be SPAM or forged. Ask your
Mail/DNS-Administrator to correct HELO and DNS MX settings or to get
removed from DNSBLs; please relay via your ISP (terra.es);
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<IMPaqm2.telefonica.net>

Please know that although terra.es show listed twice in rbl lists, we do
not block them for that particular reason (we block when anyone is
listed 3 times in rbl lists). We are blocking them because of this line:

FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1

we have checked their dns entries and seem normal (I'm no dns expert though)

Any help is much appreciated.

Regards,

Ignacio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpEwVUACgkQoYMx3fsuWupUeQCcCkh2bXy6F0Wkozgh2S0CSl5i
5SUAnAxCHbND8FcVeZV3K9r5tRkly/5A
=8KGC
-----END PGP SIGNATURE-----
Reply | Threaded
Open this post in threaded view
|

Re: ISP being blocked by us

José Luis Tallón
Hi,

Ignacio Garcia wrote:
> Hi there. We use in our postfix servers several programs to prevent spam
> (amavisd-new + spamassassin, postgrey, and policyd-weight). We like very
> much policyd-weight because it bases its blocking decissions on a score
> calculated by the number of blacklists a server is in. We are, however,
> puzzled by the fact that we are blocking all incoming email from
> terra.es, a division of telefonica, the largest ISP in Spain. Before we
> contact terra's postmaster,
Just forget about that... they won't even hear you since they are the
largest (and so, must do everything right -- bullshit)
> we are trying to figure out where the
> problem is. Although this is a postfix list (and not policyd-weight's),
> I humbly ask you all email gurus for help since this is more related to
> rbl and dns stuff than policyd-weight malfunctioning. Here's the log:
Not a mail guru, but the approach below does work
> [snip]
> Please know that although terra.es show listed twice in rbl lists, we do
> not block them for that particular reason (we block when anyone is
> listed 3 times in rbl lists). We are blocking them because of this line:
>
> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1
>
> we have checked their dns entries and seem normal (I'm no dns expert
> though)
What we do (without policyd-weight, however):

Redirect these "problematic domains" to a special restriction class (we
call it from_freemail)
Then, we match the sending server with *any* valid sending server for
that domain.

Something along the lines:
ACCESS (check_sender_access somewhere)
    terra.es   from_telefonica

from_telefonica = check_client_access
hash:$config_directory/access_from_telefonica

/etc/postfix/access_from_telefonica
terra.es      reject_unauth_destination
telefonica.net   reject_unauth_destination

> Any help is much appreciated.
That will do the trick, when placed BEFORE check_policy_service (in the
recipient_restrictions list, in order to have as much info available for
the checks)


Cheers,
Reply | Threaded
Open this post in threaded view
|

Re: ISP being blocked by us

Jan P. Kessler-2
In reply to this post by Ignacio Garcia-4
Ignacio Garcia schrieb:
> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9

The helo_name (IMPaqm2.telefonica.net) did not match the sender_domain
(terra.es) nor the mx (mx.terra.es).

> CLIENT_NOT_MX/A_FROM_DOMAIN=9.1

The client_name (IMPaqm2.telefonica.net) did not match the sender_domain
(terra.es) nor the mx (mx.terra.es).

If you ask me, both tests score by far too high. Afaik it is perfectly
valid that sending and receiving hosts differ and that the sender_domain
is not related to them.


Reply | Threaded
Open this post in threaded view
|

Re: ISP being blocked by us

Jan P. Kessler-2
In reply to this post by José Luis Tallón
José Luis Tallón schrieb:

>
> What we do (without policyd-weight, however):
>
> Redirect these "problematic domains" to a special restriction class (we
> call it from_freemail)
> Then, we match the sending server with *any* valid sending server for
> that domain.
>
> Something along the lines:
> ACCESS (check_sender_access somewhere)
>     terra.es   from_telefonica
>
> from_telefonica = check_client_access
> hash:$config_directory/access_from_telefonica
>
> /etc/postfix/access_from_telefonica
> terra.es      reject_unauth_destination
> telefonica.net   reject_unauth_destination
>  

Is it possible that you meant permit_auth_destination instead of
reject_unauth_destination? Also this requires that you (manually)
determine the valid sending hosts of terra.es which can not be compared
to the things policyd-weight does.


Reply | Threaded
Open this post in threaded view
|

Re: ISP being blocked by us

Jorey Bump
In reply to this post by Ignacio Garcia-4
Ignacio Garcia wrote, at 06/26/2009 08:38 AM:

> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1

Both of these rules are absurd. An MX record is only relevant when
determining the destination for a domain's email. It has *nothing* to do
with relaying to other sites. You should remove these silly checks.

Reply | Threaded
Open this post in threaded view
|

Re: ISP being blocked by us

Ignacio Garcia-4
In reply to this post by José Luis Tallón
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

José Luis Tallón escribió:

> Hi,
>
> Ignacio Garcia wrote:
>> Hi there. We use in our postfix servers several programs to prevent spam
>> (amavisd-new + spamassassin, postgrey, and policyd-weight). We like very
>> much policyd-weight because it bases its blocking decissions on a score
>> calculated by the number of blacklists a server is in. We are, however,
>> puzzled by the fact that we are blocking all incoming email from
>> terra.es, a division of telefonica, the largest ISP in Spain. Before we
>> contact terra's postmaster,
> Just forget about that... they won't even hear you since they are the
> largest (and so, must do everything right -- bullshit)
>> we are trying to figure out where the
>> problem is. Although this is a postfix list (and not policyd-weight's),
>> I humbly ask you all email gurus for help since this is more related to
>> rbl and dns stuff than policyd-weight malfunctioning. Here's the log:
> Not a mail guru, but the approach below does work
>> [snip]
>> Please know that although terra.es show listed twice in rbl lists, we do
>> not block them for that particular reason (we block when anyone is
>> listed 3 times in rbl lists). We are blocking them because of this line:
>>
>> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1
>>
>> we have checked their dns entries and seem normal (I'm no dns expert
>> though)
> What we do (without policyd-weight, however):
>
> Redirect these "problematic domains" to a special restriction class (we
> call it from_freemail)
> Then, we match the sending server with *any* valid sending server for
> that domain.
>
> Something along the lines:
> ACCESS (check_sender_access somewhere)
>     terra.es   from_telefonica
>
> from_telefonica = check_client_access
> hash:$config_directory/access_from_telefonica
>
> /etc/postfix/access_from_telefonica
> terra.es      reject_unauth_destination
> telefonica.net   reject_unauth_destination
>
>> Any help is much appreciated.
> That will do the trick, when placed BEFORE check_policy_service (in the
> recipient_restrictions list, in order to have as much info available for
> the checks)
>
>
> Cheers,
>
Thanks all for your reply.

Ok, terra.es sends through telefonica.net. However, emails coming from
telefonica.net go through policyd-weight without any trouble, so I guess
the second entry in $config_directory/access_from_telefonica
(telefonica.net ...) is not necessary, right?


our smtpd_recipient_restrictions is as follows:

smtpd_recipient_restrictions = reject_unauth_pipelining,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, check_recipient_access
mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_unauth_destination, check_client_access
hash:/etc/postfix/host_whitelist, check_client_access
hash:/etc/postfix/relay_whitelist, check_policy_service
inet:127.0.0.1:12525, check_client_access
regexp:/etc/postfix/check_client_fqdn, check_sender_access
regexp:/etc/postfix/filter_catchall_10024

where heck_policy_service inet:127.0.0.1:12525 is policyd-weight

Therefore, after declaring in main.cf:

from_telefonica = check_client_access
hash:$config_directory/access_from_telefonica

I'd leave it like this:

mtpd_recipient_restrictions = reject_unauth_pipelining,
reject_unknown_recipient_domain, permit_mynetworks,
permit_sasl_authenticated, check_recipient_access
mysql:/etc/postfix/mysql-virtual_recipient.cf,
reject_unauth_destination, check_client_access
hash:/etc/postfix/host_whitelist, check_client_access
hash:/etc/postfix/relay_whitelist, from_telefonica, check_policy_service
inet:127.0.0.1:12525, check_client_access
regexp:/etc/postfix/check_client_fqdn, check_sender_access
regexp:/etc/postfix/filter_catchall_10024

I added from_telefonica right before policyd-weight

Now, I understand that after going to from_telefonica, the rest of the
declarations will be ignored. If that is correct, I'll have to add them
to the file /etc/postfix/access_from_telefonica. In that case, can I add
 several statements for terra.es as in?

terra.es check_client_access regexp:/etc/postfix/check_client_fqdn,
check_sender_access regexp:/etc/postfix/filter_catchall_10024

(all in one line, of course)

Thanks very much in advance

Ignacio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpE2fAACgkQoYMx3fsuWuq0/ACgj8oS0CbU7i2ieFsw0QAfa7VR
3OQAn3ZghzY/tGKyt1EFBulXtUiNDYbe
=TunR
-----END PGP SIGNATURE-----
Reply | Threaded
Open this post in threaded view
|

Re: ISP being blocked by us

Ignacio Garcia-4
In reply to this post by Jorey Bump
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jorey Bump escribió:
> Ignacio Garcia wrote, at 06/26/2009 08:38 AM:
>
>> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1
>
> Both of these rules are absurd. An MX record is only relevant when
> determining the destination for a domain's email. It has *nothing* to do
> with relaying to other sites. You should remove these silly checks.
>
>


yeah. To be honest, I was thinking the same, but since this problem has
appeared only once in 5 years, I guess I was too lazy to get into the
policyd-weight script and modify it to disable those tests. I just
finally did.

Nevertheless, terra.es seems to have some dns problems.
ix.dnsbl.manitu.net confirms it. They should fix their problems as well.

Thanks to everybody

Ignacio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpE7RAACgkQoYMx3fsuWupTMQCfeUSP2VSYaNWa0yICcBZYTRDi
wiEAoM1ki35dGmYSg4W6vG22VDOXZl0C
=YV7u
-----END PGP SIGNATURE-----
Reply | Threaded
Open this post in threaded view
|

Re: ISP being blocked by us

mouss-4
Ignacio Garcia a écrit :
> Jorey Bump escribió:
>> Ignacio Garcia wrote, at 06/26/2009 08:38 AM:
>
>>> FROM/MX_MATCHES_NOT_HELO(DOMAIN)=2.9 CLIENT_NOT_MX/A_FROM_DOMAIN=9.1
>> Both of these rules are absurd. An MX record is only relevant when
>> determining the destination for a domain's email. It has *nothing* to do
>> with relaying to other sites. You should remove these silly checks.
>

or at least, set a decent score. I doubt the default config has these
scores.

also, use dnswl to skip checking whitelisted IPs. see dsnwl.org.

>
>
>
> yeah. To be honest, I was thinking the same, but since this problem has
> appeared only once in 5 years, I guess I was too lazy to get into the
> policyd-weight script and modify it to disable those tests. I just
> finally did.
>
> Nevertheless, terra.es seems to have some dns problems.
> ix.dnsbl.manitu.net confirms it. They should fix their problems as well.
>

how? like many large ISPs, they relay both ham and spam. Blocking
outbound spam is a hard problem.

> Thanks to everybody
>
> Ignacio