Recent upsurge of spam messages rate

Daniele Nicolodi
Hello,

this is not strictly Postfix related, but I don't know how to get in
contact with a similar crowd of experienced folks. Please direct me to a
more suitable mailing list, if one exists.

In the last two weeks I've seen an upsurge in the rate at which spam
messages are delivered to my domain inboxes. Nothing has changed in my
quite standard configuration, thus I guess that spammers found a way to
circumvent the basic protections I have in place. Did anyone notice
something similar? What are the possible countermeasures?

I use Postfix with this simple configuration:

header_checks = pcre:/etc/postfix/header_checks.pcre
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated
        reject_invalid_hostname
        reject_non_fqdn_hostname
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        reject_unauth_destination
        permit_dnswl_client list.dnswl.org
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client b.barracudacentral.org
        reject_rbl_client dul.dnsbl.sorbs.net
        reject_rhsbl_reverse_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        reject_rhsbl_helo dbl.spamhaus.org
        permit

with header_checks.pcre containing:

/^X-Delivered-To: .*@grinta\.net$/  REJECT Mail forwarding loop detected
/^(Delivered-To: .*@grinta\.net)$/  REPLACE X-$1
/^X-Spam-Status: Yes/  REJECT Looks like spam

and SpamAssassin as an SMTP proxy filter via spampd.

Thanks for any comment.

Best,
Daniele

Re: Recent upsurge of spam messages rate

allenc
I have also noticed an increase of "bad connections" to my server.

Fortunately, very few get past postscreen - I heartily recommend its use.

Allen C

On 28/03/17 22:00, Daniele Nicolodi wrote:

> Hello,
>
> this is not strictly Postfix related, but I don't know how to get in
> contact with a similar crowd of experienced folks. Please direct me to a
> more suitable mailing list, if one exists.
>
> In the last two weeks I've seen an upsurge in the rate at which spam
> messages are delivered to my domain inboxes. Nothing has changed in my
> quite standard configuration, thus I guess that spammers found a way to
> circumvent the basic protections I have in place. Did anyone notice
> something similar? What are the possible countermeasures?
>
> I use Postfix with this simple configuration:
>
> header_checks = pcre:/etc/postfix/header_checks.pcre
> smtpd_helo_required = yes
> smtpd_delay_reject = yes
> disable_vrfy_command = yes
> smtpd_recipient_restrictions =
>         permit_sasl_authenticated
>         reject_invalid_hostname
>         reject_non_fqdn_hostname
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         reject_unknown_sender_domain
>         reject_unknown_recipient_domain
>         permit_mynetworks
>         reject_unauth_destination
>         permit_dnswl_client list.dnswl.org
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client b.barracudacentral.org
>         reject_rbl_client dul.dnsbl.sorbs.net
>         reject_rhsbl_reverse_client dbl.spamhaus.org
>         reject_rhsbl_sender dbl.spamhaus.org
>         reject_rhsbl_helo dbl.spamhaus.org
>         permit
>
> with header_checks.pcre containing:
>
> /^X-Delivered-To: .*@grinta\.net$/  REJECT Mail forwarding loop detected
> /^(Delivered-To: .*@grinta\.net)$/  REPLACE X-$1
> /^X-Spam-Status: Yes/  REJECT Looks like spam
>
> and SpamAssassin as an SMTP proxy filter via spampd.
>
> Thanks for any comment.
>
> Best,
> Daniele
>


Re: Recent upsurge of spam messages rate

allenc
In reply to this post by Daniele Nicolodi
I have a script that does a simple "head-count" over the last 1500
maillog entries.

Just now it showed the following results:

<QUOTE>

Nuisance hosts blocked by firewall:    97

Connections handled by Postscreen:    134
        Black-listed Locally:    10
        Black-listed by DNSBL:    94
        Pre-Greets:        1
        Hang-ups:        78
        No-Queues:        7

Connections passed on to mail server:    21
        Auth Probes:        2
        No-Queues:        1

Messages actually received:        18

Ratio of bad connections is        86 percent

</QUOTE>

Allen C


On 28/03/17 22:00, Daniele Nicolodi wrote:

> Hello,
>
> this is not strictly Postfix related, but I don't know how to get in
> contact with a similar crowd of experienced folks. Please direct me to a
> more suitable mailing list, if one exists.
>
> In the last two weeks I've seen an upsurge in the rate at which spam
> messages are delivered to my domain inboxes. Nothing has changed in my
> quite standard configuration, thus I guess that spammers found a way to
> circumvent the basic protections I have in place. Did anyone notice
> something similar? What are the possible countermeasures?
>
> I use Postfix with this simple configuration:
>
> header_checks = pcre:/etc/postfix/header_checks.pcre
> smtpd_helo_required = yes
> smtpd_delay_reject = yes
> disable_vrfy_command = yes
> smtpd_recipient_restrictions =
>         permit_sasl_authenticated
>         reject_invalid_hostname
>         reject_non_fqdn_hostname
>         reject_non_fqdn_sender
>         reject_non_fqdn_recipient
>         reject_unknown_sender_domain
>         reject_unknown_recipient_domain
>         permit_mynetworks
>         reject_unauth_destination
>         permit_dnswl_client list.dnswl.org
>         reject_rbl_client zen.spamhaus.org
>         reject_rbl_client b.barracudacentral.org
>         reject_rbl_client dul.dnsbl.sorbs.net
>         reject_rhsbl_reverse_client dbl.spamhaus.org
>         reject_rhsbl_sender dbl.spamhaus.org
>         reject_rhsbl_helo dbl.spamhaus.org
>         permit
>
> with header_checks.pcre containing:
>
> /^X-Delivered-To: .*@grinta\.net$/  REJECT Mail forwarding loop detected
> /^(Delivered-To: .*@grinta\.net)$/  REPLACE X-$1
> /^X-Spam-Status: Yes/  REJECT Looks like spam
>
> and SpamAssassin as an SMTP proxy filter via spampd.
>
> Thanks for any comment.
>
> Best,
> Daniele
>
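
A head-count like the one in the message above can be rebuilt from the standard postscreen and smtpd log lines. This is an added example, not Allen's script (which the thread does not show): the category labels, the use of smtpd `client=` lines as "messages received", the bad-connection formula and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter, deque
# (label, pattern) pairs; a log line is counted under the first pattern it matches.
RULES = [(label, re.compile(r"postfix/" + rx)) for label, rx in [
    ("ps_connect",    r"postscreen\[\d+\]: CONNECT from "),
    ("ps_local_deny", r"postscreen\[\d+\]: (?:BLACK|DENY)LISTED "),
    ("ps_dnsbl",      r"postscreen\[\d+\]: DNSBL rank \d+ for "),
    ("ps_pregreet",   r"postscreen\[\d+\]: PREGREET "),
    ("ps_hangup",     r"postscreen\[\d+\]: HANGUP after "),
    ("ps_noqueue",    r"postscreen\[\d+\]: NOQUEUE: reject: "),
    ("smtpd_connect", r"smtpd\[\d+\]: connect from "),
    ("smtpd_noqueue", r"smtpd\[\d+\]: NOQUEUE: reject: "),
    ("received",      r"smtpd\[\d+\]: (?!NOQUEUE)[0-9A-Za-z]+: client="),  # queue ID assigned
]]

# Constructed sample log (documentation addresses), not taken from the thread.
SAMPLE = """\
Mar 29 10:00:01 mx postfix/postscreen[900]: CONNECT from [192.0.2.10]:4001 to [198.51.100.1]:25
Mar 29 10:00:01 mx postfix/postscreen[900]: PREGREET 14 after 0.2 from [192.0.2.10]:4001: EHLO x
Mar 29 10:00:02 mx postfix/postscreen[900]: DNSBL rank 3 for [192.0.2.10]:4001
Mar 29 10:00:02 mx postfix/postscreen[900]: HANGUP after 0.4 from [192.0.2.10]:4001 in tests after SMTP handshake
Mar 29 10:00:05 mx postfix/postscreen[900]: CONNECT from [192.0.2.20]:4002 to [198.51.100.1]:25
Mar 29 10:00:12 mx postfix/postscreen[900]: NOQUEUE: reject: RCPT from [192.0.2.20]:4002: 550 5.7.1 Service unavailable
Mar 29 10:00:20 mx postfix/postscreen[900]: CONNECT from [203.0.113.5]:4003 to [198.51.100.1]:25
Mar 29 10:00:20 mx postfix/postscreen[900]: PASS OLD [203.0.113.5]:4003
Mar 29 10:00:20 mx postfix/smtpd[910]: connect from mail.example.org[203.0.113.5]
Mar 29 10:00:21 mx postfix/smtpd[910]: 3F2A41C0D1: client=mail.example.org[203.0.113.5]
Mar 29 10:00:30 mx postfix/postscreen[900]: CONNECT from [192.0.2.30]:4004 to [198.51.100.1]:25
Mar 29 10:00:30 mx postfix/postscreen[900]: BLACKLISTED [192.0.2.30]:4004
""".splitlines()

def tally(lines, window=1500):
    """Count log events by category over the last `window` lines."""
    counts = Counter()
    for line in deque(lines, maxlen=window):  # keeps only the tail in memory
        for label, pattern in RULES:
            if pattern.search(line):
                counts[label] += 1
                break
    return counts

def bad_percent(counts):
    """Percent of postscreen connections that did not end in an accepted message."""
    total = counts["ps_connect"]
    return 100.0 * (total - counts["received"]) / total if total else 0.0

if __name__ == "__main__":
    c = tally(SAMPLE)
    print(dict(c), "bad: %.0f%%" % bad_percent(c))
```

To run it on a live server, pass an open log file object to `tally()` in place of `SAMPLE`; the log path and any firewall counters depend on the local setup and are not covered here.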
