Regular expression with fighting against spam


Regular expression with fighting against spam

Jaroslaw Grzabel
Hi.

As I'm new to this group I would like to welcome everyone.

I've noticed that in my SMTP filtering server a lot of spam tries to get
through. I want to block it, but the problem is that all these emails start
with | (pipe). How do I block it then?

I've tried to add /^From: |(*)/ REJECT in the access file but it doesn't work.

Can somebody shed some light on how to block it?

Thank you very much.

Regards,
Jarek

Re: Regular expression with fighting against spam

Terry Carmen

> Hi.
>
> As I'm new to this group I would like to welcome everyone.
>
> I've noticed that in my SMTP filtering server a lot of spam tries to get
> through. I want to block it, but the problem is that all these emails start
> with | (pipe). How do I block it then?
>
> I've tried to add /^From: |(*)/ REJECT in the access file but it doesn't work.

> Can somebody shed some light on how to block it?

Post some log entries showing the unwanted mail entering your system.

Terry





Re: Regular expression with fighting against spam

Michael Tokarev
In reply to this post by Jaroslaw Grzabel
Jaroslaw Grzabel wrote:
> Hi.
>
> As I'm new to this group I would like to welcome everyone.
>
> I've noticed that in my SMTP filtering server a lot of spam tries to get
> through. I want to block it, but the problem is that all these emails start
> with | (pipe). How do I block it then?

Please provide an example.  The actual header, if it's really a header.

> I've tried to add /^From: |(*)/ REJECT in the access file but it doesn't work.

Several points.

  - for regex-like tables (regex and pcre), the vertical bar (|) char
    has special meaning.
  - the sequence (*) is meaningless in a regex context (and probably in
    pcre too)

For the above two, please read some regex examples/tutorials/manuals.

  - what's an "access table"?  To match headers it has to be added to
    header_checks.  Please show where exactly you placed it.

And please actually read this mailing list welcome message.

/mjt

Re: Regular expression with fighting against spam

Jaroslaw Grzabel
In reply to this post by Terry Carmen
Hi Terry,

Thank you for your reply.

It's not the full log, just grepped by pattern, and it's just one
example:

Jun 19 02:32:47 smtp66 gld: Greylist activated for
recipient=<|[hidden email]> sender=<|[hidden email]>
ip=<201.62.213.153>
Jun 19 02:32:47 smtp66 postfix/smtpd[5721]: NOQUEUE: reject: RCPT from
bca201062213153.res-com.wayinternet.com.br[201.62.213.153]: 450 4.7.1
<|[hidden email]>: Recipient address rejected: Greylisting in
action, please try later ; from=<|[hidden email]>
to=<|[hidden email]> proto=ESMTP
helo=<bca201062213153.res-com.wayinternet.com.br>
Jun 19 03:12:35 smtp66 postfix/smtpd[13327]: NOQUEUE: reject: RCPT from
unknown[222.114.87.100]: 450 4.7.1 Client host rejected: cannot find
your reverse hostname, [222.114.87.100];
from=<|[hidden email]> to=<|[hidden email]>
proto=ESMTP helo=<[222.114.87.100]>
Jun 19 04:32:44 smtp66 gld: Greylist activated for
recipient=<|[hidden email]> sender=<|[hidden email]>
ip=<201.82.219.32>
Jun 19 04:32:44 smtp66 postfix/smtpd[27760]: NOQUEUE: reject: RCPT from
unknown[201.82.219.32]: 450 4.7.1 <|[hidden email]>: Recipient
address rejected: Greylisting in action, please try later ;
from=<|[hidden email]> to=<|[hidden email]>
proto=ESMTP helo=<c952db20.virtua.com.br>
Jun 19 04:53:51 smtp66 postfix/smtpd[6009]: NOQUEUE: reject: RCPT from
unknown[116.39.15.133]: 450 4.7.1 Client host rejected: cannot find your
reverse hostname, [116.39.15.133]; from=<|[hidden email]>
to=<|[hidden email]> proto=ESMTP helo=<[116.39.15.133]>
Jun 19 05:35:19 smtp66 postfix/smtpd[17787]: NOQUEUE: reject: RCPT from
unknown[60.243.38.239]: 450 4.7.1 Client host rejected: cannot find your
reverse hostname, [60.243.38.239]; from=<|[hidden email]>
to=<|[hidden email]> proto=ESMTP helo=<[60.243.38.239]>
Jun 19 06:09:04 smtp66 postfix/smtpd[22006]: NOQUEUE: reject: RCPT from
unknown[220.70.211.81]: 450 4.7.1 Client host rejected: cannot find your
reverse hostname, [220.70.211.81]; from=<|[hidden email]>
to=<|[hidden email]> proto=ESMTP helo=<[220.70.211.81]>
Jun 19 08:22:19 smtp66 gld: Greylist activated for
recipient=<|[hidden email]> sender=<|[hidden email]>
ip=<88.245.200.195>
Jun 19 08:22:19 smtp66 postfix/smtpd[15376]: NOQUEUE: reject: RCPT from
unknown[88.245.200.195]: 450 4.7.1 <|[hidden email]>:
Recipient address rejected: Greylisting in action, please try later ;
from=<|[hidden email]> to=<|[hidden email]>
proto=ESMTP helo=<dsl88.245-51143.ttnet.net.tr>
Jun 19 11:17:25 smtp66 gld: Greylist activated for
recipient=<|[hidden email]> sender=<|[hidden email]>
ip=<77.114.152.106>
Jun 19 11:17:25 smtp66 postfix/smtpd[7566]: NOQUEUE: reject: RCPT from
apn-77-114-152-106.dynamic.gprs.plus.pl[77.114.152.106]: 450 4.7.1
<|[hidden email]>: Recipient address rejected: Greylisting in
action, please try later ; from=<|[hidden email]>
to=<|[hidden email]> proto=ESMTP
helo=<apn-77-114-152-106.dynamic.gprs.plus.pl>
Jun 19 12:14:48 smtp66 gld: Greylist activated for
recipient=<|[hidden email]> sender=<|[hidden email]>
ip=<122.161.10.253>
Jun 19 12:14:48 smtp66 postfix/smtpd[17821]: NOQUEUE: reject: RCPT from
unknown[122.161.10.253]: 450 4.7.1 <|[hidden email]>:
Recipient address rejected: Greylisting in action, please try later ;
from=<|[hidden email]> to=<|[hidden email]>
proto=ESMTP helo=<ABTS-North-Dynamic-253.10.161.122.airtelbroadband.in>
Jun 19 13:33:47 smtp66 gld: Greylist activated for
recipient=<|[hidden email]> sender=<|[hidden email]>
ip=<189.73.88.106>
Jun 19 13:33:47 smtp66 postfix/smtpd[27887]: NOQUEUE: reject: RCPT from
unknown[189.73.88.106]: 450 4.7.1 <|[hidden email]>: Recipient
address rejected: Greylisting in action, please try later ;
from=<|[hidden email]> to=<|[hidden email]>
proto=ESMTP helo=<189-73-88-106.e.ccoce700.brasiltelecom.net.br>
Jun 19 14:07:41 smtp66 gld: Greylist activated for
recipient=<|[hidden email]> sender=<|[hidden email]>
ip=<62.177.85.63>
Jun 19 14:07:41 smtp66 postfix/smtpd[32219]: NOQUEUE: reject: RCPT from
ost1-v-4-63.static.adsl.vol.cz[62.177.85.63]: 450 4.7.1
<|[hidden email]>: Recipient address rejected: Greylisting in
action, please try later ; from=<|[hidden email]>
to=<|[hidden email]> proto=ESMTP
helo=<ost1-v-4-63.static.adsl.vol.cz>
Jun 19 14:14:45 smtp66 postfix/cleanup[8046]: CEC657112BF2: hold: header
Received: from ost1-v-4-63.static.adsl.vol.cz
(ost1-v-4-63.static.adsl.vol.cz [62.177.85.63])??by
smtp66.swiftinter.net (Postfix) with ESMTP id CEC657112BF2??for
<|[hidden email]>; Fri, 19  from
ost1-v-4-63.static.adsl.vol.cz[62.177.85.63];
from=<|[hidden email]> to=<|[hidden email]>
proto=ESMTP helo=<ost1-v-4-63.static.adsl.vol.cz>
Jun 19 14:14:53 smtp66 MailScanner[32171]: Message CEC657112BF2.A431C
from 0.0.0.0 (|[hidden email]) to domain_name.com is spam,
SpamAssassin (not cached, score=12.905, required 3, BAYES_99 3.50,
HELO_DYNAMIC_HCC 4.29, HTML_MESSAGE 0.00, MIME_HTML_ONLY 1.46,
RCVD_IN_SORBS_WEB 0.62, RCVD_IN_XBL 3.03)
Jun 19 14:14:54 smtp66 MailScanner[32171]: Non-delivery of spam: message
CEC657112BF2.A431C from |[hidden email] to
|[hidden email] with subject Contact us to confirm order

Of course domain_name.com is a domain name that is allowed to relay on this server.

I want to stop everything that starts with a pipe "|".

Regards,
Jarek



Re: Regular expression with fighting against spam

Michael Tokarev
Jaroslaw Grzabel wrote:
> Hi Terry,
>
> Thank you for your reply.
>
> It's not the full log, just grepped by pattern, and it's just one
> example:
>
[]
> ost1-v-4-63.static.adsl.vol.cz[62.177.85.63];
> from=<|[hidden email]> to=<|[hidden email]>
> proto=ESMTP helo=<ost1-v-4-63.static.adsl.vol.cz>

Stop accepting mail for unknown recipients in your domains.

> Jun 19 14:14:53 smtp66 MailScanner[32171]: Message CEC657112BF2.A431C

You won't get much sympathy and support for MailScanner.
It's officially unsupported on this list.

[]
> I want to stop everything that starts with a pipe "|".

No, you want to stop accepting mail to every recipient
in your domains first.

/mjt

Re: Regular expression with fighting against spam

Terry Carmen
In reply to this post by Jaroslaw Grzabel
> Received: from ost1-v-4-63.static.adsl.vol.cz
> (ost1-v-4-63.static.adsl.vol.cz [62.177.85.63])??by
> smtp66.swiftinter.net (Postfix) with ESMTP id CEC657112BF2??for
> <|[hidden email]>; Fri, 19  from
> ost1-v-4-63.static.adsl.vol.cz[62.177.85.63];
> from=<|[hidden email]> to=<|[hidden email]>
> proto=ESMTP helo=<ost1-v-4-63.static.adsl.vol.cz>


> Of course domain_name.com is a domain name that is allowed to relay on this server.
>
> I want to stop everything that starts with a pipe "|".

Unless you have a user named "|arl.bird", all you need to do is stop accepting
mail for users that don't exist.

http://www.postfix.org/LOCAL_RECIPIENT_README.html

Terry




Re: Regular expression with fighting against spam

Michael Tokarev
In reply to this post by Michael Tokarev
Jaroslaw, if you want help, please reply to the list,
not to me personally.

Jaroslaw Grzabel wrote:
> Michael Tokarev wrote:
>> Stop accepting mail for unknown recipients in your domains.
> I will change my question then. How can I reject messages for unknown
> recipients when all recipients are on a remote server, not on my local
> server? I'm only relaying messages.

There are many ways to do this.  You may ask for the
actual list of addresses in the domains you're relaying for,
you may use something like ldap to query/propagate that list,
and as a last resort you can use reject_unverified_recipient.

/mjt

Re: Regular expression with fighting against spam

Jaroslaw Grzabel
Michael Tokarev wrote:
> Jaroslaw, if you want help, please reply to the list,
> not to me personally.
OK, sorry for that. I've just replied to all.
> There are many ways to do this.  You may ask for the
> actual list of addresses in the domains you're relaying for,
> you may use something like ldap to query/propagate that list,
> and as a last resort you can use reject_unverified_recipient.
Not in times when ISPs are obliged to run smart hosts for their
customers and also relay mail for all hosting customers, in times
when mobile operators give you the possibility to connect from any place
in the world, with a different IP address each time you connect.
How do you imagine creating 45k users with 10-15k domains? It's faster
to create access lists/maps and filter everything, creating something
like an open relay server but with strict ACLs. To defend it, I'm simply
asking for one rule which will exclude the pipe from the address.
Anyway, you have no other choice with a solution such as a smart host.

>
> /mjt

Regards,
Jarek

Re: Regular expression with fighting against spam

Wietse Venema
Jaroslaw Grzabel:
> How do you imagine creating 45k users with 10-15k domains? It's faster
> to create access lists/maps and filter everything, creating something
> like an open relay server but with strict ACLs. To defend it, I'm simply
> asking for one rule which will exclude the pipe from the address.
> Anyway, you have no other choice with a solution such as a smart host.

reject_unverified_recipient automatically builds that access map for you.

        Wietse

Re: Regular expression with fighting against spam

Jaroslaw Grzabel
Wietse Venema wrote:
> reject_unverified_recipient automatically builds that access map for you.
>
> Wietse
>  
I think that's exactly what I needed!

Thank you so much!

Regards,
Jarek

Re: Regular expression with fighting against spam

Jorey Bump
In reply to this post by Jaroslaw Grzabel
Jaroslaw Grzabel wrote, at 06/19/2009 10:44 AM:

> Not in times when ISPs are obliged to run smart hosts for their
> customers and also relay mail for all hosting customers, in times
> when mobile operators give you the possibility to connect from any place
> in the world, with a different IP address each time you connect.

For relaying, SMTP AUTH on port 587 solves this problem entirely.

> How do you imagine creating 45k users with 10-15k domains? It's faster
> to create access lists/maps and filter everything, creating something
> like an open relay server but with strict ACLs.

If your server is an MX for a domain, it MUST NOT accept mail for
invalid recipients. Doing so creates backscatter and potentially creates
problems for all other domains on the Internet.

> To defend it, I'm simply
> asking for one rule which will exclude the pipe from the address.

To be fair, your original question reveals that you are somewhat
unfamiliar with basic concepts of email administration, and that is why
no one is eager to help you shoot yourself in the foot, especially if it
means the bullet may ricochet off the floor and hit us.

That said, you must escape the pipe:

 /^\|/ REJECT

And you must also apply this rule to the envelope sender, not the From:
header. See the Postfix docs for more information.

But it's a moot point. You are fixing the wrong problem.

> Anyway, you have no other choice with a solution such as a smart host.

You are mistaken. Please do more research and fix your configuration
according to best practices.
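As an added illustration (not code from the thread or from Postfix itself), here is a small Python emulation of a Postfix regexp: sender access table, first match wins and case-insensitive by default, run over constructed envelope sender addresses. It shows that the rule from the original question does not even compile, that an unescaped pipe matches every sender, and that only the escaped /^\|/ rejects just the addresses starting with a pipe. The table parser covers only the '/pattern/ ACTION' subset of the real format, and the sample addresses are constructed.

```python
import re

# Constructed envelope sender addresses, modelled on the log lines in the
# thread (the real local parts were hidden in the archive).
SAMPLE_SENDERS = [
    "|arl.bird@domain_name.com",   # starts with a pipe: the spam pattern
    "jarek@domain_name.com",       # a legitimate sender
    "Postmaster@domain_name.com",  # another legitimate sender, mixed case
]

# The rule from the original question: the unescaped '|' is alternation
# and '(*)' is not a valid regex, so the table cannot be compiled at all.
BROKEN_TABLE = "/^From: |(*)/ REJECT\n"

# An unescaped pipe on its own: '^|' means "start of string OR empty",
# which matches every key, so this table would reject all mail.
UNESCAPED_TABLE = "/^|/ REJECT\n"

# The corrected rule from the thread: the pipe escaped so it is literal.
ESCAPED_TABLE = "/^\\|/ REJECT\n"


def parse_regexp_table(text):
    """Parse the '/pattern/ ACTION' subset of a Postfix regexp: table.

    Postfix regexp tables match case-insensitively unless told otherwise,
    so IGNORECASE is applied. A pattern that fails to compile raises
    ValueError instead of being skipped, which is what a broken rule
    looks like to the administrator.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.*)/\s+(\S+)", line)
        if m is None:
            raise ValueError(f"line {lineno}: not a '/pattern/ ACTION' rule")
        pattern, action = m.groups()
        try:
            rules.append((re.compile(pattern, re.IGNORECASE), action))
        except re.error as exc:
            raise ValueError(f"line {lineno}: bad regex {pattern!r}: {exc}") from exc
    return rules


def lookup(rules, key):
    """First matching rule wins, as in Postfix lookup tables; None = no match."""
    for regex, action in rules:
        if regex.search(key):
            return action
    return None


def table_compiles(text):
    """True if every rule in the table is a valid regex."""
    try:
        parse_regexp_table(text)
        return True
    except ValueError:
        return False


def classify(table_text, senders=SAMPLE_SENDERS):
    """Map each envelope sender to the action the table returns for it."""
    rules = parse_regexp_table(table_text)
    return {s: lookup(rules, s) for s in senders}


if __name__ == "__main__":
    print("original rule compiles:", table_compiles(BROKEN_TABLE))
    print("unescaped pipe:", classify(UNESCAPED_TABLE))
    print("escaped pipe:  ", classify(ESCAPED_TABLE))
```

The keys handed to such a table by check_sender_access are envelope sender addresses, which is why the rule belongs there rather than in a From: header check.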



Re: Regular expression with fighting against spam

Gaby vanhegan
In reply to this post by Wietse Venema

On 19 Jun 2009, at 16:03, Wietse Venema wrote:

> Jaroslaw Grzabel:
>> How do you imagine creating 45k users with 10-15k domains? It's
>> faster to create access lists/maps and filter everything, creating
>> something like an open relay server but with strict ACLs. To defend
>> it, I'm simply asking for one rule which will exclude the pipe from
>> the address. Anyway, you have no other choice with a solution such
>> as a smart host.
>
> reject_unverified_recipient automatically builds that access map for
> you.


Would it be considered "safe" to use this in a default
smtpd_recipient_restrictions?  There are no caveats to this one
other than a possible delay in sending probes from the verify daemon?

G.

--
Being drunk is feeling sophisticated without being able to say it.
http://www.playr.co.uk/



Re: Regular expression with fighting against spam

Wietse Venema
Gaby Vanhegan:

>
> On 19 Jun 2009, at 16:03, Wietse Venema wrote:
>
> > Jaroslaw Grzabel:
> >> How do you imagine creating 45k users with 10-15k domains? It's
> >> faster to create access lists/maps and filter everything, creating
> >> something like an open relay server but with strict ACLs. To defend
> >> it, I'm simply asking for one rule which will exclude the pipe from
> >> the address. Anyway, you have no other choice with a solution such
> >> as a smart host.
> >
> > reject_unverified_recipient automatically builds that access map for
> > you.
>
>
> Would it be considered "safe" to use this in a default
> smtpd_recipient_restrictions?  There are no caveats to this one
> other than a possible delay in sending probes from the verify daemon?

It is much more expensive than looking in a local/relay/virtual
recipient table, and does not work when you are "backup" MX for a
system that is down.

        Wietse

Re: Regular expression with fighting against spam

Jaroslaw Grzabel
In reply to this post by Jorey Bump
Jorey Bump wrote:

> To be fair, your original question reveals that you are somewhat
> unfamiliar with basic concepts of email administration, and that is why
> no one is eager to help you shoot yourself in the foot, especially if it
> means the bullet may ricochet off the floor and hit us.
>
> That said, you must escape the pipe:
>
>  /^\|/ REJECT
>
> And you must also apply this rule to the envelope sender, not the From:
> header. See the Postfix docs for more information.
>
> But it's a moot point. You are fixing the wrong problem.
>  
Thank you for that.
I've got a different opinion about it, but this is not the place to argue
with anyone. My question was simple, without unnecessary details. Maybe
too simple?
If somebody asks you what colour your car is, will you answer with what
engine it has? Anyway, if we want, we can discuss it in private.
Anyway, I would like to thank everybody who took part in this discussion.

Regards,
Jarek



Re: Regular expression with fighting against spam

mouss-4
Jaroslaw Grzabel wrote:

> Jorey Bump wrote:
>> To be fair, your original question reveals that you are somewhat
>> unfamiliar with basic concepts of email administration, and that is why
>> no one is eager to help you shoot yourself in the foot, especially if it
>> means the bullet may ricochet off the floor and hit us.
>>
>> That said, you must escape the pipe:
>>
>>  /^\|/ REJECT
>>
>> And you must also apply this rule to the envelope sender, not the From:
>> header. See the Postfix docs for more information.
>>
>> But it's a moot point. You are fixing the wrong problem.
>>  
> Thank you for that.
> I've got a different opinion about it, but this is not the place to argue
> with anyone. My question was simple, without unnecessary details. Maybe
> too simple?
> If somebody asks you what colour your car is, will you answer with what
> engine it has?

But this is not a (silly) answering machine. People here want to
understand your problem and to give you a good response. We feel happy
when we really help others, and for that we try to guess what problem
they are trying to fix. You can ask your doctor "I have foo-ache, give me
bar-idicine". He can give you what you ask for, but then he would be a
silly doctor.

And the other thing you must keep in mind is that this is a public list,
and the answers are archived and will be used by other people.

After all, if you think about this, you'll find that it is no different
than in real life.

> Anyway, if we want, we can discuss it in private.


you're right, we're getting off topic...

> Anyway, I would like to thank everybody who took part in this discussion.
>
> Regards,
> Jarek
>
>


Re: Regular expression with fighting against spam

fakessh @
On Saturday 20 June 2009 01:25, mouss wrote:

> Jaroslaw Grzabel wrote:
> > Jorey Bump wrote:
> >> To be fair, your original question reveals that you are somewhat
> >> unfamiliar with basic concepts of email administration, and that is why
> >> no one is eager to help you shoot yourself in the foot, especially if it
> >> means the bullet may ricochet off the floor and hit us.
> >>
> >> That said, you must escape the pipe:
> >>
> >>  /^\|/ REJECT
> >>
> >> And you must also apply this rule to the envelope sender, not the From:
> >> header. See the Postfix docs for more information.
> >>
> >> But it's a moot point. You are fixing the wrong problem.
> >
> > Thank you for that.
> > I've got a different opinion about it, but this is not the place to argue
> > with anyone. My question was simple, without unnecessary details. Maybe
> > too simple?
> > If somebody asks you what colour your car is, will you answer with what
> > engine it has?
>
> But this is not a (silly) answering machine. People here want to
> understand your problem and to give you a good response. We feel happy
> when we really help others, and for that we try to guess what problem
> they are trying to fix. You can ask your doctor "I have foo-ache, give me
> bar-idicine". He can give you what you ask for, but then he would be a
> silly doctor.
>
> And the other thing you must keep in mind is that this is a public list,
> and the answers are archived and will be used by other people.
>
> After all, if you think about this, you'll find that it is no different
> than in real life.
>
> > Anyway, if we want, we can discuss it in private.
>
> you're right, we're getting off topic...
>

"Buddha"
nearless
> > Anyway, I would like to thank everybody who took part in this discussion.
> >
> > Regards,
> > Jarek