Rejecting International Email

Rejecting International Email

Carlwill
I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
a few spam emails slip through the cracks that are from .ca, nz, jp,
nl, and other common countries known for spam. Is there a way I can
have Postfix reject all email except for .mil, .edu, .us, .com, .net,
.org, and other legit domain extensions?

I tried searching Google and the Postfix site but was not sure if my
verbiage was correct. I don't know where this would go. I would assume
this would be a header_check parameter but how that appears I just
don't know...

Anyone care to assist me in this matter?

I don't know if it matters so here are some logs of them slipping through:

[root@mail ~]# cat /var/log/maillog | grep "<[hidden email]>"
Apr 29 11:35:26 mail postfix/qmgr[29577]: C305D15C06C:
from=<[hidden email]>, size=913, nrcpt=1 (queue active)
Apr 29 11:35:26 mail postfix/qmgr[29577]: 47F0815C06E:
from=<[hidden email]>, size=1368, nrcpt=1 (queue active)
Apr 29 11:35:26 mail amavis[1320]: (01320-11) Passed CLEAN,
[72.248.68.127] [72.248.68.127] <[hidden email]> ->
<[hidden email]>, Message-ID:
<000801c8aa0e$0310717c$c30cc995@oldrwvj>, mail_id: phcAFLJ4UAyB, Hits:
-, size: 913, queued_as: 47F0815C06E, 125 ms

There are more I am sure...

Thanks for any info!

Re: Rejecting International Email

Arturo 'Buanzo' Busleiman

Carlos Williams wrote:
| I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
| a few spam emails slip through the cracks that are from .ca, nz, jp,
| nl, and other common countries known for spam. Is there a way I can
| have Postfix reject all email except for .mil, .edu, .us, .com, .net,
| .org, and other legit domain extensions?

You'd still get all @gmail.com, @hotmail.com based spam, anyway. Also, FROM can be easily faked...
so... well, it's kinda pointless.

--
Arturo "Buanzo" Busleiman
Reliable inter-continental Mail Relay Service - Ask me!
Independent Security Consultant - SANS - OISSG
http://www.buanzo.com.ar/pro/

Re: Rejecting International Email

d.hill
In reply to this post by Carlwill
On Tue, 29 Apr 2008 at 12:08 -0400, [hidden email] confabulated:

> I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
> a few spam emails slip through the cracks that are from .ca, nz, jp,
> nl, and other common countries known for spam. Is there a way I can
> have Postfix reject all email except for .mil, .edu, .us, .com, .net,
> .org, and other legit domain extensions?
>
> I tried searching Google and the Postfix site but was not sure if my
> verbiage was correct. I don't know where this would go. I would assume
> this would be a header_check parameter but how that appears I just
> don't know...
>
> Anyone care to assist me in this matter?
>
> I don't know if it matters so here are some logs of them slipping through:
>
> [root@mail ~]# cat /var/log/maillog | grep "<[hidden email]>"
> Apr 29 11:35:26 mail postfix/qmgr[29577]: C305D15C06C:
> from=<[hidden email]>, size=913, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail postfix/qmgr[29577]: 47F0815C06E:
> from=<[hidden email]>, size=1368, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail amavis[1320]: (01320-11) Passed CLEAN,
> [72.248.68.127] [72.248.68.127] <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <000801c8aa0e$0310717c$c30cc995@oldrwvj>, mail_id: phcAFLJ4UAyB, Hits:
> -, size: 913, queued_as: 47F0815C06E, 125 ms
>
> There are more I am sure...
>
> Thanks for any info!

I don't know if you trust using SpamCop or not. For what it's worth, the
above IP you show in the logs is listed:

   %host 127.68.248.72.bl.spamcop.net
   127.68.248.72.bl.spamcop.net has address 127.0.0.2

Re: Rejecting International Email

Colin Brace
In reply to this post by Carlwill


On Tue, 29 Apr 2008 12:08:13 -0400, "Carlos Williams"
<[hidden email]> wrote:

> I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
> a few spam emails slip through the cracks that are from .ca, nz, jp,
> nl, and other common countries known for spam. Is there a way I can
> have Postfix reject all email except for .mil, .edu, .us, .com, .net,
> .org, and other legit domain extensions?

There are more intelligent and effective ways of dealing with spam than
blocking entire countries. See this essay:

The Spam Problem: Moving Beyond RBLs
http://www.whirlycott.com/phil/antispam/rbl-bad/rbl-bad.html

Greylisting and spamassassin catch most spam these days.

--
  Colin Brace
  Amsterdam
  http://lim.nl


Re: Rejecting International Email

Carlwill
In reply to this post by d.hill
On Tue, Apr 29, 2008 at 12:50 PM, D Hill <[hidden email]> wrote:
>
>  I don't know if you trust using SpamCop or not. For what it's worth, the
> above IP you show in the logs is listed:
>
>   %host 127.68.248.72.bl.spamcop.net
>   127.68.248.72.bl.spamcop.net has address 127.0.0.2
>
I would be willing to try and see if it helps. I am confused, however; I
have the following:

        reject_rbl_client bl.spamcop.net,

The above is listed in smtpd_recipient_restrictions &
smtpd_client_restrictions. Do I need to move it to
smtpd_sender_restrictions?

If that host is listed in spamcop and I have spamcop rejecting on both
those on my main.cf, why did it pass? I am adding my postconf -n below
for more info:

[root@mail ~]# postconf -n
address_verify_sender = <>
alias_database = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
alias_maps = hash:/etc/postfix/aliases,         hash:/etc/mailman/aliases
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
command_time_limit = 1400
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
default_destination_recipient_limit = 100
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
local_recipient_maps = unix:passwd.byname $alias_maps
mail_owner = postfix
mailbox_size_limit = 40000000
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
max_idle = 175
maximal_backoff_time = 2000s
message_size_limit = 10240000
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, $mydomain, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.example.org
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
parent_domain_matches_subdomains =
proxy_interfaces = 127.0.0.1/8
qmgr_message_active_limit = 20000
queue_directory = /var/spool/postfix
queue_run_delay = 500s
readme_directory = /usr/share/doc/postfix-2.2.10/README_FILES
relay_domains = onesaf.net, saic.com
sample_directory = /usr/share/doc/postfix-2.2.10/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP debugger_command
= PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
$daemon_directory/$process_name $process_id & sleep 5
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_unauth_pipelining, reject_unknown_sender_domain,
        reject_non_fqdn_sender, reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net, reject_rbl_client safe.dnsbl.sorbs.net,
        reject_rbl_client list.dsbl.org
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 0
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks, permit_sasl_authenticated,
        reject_invalid_hostname, reject_non_fqdn_hostname,
        check_helo_access, regexp:/etc/postfix/helo.regexp
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/access,
        check_sender_access hash:/etc/postfix/sender_restrictions,
        check_sender_access hash:/etc/postfix/siteoverride,
        reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 4
smtpd_timeout = 60s
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/mail.example.org.crt
smtpd_tls_key_file = /etc/httpd/conf/ssl.key/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 501
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550




--
Man your battle stations...

Re: Rejecting International Email

jason hirsh
In reply to this post by Carlwill

On Apr 29, 2008, at 12:08 PM, Carlos Williams wrote:

> I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
> a few spam emails slip through the cracks that are from .ca, nz, jp,
> nl, and other common countries known for spam. Is there a way I can
> have Postfix reject all email except for .mil, .edu, .us, .com, .net,
> .org, and other legit domain extensions?
>
> I tried searching Google and the Postfix site but was not sure if my
> verbiage was correct. I don't know where this would go. I would assume
> this would be a header_check parameter but how that appears I just
> don't know...
>
> Anyone care to assist me in this matter?
>
> I don't know if it matters so here are some logs of them slipping  
> through:
>
> [root@mail ~]# cat /var/log/maillog | grep "<[hidden email]>"
> Apr 29 11:35:26 mail postfix/qmgr[29577]: C305D15C06C:
> from=<[hidden email]>, size=913, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail postfix/qmgr[29577]: 47F0815C06E:
> from=<[hidden email]>, size=1368, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail amavis[1320]: (01320-11) Passed CLEAN,
> [72.248.68.127] [72.248.68.127] <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <000801c8aa0e$0310717c$c30cc995@oldrwvj>, mail_id: phcAFLJ4UAyB, Hits:
> -, size: 913, queued_as: 47F0815C06E, 125 ms
>
> There are more I am sure...
>
> Thanks for any info!


This is a little coarse, but it sure gets rid of the offending countries.
I am sure there are subtler methods... but I don't get a lot of mail
from foreign countries, so I added this to my main.cf:


smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
        reject_rbl_client kr.countries.nerd.dk
        reject_rbl_client cn.countries.nerd.dk
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client bl.spamcop.net
        reject_rbl_client kp.countries.nerd.dk
        reject_rbl_client ng.countries.nerd.dk
        reject_rbl_client tw.countries.nerd.dk
        reject_rbl_client th.countries.nerd.dk
        reject_rbl_client pl.countries.nerd.dk
        reject_rbl_client ru.countries.nerd.dk
        reject_rbl_client it.countries.nerd.dk
        reject_rbl_client cz.countries.nerd.dk
        reject_rbl_client ae.countries.nerd.dk
        reject_rbl_client br.countries.nerd.dk
        reject_rbl_client PE.countries.nerd.dk
        reject_rbl_client MX.countries.nerd.dk
        reject_rbl_client tr.countries.nerd.dk

Re: Rejecting International Email

Henrik K
On Tue, Apr 29, 2008 at 01:39:12PM -0400, Jason Hirsh wrote:

>
> smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
> reject_rbl_client kr.countries.nerd.dk
> reject_rbl_client cn.countries.nerd.dk
> reject_rbl_client zen.spamhaus.org
> reject_rbl_client bl.spamcop.net
> reject_rbl_client kp.countries.nerd.dk
> reject_rbl_client ng.countries.nerd.dk
> reject_rbl_client tw.countries.nerd.dk
> reject_rbl_client th.countries.nerd.dk
> reject_rbl_client pl.countries.nerd.dk
> reject_rbl_client ru.countries.nerd.dk
> reject_rbl_client it.countries.nerd.dk
> reject_rbl_client cz.countries.nerd.dk
>   reject_rbl_client ae.countries.nerd.dk
>   reject_rbl_client br.countries.nerd.dk
>   reject_rbl_client PE.countries.nerd.dk
>   reject_rbl_client MX.countries.nerd.dk
>       reject_rbl_client tr.countries.nerd.dk

I hope you are running a local rbldnsd and rsyncing countries.nerd.dk. If you
have any decent amount of traffic, it's very nasty to query the same zone 15
times per connection.


Re: Rejecting International Email

jason hirsh

On Apr 29, 2008, at 1:52 PM, Henrik K wrote:

> On Tue, Apr 29, 2008 at 01:39:12PM -0400, Jason Hirsh wrote:
>>
>> smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
>> reject_rbl_client kr.countries.nerd.dk
>> reject_rbl_client cn.countries.nerd.dk
>> reject_rbl_client zen.spamhaus.org
>> reject_rbl_client bl.spamcop.net
>> reject_rbl_client kp.countries.nerd.dk
>> reject_rbl_client ng.countries.nerd.dk
>> reject_rbl_client tw.countries.nerd.dk
>> reject_rbl_client th.countries.nerd.dk
>> reject_rbl_client pl.countries.nerd.dk
>> reject_rbl_client ru.countries.nerd.dk
>> reject_rbl_client it.countries.nerd.dk
>> reject_rbl_client cz.countries.nerd.dk
>> reject_rbl_client ae.countries.nerd.dk
>> reject_rbl_client br.countries.nerd.dk
>> reject_rbl_client PE.countries.nerd.dk
>> reject_rbl_client MX.countries.nerd.dk
>>      reject_rbl_client tr.countries.nerd.dk
>
> I hope you are running a local rbldnsd and rsyncing countries.nerd.dk. If you
> have any decent amount of traffic, it's very nasty to query the same zone 15
> times per connection.
>
and how would I do that?

Re: Rejecting International Email

/dev/rob0
In reply to this post by Colin Brace
On Tue April 29 2008 12:12:46 Colin Brace wrote:
> On Tue, 29 Apr 2008 12:08:13 -0400, "Carlos Williams"
> <[hidden email]> wrote:
> > I am currently running Postfix postfix-2.2.10-1.1.el4 and I am
> > finding a few spam emails slip through the cracks that are from
> > .ca, nz, jp, nl, and other common countries known for spam. Is
> > there a way I can have Postfix reject all email except for .mil,
> > .edu, .us, .com, .net, .org, and other legit domain extensions?

Interesting choice of words, to imply that CCTLDs are somehow not
legitimate.

> There are more intelligent and effective ways of dealing with spam
> then blocking entire countries. See this essay:

That's true, and furthermore it was not clear whether the OP knew what
he meant in saying these spams were "from" these nasty, evil spamming
countries. I suspect he was seeing sender addresses, or worse, the
"From:" header, which as has already been pointed out in this thread,  
is meaningless.

The problems created by clueless anti-spam measures are in many cases
worse than the spam problem itself. If you don't understand SMTP and
what "client address" and "sender address" mean in that context, you
really should not consider yourself qualified to design safe and
effective anti-spam strategies.

> The Spam Problem: Moving Beyond RBLs
> http://www.whirlycott.com/phil/antispam/rbl-bad/rbl-bad.html

This article was written in 2003 by someone who apparently had very
little understanding of RBLs and mailservers. Utter garbage IMO; looks
like sour grapes over his qmail server[s] being listed by a minor RBL,
possibly due to being on an ISP with spammers and open relays.

> Greylisting and spamassassin catch most spam these days.

Greylisting is ineffective against SBL-type spam hosts, which can in
some cases comprise the majority of spam attacks on a valid address.
Furthermore, there are many documented cases of spam zombies repeating
their spam runs, so the effectiveness of greylisting is decreasing all
the time. Zombie armies are so large now that they can do this. In due
time, if not already, the main benefit of greylisting will be that it
gives CBL more time to list the spambot.

SpamAssassin is indeed fairly effective, but it suffers from the
fundamental issue of being content-based. Spam is about conSent, not
conTent. SA's most effective strategies are the ones which use RBLs and
URIBLs. But the RBL is still most effective and SAFE when used in the
MTA itself. If the sender never sees a bounce, and neither the sender
nor the recipient see that the mail was quarantined or discarded, the
integrity of the email system is lost.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Rejecting International Email

d.hill
In reply to this post by jason hirsh
On Tue, 29 Apr 2008 at 13:59 -0400, [hidden email] confabulated:

>
> On Apr 29, 2008, at 1:52 PM, Henrik K wrote:
>
>> On Tue, Apr 29, 2008 at 01:39:12PM -0400, Jason Hirsh wrote:
>>>
>>> smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
>>> reject_rbl_client kr.countries.nerd.dk
>>> reject_rbl_client cn.countries.nerd.dk
>>> reject_rbl_client zen.spamhaus.org
>>> reject_rbl_client bl.spamcop.net
>>> reject_rbl_client kp.countries.nerd.dk
>>> reject_rbl_client ng.countries.nerd.dk
>>> reject_rbl_client tw.countries.nerd.dk
>>> reject_rbl_client th.countries.nerd.dk
>>> reject_rbl_client pl.countries.nerd.dk
>>> reject_rbl_client ru.countries.nerd.dk
>>> reject_rbl_client it.countries.nerd.dk
>>> reject_rbl_client cz.countries.nerd.dk
>>> reject_rbl_client ae.countries.nerd.dk
>>> reject_rbl_client br.countries.nerd.dk
>>> reject_rbl_client PE.countries.nerd.dk
>>> reject_rbl_client MX.countries.nerd.dk
>>>     reject_rbl_client tr.countries.nerd.dk
>>
>> I hope you are running a local rbldnsd and rsyncing countries.nerd.dk. If you
>> have any decent amount of traffic, it's very nasty to query the same zone 15
>> times per connection.
>>
> and how would I do that?

Their site does explain:

   http://countries.nerd.dk

Re: Rejecting International Email

Henrik K
In reply to this post by jason hirsh
On Tue, Apr 29, 2008 at 01:59:49PM -0400, Jason Hirsh wrote:

>
> On Apr 29, 2008, at 1:52 PM, Henrik K wrote:
>
>> On Tue, Apr 29, 2008 at 01:39:12PM -0400, Jason Hirsh wrote:
>>>
>>> smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org
>>> reject_rbl_client kr.countries.nerd.dk
>>> reject_rbl_client cn.countries.nerd.dk
>>> reject_rbl_client zen.spamhaus.org
>>> reject_rbl_client bl.spamcop.net
>>> reject_rbl_client kp.countries.nerd.dk
>>> reject_rbl_client ng.countries.nerd.dk
>>> reject_rbl_client tw.countries.nerd.dk
>>> reject_rbl_client th.countries.nerd.dk
>>> reject_rbl_client pl.countries.nerd.dk
>>> reject_rbl_client ru.countries.nerd.dk
>>> reject_rbl_client it.countries.nerd.dk
>>> reject_rbl_client cz.countries.nerd.dk
>>> reject_rbl_client ae.countries.nerd.dk
>>> reject_rbl_client br.countries.nerd.dk
>>> reject_rbl_client PE.countries.nerd.dk
>>> reject_rbl_client MX.countries.nerd.dk
>>>      reject_rbl_client tr.countries.nerd.dk
>>
>> I hope you are running a local rbldnsd and rsyncing countries.nerd.dk. If you
>> have any decent amount of traffic, it's very nasty to query the same zone 15
>> times per connection.
>>
> and how would I do that?

Slightly easier way:

reject_rbl_client zz.countries.nerd.dk=127.0.1.154
reject_rbl_client zz.countries.nerd.dk=127.0.0.156
... add the rest from http://countries.nerd.dk/isolist.txt

Now there is only one DNS query for the combined zone.
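Added example (not from any poster in this thread, and not Postfix code): how the two DNSBL lookups discussed above fit together, in Python. `dnsbl_query_name` builds the reversed-octet name d.hill queried (72.248.68.127 becomes 127.68.248.72.bl.spamcop.net), and `decode_country_answer` unpacks the countries.nerd.dk zz answer that Henrik matches with `reject_rbl_client zz.countries.nerd.dk=127.0.1.154`: the last two octets carry the ISO 3166-1 numeric code (1*256+154 = 410 = KR, 156 = CN), which is why one query to the combined zone can stand in for one query per country zone. `FAKE_DNS` is a constructed stand-in for the resolver so the code runs offline; its nerd.dk answer for the logged IP is made up, not a real lookup.

```python
import ipaddress

# Subset of real ISO 3166-1 numeric codes, enough to decode the answers
# discussed in the thread; extend from the published list as needed.
ISO3166_NUMERIC = {
    156: "CN", 410: "KR", 408: "KP", 840: "US", 124: "CA",
    616: "PL", 643: "RU", 380: "IT", 203: "CZ", 76: "BR",
}

# Constructed stand-in for DNS so the example runs offline. The SpamCop
# entry mirrors the listing d.hill quoted; the nerd.dk answer for the same
# client is invented (3*256+72 = 840 = US) purely for illustration.
FAKE_DNS = {
    "127.68.248.72.bl.spamcop.net": "127.0.0.2",
    "127.68.248.72.zz.countries.nerd.dk": "127.0.3.72",
}


def dnsbl_query_name(client_ip, zone):
    """Reverse the octets of the SMTP client address and append the zone;
    this is the name reject_rbl_client hands to the resolver."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_country_answer(answer):
    """Unpack a countries.nerd.dk 'zz' answer 127.0.A.B into the ISO 3166-1
    numeric code A*256+B and its alpha-2 code ('??' if not in our table)."""
    o = ipaddress.IPv4Address(answer).packed
    if o[0] != 127 or o[1] != 0:
        raise ValueError("not a countries.nerd.dk country answer: " + answer)
    numeric = o[2] * 256 + o[3]
    return numeric, ISO3166_NUMERIC.get(numeric, "??")


def country_answer(numeric):
    """Inverse of decode_country_answer: the A record to put after '=' in
    reject_rbl_client zz.countries.nerd.dk=... for a given numeric code."""
    if not 0 <= numeric <= 65535:
        raise ValueError("ISO numeric code out of range")
    return "127.0.%d.%d" % (numeric // 256, numeric % 256)


def check_client(client_ip, zone, reject_answers, resolve=FAKE_DNS.get):
    """Model 'reject_rbl_client zone=answer': a single query to the zone,
    then the answer is compared with every '=' value the admin listed.
    Returns 'REJECT' if the answer is one we block, otherwise 'DUNNO'
    (an unlisted client gets no answer and falls through to later
    restrictions, exactly as in Postfix)."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return "DUNNO"
    return "REJECT" if answer in reject_answers else "DUNNO"


if __name__ == "__main__":
    # Jason's kr/cn zones expressed as two '=' values on one combined zone
    kr_cn = {country_answer(410), country_answer(156)}
    print(dnsbl_query_name("72.248.68.127", "bl.spamcop.net"))
    print(check_client("72.248.68.127", "bl.spamcop.net", {"127.0.0.2"}))
    print(check_client("72.248.68.127", "zz.countries.nerd.dk", kr_cn))
    print(decode_country_answer("127.0.1.154"))
```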


Re: Rejecting International Email

/dev/rob0
In reply to this post by jason hirsh
On Tue April 29 2008 12:59:49 Jason Hirsh wrote:
> On Apr 29, 2008, at 1:52 PM, Henrik K wrote:
> > On Tue, Apr 29, 2008 at 01:39:12PM -0400, Jason Hirsh wrote:
> >> smtpd_sender_restrictions = reject_rhsbl_sender
> >> dsn.rfc-ignorant.org reject_rbl_client kr.countries.nerd.dk
> >> reject_rbl_client cn.countries.nerd.dk
snip
> > I hope you are running a local rbldnsd and rsyncing
> > countries.nerd.dk. If you have any decent amount of traffic,
> > it's very nasty to query the same zone 15 times per connection.
>
> and how would I do that?

http://countries.nerd.dk/

http://rsync.samba.org/ ("man rsync" might help too)

http://www.corpit.ru/mjt/rbldnsd.html
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Rejecting International Email

/dev/rob0
In reply to this post by Henrik K
On Tue April 29 2008 13:11:36 Henrik K wrote:
> > and how would I do that?
>
> Slightly easier way:
>
> reject_rbl_client zz.countries.nerd.dk=127.0.1.154
> reject_rbl_client zz.countries.nerd.dk=127.0.0.156
> ... add the rest from http://countries.nerd.dk/isolist.txt
>
> Now there is only one DNS query for the combined zone.

Indeed, this is the most net-friendly approach. Useful? I doubt it.

http://www.spamhaus.org/statistics/countries.lasso
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Rejecting International Email

jason hirsh
In reply to this post by /dev/rob0

On Apr 29, 2008, at 2:13 PM, /dev/rob0 wrote:

> On Tue April 29 2008 12:59:49 Jason Hirsh wrote:
>> On Apr 29, 2008, at 1:52 PM, Henrik K wrote:
>>> On Tue, Apr 29, 2008 at 01:39:12PM -0400, Jason Hirsh wrote:
>>>> smtpd_sender_restrictions = reject_rhsbl_sender
>>>> dsn.rfc-ignorant.org reject_rbl_client kr.countries.nerd.dk
>>>> reject_rbl_client cn.countries.nerd.dk
> snip
>>> I hope you are running a local rbldnsd and rsyncing
>>> countries.nerd.dk. If you have any decent amount of traffic,
>>> it's very nasty to query the same zone 15 times per connection.
>>
>> and how would I do that?
>
> http://countries.nerd.dk/
>
> http://rsync.samba.org/ ("man rsync" might help too)
>
> http://www.corpit.ru/mjt/rbldnsd.html


Well, I thought I followed the guidance in the first link.

The other two are well above my comprehension at this time.

Guess I will live with the overhead.

Thanks.



Re: Rejecting International Email

Zbigniew Szalbot-9
In reply to this post by /dev/rob0
Hi there,

/dev/rob0 pisze:

>> reject_rbl_client zz.countries.nerd.dk=127.0.1.154
>> reject_rbl_client zz.countries.nerd.dk=127.0.0.156
>> ... add the rest from http://countries.nerd.dk/isolist.txt
>>
>> Now there is only one DNS query for the combined zone.
>
> Indeed, this is the most net-friendly approach. Useful? I doubt it.
>
> http://www.spamhaus.org/statistics/countries.lasso


Being from one of the countries you intend to block, I always feel sheer
despair for being punished for someone else's offences. And please if
you need to go this route, make sure your postmaster address allows
"accidentally caught in your net" to contact you.

--
Zbigniew Szalbot
www.lc-words.com


Re: Rejecting International Email

Jeffrey Shawn Klotz-2
In reply to this post by Carlwill
I use header_checks to bounce email from foreign countries. It
looks for domain names under other countries' TLDs. It's not perfect but
stops an amazing amount of spam.

header_checks:

##  Filter mail relayed through other countries
if /^Received:/
/.*.\.gd[ )].*/              OK 250 Mail from GD allowed
/.*.\.us[ )].*/              OK 250 Mail from US allowed
/.*.\.[a-z][a-z][ )].*/      REJECT 550 Mail from your country not allowed
endif

## Filter by sender
if /^From:/
/.*.\.us>$/                  OK 250 x001 Mail from US allowed
/.*.\.[a-z][a-z]>$/          REJECT 550 x001 Sender not allowed
/.*.\.us$/                   OK 250 x002 Mail from US allowed
/.*.\.[a-z][a-z]$/           REJECT 550 x002 Sender not allowed
endif

##  Filter by Reply
if /^Return-Path:/
/.*.\.us>$/                  OK 250 x003 Mail from US allowed
/.*.\.[a-z][a-z]>$/          REJECT 550 x003 Sender not allowed
/.*.\.us$/                   OK 250 x004 Mail from US allowed
/.*.\.[a-z][a-z]$/           REJECT 550 x004 Sender not allowed
endif


Carlos Williams wrote:

> I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
> a few spam emails slip through the cracks that are from .ca, nz, jp,
> nl, and other common countries known for spam. Is there a way I can
> have Postfix reject all email except for .mil, .edu, .us, .com, .net,
> .org, and other legit domain extensions?
>
> I tried searching Google and the Postfix site but was not sure if my
> verbiage was correct. I don't know where this would go. I would assume
> this would be a header_check parameter but how that appears I just
> don't know...
>
> Anyone care to assist me in this matter?
>
> I don't know if it matters so here are some logs of them slipping through:
>
> [root@mail ~]# cat /var/log/maillog | grep "<[hidden email]>"
> Apr 29 11:35:26 mail postfix/qmgr[29577]: C305D15C06C:
> from=<[hidden email]>, size=913, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail postfix/qmgr[29577]: 47F0815C06E:
> from=<[hidden email]>, size=1368, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail amavis[1320]: (01320-11) Passed CLEAN,
> [72.248.68.127] [72.248.68.127] <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <000801c8aa0e$0310717c$c30cc995@oldrwvj>, mail_id: phcAFLJ4UAyB, Hits:
> -, size: 913, queued_as: 47F0815C06E, 125 ms
>
> There are more I am sure...
>
> Thanks for any info!
>
>  
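Added example (not Jeffrey's or Postfix's code): a small Python evaluator for the `Received:` block of the table above, applying Postfix regexp-table semantics (unanchored, case-insensitive match; first matching rule wins; inner rules are only tried when the `if` pattern matches) to constructed Received headers. It also reproduces the false positive /dev/rob0 describes earlier in the thread: a client whose reverse DNS name ends in a two-letter ccTLD is rejected no matter where the machine sits. All header lines are constructed samples using documentation addresses.

```python
import re

# Jeffrey's Received: block transcribed as (pattern, action) rules. Postfix
# regexp tables match unanchored and case-insensitively unless told
# otherwise, and the first matching rule decides.
RECEIVED_IF = r"^Received:"
RECEIVED_RULES = [
    (r".*.\.gd[ )].*", "OK"),
    (r".*.\.us[ )].*", "OK"),
    (r".*.\.[a-z][a-z][ )].*", "REJECT"),
]


def evaluate_header(header_line, if_pattern=RECEIVED_IF, rules=RECEIVED_RULES):
    """Return the action the if/endif block yields for one logical header
    line, or 'DUNNO' when the block does not apply or nothing inside matches."""
    if not re.search(if_pattern, header_line, re.IGNORECASE):
        return "DUNNO"
    for pattern, action in rules:
        if re.search(pattern, header_line, re.IGNORECASE):
            return action
    return "DUNNO"


def first_verdict(headers):
    """header_checks stops at the first header that yields a non-DUNNO
    action; return (verdict, header) so the operator sees which line fired."""
    for h in headers:
        verdict = evaluate_header(h)
        if verdict != "DUNNO":
            return verdict, h
    return "DUNNO", None


# Constructed sample headers (documentation addresses, made-up host names).
SAMPLES = {
    # .us host in the rDNS part: allowed by the second rule
    "us_host": "Received: from mail.example.us (mail.example.us [192.0.2.10])"
               " by mx.example.org with ESMTP id 1A2B3C",
    # .co.uk host: caught by the generic two-letter rule
    "uk_host": "Received: from smtp.example.co.uk (smtp.example.co.uk [198.51.100.7])"
               " by mx.example.org with ESMTP id 4D5E6F",
    # /dev/rob0's case: a box whose PTR happens to end in .uk, wherever it is
    "us_box_uk_ptr": "Received: from relay.example.com (relay.example.co.uk [203.0.113.5])"
                     " by mx.example.org with ESMTP id 7G8H9I",
    # gTLD-only names: no two-letter label before ' ' or ')', so no match
    "com_host": "Received: from mail.example.com (mail.example.com [203.0.113.9])"
                " by mx.example.org with ESMTP id 0J1K2L",
    # Not a Received: header at all: the if block is skipped entirely
    "subject": "Subject: hello from example.co.uk",
}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print("%-14s %s" % (name, evaluate_header(line)))
    print(first_verdict([SAMPLES["com_host"], SAMPLES["us_box_uk_ptr"]]))
```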

Re: Rejecting International Email

/dev/rob0
In reply to this post by Zbigniew Szalbot-9
On Tue April 29 2008 13:27:56 Zbigniew Szalbot wrote:

> /dev/rob0 pisze:
> >> reject_rbl_client zz.countries.nerd.dk=127.0.1.154
> >> reject_rbl_client zz.countries.nerd.dk=127.0.0.156
> >> ... add the rest from http://countries.nerd.dk/isolist.txt
> >>
> >> Now there is only one DNS query for the combined zone.
> >
> > Indeed, this is the most net-friendly approach. Useful? I doubt it.
> >
> > http://www.spamhaus.org/statistics/countries.lasso
>
> Being from one of the countries you intend to block, I always feel

Please check your attributions and reread the thread. In no place did I
advocate this, and in fact in my portion of the quoted text I doubted
the usefulness of this approach. It's "net-friendly" only in that it
makes a single DNS query to the zone.

I do not do, nor do I advocate that others do:
  *  Client blocking by country of origin
  *  Client blocking by CCTLD of FCrDNS name[1]
  *  Sender address blocking by CCTLD in the domain[2]
  *  From: header sender address blocking


[1] In fact I ran a machine formerly located in Georgia and Alabama,
    USA, which had an IP address with a .uk reverse DNS name.
[2] Rarely is the sender address a valid means of blocking. Joe Wein
    (joewein.de, which happens to be in Japan, FWIW) maintains a list
    of Hotmail senders used in spam from actual Hotmail/MSN servers.
    That list is a valid means of blocking, but it's not scalable nor
    is it very effective.
--
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

Re: Rejecting International Email

Jorey Bump
In reply to this post by Carlwill
Carlos Williams wrote, at 04/29/2008 12:08 PM:
> I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
> a few spam emails slip through the cracks that are from .ca, nz, jp,
> nl, and other common countries known for spam. Is there a way I can
> have Postfix reject all email except for .mil, .edu, .us, .com, .net,
> .org, and other legit domain extensions?

I did this long ago (along with blocking character sets), and soon found
that there are better ways that don't penalize the innocent. If there
are enough of these messages to be a nuisance, your attempts to fight
spam in general are probably inadequate. Improve this and you're likely
to gain more benefits in the long run.

If you still feel the need to target countries, don't block them
outright. You can either raise the bar or use a scoring system.

An example of raising the bar is Selective Unlisting:

  http://unlisting.org/selective.html

While Unlisting in general can be a bit too aggressive, it can be
selectively applied to specific networks that are low priority sources
of mail for a given site. For example, assume the Ferengi Alliance has
been allocated the range 10.0.0.0 - 10.255.255.255 and is a considerable
source of zombie spam. You can apply Unlisting to 10.0.0.0/8 to block
badly behaving Ferengi spambots, yet continue to correspond with Ferengi
servers that adhere more closely to the RFCs (as long as they don't use
complicated, yet perfectly legal, round robin techniques). Any
inconvenience is limited to this network, and doing business with
Ferengis may not be important enough for you to be overly concerned.

There are various ways to score based on country of origin. You can use
a policy server, or score them in SpamAssassin, as I do (in a
before-queue filter). Here's an imaginary example that you can build
upon in your SpamAssassin local.cf (beware of wrapping):

# score based on geographical origin (of owner of IP space)

# first discover country code of origin using a TXT lookup
header RCVD_COUNTRIES           eval:check_rbl_txt('nerd-zz', 'zz.countries.nerd.dk.')
describe RCVD_COUNTRIES         Received from countries.nerd.dk
tflags RCVD_COUNTRIES           net
# Assume everyone is a little evil
score RCVD_COUNTRIES            1.0

# Now do a subtest based on the resulting lookup and adjust the
# score appropriately for your user base.

# Hey, my country isn't evil! Lower the score.

header RCVD_VIA_US              eval:check_rbl_sub('nerd-zz', 'us')
describe RCVD_VIA_US            Received from United States
tflags RCVD_VIA_US              net
score RCVD_VIA_US               -1.0

# Canada is sooooooooo evil! But I might need to contact a realtor if
# global warming continues, so I'll spare a couple of points, just in
# case.

header RCVD_VIA_CANADA          eval:check_rbl_sub('nerd-zz', 'ca')
describe RCVD_VIA_CANADA        Received from Canada
tflags RCVD_VIA_CANADA          net
score RCVD_VIA_CANADA           3.0

Assuming a required_score of 5.0 to mark a message as spam, this
approach can work very well. Naturally, you will want to block as much
obvious spam as possible before it reaches SpamAssassin, using other
techniques. Not only will this reduce server load, but it is kinder to
the RBLs you use. Refer to nerd.dk for more information to help you
create a configuration that makes sense for your own site:

   http://countries.nerd.dk/

And remember, things change. Countries that were once notorious sources
of spam have considerably cleaned up their act, so you'll need to review
this periodically.
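An added, offline model (not from the post, and not SpamAssassin's or nerd.dk's code) of how the three rules above combine under a required_score of 5.0: the zone answers are constructed stand-ins for zz.countries.nerd.dk, and the helper names are hypothetical.

```python
"""Offline model of the country-based scoring from the local.cf fragment.

Added example, not from the original post. Zone answers are CONSTRUCTED
stand-ins for TXT records from zz.countries.nerd.dk; real SpamAssassin
resolves them over DNS via check_rbl_txt / check_rbl_sub.
"""
import ipaddress
from typing import Optional, Tuple

# Rule scores as given in the post's local.cf fragment.
RCVD_COUNTRIES_SCORE = 1.0           # "everyone is a little evil"
COUNTRY_ADJUSTMENTS = {              # check_rbl_sub('nerd-zz', cc) rules
    "us": -1.0,                      # RCVD_VIA_US
    "ca": 3.0,                       # RCVD_VIA_CANADA
}
REQUIRED_SCORE = 5.0

# Constructed TXT answers, keyed by the reversed-octet query name a DNSBL
# client sends (same shape as host 127.68.248.72.bl.spamcop.net).
FAKE_ZONE_TXT = {
    "127.68.248.72.zz.countries.nerd.dk.": "us",   # IP from the thread
    "1.2.0.192.zz.countries.nerd.dk.": "ca",       # constructed (TEST-NET-1)
    "9.113.0.203.zz.countries.nerd.dk.": "de",     # constructed (TEST-NET-3)
}

def rbl_query_name(ip: str, zone: str) -> str:
    """72.248.68.127 + zone -> 127.68.248.72.<zone>; rejects non-IPv4 input."""
    addr = ipaddress.IPv4Address(ip)         # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def lookup_country(ip: str, zone: str = "zz.countries.nerd.dk.") -> Optional[str]:
    """Stand-in for check_rbl_txt: country code, or None when unlisted
    (an unlisted client hits none of the RCVD_* rules)."""
    return FAKE_ZONE_TXT.get(rbl_query_name(ip, zone))

def country_score(ip: str) -> float:
    """Sum of RCVD_COUNTRIES plus the matching RCVD_VIA_* subtest, if any."""
    cc = lookup_country(ip)
    if cc is None:
        return 0.0
    return RCVD_COUNTRIES_SCORE + COUNTRY_ADJUSTMENTS.get(cc, 0.0)

def verdict(ip: str, other_rules_score: float) -> Tuple[float, bool]:
    """Total score and spam decision once other rules' points are added in.
    Country alone never reaches 5.0 here; it only nudges borderline mail."""
    total = country_score(ip) + other_rules_score
    return total, total >= REQUIRED_SCORE
```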

Re: Rejecting International Email

mouss-2
In reply to this post by Carlwill
Carlos Williams wrote:
> I am currently running Postfix postfix-2.2.10-1.1.el4 and I am finding
> a few spam emails slip through the cracks that are from .ca, nz, jp,
> nl, and other common countries known for spam.

the country where most spam comes from or comes for is the US. would you
block the whole US?

>  Is there a way I can
> have Postfix reject all email except for .mil, .edu, .us, .com, .net,
> .org, and other legit domain extensions?
>  

according to my logs, this won't bring you much.  of course, my logs
aren't yours but...

> I tried searching Google and the Postfix site but was not sure if my
> verbiage was correct. I don't know where this would go. I would assume
> this would be a header_check parameter but how that appears I just
> don't know...
>
> Anyone care to assist me in this matter?
>
> I don't know if it matters so here are some logs of them slipping through:
>
> [root@mail ~]# cat /var/log/maillog | grep "<[hidden email]>"
> Apr 29 11:35:26 mail postfix/qmgr[29577]: C305D15C06C:
> from=<[hidden email]>, size=913, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail postfix/qmgr[29577]: 47F0815C06E:
> from=<[hidden email]>, size=1368, nrcpt=1 (queue active)
> Apr 29 11:35:26 mail amavis[1320]: (01320-11) Passed CLEAN,
> [72.248.68.127] [72.248.68.127] <[hidden email]> ->
> <[hidden email]>, Message-ID:
> <000801c8aa0e$0310717c$c30cc995@oldrwvj>, mail_id: phcAFLJ4UAyB, Hits:
> -, size: 913, queued_as: 47F0815C06E, 125 ms
>  

$ geoiplookup 72.248.68.127
GeoIP Country Edition: US, United States

so you want to block other countries because a US machine is owned?
doesn't look very rational to me...

now, lesseee.

$ host 72.248.68.127
127.68.248.72.in-addr.arpa domain name pointer
host127.72.248.68.conversent.net.

looks like:

NOQUEUE: reject: RCPT from
host120.72.248.37.conversent.net[72.248.37.120]: 554 5.7.1
<host120.72.248.37.conversent.net[72.248.37.120]>: Client host rejected:
Generic hostname not accepted. Please use your ISP relay or fix you
rDNS; from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<host120.72.248.37.conversent.net>


NOQUEUE: reject: RCPT from
host134.72.248.24.conversent.net[72.248.24.134]: 450 4.7.1
<user489981e478.conversent.net>: Helo command rejected: Host not found;
from=<[hidden email]> to=<[hidden email]> proto=SMTP
helo=<user489981e478.conversent.net>

...



Re: Rejecting International Email

mouss-2
In reply to this post by Carlwill
Carlos Williams wrote:

> On Tue, Apr 29, 2008 at 12:50 PM, D Hill <[hidden email]> wrote:
>  
>>  I don't know if you trust using SpamCop or not. For what it's worth, the
>> above IP you show in the logs is listed:
>>
>>   %host 127.68.248.72.bl.spamcop.net
>>   127.68.248.72.bl.spamcop.net has address 127.0.0.2
>>
>>    
> I would be willing to try and see if it helps. I am confused however I
> have the following:
>
>         reject_rbl_client bl.spamcop.net,
>
> The above is listed in smtpd_recipient_restrictions &
> smtpd_client_restrictions. Do I need to move it to
> smtpd_sender_restrictions?
>  

you only need to have it once.
> If that host is listed in spamcop and I have spamcop rejecting on both
> those on my main.cf, why did it pass?

either the check isn't reached (but this is not very probable) or you
have a DNS problem.


> [snip]
> smtpd_client_restrictions =
> permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining,

in the standard setup, reject_unauth_pipelining is useless here.

> reject_unknown_sender_domain,
>  

oh no. do not do SAV until you know what it means and how to reduce its
consequences.

> [snip]
> reject_unknown_sender_domain,

once again...


> [snip]
>
>
>  
