Spam from the same domain


Spam from the same domain

listadecorreo

Hello

in the last month I received a lot of spam from user_non_exist@mydomain
to user_exist@mydomain..... can I block all received externals mails
from my domain to my domain...

I use postfix with amavis (spamassassin/clamav)

thanks in advance

Re: Spam from the same domain

Mark Goodge
On 26/03/2010 20:54, listadecorreo wrote:
>
> Hello
>
> in the last month I received a lot of spam from user_non_exist@mydomain
> to user_exist@mydomain..... can I block all received externals mails
> from my domain to my domain...

It's very easy to block mails from fake_user@domain to real_user@domain.
Just turn on sender address verification for your own domains. See
http://www.postfix.org/ADDRESS_VERIFICATION_README.html for details on
how it's configured.

Blocking forged mails from real_user@domain to real_user@domain is
harder, as if any of your users use SMTP servers other than your own
then it's very hard to distinguish between that and forgeries.

Mark

Re: Spam from the same domain

Daniel L'Hommedieu
On Mar 26, 2010, at 17:14, Mark Goodge wrote:

> On 26/03/2010 20:54, listadecorreo wrote:
>>
>> Hello
>>
>> in the last month I received a lot of spam from user_non_exist@mydomain
>> to user_exist@mydomain..... can I block all received externals mails
>> from my domain to my domain...
>
> It's very easy to block mails from fake_user@domain to real_user@domain. Just turn on sender address verification for your own domains. See http://www.postfix.org/ADDRESS_VERIFICATION_README.html for details on how it's configured.
>
> Blocking forged mails from real_user@domain to real_user@domain is harder, as if any of your users use SMTP servers other than your own then it's very hard to distinguish between that and forgeries.

Mark,

I find that using the Zen spamhaus list does a very good job at blocking mail from [hidden email], for my domains example.com.

Daniel

Re: Spam from the same domain

Steve-352
In reply to this post by listadecorreo

-------- Original Message --------
> Date: Fri, 26 Mar 2010 21:54:43 +0100
> From: listadecorreo <[hidden email]>
> To: [hidden email]
> Subject: Spam from the same domain

>
> Hello
>
> in the last month I received a lot of spam from user_non_exist@mydomain
> to user_exist@mydomain..... can I block all received externals mails
> from my domain to my domain...
>
Are your users sending mail over your infrastructure? Do you force them to use SMTP AUTH/SASL? If so then you might have a look at reject_sender_login_mismatch to stop forgeries from your own domain.


> I use postfix with amavis (spamassassin/clamav)
>
> thanks in advance


Re: Spam from the same domain

Ansgar Wiechers
On 2010-03-26 Steve wrote:
> From: listadecorreo <[hidden email]>
>> in the last month I received a lot of spam from
>> user_non_exist@mydomain to user_exist@mydomain..... can I block all
>> received externals mails from my domain to my domain...
            ^^^^^^^^^^^^^^^
> Are your users sending mail over your infrastructure? Do you force
> them to use SMTP AUTH/SASL? If so then you might have a look at
> reject_sender_login_mismatch to stop forgeries from your own domain.

The OP wants to block external, not internal senders.

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Spam from the same domain

Steve-352

-------- Original Message --------
> Date: Sat, 27 Mar 2010 00:13:25 +0100
> From: Ansgar Wiechers <[hidden email]>
> To: [hidden email]
> Subject: Re: Spam from the same domain

> On 2010-03-26 Steve wrote:
> > From: listadecorreo <[hidden email]>
> >> in the last month I received a lot of spam from
> >> user_non_exist@mydomain to user_exist@mydomain..... can I block all
> >> received externals mails from my domain to my domain...
>             ^^^^^^^^^^^^^^^
> > Are your users sending mail over your infrastructure? Do you force
> > them to use SMTP AUTH/SASL? If so then you might have a look at
> > reject_sender_login_mismatch to stop forgeries from your own domain.
>
> The OP wants to block external, not internal senders.
>
I have perfectly understood what the OP wants. And my answer is still valid. I have reject_sender_login_mismatch active on my servers and trying from remote (or local) to send a mail with my email address or any email address under one of my domains as the sender without being authenticated against Postfix does not work (replaced sensitive information to protect the innocent):
-----------------------------
netbox ~ # telnet mail.mydomain.tld 25
Trying 12.23.34.56...
Connected to mail.mydomain.tld.
Escape character is '^]'.
220 cluster2.mydomain.tld ESMTP Postfix (2.7.0)
ehlo some.remote.name.tld
250-cluster2.mydomain.tld
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<[hidden email]>
553 5.7.1 <[hidden email]>: Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
netbox ~ #
-----------------------------

And the same goes if the sender does not exist:
-----------------------------
netbox ~ # telnet mail.mydomain.tld 25
Trying 12.23.34.57...
Connected to mail.mydomain.tld.
Escape character is '^]'.
220 cluster1.mydomain.tld ESMTP Postfix (2.7.0)
ehlo some.remote.name.tld
250-cluster1.mydomain.tld
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<[hidden email]>
553 5.7.1 <[hidden email]>: Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
netbox ~ #
-----------------------------

So if I am not totally wrong understanding the OP then the above would work for blocking external mails that claim to be from <user_non_exist@mydomain> and are sent to <user_exist@mydomain>. But only if he has a mechanism available in Postfix to identify logged in users and if he forces any of his users to first be authenticated before being able to send mails.

Please feel free to correct me if my suggestion is not valid.


> Regards
> Ansgar Wiechers
> --
// Steve

Re: Spam from the same domain

Sahil Tandon
In reply to this post by Mark Goodge
On Fri, 26 Mar 2010, Mark Goodge wrote:

> On 26/03/2010 20:54, listadecorreo wrote:
> >
> >in the last month I received a lot of spam from user_non_exist@mydomain
> >to user_exist@mydomain..... can I block all received externals mails
> >from my domain to my domain...
>
> It's very easy to block mails from fake_user@domain to
> real_user@domain. Just turn on sender address verification for your
> own domains.

An easier way to block spam from [hidden email] is to use
reject_unlisted_sender.  See postconf(5).

http://www.postfix.org/postconf.5.html#reject_unlisted_sender
http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_sender

--
Sahil Tandon <[hidden email]>

Re: Spam from the same domain

mouss-4
In reply to this post by listadecorreo
listadecorreo wrote:
>
> Hello
>
> in the last month I received a lot of spam from user_non_exist@mydomain
> to user_exist@mydomain..... can I block all received externals mails
> from my domain to my domain...
> I use postfix with amavis (spamassassin/clamav)
>


- to block mail from user_not_exist@yourdomain, simply use
        reject_unlisted_sender
in your smtpd restrictions, or even more simply, set
smtpd_reject_unlisted_sender = yes
The latter applies to all mail.

- to block mail from user_exist@yourdomain if it comes from external
clients and is not authenticated, then simply use

smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        check_sender_access hash:/etc/postfix/access_sender
        ...

== access_sender
example.com REJECT not allowed without authentication
.example.com REJECT not allowed without authentication
...

This will reject all mail from [hidden email] or [hidden email]
unless it comes from mynetworks or the user was authenticated.

Note this applies to envelope addresses (MAIL FROM), not to headers
(From: or Reply-To:).

If you care about headers, first try zen as suggested before. For the
spam that slips, tune spamassassin.
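
The restriction list from the reply above, modelled in Python as an added example (not part of the thread and not Postfix code) to show which combinations of client, authentication state and envelope sender get rejected. The networks, domains and addresses are constructed sample values, and only the domain part of the access(5) sender lookup is modelled.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com"}  # domains this server is final destination for
ACCESS_SENDER = {                # the access_sender table from the post
    "example.com": "REJECT not allowed without authentication",
    ".example.com": "REJECT not allowed without authentication",
}

def sender_lookup(mail_from):
    """Domain-part lookup: 'domain' matches user@domain, '.domain' matches
    subdomains (default, smtpd_access_maps not in parent_domain_matches_subdomains)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain in ACCESS_SENDER:
        return ACCESS_SENDER[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in ACCESS_SENDER:
            return ACCESS_SENDER[key]
    return None

def evaluate(client_ip, sasl_user, mail_from, rcpt_to):
    """Walk the restrictions in order; the first decisive result wins."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):
        return "PERMIT (permit_mynetworks)"
    if sasl_user:
        return "PERMIT (permit_sasl_authenticated)"
    if rcpt_to.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
        return "REJECT (reject_unauth_destination)"
    action = sender_lookup(mail_from)
    if action:
        return action + " (check_sender_access)"
    # Only the envelope sender was examined; a forged From: header is not seen here.
    return "DUNNO (falls through to later restrictions)"

if __name__ == "__main__":
    outside = "203.0.113.9"  # constructed external client
    for case in [
        (outside, None, "user_non_exist@example.com", "user_exist@example.com"),
        (outside, None, "user_exist@example.com", "user_exist@example.com"),
        (outside, "user_exist", "user_exist@example.com", "someone@other.test"),
        ("192.0.2.10", None, "user_exist@example.com", "someone@other.test"),
        (outside, None, "sender@other.test", "user_exist@example.com"),
    ]:
        print(case, "->", evaluate(*case))
```

The last case is the one the envelope-versus-header note is about: a message with a foreign MAIL FROM passes this list even if its From: header claims example.com.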


Re: Spam from the same domain

listadecorreo
mouss wrote:
> listadecorreo wrote:
>> Hello
>>
>> in the last month I received a lot of spam from user_non_exist@mydomain
>> to user_exist@mydomain..... can I block all received externals mails
>> from my domain to my domain...
>> I use postfix with amavis (spamassassin/clamav)
>
> - to block mail from user_not_exist@yourdomain, simply use
>         reject_unlisted_sender
> in your smtpd restrictions, or even more simply, set
> smtpd_reject_unlisted_sender = yes
> The latter applies to all mail.
>
> - to block mail from user_exist@yourdomain if it comes from external
> clients and is not authenticated, then simply use
>
> smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unauth_destination
>         check_sender_access hash:/etc/postfix/access_sender
>         ...
>
> == access_sender
> example.com REJECT not allowed without authentication
> .example.com REJECT not allowed without authentication
> ...
>
> This will reject all mail from [hidden email] or [hidden email]
> unless it comes from mynetworks or the user was authenticated.
>
> Note this applies to envelope addresses (MAIL FROM), not to headers
> (From: or Reply-To:).
>
> If you care about headers, first try zen as suggested before. For the
> spam that slips, tune spamassassin.

thanks, is perfect....

Regards, Pep