Spammer rejected, but resends every 10 minutes. Any way to prevent this


Spammer rejected, but resends every 10 minutes. Any way to prevent this

lists@lazygranch.com
I'm getting hit every 10 minutes from this spammer. As you can see I am
rejecting the message. I wonder if the offending email server doesn't
know the message is being rejected?

Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
rejected: cannot find your reverse hostname, [113.247.6.67];
from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<mail.port25.com>

Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

Kevin A. McGrail
On 3/13/2018 10:51 PM, [hidden email] wrote:
> I'm getting hit every 10 minutes from this spammer. As you can see I am
> rejecting the message. I wonder if the offending email server doesn't
> know the message is being rejected?
>
> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> rejected: cannot find your reverse hostname, [113.247.6.67];
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<mail.port25.com>

Have you looked at something like fail2ban that can automate an iptables
block?


Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

Benny Pedersen-2
Kevin A. McGrail wrote on 2018-03-14 03:55:

> On 3/13/2018 10:51 PM, [hidden email] wrote:
>> I'm getting hit every 10 minutes from this spammer. As you can see I
>> am
>> rejecting the message. I wonder if the offending email server doesn't
>> know the message is being rejected?
>>
>> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
>> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
>> rejected: cannot find your reverse hostname, [113.247.6.67];
>> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
>> helo=<mail.port25.com>
>
> Have you looked at something like fail2ban that can automate an
> iptables
> block?

+1

but 450 is not reject, it's soft rejecting, which means there are possible
local DNS failures

please don't post postconf -n now

Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

Peter Ajamian
In reply to this post by lists@lazygranch.com
On 14/03/18 15:51, [hidden email] wrote:
> I'm getting hit every 10 minutes from this spammer. As you can see I am
> rejecting the message. I wonder if the offending email server doesn't
> know the message is being rejected?
>
> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> rejected: cannot find your reverse hostname, [113.247.6.67];
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<mail.port25.com>

That's not a reject, it's a defer (4xx) code which specifically means
that you're telling the remote server to try again.  Spam or not the
remote server is doing what you're telling it to do.


Peter

Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

Bill Cole-3
In reply to this post by lists@lazygranch.com
On 13 Mar 2018, at 22:51 (-0400), [hidden email] wrote:

> I'm getting hit every 10 minutes from this spammer. As you can see I
> am
> rejecting the message. I wonder if the offending email server doesn't
> know the message is being rejected?

It's not being rejected, it's being deferred.

> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> rejected: cannot find your reverse hostname, [113.247.6.67];
> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> helo=<mail.port25.com>

A '450' response code is explicitly telling the client to try again
later.

If you are using reject_unknown_reverse_client_hostname, it is mostly
safe to set unknown_client_reject_code to '550' instead of the default
'450' but if you are using reject_unknown_client_hostname (which is
unsafe for most sites) you should not.

OR: if you don't get any legitimate mail from Hunan, Chongqing, or Hong
Kong you can probably safely block 113.240.0.0/12 from talking at all to
your SMTP port (or just the /13 to limit it to Hunan.)


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
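
The distinction drawn in the replies above (a 450 defers, a 5xx rejects), as an added example that is not part of the original thread: a Python script that groups Postfix `NOQUEUE: reject` log lines by client and reply class, measures the retry interval, and checks a client against the CIDR blocks mentioned. The sample log is constructed from the thread's single log line; the 192.0.2.10 line, the `year` default and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the thread's log line repeated at the 10-minute interval
# the poster describes, plus one invented 5xx DNSBL rejection for contrast.
_FMT = ("Mar 13 {t} centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE: reject: "
        "RCPT from unknown[{ip}]: {reply}; from=<[hidden email]> "
        "to=<[hidden email]> proto=ESMTP helo=<{helo}>")
_DEFER = ("450 4.7.1 Client host rejected: cannot find your reverse hostname, "
          "[113.247.6.67]")
SAMPLE_LOG = "\n".join([
    _FMT.format(t="23:08:58", ip="113.247.6.67", reply=_DEFER, helo="mail.port25.com"),
    _FMT.format(t="23:18:58", ip="113.247.6.67", reply=_DEFER, helo="mail.port25.com"),
    _FMT.format(t="23:28:58", ip="113.247.6.67", reply=_DEFER, helo="mail.port25.com"),
    _FMT.format(t="23:30:02", ip="192.0.2.10", helo="example.invalid",
                reply="554 5.7.1 Service unavailable; Client host [192.0.2.10] "
                      "blocked using zen.spamhaus.org"),
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: "
    r"reject: \w+ from \S*?\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<code>[45]\d\d) ")

def summarize(log_text, year=2018):
    """Group smtpd NOQUEUE rejections by (client IP, reply code)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # syslog stamps carry no year; `year` is an assumption
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            seen[(m["ip"], m["code"])].append(when)
    report = {}
    for key, times in seen.items():
        times.sort()
        report[key] = {
            # 4xx = temporary failure, sender is expected to retry; 5xx = final
            "kind": "deferred" if key[1].startswith("4") else "rejected",
            "attempts": len(times),
            "gaps_s": [int((b - a).total_seconds()) for a, b in zip(times, times[1:])],
        }
    return report

def covering(ip, nets=("113.240.0.0/12", "113.240.0.0/13")):
    """Return which of the CIDR blocks named in the thread contain `ip`."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in ipaddress.ip_network(n)]
```

A client that shows up as `deferred` with regular gaps is obeying the 4xx reply; the same check after switching to a 5xx code should show the attempts stop repeating on that schedule.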

Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

Bill Cole-3
On 13 Mar 2018, at 23:35 (-0400), Bill Cole wrote:

> OR: if you don't get any legitimate mail from Hunan, Chongqing, or
> Hong Kong you can probably safely block 113.240.0.0/12 from talking at
> all to your SMTP port (or just the /13 to limit it to Hunan.)

OR: Use the Spamhaus ZEN DNSBL, which has the whole /12 listed via its
PBL component.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole

Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

lists@lazygranch.com
In reply to this post by Bill Cole-3
On Tue, 13 Mar 2018 23:35:01 -0400
"Bill Cole" <[hidden email]> wrote:

> On 13 Mar 2018, at 22:51 (-0400), [hidden email] wrote:
>
> > I'm getting hit every 10 minutes from this spammer. As you can see
> > I am
> > rejecting the message. I wonder if the offending email server
> > doesn't know the message is being rejected?  
>
> It's not being rejected, it's being deferred.
>
> > Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> > reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> > rejected: cannot find your reverse hostname, [113.247.6.67];
> > from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> > helo=<mail.port25.com>  
>
> A '450' response code is explicitly telling the client to try again
> later.
>
> If you are using reject_unknown_reverse_client_hostname, it is mostly
> safe to set unknown_client_reject_code to '550' instead of the
> default '450' but if you are using reject_unknown_client_hostname
> (which is unsafe for most sites) you should not.
>
> OR: if you don't get any legitimate mail from Hunan, Chongqing, or
> Hong Kong you can probably safely block 113.240.0.0/12 from talking
> at all to your SMTP port (or just the /13 to limit it to Hunan.)
>

I knew it had to be something stupid I was doing since the spammers
behaved when blocked by the RBLs. I am using
reject_unknown_reverse_client_hostname,
so I set the code to 550 as you indicated and will see how that works.

It also now occurs to me that the MX Tools website can be used to see
what annoying IP or host can be blocked by a particular RBL. I've
obviously used the MX Tools blacklist checker for my own domains and IP,
but not for other servers. The offending IP is on eight blocking lists.

Thanks all.

RE: Spammer rejected, but resends every 10 minutes. Any way to prevent this

L.P.H. van Belle
In reply to this post by Bill Cole-3
Or why not use an SPF like this in the dns.

your.domain.tld TXT "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp:explain.your.domain.tld"
explain.your.domain.tld  TXT "SPF error %{i} is not one of %{d}'s designated mail servers."

Now these never reach your server, saving cpu cycles etc.

Greetz,

Louis


> -----Original message-----
> From: [hidden email]
> [mailto:[hidden email]] On behalf of Bill Cole
> Sent: Wednesday 14 March 2018 4:46
> To: Postfix users
> Subject: Re: Spammer rejected, but resends every 10
> minutes. Any way to prevent this
>
> On 13 Mar 2018, at 23:35 (-0400), Bill Cole wrote:
>
> > OR: if you don't get any legitimate mail from Hunan, Chongqing, or
> > Hong Kong you can probably safely block 113.240.0.0/12 from
> talking at
> > all to your SMTP port (or just the /13 to limit it to Hunan.)
>
> OR: Use the Spamhaus ZEN DNSBL, which has the whole /12
> listed via its
> PBL component.
>
> --
> Bill Cole
> [hidden email] or [hidden email]
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
>
>


Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

Bill Cole-3
On 14 Mar 2018, at 6:28 (-0400), L.P.H. van Belle wrote:

> Or why not use and SPF like this in the dns.
>
> your.domain.tld TXT “v=spf1 -exists:%{ir}.zen.spamhaus.org +mx
> -all exp:explain.your.domain.tld”
> explain.your.domain.tld  TXT "SPF error %{i} is not one of %{d}’s
> designated mail servers.”
>
> Now these never reaches your server, saving cpu cycles etc.

1. That only affects mail FROM your domain, which you can control
much more directly for your own MTA in your own MTA.
2. It's redundant: '+mx -all' has the same operational meaning.
3. The syntax (trailing 'exp:' ) will pointlessly challenge SPF
implementations, as it is rarely used and essentially useless.
4. It recommends to others that they use Zen in a manner that it is
unfit for.
5. For many domains, "+mx -all" is unsuitable in both parts.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
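
The SPF record quoted above, run through a small term classifier and macro expander, as an added example that is not part of the original thread. SPF is evaluated by a server receiving mail that claims your.domain.tld as its sender, so the code shows the DNS name such a receiver would query for the `exists` term, and how RFC 7208's grammar sorts each term (modifiers are written `name=value`, mechanisms take `:`). The function names are assumptions, and the client address is reused from the log line earlier in the thread.

```python
import re

# The two TXT strings as posted in the thread (quotes normalised).
POSTED = "v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp:explain.your.domain.tld"
EXPLANATION = "SPF error %{i} is not one of %{d}'s designated mail servers."

MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
TERM_RE = re.compile(
    r"^(?P<q>[+\-~?]?)(?P<name>[A-Za-z][A-Za-z0-9._-]*)(?P<sep>[:=/]?)(?P<arg>.*)$")


def classify(record):
    """Label each term of an SPF record per the RFC 7208 term grammar."""
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    out = []
    for term in terms:
        m = TERM_RE.match(term)
        if m is None:
            kind = "invalid"
        elif m["sep"] == "=" and not m["q"]:
            kind = "modifier"            # redirect=, exp=, or an unknown modifier
        elif m["name"].lower() in MECHANISMS:
            kind = "mechanism"
        else:
            kind = "unknown-mechanism"   # a syntax error: evaluation ends in permerror
        out.append((term, kind))
    return out


def expand(macro_string, ip, domain):
    """Expand only the %{i}, %{ir} and %{d} macros used in the posted records."""
    def sub(m):
        parts = {"i": ip, "d": domain}[m["letter"]].split(".")
        return ".".join(reversed(parts) if m["rev"] else parts)
    return re.sub(r"%\{(?P<letter>[id])(?P<rev>r?)\}", sub, macro_string)


if __name__ == "__main__":
    for term, kind in classify(POSTED):
        print(f"{kind:18} {term}")
    print(expand("%{ir}.zen.spamhaus.org", "113.247.6.67", "your.domain.tld"))
    print(expand(EXPLANATION, "113.247.6.67", "your.domain.tld"))
```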