Why is this mail accepted?


Why is this mail accepted?

Peter Tselios
Dear all,
        I try to figure out why emails from unknown senders are not blocked by
postfix configuration. In my main.cf I have the following:

smtpd_recipient_restrictions =
        permit_mx_backup,
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_rbl_client multihop.dsbl.org,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client bl.spamcop.net,
        #reject_unauth_destination,
        check_relay_domains,
        check_client_access pcre:/etc/postfix/dspam_filter_access,
        permit

However, I constantly receive mails like the following:
Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: NOQUEUE: filter: RCPT from
unknown[92.48.195.40]: <unknown[92.48.195.40]>: Client host triggers FILTER
dspam:dspam; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<alpha.oxywrz.com>
Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: D2DD45F08034:
client=unknown[92.48.195.40]
Jul 22 10:40:20 SERVER1 postfix/cleanup[26880]: D2DD45F08034:
message-id=<[hidden email]>
Jul 22 10:40:21 SERVER1 postfix/qmgr[6895]: D2DD45F08034:
from=<[hidden email]>, size=2710, nrcpt=1 (queue
active)

The antispam is not catching the mail (that's another issue), but the question
is why the mail was not denied in the first place?

Thank you,
Peter


Re: Why is this mail accepted?

Ralf Hildebrandt
* s91066 <[hidden email]>:

> Dear all,
> I try to figure out why emails from unknown senders are not blocked by
> postfix configuration. In my main.cf I have the following:
>
> smtpd_recipient_restrictions =
> permit_mx_backup,
> permit_mynetworks,
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_rbl_client multihop.dsbl.org,
> reject_rbl_client sbl-xbl.spamhaus.org,
> reject_rbl_client cbl.abuseat.org,
> reject_rbl_client bl.spamcop.net,
> #reject_unauth_destination,
> check_relay_domains,
> check_client_access pcre:/etc/postfix/dspam_filter_access,
> permit
>
> However, I constantly receive mails like the following:

> Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: NOQUEUE: filter: RCPT from
> unknown[92.48.195.40]: <unknown[92.48.195.40]>: Client host triggers FILTER
> dspam:dspam; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<alpha.oxywrz.com>
> Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: D2DD45F08034:
> client=unknown[92.48.195.40]
> Jul 22 10:40:20 SERVER1 postfix/cleanup[26880]: D2DD45F08034:
> message-id=<[hidden email]>
> Jul 22 10:40:21 SERVER1 postfix/qmgr[6895]: D2DD45F08034:
> from=<[hidden email]>, size=2710, nrcpt=1 (queue
> active)
>
> The antispam is not catching the mail (that's another issue), but the question
> is why the mail was not denied in the first place?

Why SHOULD it be denied? Based on which criterion?

check_relay_domains returns permit or reject, thus nothing after
check_relay_domains is seen at all.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
People, it's only email. There are other things in life (really).
Have a break ...                                        -- Wietse

Re: Why is this mail accepted? - corrections

Peter Tselios
> * s91066 <[hidden email]>:
> > Dear all,
> > I try to figure out why emails from unknown senders are not blocked by
> > postfix configuration. In my main.cf I have the following:
> >
> > smtpd_recipient_restrictions =
> > permit_mx_backup,
> > permit_mynetworks,
> > reject_non_fqdn_sender,
> > reject_non_fqdn_recipient,
> > reject_unknown_recipient_domain,
> > reject_unknown_sender_domain,
> > reject_unknown_recipient_domain,
> > reject_rbl_client multihop.dsbl.org,
> > reject_rbl_client sbl-xbl.spamhaus.org,
> > reject_rbl_client cbl.abuseat.org,
> > reject_rbl_client bl.spamcop.net,
> > #reject_unauth_destination,
> > check_relay_domains,
> > check_client_access pcre:/etc/postfix/dspam_filter_access,
> > permit
> >
> > However, I constantly receive mails like the following:
> >
> > Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: NOQUEUE: filter: RCPT from
> > unknown[92.48.195.40]: <unknown[92.48.195.40]>: Client host triggers
> > FILTER dspam:dspam; from=<[hidden email]>
> > to=<[hidden email]> proto=ESMTP helo=<alpha.oxywrz.com>
> > Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: D2DD45F08034:
> > client=unknown[92.48.195.40]
> > Jul 22 10:40:20 SERVER1 postfix/cleanup[26880]: D2DD45F08034:
> > message-id=<[hidden email]>
> > Jul 22 10:40:21 SERVER1 postfix/qmgr[6895]: D2DD45F08034:
> > from=<[hidden email]>, size=2710, nrcpt=1 (queue
> > active)
> >
> > The antispam is not catching the mail (that's another issue), but the
> > question is why the mail was not denied in the first place?
>
> Why SHOULD it be denied? Based on which criterion?
>
> check_relay_domains returns permit or reject, thus nothing after
> check_relay_domains is seen at all.

Those criteria are on the bottom of the list. The sender's address is listed
at spamhaus.org, thus it should not be permitted to even connect to postfix!
So, one of the restrictions reject_rbl_client multihop.dsbl.org,
reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org or
reject_rbl_client bl.spamcop.net should block the sender!

By the way, I made a mistake in my initial email. The issue is not with
the 'unknown senders' (another issue that I currently investigate) but with
the rbl. My apologies.


Re: Why is this mail accepted? - corrections

Ralf Hildebrandt
* s91066 <[hidden email]>:

> > > Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: NOQUEUE: filter: RCPT from
> > > unknown[92.48.195.40]: <unknown[92.48.195.40]>: Client host triggers
> > > FILTER dspam:dspam; from=<[hidden email]>
> > > to=<[hidden email]> proto=ESMTP helo=<alpha.oxywrz.com>
> > > Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: D2DD45F08034:
> > > client=unknown[92.48.195.40]
> > > Jul 22 10:40:20 SERVER1 postfix/cleanup[26880]: D2DD45F08034:
> > > message-id=<[hidden email]>
> > > Jul 22 10:40:21 SERVER1 postfix/qmgr[6895]: D2DD45F08034:
> > > from=<[hidden email]>, size=2710, nrcpt=1 (queue
> > > active)
> > >
> > > The antispam is not catching the mail (that's another issue), but the
> > > question is why the mail was not denied in the first place?
> >
> > Why SHOULD it be denied? Based on which criterion?
> >
> > check_relay_domains returns permit or reject, thus nothing after
> > check_relay_domains is seen at all.
>
> Those criteria are on the bottom of the list. The sender's address is listed
> at spamhaus.org, thus it should not be permitted to even connect to postfix!
> So, one of the
> the reject_rbl_client multihop.dsbl.org,

http://dsbl.org/ is down, just look at the page

> reject_rbl_client sbl-xbl.spamhaus.org,

Not listed:
http://www.spamhaus.org/query/bl?ip=92.48.195.40

> reject_rbl_client cbl.abuseat.org,

Not listed:
http://cbl.abuseat.org/lookup.cgi?ip=92.48.195.40&.submit=Lookup

> reject_rbl_client bl.spamcop.net, should block the sender!

Not listed:
http://www.spamcop.net/w3m?action=checkblock&ip=92.48.195.40

> By the way, I made a mistake in my initial email. The issue is not with
> the 'unknown senders' (another issue that I currently investigate) but with
> the rbl. My apologies.

There is no problem. The IP is not listed at all.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
I was married by a judge. I should have asked for a jury. - Groucho Marx

Re: Why is this mail accepted? - corrections - blacklists

Richard Foley
Isn't the single zen list an acceptable catch-all currently?

        zen.spamhaus.org

It includes all the SBL/XBL/PBL lists and the CBL list from abuseat.org too.

See also:

        http://stats.dnsbl.com/

--
Richard Foley
Ciao - shorter than aufwiedersehen

http://www.rfi.net/

On Tuesday 22 July 2008 10:54:44 Ralf Hildebrandt wrote:
> * s91066 <[hidden email]>:
>
> > > > Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: NOQUEUE: filter: RCPT from
> > > > unknown[92.48.195.40]: <unknown[92.48.195.40]>: Client host triggers
> > > > FILTER dspam:dspam; from=<[hidden email]>
> > > > to=<[hidden email]> proto=ESMTP helo=<alpha.oxywrz.com>
> > > > Jul 22 10:40:20 SERVER1 postfix/smtpd[26876]: D2DD45F08034:
> > > > client=unknown[92.48.195.40]
> > > > Jul 22 10:40:20 SERVER1 postfix/cleanup[26880]: D2DD45F08034:
> > > > message-id=<[hidden email]>
> > > > Jul 22 10:40:21 SERVER1 postfix/qmgr[6895]: D2DD45F08034:
> > > > from=<[hidden email]>, size=2710, nrcpt=1 (queue
> > > > active)
> > > >
> > > > The antispam is not catching the mail (that's another issue), but the
> > > > question is why the mail was not denied in the first place?
> > >
> > > Why SHOULD it be denied? Based on which criterion?
> > >
> > > check_relay_domains returns permit or reject, thus nothing after
> > > check_relay_domains is seen at all.
> >
> > Those criteria are on the bottom of the list. The sender's address is listed
> > at spamhaus.org, thus it should not be permitted to even connect to postfix!

> > So, one of the
> > the reject_rbl_client multihop.dsbl.org,
>
> http://dsbl.org/ is down, just look at the page
>
> > reject_rbl_client sbl-xbl.spamhaus.org,
>
> Not listed:
> http://www.spamhaus.org/query/bl?ip=92.48.195.40
>
> > reject_rbl_client cbl.abuseat.org,
>
> Not listed:
> http://cbl.abuseat.org/lookup.cgi?ip=92.48.195.40&.submit=Lookup
>
> > reject_rbl_client bl.spamcop.net, should block the sender!
>
> Not listed:
> http://www.spamcop.net/w3m?action=checkblock&ip=92.48.195.40
>
> > By the way, I made a mistake in my initial email. The issue is not with
> > the 'unknown senders' (another issue that I currently investigate) but with
> > the rbl. My apologies.
>
> There is no problem. The IP is not listed at all.
>
> --
> Ralf Hildebrandt ([hidden email])          [hidden email]
> Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
> http://www.arschkrebs.de
> I was married by a judge. I should have asked for a jury. - Groucho Marx
>

Re: Why is this mail accepted? - corrections - blacklists

Ralf Hildebrandt
* Richard Foley <[hidden email]>:
> Isn't the single zen list an acceptable catch-all currently?
>
> zen.spamhaus.org
>
> It includes all the SBL/XBL/PBL lists and the CBL list from abuseat.org too.

Yes, correct.
But it still doesn't list 92.48.195.40 :)

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
God does not play dice.
            -- Einstein

Re: Why is this mail accepted? - corrections - blacklists

mouss-2
Richard Foley wrote:
> Isn't the single zen list an acceptable catch-all currently?
>
> zen.spamhaus.org
>
> It includes all the SBL/XBL/PBL lists and the CBL list from abuseat.org too.

more precisely, the cbl is included in the xbl.

zen = pbl + sbl-xbl
sbl-xbl = sbl + xbl
xbl = cbl + njabl-proxy + ...


That said, one may want to query the cbl directly to reduce the number
of queries to spamhaus or to get fresh responses (I don't know how long
it takes to sync the xbl).
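An added example, not code from the thread or from Postfix, that ties together Ralf's manual "Not listed" checks and mouss's breakdown of zen into pbl + sbl + xbl: it builds the reversed-octet query name that reject_rbl_client sends, and decodes a zen answer back to the sub-list that produced it. The resolver is injected and the zone data is constructed, so it runs offline; the return codes are the ones Spamhaus publishes for zen, not something stated in the thread.

```python
import ipaddress
from typing import Callable, List, Tuple

# Spamhaus return codes for zen (from Spamhaus documentation, not the thread):
# one 127.0.0.x A record per sub-list that carries the address.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.9": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_name(client_ip: str, zone: str) -> str:
    """Query name Postfix looks up for reject_rbl_client: octets reversed, then the zone.
    92.48.195.40 against zen.spamhaus.org becomes 40.195.48.92.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rbl_verdict(client_ip: str, zone: str,
                resolve: Callable[[str], List[str]]) -> Tuple[str, str]:
    """Mimic reject_rbl_client: no A record means DUNNO (fall through to the next
    restriction, as happened to the IP in the thread); a listing means REJECT."""
    answers = resolve(dnsbl_name(client_ip, zone))
    if not answers:
        return ("DUNNO", f"{client_ip} is not listed in {zone}")
    if any(a.startswith("127.255.255.") for a in answers):
        # Spamhaus uses this range for query errors (open resolver, quota exceeded);
        # that is not a listing, so fall through rather than reject on it.
        return ("DUNNO", f"{zone} returned an error code for {client_ip}: {answers}")
    lists = sorted({ZEN_CODES.get(a, f"unknown code {a}") for a in answers})
    return ("REJECT", f"{client_ip} listed in {zone}: " + ", ".join(lists))

# Constructed zone data: the thread's IP is absent (matching Ralf's lookups);
# two documentation-range addresses stand in for an XBL hit and an SBL+PBL hit.
FAKE_ZONE = {
    "1.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
    "2.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],
    "3.2.0.192.zen.spamhaus.org": ["127.255.255.254"],
}

def fake_resolve(name: str) -> List[str]:
    """Stand-in for a DNS A lookup so the example runs offline."""
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("92.48.195.40", "192.0.2.1", "192.0.2.2", "192.0.2.3"):
        print(rbl_verdict(ip, "zen.spamhaus.org", fake_resolve))
```

Postfix itself can be limited to specific answer codes with the `reject_rbl_client zone=d.d.d.d` form, which is the configuration-side equivalent of the error-range check above.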