fight spam problem: sender equal to receiver

36 messages

fight spam problem: sender equal to receiver

Roland Plüss-2
For a couple of weeks I've had a rather nasty (in fact massive) spam
increase. Some jerk sends forged emails to some address [hidden email] on my
server with the same email address as the receiver (hence [hidden email]
receives an email from [hidden email]). It's clearly not relayed by my server,
since the emails come from some spurious servers, but the sender
email is forged.

Now I could not figure out a way with postfix-2.5.5 to reject emails
where the sender and receiver emails match. Any ideas how to
accomplish this?

--
Yours sincerely
Plüss Roland



Re: fight spam problem: sender equal to receiver

Sturgis, Grant

On Sun, 2008-12-07 at 09:51 -0700, Roland Plüss wrote:

> For a couple of weeks I've had a rather nasty (in fact massive) spam
> increase. Some jerk sends forged emails to some address [hidden email] on my
> server with the same email address as the receiver (hence [hidden email]
> receives an email from [hidden email]). It's clearly not relayed by my server,
> since the emails come from some spurious servers, but the sender
> email is forged.
>
> Now I could not figure out a way with postfix-2.5.5 to reject emails
> where the sender and receiver emails match. Any ideas how to
> accomplish this?

This has been discussed at length in the last couple of weeks.  Check
the archives:

http://archives.neohapsis.com/archives/postfix/


>
> --
> Yours sincerely
> Plüss Roland

This electronic message transmission is a PRIVATE communication which
contains information which may be confidential or privileged. The
information is intended to be for the use of the individual or entity
named above. If you are not the intended recipient, please be aware that
any disclosure, copying, distribution or use of the contents of this
information is prohibited. Please notify the sender  of the delivery
error by replying to this message, or notify us by telephone
(877-633-2436, ext. 0), and then delete it from your system.

Re: fight spam problem: sender equal to receiver

Roland Plüss-2
I have now read the thread in the archive and tried to apply the proposed
solution. I'm still getting the same amount of spam mails where
sender=receiver. My settings look like this:

disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
   permit_mynetworks,
   check_helo_access hash:/etc/postfix/helo_access,
   reject_invalid_helo_hostname,
   reject_non_fqdn_helo_hostname,
   reject_unknown_helo_hostname,
   permit
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_unauth_destination,
   reject_non_fqdn_hostname,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_rbl_client zen.spamhaus.org,
   permit
smtpd_sender_restrictions =
   permit_mynetworks,
   check_sender_access hash:/etc/postfix/sender_access,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   reject_sender_login_mismatch,
   reject_unauthenticated_sender_login_mismatch,
   permit

I added the "reject_unknown_recipient_domain" and "reject_rbl_client
zen.spamhaus.org" lines to no avail. Any ideas what else I could try?

Sturgis, Grant wrote:

> On Sun, 2008-12-07 at 09:51 -0700, Roland Plüss wrote:
>  
>> For a couple of weeks I've had a rather nasty (in fact massive) spam
>> increase. Some jerk sends forged emails to some address [hidden email] on my
>> server with the same email address as the receiver (hence [hidden email]
>> receives an email from [hidden email]). It's clearly not relayed by my server,
>> since the emails come from some spurious servers, but the sender
>> email is forged.
>>
>> Now I could not figure out a way with postfix-2.5.5 to reject emails
>> where the sender and receiver emails match. Any ideas how to
>> accomplish this?
>>    
>
> This has been discussed at length in the last couple of weeks.  Check
> the archives:
>
> http://archives.neohapsis.com/archives/postfix/
>
>
--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



Re: fight spam problem: sender equal to receiver

Roland Plüss-2
** Sorry, sent to the previous poster instead of the list...
** I'm not a fan of mailing lists because of things
** like this U.=.U

No idea which log snippets you want to see but the postconf -n one I can
give already

alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib64/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 2
disable_vrfy_command = yes
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.5.5/html
inet_interfaces = all
local_destination_concurrency_limit = 2
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 8096000
mydestination = $myhostname, localhost.$mydomain, localhost.localdomain,
ldap:acceptdomains
mydomain = rptd.ch
myhostname = rptd.ch
mynetworks = ****, ****, ****, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.5/readme
relay_recipient_maps = ldap:ldaprelay
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,   check_helo_access
hash:/etc/postfix/helo_access,   reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,   reject_unknown_helo_hostname,   permit
smtpd_recipient_restrictions =
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks,   check_sender_access
hash:/etc/postfix/sender_access,   reject_non_fqdn_sender,
reject_unknown_sender_domain,   reject_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch,   permit
smtpd_tls_CAfile = /etc/apache2/ssl/cacert.crt
smtpd_tls_cert_file = /etc/postfix/mail_rptd_ch.crt
smtpd_tls_key_file = /etc/postfix/mail_rptd_ch.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_gid_maps = static:1100
virtual_mailbox_base = /var/spool/mail/vmail
virtual_mailbox_limit = 0
virtual_mailbox_maps = ldap:ldapvirtual
virtual_minimum_uid = 500
virtual_uid_maps = static:1100


DJ Lucas wrote:

> Roland Plüss wrote:
>> I read now the thread in the archive and tried to apply the proposed
>> solution. I'm still getting the same amount of spam mails where
>> sender=receiver. My settings look like this:
>>
>>  
> Need to see log snips and 'postconf -n' output.
>
> -- DJ Lucas
>
>
--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



Re: fight spam problem: sender equal to receiver

mouss-2
Roland Plüss a écrit :
> ** Sorry, send to the previous poster instead of the list...
> ** I'm not a fan of mailing lists because of things
> ** like this U.=.U
>
> No idea which log snippets you want to see but the postconf -n one I can
> give already
>

a copy of the headers of one spam would be more useful to find out how
to block it.

note that if the forged sender is not in your domain, then the checks
suggested in the previously mentioned thread don't help.


> [snip]


Re: fight spam problem: sender equal to receiver

Roland Plüss-2
In reply to this post by Roland Plüss-2
I tried to find one of the messages in the logs. It's damn hard to find
it since it's really weird... and it all makes no sense to me. I think
this email source belongs to the logs below ( added <!-- --> to prevent
potential damage due to fudged HTML ).



email source:

>>>>>
>>>>>
From - Thu Dec 11 02:09:06 2008
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <[hidden email]>
X-Original-To: [hidden email]
Delivered-To: [hidden email]
Received: from 99-206-220-166.pools.spcsdns.net
(99-206-220-166.pools.spcsdns.net [99.206.220.166])
    by rptd.ch (Postfix) with SMTP id D824468297
    for <[hidden email]>; Wed, 10 Dec 2008 18:03:42 +0100 (CET)
To: <[hidden email]>
Subject: Delivery Status Notification (Failure)
From: <[hidden email]>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Message-Id: <[hidden email]>
Date: Wed, 10 Dec 2008 18:03:42 +0100 (CET)

<!--

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
</HEAD>
<BODY><a href="http://resolutionor.com/" target="_blank">
<img src="http://resolutionor.com/adv4.jpg" border=0 alt="Having trouble
viewing this email?
Click here to view as a webpage."></a></BODY></HTML>

-->
<<<<<
<<<<<



the logs ( **** is an email address from my network, a legit one ).

>>>>>
>>>>>
Dec 10 18:03:41 [postfix/smtpd] initializing the server-side TLS engine
Dec 10 18:03:41 [postfix/smtpd] connect from
99-206-220-166.pools.spcsdns.net[99.206.220.166]
Dec 10 18:03:42 [postfix/smtpd] warning: restriction
`reject_authenticated_sender_login_mismatch' ignored: no SASL support
Dec 10 18:03:42 [postfix/smtpd] warning: restriction
`reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
                - Last output repeated twice -
Dec 10 18:03:42 [postfix/smtpd] D824468297:
client=99-206-220-166.pools.spcsdns.net[99.206.220.166]
Dec 10 18:03:43 [postfix/smtpd] connect from
mail.hudfic.com.vn[210.245.86.14]
Dec 10 18:03:44 [postfix/cleanup] D824468297:
message-id=<[hidden email]>
Dec 10 18:03:44 [postfix/qmgr] D824468297: from=<[hidden email]>,
size=827, nrcpt=1 (queue active)
Dec 10 18:03:44 [postfix/smtpd] NOQUEUE: reject: RCPT from mail.hudfic.com.vn[210.245.86.14]: 450 4.7.1 <cp-mail1.hosting.hn.fpt.vn>: Helo command rejected: Host not found; from=<[hidden email]> to=<****@rptd.ch> proto=ESMTP helo=<cp-mail1.hosting.hn.fpt.vn>
Dec 10 18:03:44 [postfix/virtual] D824468297: to=<[hidden email]>, relay=virtual, delay=2, delays=2/0/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Dec 10 18:03:44 [postfix/qmgr] D824468297: removed
Dec 10 18:03:44 [postfix/smtpd] disconnect from
99-206-220-166.pools.spcsdns.net[99.206.220.166]
Dec 10 18:03:44 [postfix/smtpd] disconnect from
mail.hudfic.com.vn[210.245.86.14]
<<<<<<
<<<<<<



What is strange is that it looks like they send a fudged mail and the
mail triggers a postmaster mail (which is redirected to [hidden email]).
But why should it do this? It should only trigger one if you send a
mail to somebody else and an error happens there. I know the person
owning this email and she never used paypal at all, so she also never
sent a mail there for sure.



DJ Lucas wrote:

> Roland Plüss wrote:
>> ** Sorry, send to the previous poster instead of the list...
>> ** I'm not a fan of mailing lists because of things
>> ** like this U.=.U
>>
>> No idea which log snippets you want to see
> A complete log of a message that got through that shouldn't have, from
> connect to delivery would be helpful.  Still in a bit of a
> rush...check back later.
>
> -- DJ Lucas
>
>
>
--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )
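The report above interleaves two SMTP sessions (the spam from 99.206.220.166 that was queued as D824468297 and delivered, and the mail.hudfic.com.vn connection that was rejected at HELO), which is why queue ID and pid are what you correlate on. The following Python is added here as an illustration and is not code from the original posts or from Postfix: it parses log lines in standard syslog form (host and pid present), joins the smtpd/qmgr/virtual lines per queue ID, and lists delivered messages whose envelope sender equals the recipient and whose client is outside mynetworks. The sample lines, the example addresses and the 10.0.0.0/8 entry in MYNETWORKS are constructed for the example.

```python
"""Correlate Postfix log lines by queue ID and flag delivered messages whose
envelope sender equals the envelope recipient and that came from outside
mynetworks.

Added example for this thread; not code from the original posts or from
Postfix. SAMPLE_LOG is constructed in standard syslog form (host and pid
included); the addresses and the 10.0.0.0/8 network are made up, the
99.206.220.166 client is the one from the posted report.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec 10 18:03:41 rptd postfix/smtpd[390]: connect from 99-206-220-166.pools.spcsdns.net[99.206.220.166]
Dec 10 18:03:42 rptd postfix/smtpd[390]: D824468297: client=99-206-220-166.pools.spcsdns.net[99.206.220.166]
Dec 10 18:03:43 rptd postfix/smtpd[392]: connect from mail.example.org[203.0.113.5]
Dec 10 18:03:44 rptd postfix/cleanup[391]: D824468297: message-id=<0001@example.invalid>
Dec 10 18:03:44 rptd postfix/qmgr[300]: D824468297: from=<alice@example.test>, size=827, nrcpt=1 (queue active)
Dec 10 18:03:44 rptd postfix/smtpd[392]: NOQUEUE: reject: RCPT from mail.example.org[203.0.113.5]: 450 4.7.1 <cp-mail1>: Helo command rejected: Host not found; from=<bob@example.org> to=<alice@example.test> proto=ESMTP helo=<cp-mail1>
Dec 10 18:03:44 rptd postfix/virtual[395]: D824468297: to=<alice@example.test>, relay=virtual, delay=2, delays=2/0/0/0.03, dsn=2.0.0, status=sent (delivered to maildir)
Dec 10 18:03:44 rptd postfix/qmgr[300]: D824468297: removed
Dec 10 18:03:44 rptd postfix/smtpd[390]: disconnect from 99-206-220-166.pools.spcsdns.net[99.206.220.166]
Dec 10 18:05:01 rptd postfix/smtpd[393]: 1A2B3C4D5E: client=workstation.example.test[10.0.0.7]
Dec 10 18:05:01 rptd postfix/qmgr[300]: 1A2B3C4D5E: from=<alice@example.test>, size=1200, nrcpt=1 (queue active)
Dec 10 18:05:02 rptd postfix/virtual[395]: 1A2B3C4D5E: to=<alice@example.test>, relay=virtual, delay=1, delays=1/0/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Dec 10 18:05:02 rptd postfix/qmgr[300]: 1A2B3C4D5E: removed
"""

# 127.0.0.0/8 is from the posted config; 10.0.0.0/8 is assumed for the example.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

# "Mon DD HH:MM:SS host postfix/prog[pid]: QUEUEID: rest". NOQUEUE rejects and
# connect/disconnect lines have no hex queue ID and therefore do not match.
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
CLIENT_RE = re.compile(r"client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*status=(?P<status>\w+)")


def parse_log(text):
    """Return {queue_id: {'client_ip', 'from', 'recipients': [(to, status), ...]}}."""
    msgs = defaultdict(lambda: {"client_ip": None, "from": None, "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        c = CLIENT_RE.search(rest)          # smtpd: which client submitted it
        if c:
            msgs[qid]["client_ip"] = c.group("ip")
        f = FROM_RE.search(rest)            # qmgr: envelope sender (MAIL FROM)
        if f:
            msgs[qid]["from"] = f.group("addr").lower()
        t = TO_RE.search(rest)              # delivery agent: recipient + status
        if t:
            msgs[qid]["recipients"].append((t.group("addr").lower(), t.group("status")))
    return dict(msgs)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def forged_self_mail(text):
    """Queue IDs of messages delivered (status=sent) to the very address given
    as envelope sender, submitted by a client outside mynetworks."""
    hits = []
    for qid, rec in parse_log(text).items():
        if rec["client_ip"] is None or is_internal(rec["client_ip"]):
            continue
        for to, status in rec["recipients"]:
            if status == "sent" and rec["from"] == to:
                hits.append(qid)
    return hits


if __name__ == "__main__":
    print(forged_self_mail(SAMPLE_LOG))
```

NOQUEUE rejects carry no queue ID and are skipped on purpose; a queue ID that shows up in the result is a message no restriction stopped, and the envelope address in its qmgr from=<...> line is exactly what a check_sender_access table gets to see.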



Re: fight spam problem: sender equal to receiver

DJ Lucas-2
Roland Plüss wrote:
> `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
>  
Well, there ya go.  There is no restriction that would prevent that
message from being delivered, so of course they get through.

At a very minimum, please add: 'reject_rbl_client zen.spamhaus.org' to
smtpd_recipient_restrictions.  That'll stop quite a few of them as well
as a lot of other junk.

As far as SASL support, you can verify with postconf -a.  Making postfix
aware of Cyrus or Dovecot is another thing that probably should be done
at some point.
See http://www.postfix.org/SASL_README.html#build_postfix or check with
your distribution/vendor for support if postfix was supplied to you in a
package.

-- DJ Lucas


--
This message has been scanned for viruses and
dangerous content, and is believed to be clean.


Re: fight spam problem: sender equal to receiver

mouss-2
In reply to this post by Roland Plüss-2
Roland Plüss a écrit :
> I tried to find one of the messages in the logs. It's damn hard to find
> it since it's really weird... and it all makes no sense to me. I think
> this email source belongs to the logs below ( added <!-- --> to prevent
> potential damage due to fudged HTML ).
>

Do not edit logs, except replacing private information. you have really
no reason to remove the pid. In any case, the format of the lines must
not be changed (because we know how a unix log line looks like).


anyway,
        reject_rbl_client zen.spamhaus.org
should be enough to block 99.206.220.166


Re: fight spam problem: sender equal to receiver

Roland Plüss-2
I only enclosed the HTML tags in the email body with comment marks. The
logs are unaltered except for hiding one email address.

What goes for zen.spamhaus.org... I've got this one in my config... but
it seems to not work ( host not found ).

mouss wrote:

> Roland Plüss a écrit :
>  
>> I tried to find one of the messages in the logs. It's damn hard to find
>> it since it's really weird... and it all makes no sense to me. I think
>> this email source belongs to the logs below ( added <!-- --> to prevent
>> potential damage due to fudged HTML ).
>>
>>    
>
> Do not edit logs, except replacing private information. you have really
> no reason to remove the pid. In any case, the format of the lines must
> not be changed (because we know how a unix log line looks like).
>
>
> anyway,
> reject_rbl_client zen.spamhaus.org
> should be enough to block 99.206.220.166
>
>  
--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )


signature.asc (268 bytes) Download Attachment

Re: fight spam problem: sender equal to receiver

Roland Plüss-2
In reply to this post by DJ Lucas-2
SASL is a problem. I tried doing it once but as soon as I enable the
entire system totally breaks. I tried various tuts and howtos but to no
avail. SASL stays broken and I can't get it working. I'm running
hardened 64bit here and postfix crashes left and right if not compiled
with a no-pie compiler. With SASL compiled in it also crashes left and
right with a no-pie compiler so I'm somehow forced to find another way
around this problem.

DJ Lucas wrote:

> Roland Plüss wrote:
>> `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
>>  
> Well, there ya go.  There is no restriction that would prevent that
> message from being delivered, so of course they get through.
>
> At a very minimum, please add: 'reject_rbl_client zen.spamhaus.org' to
> smtpd_recipient_restrictions.  That'll stop quite a few of them as
> well as a lot of other junk.
>
> As far as SASL support, you can verify with postconf -a.  Making
> postfix aware of Cyrus or Dovecot is another thing that probably
> should be done at some point.
> See http://www.postfix.org/SASL_README.html#build_postfix or check
> with your distribution/vendor for support if postfix was supplied to
> you in a package.
>
> -- DJ Lucas
>
>
postconf -a yields nothing. What is it supposed to do?

--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



Re: fight spam problem: sender equal to receiver

mouss-2
In reply to this post by Roland Plüss-2
Roland Plüss a écrit :
> I only enclosed the HTML tags in the email body with comment marks. The
> logs are unaltered except hidding one email address.
>

so what logs are these? I mean, how were these logs generated?


Dec 10 18:03:41 [postfix/smtpd] connect from
99-206-220-166.pools.spcsdns.net[99.206.220.166]

a standard unix log line would look like this:

Dec 10 18:03:41 yourhost postfix/smtpd[390]: connect from
99-206-220-166.pools.spcsdns.net[99.206.220.166]

In particular, it has the pid (the [390] in this example).

if you followed the "mentioned threads", then that mail should have been
blocked. your sender_access should contain

rptd.ch REJECT not authorized blah blah

do not forget to postmap the file.


> What goes for zen.spamhaus.org... I've got this one in my config... but
> it seems to not work ( host not found ).

try

$ host 2.0.0.127.zen.spamhaus.org

This should return

2.0.0.127.zen.spamhaus.org has address 127.0.0.4
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.2


Note that spamhaus require you to pay for a feed if you query them too
much. so if you get a lot of mail, you'll need a feed. Also, if you
forward DNS queries to your ISP, and your ISP doesn't pay for a feed,
then your queries will be blocked as well.


you could also reject "dynamic like" helo names with a
        check_helo_access pcre:/etc/postfix/access_helo.pcre

== access_helo.pcre
/^\d+([-\.]\d+){3}\./ REJECT dynamic like helo hostname. Please fix your HELO or use your ISP relay

WARNING: untested/unvalidated/no warranty/...

Examples have been posted on the list (more or less recently).


In another post, you wrote:
> SASL is a problem. I tried doing it once but as soon as I enable the
> entire system totally breaks. I tried various tuts and howtos but to
> no avail. SASL stays broken and I can't get it working. I'm running
> hardened 64bit here and postfix crashes left and right if not compiled
> with a no-pie compiler. With SASL compiled in it also crashes left and
> right with a no-pie compiler so I'm somehow forced to find another way
> around this problem.

you can try dovecot sasl implementation, if you have a recent postfix.
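To make the three checks in the post above concrete (the reversed-octet name that reject_rbl_client queries under zen.spamhaus.org, the 2.0.0.127 self-test and what its 127.0.0.x answers mean, and the dynamic-looking HELO pattern), here is an added Python example; it is not code from the original posts, from Postfix or from Spamhaus. DNS is replaced by a constructed stub table so it runs offline; the stub's listing of 99.206.220.166 is assumed for illustration, the answer-code meanings are the ones Spamhaus publishes for ZEN, and the test point answers are the ones the post says to expect.

```python
"""DNSBL lookup-name construction, Spamhaus ZEN answer-code interpretation and
the 'dynamic-like HELO' regex from the post above.

Added example, not code from the original posts, Postfix or Spamhaus. No real
DNS is used: STUB_DNS is a constructed answer table so the checks run offline.
"""
import ipaddress
import re

ZEN = "zen.spamhaus.org"

# ZEN answer codes as documented by Spamhaus: which sub-list produced the hit.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

# Stub resolver (constructed): name -> A records; [] stands for NXDOMAIN.
STUB_DNS = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10", "127.0.0.2"],  # test point, as in the post
    "166.220.206.99.zen.spamhaus.org": ["127.0.0.11"],                       # assumed: PBL (dynamic pool)
    "14.86.245.210.zen.spamhaus.org": [],                                    # assumed: not listed
}


def dnsbl_name(ip, zone=ZEN):
    """reject_rbl_client asks for <octets reversed>.<zone>,
    e.g. 99.206.220.166 -> 166.220.206.99.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zen_lookup(ip, resolve=STUB_DNS.get):
    """Set of ZEN sub-lists that list ip; empty set means not listed."""
    answers = resolve(dnsbl_name(ip)) or []
    return {ZEN_CODES.get(a, "unknown:" + a) for a in answers}


def zen_self_test(resolve=STUB_DNS.get):
    """Equivalent of 'host 2.0.0.127.zen.spamhaus.org': the 127.0.0.2 test
    point must answer. NXDOMAIN here means the resolver path is broken or
    blocked (e.g. an over-quota ISP forwarder), not that the zone is clean."""
    return bool(resolve(dnsbl_name("127.0.0.2")))


# The HELO pattern from the post: four dot- or dash-separated numbers at the
# start, followed by a dot, i.e. an IP address baked into a generic rDNS name.
DYNAMIC_HELO = re.compile(r"^\d+([-.]\d+){3}\.")


def dynamic_like_helo(helo):
    return DYNAMIC_HELO.search(helo) is not None


if __name__ == "__main__":
    print("self-test ok:", zen_self_test())
    for ip in ("99.206.220.166", "210.245.86.14"):
        print(ip, dnsbl_name(ip), zen_lookup(ip) or "not listed")
    for helo in ("99-206-220-166.pools.spcsdns.net", "cp-mail1.hosting.hn.fpt.vn"):
        print(helo, "dynamic-like" if dynamic_like_helo(helo) else "ok")
```

zen_self_test() coming back False is the "host not found" symptom from this thread: it says nothing about any listing, only that the queries never reach Spamhaus. The HELO pattern needs a dot after the fourth number, so it deliberately matches only rDNS-style names such as 99-206-220-166.pools.spcsdns.net; a bare or bracketed address literal in HELO is a separate case left to the other helo restrictions.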

Re: fight spam problem: sender equal to receiver

Roland Plüss-2

> so what logs are these? I mean, how were these logs generated?
>  
vixie-cron
> if you followed the "mentioned threads", then that mail should have been
> blocked. your sender_access should contain
>
> rptd.ch REJECT not authorized blah blah
>
> do not forget to postmap the file.
>  
I can try adding this line. But didn't this thread mention "potential
problems" with this setup?
> Note that spamhaus require you to pay for a feed if you query them too
> much. so if you get a lot of mail, you'll need a feed. Also, if you
> forward DNS queries to your ISP, and your ISP doesn't pay for a feed,
> then your queries will be blocked as well.
>  
What kind of numbers for "not too many" do we talk here?
> you can try dovecot sasl implementation, if you have a recent postfix.
>  
I've got mail-mta/postfix-2.5.5 , should this work?

--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



Re: fight spam problem: sender equal to receiver

mouss-2
Roland Plüss a écrit :
>> so what logs are these? I mean, how were these logs generated?
>>  
> vixie-cron

so they are not logs. these are reports.

next time, connect to your server and grab lines from /var/log/maillog
(or whatever file contains postfix logs). not necessary now.


>> if you followed the "mentioned threads", then that mail should have been
>> blocked. your sender_access should contain
>>
>> rptd.ch REJECT not authorized blah blah
>>
>> do not forget to postmap the file.
>>  
> I can try adding this line. But didn't this thread mentioned "potential
> problems" with this setup?

it really depends on your setup and/or policy.

>> Note that spamhaus require you to pay for a feed if you query them too
>> much. so if you get a lot of mail, you'll need a feed. Also, if you
>> forward DNS queries to your ISP, and your ISP doesn't pay for a feed,
>> then your queries will be blocked as well.
>>  
> What kind of numbers for "not too many" do we talk here?

http://www.spamhaus.org/organization/dnsblusage.html

if you generate 300,000 DNS queries per day, you need a feed... but you
forgot to run the test command... (host 2.0.....).

>> you can try dovecot sasl implementation, if you have a recent postfix.
>>  
> I've got mail-mta/postfix-2.5.5 , should this work?
>


dovecot is supported in "2.3 and later". but your package may have been
built without it. run
# postconf -a
and see if "dovecot" is listed in the output.

read
        http://www.postfix.org/SASL_README.html
for more.

Re: fight spam problem: sender equal to receiver

Roland Plüss-2

> so they are not logs. these are reports.
>
> next time, connect to your server and grab lines from /var/log/maillog
> (or whatever file contains postfix logs). not necessary now.
>  
I don't have such a file. All logs go into the one I posted managed by
vixie-cron.
> it really depends on your setup and/or policy.
>  
Tried it. I'm still getting the same spam which clearly matches this
rule but it doesn't seem to work. Are they using a work-around to trick
postfix?
> http://www.spamhaus.org/organization/dnsblusage.html
>
> if you generate 300,000 DNS queries per day, you need a feed... but you
> forgot to run the test command... (host 2.0.....).
>  
Do we talk of "DNS" queries or conventional queries (per mail)? Since
I've got a DNS server on my machine which would already capture all DNS
queries.
> dovecot is supported in "2.3 and later". but your package may have been
> built without it. run
> # postconf -a
> and see if "dovecot" is listed in the output.
>
> read
> http://www.postfix.org/SASL_README.html
> for more.
>  
No, all empty. I'll have a closer look into this one this weekend.

--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



Re: fight spam problem: sender equal to receiver

mouss-2
Roland Plüss a écrit :
>> so they are not logs. these are reports.
>>
>> next time, connect to your server and grab lines from /var/log/maillog
>> (or whatever file contains postfix logs). not necessary now.
>>  
> I don't have such a file. All logs go into the one I posted managed by
> vixie-cron.

No. cron doesn't "manage" logs. cron runs log parsers that generate
reports. but the logs are somewhere on your system. if you are using a
standard syslogd, then you can find the path in /etc/syslog.conf. if you
can't find them, you'll need to ask on a forum dedicated to your OS.

>> it really depends on your setup and/or policy.
>>  
> Tried it. I'm still getting the same spam which clearly matches this
> rule but it doesn't seem to work. Are they using a work-around to trick
> postfix?

that check only blocks specific spam: spam that uses an address in your
domain in the envelope sender (MAIL FROM command). this envelope sender
is what you see in the Return-Path header in the sample you posted.

>> http://www.spamhaus.org/organization/dnsblusage.html
>>
>> if you generate 300,000 DNS queries per day, you need a feed... but you
>> forgot to run the test command... (host 2.0.....).
>>  
> Do we talk of "DNS" queries of conventional queries ( per mail ). Since
> I've got a DNS server on my machine which would already capture all DNS
> queries.

instead of spending time on theory, why don't you run the command that I
told you?
$ host 2.0.0.127.zen.spamhaus.org

and yes, the 300000 are DNS queries. if you don't get a lot of mail,
then your DNS server won't be blocked, unless it forwards queries to
your ISP.

>> dovecot is supported in "2.3 and later". but your package may have been
>> built without it. run
>> # postconf -a
>> and see if "dovecot" is listed in the output.
>>
>> read
>> http://www.postfix.org/SASL_README.html
>> for more.
>>  
> No, all empty. I'll have a closer look into this one this weekend.
>

so you need to rebuild/reinstall it.
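To show what the check_sender_access table actually sees, here is an added Python emulation of the lookup order Postfix uses against a hash table built from the "rptd.ch REJECT" line; it is neither Postfix code nor code from the posts. The order (user@domain, then the domain and each parent domain, then user@) follows access(5); the "<>" key for the null sender is the default smtpd_null_access_lookup_key; and parent_matches_subdomains stands in for smtpd_access_maps being listed in parent_domain_matches_subdomains, which it is by default. The addresses used in the calls are made up.

```python
"""Lookup order of a Postfix check_sender_access hash table, applied to the
envelope sender (MAIL FROM, later seen as Return-Path), never to header From.

Added example for this thread; not code from the posts or from Postfix.
SENDER_ACCESS is what 'postmap' would build from the post's single line.
"""

SENDER_ACCESS = {
    "rptd.ch": "REJECT not authorized",
}


def lookup_keys(address, parent_matches_subdomains=True):
    """Keys Postfix tries, in order, for one envelope sender address."""
    addr = address.strip().lower()
    if addr in ("", "<>"):
        return ["<>"]                       # null sender: bounces and DSNs
    if "@" not in addr:
        return [addr]
    local, domain = addr.rsplit("@", 1)
    keys = [addr, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # with parent matching, a bare 'rptd.ch' entry also covers mail.rptd.ch;
        # without it only a leading-dot '.rptd.ch' entry would
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")
    return keys


def sender_access(envelope_sender, table=SENDER_ACCESS, parent_matches_subdomains=True):
    """First matching action, or None (DUNNO: fall through to the next restriction)."""
    for key in lookup_keys(envelope_sender, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None


def smtp_decision(envelope_sender, header_from=None, table=SENDER_ACCESS):
    """Reply the smtpd gives for MAIL FROM. header_from is accepted only to make
    the point: it arrives with DATA, after this decision, and is not consulted."""
    del header_from
    action = sender_access(envelope_sender, table)
    if action is not None and action.upper().startswith("REJECT"):
        text = action[len("REJECT"):].strip() or "Access denied"   # Postfix default text
        return "554 5.7.1 <%s>: Sender address rejected: %s" % (envelope_sender, text)
    return "DUNNO"


if __name__ == "__main__":
    print(lookup_keys("someone@mail.rptd.ch"))
    print(smtp_decision("victim@rptd.ch", header_from="victim@rptd.ch"))
    print(smtp_decision("spammer@example.org", header_from="victim@rptd.ch"))
```

The forged mail in this thread carries a rptd.ch address in Return-Path, so it is the first case and the entry fires; a forgery that only puts your address in the header From: with a foreign envelope sender is the second case and passes, which is the limitation described above. The "potential problems" asked about earlier are the flip side of the same rule: any host outside mynetworks that legitimately submits mail with a rptd.ch envelope sender (a roaming user without SASL, a web form on another host, a backup MX relaying in) gets the same REJECT, which is why permit_mynetworks and, where available, permit_sasl_authenticated sit before the check. The hash: table is only rebuilt by running postmap on the text file after editing it.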

Re: fight spam problem: sender equal to receiver

Roland Plüss-2

> that check only blocks specific spam: spam that uses an address in your
> domain in the envelope sender (MAIL FROM command). this envelope sender
> is what you see in the Return-Path header in the sample you posted.
>  
I tried adding the REJECT line to the "check_sender_access
hash:/etc/postfix/sender_access" and it still spams like hell. What
could be wrong?
> instead of spending time on theory, why don't you run the command that I
> told you?
> $ host 2.0.0.127.zen.spamhaus.org
>
> and yes, the 300000 are DNS queries. if you don't get a lot of mail,
> then your DNS server won't be blocked, unless it forwards queries to
> your ISP.
>  
I'll try mapping zen.spamhaus.org to 127.0.0.2 in my /etc/hosts. This
should not require a DNS lookup and hopefully it works then. Let's see
> so you need to rebuild/reinstall it.
>  
I'll keep this as an option should anything else fail.

--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



Re: fight spam problem: sender equal to receiver

Jan P. Kessler-2
Roland Plüss schrieb:
> I'll try mapping zen.spamhaus.org to 127.0.0.2 in my /etc/hosts. This
> should not require a DNS lookup and hopefully it works then. Let's see
>  

You must not do this if you want to use zen.spamhaus.org. Please follow
the advice given and read something about how dnsbls work. A good point
to start might be http://www.spamhaus.org/dnsbl_function.html



Re: fight spam problem: sender equal to receiver

Roland Plüss-2
The problem is that it doesn't seem to work, neither the way mentioned in
the threads nor adding the dns bypass... I've got again 20 of those same
spam mails in my inbox today. It's getting on my nerves. Is there no way to
stop this?

Jan P. Kessler wrote:

> Roland Plüss schrieb:
>> I'll try mapping zen.spamhaus.org to 127.0.0.2 in my /etc/hosts. This
>> should not require a DNS lookup and hopefully it works then. Let's see
>>  
>
> You must not do this if you want to use zen.spamhaus.org. Please
> follow the given advices and read something about how dnsbls work. A
> good point to start might be http://www.spamhaus.org/dnsbl_function.html
>
>
--
Yours sincerely
Plüss Roland

Leader and Head Programmer
- Game: Epsylon ( http://epsylon.rptd.ch/ ,
http://www.moddb.com/games/4057/epsylon )
- Game Engine: Drag(en)gine ( http://dragengine.rptd.ch ,
http://www.moddb.com/engines/9/dragengine )
- Normal Map Generator: DENormGen ( http://epsylon.rptd.ch/denormgen.php )



Re: fight spam problem: sender equal to receiver

mouss-2
Roland Plüss a écrit :
> The problem is that it doesn't seem to work neither the way mentioned in
> the threads nor adding the dns bypass... I've got again 20 of those same
> spam shit in my inbox today. It's going on my nerves. Is there no way to
> stop this?
>

There is no "dns bypass". I did not tell you to edit /etc/hosts. I told
you to run the following command:

host 2.0.0.127.zen.spamhaus.org

in short, connect to your postfix server and in the terminal, type the
line above, hit "ENTER" and see what the system tells you. "host" is
similar to "nslookup". Am I clear now?


Also, post the output of
        postconf -n
Last time you showed it, you did not have zen in your config.

Re: fight spam problem: sender equal to receiver

Noel Jones-2
In reply to this post by Roland Plüss-2
Roland Plüss wrote:
> The problem is that it doesn't seem to work neither the way mentioned in
> the threads nor adding the dns bypass... I've got again 20 of those same
> spam shit in my inbox today. It's going on my nerves. Is there no way to
> stop this?

Please do not top post.  Put your answers below the text you
refer to.  And watch your language.

If you need help, show your "postconf -n" output and postfix
logging of the message you want to block.

If you want to show the contents of the spam, upload it to
pastebin.com and include the link in your post here.

>> Roland Plüss schrieb:
>>> I'll try mapping zen.spamhaus.org to 127.0.0.2 in my /etc/hosts. This
>>> should not require a DNS lookup and hopefully it works then. Let's see

No, don't add this to your hosts file.  Add a restriction to
your postfix main.cf.  Show your "postconf -n" output if you
need help knowing what to put where.


--
Noel Jones
