filtering return-path : <random-string@google.com>


filtering return-path : <random-string@google.com>

Frank Bonnet
Hello

We are hardly spammed by numerous sources , the FIRST line of each email
is like the following

Return-Path: [hidden email]

The left part of the address is constantly changed but the right is always @google.com

I would like to discard all that spam, help greatly appreciated

Thanks in advance
 

Re: filtering return-path : <random-string@google.com>

Noel Jones-2
On 5/3/2013 4:01 AM, Frank Bonnet wrote:

> Hello
>
> We are hardly spammed by numerous sources , the FIRST line of each email
> is like the following
>
> Return-Path: <[hidden email]>
>
> The left part of the address is constantly changed but the right is
> always @google.com
>
> I would like to discard all that spam, help greatly appreciated
>
> Thanks in advance
>  


The Return-Path: header is added by postfix during delivery, and is
equal to the envelope sender address.

It's not clear that all @google.com senders are spam, so there may
be legit mail caught in the trap.  Use with caution.

You can probably reject most of the spam using a few common and
relatively safe rules.  I would suggest something like this:

# main.cf
smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination
# next line is considered quite safe
  reject_unknown_reverse_client_hostname
# next line is safe for most sites
  check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
# zen is considered a very safe and effective RBL
  reject_rbl_client zen.spamhaus.org
# next line rejects all @google.com senders. May reject legit mail.
  check_sender_access pcre:/etc/postfix/sender.pcre

## sender.pcre file contents:
/@google\.com$/   REJECT suspicious @google.com sender address
# while you're at it, reject the current .pw tld spam storm
/\.pw$/  REJECT ".pw" domains not accepted here

The fqrdns.pcre file can be downloaded here:
http://www.hardwarefreak.com/fqrdns.pcre

If you're uncomfortable with any of the above suggestions, you can
safely try them out by prepending warn_if_reject, which will log a
reject_warning:, but not reject the message.  Like this:
  warn_if_reject reject_rbl_client zen.spamhaus.org


The above settings require postfix 2.6 or newer, with pcre support.



  -- Noel Jones

Re: filtering return-path : <random-string@google.com>

Wolfgang Zeikat
In an older episode, on 2013-05-03 16:30, Noel Jones wrote:

> ## sender.pcre file contents:
> /@google\.com$/   REJECT suspicious @google.com sender address

Shouldn't the @ be escaped: \@

wolfgang

> # while you're at it, reject the current .pw tld spam storm
> /\.pw$/  REJECT ".pw" domains not accepted here


Re: filtering return-path : <random-string@google.com>

Noel Jones-2
On 5/3/2013 9:34 AM, Wolfgang Zeikat wrote:
> In an older episode, on 2013-05-03 16:30, Noel Jones wrote:
>
>> ## sender.pcre file contents:
>> /@google\.com$/   REJECT suspicious @google.com sender address
>
> Shouldn't the @ be escaped: \@

No.  This isn't perl.



  -- Noel Jones


>
> wolfgang
>
>> # while you're at it, reject the current .pw tld spam storm
>> /\.pw$/  REJECT ".pw" domains not accepted here
>
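
The sender.pcre table from the two posts above, exercised against sample senders. This is an added example, not code from the thread: Python's re module stands in for PCRE (equivalent for these patterns), and the sample addresses and function names are constructed for illustration.

```python
import re

# sender.pcre exactly as posted in the thread.
SENDER_PCRE = r'''
/@google\.com$/   REJECT suspicious @google.com sender address
# while you're at it, reject the current .pw tld spam storm
/\.pw$/  REJECT ".pw" domains not accepted here
'''

# Constructed envelope senders (hypothetical addresses, not taken from the thread).
SAMPLES = [
    "x7f3kq9@google.com",           # the random-localpart pattern described in the thread
    "Employee@GOOGLE.COM",          # a legitimate @google.com sender would be rejected too
    "noreply@accounts.google.com",  # subdomain: '@' must directly precede google.com
    "offer@example.pw",
    "alice@example.org",
]

def load_table(text):
    """Parse '/pattern/flags action' lines into (regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, flags, action = re.match(r"/(.*)/(\w*)\s+(.*)$", line).groups()
        # Postfix pcre tables are case-insensitive by default; the 'i' flag toggles that.
        rules.append((re.compile(pattern, 0 if "i" in flags else re.I), action))
    return rules

def lookup(rules, sender):
    """First matching rule wins; None means no match (Postfix moves to the next restriction)."""
    for regex, action in rules:
        if regex.search(sender):
            return action
    return None

def verdicts(table_text, senders=SAMPLES):
    rules = load_table(table_text)
    return {s: lookup(rules, s) for s in senders}

if __name__ == "__main__":
    for sender, action in verdicts(SENDER_PCRE).items():
        print(f"{sender:30} {action or 'no match'}")
    # '@' is not a PCRE metacharacter, so escaping it changes nothing.
    print(verdicts(SENDER_PCRE) == verdicts(SENDER_PCRE.replace("/@", r"/\@")))
```

On a live system, `postmap -q "address" pcre:/etc/postfix/sender.pcre` performs the same lookup against the real table.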


Re: filtering return-path : <random-string@google.com>

Frank Bonnet
answer to myself :-)

I finally decided to use a body_checks map

it works well as the message is always the same

CYBERDROID Inc.



On 03/05/2013 11:01, Frank Bonnet wrote:
> Hello
>
> We are hardly spammed by numerous sources , the FIRST line of each email
> is like the following
>
> Return-Path: [hidden email]
>
> The left part of the address is constantly changed but the right is always @google.com
>
> I would like to discard all that spam, help greatly appreciated
>
> Thanks in advance




Re: filtering return-path : <random-string@google.com>

Benny Pedersen-2
Frank Bonnet wrote on 2013-05-03 21:32:
> answer to myself :-)

reply to you now here

>  I finally decided to use a body_checks map

is it only google.com in body ?, not return-path ?

but if it's body, why not learn how to create a clamav signature now ?
:)

--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, don't do it

Re: filtering return-path : <random-string@google.com>

Benny Pedersen-2
Noel Jones wrote on 2013-05-03 16:30:

> ## sender.pcre file contents:
> /@google\.com$/   REJECT suspicious @google.com sender address

http://dmarcian.com/spf-survey/google.com

no need to hard-reject it, are there legit google spam anywhere ?

--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, don't do it

Re: filtering return-path : <random-string@google.com>

Benny Pedersen-2
Noel Jones wrote on 2013-05-03 16:36:

> No.  This isn't perl.

have you seen google.com spam where it gets spf pass ?

--
senders that put my email into body content will deliver it to my own
trashcan, so if you like to get reply, don't do it