
Re: RES: RES: smtpd_sender_restrictions

  • Tony Earnshaw
    Message 1 of 15, Dec 1, 2006
      Carlos Eduardo R. L. de Miranda wrote:

      > Could you give me directions to those " many other ways Postfix gives you of
      >> stopping spam, though, before it ever gets to your filter"?

      Really, this has been discussed almost daily for the time I've
      subscribed (years). I'll sum up some of them:
      client restrictions, helo restrictions, sender restrictions, recipient
      restrictions, rbl restrictions, policy daemons and milters.

      Read this, though it's getting a little long in the tooth and you should
      only use it as a collection of examples:

      http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

      Google for Postfix and (anti) UCE ...

      BTW my MUA (Thunderbird 1.5.0.8) keeps breaking your MS Outlook 11
      thread, I don't know why ...

      --Tonni

      --
      Tonni Earnshaw
      tonni @ barlaeus.nl
    • Jorey Bump
      Message 2 of 15, Dec 1, 2006
        Carlos Eduardo R. L. de Miranda wrote:

        > Our server is receiving lots of spam messages from servers with Russian
        > domain.
        > I would like to block every message from Russian domains.

        If you must block by country, use an RBL:

        http://countries.nerd.dk/

        However, I find such RBLs more useful in a scoring system. Here's what I
        do in my SpamAssassin local.cf (watch the wrap):

        # first discover country code of origin using a TXT lookup
        header RCVD_COUNTRIES eval:check_rbl_txt('nerd-zz',
        'zz.countries.nerd.dk.')
        describe RCVD_COUNTRIES Received from countries.nerd.dk
        tflags RCVD_COUNTRIES net
        # All countries get a point by default
        score RCVD_COUNTRIES 1.0

        # now do a subtest based on the resulting lookup
        # adjust score appropriately for your user base

        # Remove the penalty for my own country, the source of most of my mail
        header RCVD_VIA_US eval:check_rbl_sub('nerd-zz', 'us')
        describe RCVD_VIA_US Received from United States
        tflags RCVD_VIA_US net
        score RCVD_VIA_US -1.0

        # Remove the penalty for other countries I'm likely to correspond with
        header RCVD_VIA_CANADA eval:check_rbl_sub('nerd-zz', 'ca')
        describe RCVD_VIA_CANADA Received from Canada
        tflags RCVD_VIA_CANADA net
        score RCVD_VIA_CANADA -1.0

        # Add additional points for countries that are common sources of spam
        header RCVD_VIA_RUSSIA eval:check_rbl_sub('nerd-zz', 'ru')
        describe RCVD_VIA_RUSSIA Received from Russia
        tflags RCVD_VIA_RUSSIA net
        score RCVD_VIA_RUSSIA 1.0

        header RCVD_VIA_NIGERIA eval:check_rbl_sub('nerd-zz', 'ng')
        describe RCVD_VIA_NIGERIA Received from Nigeria
        tflags RCVD_VIA_NIGERIA net
        score RCVD_VIA_NIGERIA 3.0


        I stick with SpamAssassin's default required_score of 5.0 before a
        message is marked spam. Note that I don't assign scores that will
        automatically mark a message as spam (and SpamAssassin scores are not
        merely additive, negative points are also assigned by some rules). While
        I do believe that the country of origin can be an indicator of
        *potential* spamminess, I try to choose weights that will put the score
        over the top only when combined with other reliable indicators. Also,
        the situation is constantly improving in some countries, so you
        shouldn't just set and forget this.

        Be sure to consider your user base. I have clients whose focus is
        entirely international, so obviously I do not employ this technique on
        their sites.
      • mouss
        Message 3 of 15, Dec 1, 2006
          Tony Earnshaw wrote:
          > Carlos Eduardo R. L. de Miranda wrote:
          >
          >> Our server is receiving lots of spam messages from servers with Russian
          >> domain.
          >> I would like to block every message from Russian domains.
          >>
          >> Postfix 2.3.3 - Fedora Core 6
          >>
          >> main.cf
          >> smtpd_sender_restrictions = check_sender_access
          >> hash:/etc/postfix/sender,
          >> reject_non_fqdn_sender, reject_unknown_sender_domain
          >>
          >> sender file:
          >> /.*@*\.ru$/ REJECT text message
          >
          > The above is wrong and obviously won't block anything from anyone. Do
          > you see why? Look again!
          >
          > This will work (tested with pcretest):
          > /^.+@.+\.ru$/

          Note that
          /^.+...
          is almost equivalent to
          /.+...

          Assuming one doesn't accept non-FQDN addresses,
          /ru$/
          would block more than the posted expression. Or, if you think there will
          be a TLD ending in ru other than .ru, then
          /\.ru$/


          but as you say, the sender tld won't help much... OP may want a geo
          DNSBL such as blackholes.us (Is this still maintained?).
        • mouss
          Message 4 of 15, Dec 1, 2006
            Jorey Bump wrote:
            > Carlos Eduardo R. L. de Miranda wrote:
            >
            >> Our server is receiving lots of spam messages from servers with Russian
            >> domain.
            >> I would like to block every message from Russian domains.
            >
            > If you must block by country, use an RBL:
            >
            > http://countries.nerd.dk/
            >
            > However, I find such RBLs more useful in a scoring system. Here's what
            > I do in my SpamAssassin local.cf (watch the wrap):
            >
            > # first discover country code of origin using a TXT lookup
            > header RCVD_COUNTRIES eval:check_rbl_txt('nerd-zz',
            > 'zz.countries.nerd.dk.')
            > describe RCVD_COUNTRIES Received from countries.nerd.dk
            > tflags RCVD_COUNTRIES net
            > # All countries get a point by default
            > score RCVD_COUNTRIES 1.0

            Instead of querying a DNSBL:


            loadplugin Mail::SpamAssassin::Plugin::RelayCountry

            header COUNTRY_US X-Relay-Countries=~/\bUS\b/
            describe COUNTRY_US Relayed via United States
            score COUNTRY_US 0.01
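The two approaches above (Jorey's RBL-based scoring in Message 2 and the RelayCountry header test in Message 4) rest on the same idea: derive a country code per untrusted relay, then weigh the result. The following is an added Python example, not code from the thread, from SpamAssassin or from countries.nerd.dk, that emulates this offline: the DNS TXT lookup and the RelayCountry plugin are replaced by a constructed CIDR-to-country table, the rule weights are the ones Jorey posted, and the Received headers, networks and addresses are made up for illustration.

```python
"""Offline emulation of SpamAssassin country-of-relay scoring.

Added example: the countries.nerd.dk TXT lookup (Message 2) and the
RelayCountry plugin's X-Relay-Countries header (Message 4) are both replaced
by a constructed CIDR-to-country table, so nothing here touches DNS.
Networks, headers and addresses are made up; the weights are Jorey's.
"""
import ipaddress
import re

# Constructed country table (documentation prefixes, not real allocations).
COUNTRY_BLOCKS = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
    (ipaddress.ip_network("192.0.2.0/24"), "NG"),
]

# Hops that never count, a stand-in for SpamAssassin's trusted_networks.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Jorey's weights, expressed as regexes over the X-Relay-Countries string the
# way mouss's COUNTRY_US rule does.  RCVD_COUNTRIES fires for any resolved
# code ("XX" is what RelayCountry emits for an address it cannot resolve).
RULES = [
    ("RCVD_COUNTRIES", r"\b(?!XX\b)[A-Z]{2}\b", 1.0),
    ("RCVD_VIA_US", r"\bUS\b", -1.0),
    ("RCVD_VIA_CANADA", r"\bCA\b", -1.0),
    ("RCVD_VIA_RUSSIA", r"\bRU\b", 1.0),
    ("RCVD_VIA_NIGERIA", r"\bNG\b", 3.0),
]
REQUIRED_SCORE = 5.0  # SpamAssassin default


def unfold_headers(message):
    """Return the header block with continuation lines joined to their header."""
    lines = []
    for raw in message.split("\n\n", 1)[0].splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def relay_ips(message):
    """IPv4 addresses in [brackets] of Received: headers, nearest hop first,
    skipping internal/loopback hops."""
    ips = []
    for line in unfold_headers(message):
        if not line.lower().startswith("received:"):
            continue
        for m in re.finditer(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line):
            ip = ipaddress.ip_address(m.group(1))
            if not any(ip in net for net in INTERNAL):
                ips.append(ip)
    return ips


def country_of(ip):
    for net, code in COUNTRY_BLOCKS:
        if ip in net:
            return code
    return "XX"


def relay_countries(message):
    """Equivalent of the X-Relay-Countries header value, e.g. 'US NG'."""
    return " ".join(country_of(ip) for ip in relay_ips(message))


def score(message, other_rules_points=0.0):
    """Apply RULES to the country string; other_rules_points stands in for
    what the rest of the ruleset contributed.  Returns (total, hits, is_spam)."""
    countries = relay_countries(message)
    hits = [(name, pts) for name, rx, pts in RULES if re.search(rx, countries)]
    total = other_rules_points + sum(pts for _, pts in hits)
    return total, hits, total >= REQUIRED_SCORE


# Constructed message: our MX received it from a US relay, which received it
# from a Nigerian address; the localhost hop is ignored.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby mail.example.org with ESMTP; Fri, 1 Dec 2006 10:00:00 -0500
Received: from win-pc (unknown [192.0.2.77])
\tby mx1.example.net for <user@example.org>; Fri, 1 Dec 2006 09:59:00 -0500
Received: from localhost (localhost [127.0.0.1]) by win-pc
From: "Someone" <someone@example.ru>
Subject: hello

body text
"""

if __name__ == "__main__":
    print("X-Relay-Countries:", relay_countries(SAMPLE))
    for extra in (0.0, 2.5):
        total, hits, spam = score(SAMPLE, extra)
        print("other rules %.1f -> total %.1f spam=%s hits=%s" % (extra, total, spam, hits))
```

Run stand-alone, the sample scores 3.0 from country rules alone (1.0 + -1.0 + 3.0) and is not tagged; only with 2.5 points from other indicators does it cross the default 5.0, which is the behaviour Jorey describes. Mouss's `\bUS\b` form is what keeps a code from matching inside a neighbouring one, which is why the rules here test the joined string rather than a substring.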
          • Sheldon T. Hall
            Message 5 of 15, Dec 1, 2006
              Quoth mouss ...
              > Jorey Bump wrote:
              > > Carlos Eduardo R. L. de Miranda wrote:
              > >
              > >> Our server is receiving lots of spam messages from servers
              > >> with Russian domain.
              > >> I would like to block every message from Russian domains.
              > >
              > > If you must block by country, use an RBL:
              > >
              > > http://countries.nerd.dk/
              > >
              > > However, I find such RBLs more useful in a scoring system.
              > > Here's what
              > > I do in my SpamAssassin local.cf (watch the wrap):
              > >
              > > # first discover country code of origin using a TXT lookup
              > > header RCVD_COUNTRIES eval:check_rbl_txt('nerd-zz',
              > > 'zz.countries.nerd.dk.')
              > > describe RCVD_COUNTRIES Received from countries.nerd.dk
              > > tflags RCVD_COUNTRIES net
              > > # All countries get a point by default
              > > score RCVD_COUNTRIES 1.0
              >
              > Instead of querying a DNSBL:
              >
              >
              > loadplugin Mail::SpamAssassin::Plugin::RelayCountry
              >
              > header COUNTRY_US X-Relay-Countries=~/\bUS\b/
              > describe COUNTRY_US Relayed via United States
              > score COUNTRY_US 0.01

              Simpler still, and requiring less horsepower ... get the country IP
              assignments from http://completewhois.com in a form suitable for use with
              your firewall, and block port 25 (or everything) to packets coming from those
              address blocks. This isn't perfect, but if applied selectively, it really,
              really cuts down on the crap.

              I don't see a lot of spam delivered by servers at Russian domains, although
              I see a lot of spam with forged Russian "from" addresses.

              -Shel
            • mouss
              Message 6 of 15, Dec 2, 2006
                Tony Earnshaw wrote:
                >
                >
                > BTW my MUA (Thunderbird 1.5.0.8) keeps breaking your MS Outlook 11
                > thread, I don't know why ...

                His mail has two Message-Id headers.

                Message-ID: <BAY110-DAV4BED20C8242739035454BBADA0@...>
                ...
                Message-ID: <004401c71547$d0829ab0$7400a8c0@ws1>

                broken setup...
              • Curtis Doty
                Message 7 of 15, Dec 3, 2006
                  1:47am mouss said:

                  > Tony Earnshaw wrote:
                  > >
                  > >
                  > > BTW my MUA (Thunderbird 1.5.0.8) keeps breaking your MS Outlook 11 thread, I
                  > > don't know why ...
                  >
                  > His mail has two Message-Id headers.
                  >
                  > Message-ID: <BAY110-DAV4BED20C8242739035454BBADA0@...>
                  > ...
                  > Message-ID: <004401c71547$d0829ab0$7400a8c0@ws1>
                  >
                  > broken setup...
                  >

                  Received: from .* by BAY110-DAV4.phx.gbl with DAV;

                  Indeed, the offending relay appears to have been MSN/Hotmail using WebDAV
                  for email submission.

                  ../C
                • R.L. Nevot
                  Message 8 of 15, Dec 3, 2006
                    Hi all

                    2006/12/1, Carlos Eduardo R. L. de Miranda <cerlm@...>:
                    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender,
                            reject_non_fqdn_sender, reject_unknown_sender_domain

                    sender file:
                    /.*@*\.ru$/     REJECT text message

                    Command: postmap /etc/postfix/sender
                             Service postfix reload

                    It is not working. The *.ru domains are accepted and delivered to the user.


                    Lots of responses, but there's something I cannot see. If you are using regular expressions, you must use regexp: or pcre: type maps for regular expressions to be evaluated. If you use HASH, afaik it wouldn't work.

                    Regards
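Putting the two fixes in this thread side by side (the map type from this message, the pattern from Message 3), here is an added Python example, not code from the thread or from Postfix, that emulates how Postfix queries a check_sender_access table when it is a hash: map versus a pcre: map. The lookup order follows access(5); Python's re module stands in for PCRE (the constructs used behave the same, including the case-insensitive default of pcre_table(5)); the table contents are the ones posted and all sender addresses are made up.

```python
"""Emulate Postfix check_sender_access lookups for hash: vs pcre: maps.

Added example, not code from the thread or from Postfix.  The sender file
the OP posted is loaded twice: as a hash: map, where the key is taken
literally, and as a pcre: map, where each line is a pattern.  Python's `re`
stands in for PCRE.  All addresses are constructed.
"""
import re

# The OP's sender file as postmap stores it in a hash: map: the key is the
# literal string "/.*@*\.ru$/", nothing in it is interpreted.
HASH_SENDER_TABLE = {r"/.*@*\.ru$/": "REJECT text message"}

# The same intent as a pcre: map, with Tony's corrected pattern (Message 3).
PCRE_SENDER_FILE = r"""
# constructed pcre: table
/^.+@.+\.ru$/   REJECT text message
"""

# mouss's two alternatives from Message 3.
LOOSE_PCRE_FILE = r"/ru$/   REJECT text message"
STRICT_PCRE_FILE = r"/\.ru$/   REJECT text message"


def hash_lookup(table, sender):
    """access(5) lookup order for a non-regexp table: the full address, the
    domain, each parent domain (smtpd_access_maps is in the default
    parent_domain_matches_subdomains, so no leading dot), then localpart@."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender]
    keys += [".".join(labels[i:]) for i in range(len(labels))]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def load_pcre_table(text):
    """Parse "/pattern/ action" lines; comments and blanks are skipped.
    Flags after the closing slash are not handled by this toy loader."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S.*)$", line)
        if not m:
            raise ValueError("cannot parse pcre table line: %r" % line)
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def pcre_lookup(rules, sender):
    """Regexp tables are queried with the full address only; first match wins."""
    for pattern, action in rules:
        if pattern.search(sender):
            return action
    return None


SENDERS = ["spammer@mail.example.ru", "user@example.com", "joe@example.guru"]


def compare(senders=SENDERS):
    """For each sender, what each table type would answer."""
    tables = {
        "pcre": load_pcre_table(PCRE_SENDER_FILE),
        "loose": load_pcre_table(LOOSE_PCRE_FILE),
        "strict": load_pcre_table(STRICT_PCRE_FILE),
    }
    out = {}
    for s in senders:
        out[s] = {"hash": hash_lookup(HASH_SENDER_TABLE, s)}
        out[s].update({k: pcre_lookup(v, s) for k, v in tables.items()})
    return out


if __name__ == "__main__":
    for s, res in compare().items():
        print("%-24s %s" % (s, res))
```

The hash: column is empty for every sender because the only key in that map is the literal text of the regex, which no address will ever equal; the same file behind pcre: rejects the .ru sender. The "loose" column shows mouss's point about `/ru$/`: it also rejects an address under a TLD such as .guru, which `/\.ru$/` does not. On a real host the same difference can be seen without emulation with `postmap -q 'spammer@mail.example.ru' hash:/etc/postfix/sender` versus `postmap -q 'spammer@mail.example.ru' pcre:/etc/postfix/sender` (no postmap build step is needed for pcre: or regexp: tables, only a reload).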