
Spam Attack on Postmaster

  • Carlos Williams
    Message 1 of 18 , Sep 24, 2009
      I have a Postfix server running with also Postgrey enabled. It seems
      to work great however in the last week I have noticed a huge increase
      in spam mail that is sent to postmaster@... I am configured on the
      mail server to get all mail destined for Postmaster and it appears
      that everyone and their mother is spamming my postmaster account. I
      don't know if the message filters and greylisting I have configured on
      the server are being applied to mail sent to postmaster because very
      obvious spam that my smtpd_*_restrictions under main.cf should be
      filtering and then if not, Postgrey should for sure be filtering them
      out!

      I am just trying to understand why this spam is getting through.

      I am posting my postconf -n below as well as some examples from my
      logs of messages sent to postmaster. Pretty much the only messages
      that are sent to that particular address are spam.

      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      broken_sasl_auth_clients = yes
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      content_filter = amavisfeed:[127.0.0.1]:10024
      daemon_directory = /usr/libexec/postfix
      home_mailbox = Maildir/
      html_directory = no
      inet_interfaces = all
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      mydestination = $myhostname, $mydomain, mail.$mydomain
      mydomain = iamghost.com
      myhostname = mail.iamghost.com
      mynetworks = $config_directory/mynetworks
      myorigin = $mydomain
      newaliases_path = /usr/bin/newaliases.postfix
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
      recipient_delimiter = +
      relay_domains =
      sample_directory = /usr/share/doc/postfix-2.3.3/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_banner = $myhostname ESMTP
      smtpd_delay_reject = yes
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
      reject_invalid_helo_hostname, permit
      smtpd_recipient_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_unauth_pipelining,
      reject_non_fqdn_recipient, reject_unknown_recipient_domain,
      reject_unauth_destination, reject_unlisted_recipient,
      check_policy_service unix:postgrey/socket, check_sender_access
      hash:/etc/postfix/sender_access, reject_rbl_client
      zen.spamhaus.org, reject_rbl_client bl.spamcop.net, permit
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_path = private/auth
      smtpd_sasl_security_options = noanonymous
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_non_fqdn_sender,
      reject_unknown_sender_domain,
      reject_unknown_reverse_client_hostname, permit
      smtpd_tls_CAfile = /etc/ssl/intermediate.crt
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/ssl/mail.crt
      smtpd_tls_key_file = /etc/ssl/mail.key
      smtpd_tls_loglevel = 1
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom
      unknown_local_recipient_reject_code = 550

      **From my maillogs**

      [root@mail ~]# cat /var/log/maillog | grep -i "Sep 23" | grep -i "92.243.237.70"
      Sep 23 16:01:13 mail postfix/smtpd[31246]: connect from unknown[92.243.237.70]
      Sep 23 16:01:14 mail postfix/smtpd[31246]: 09E43779B26:
      client=unknown[92.243.237.70]
      Sep 23 16:01:15 mail postfix/smtpd[31246]: disconnect from
      unknown[92.243.237.70]
      Sep 23 16:01:21 mail amavis[29716]: (29716-05) Passed SPAMMY,
      [92.243.237.70] [92.243.237.70] <BethbeachheadCoffman@...>
      -> <postmaster@...>, Message-ID:
      <006201ca3c99$5f10f490$1d32ddb0$@org>, mail_id: Yo1zL4wIGwB4, Hits:
      6.995, size: 6091, queued_as: 944B7779B31, 5988 ms

      Trying to understand if these messages are routed simply because
      they're sent to postmaster or if it did pass all smtpd_*_restrictions
      and also pass greylisting parameters (which I find extremely
      unlikely). Can someone please help me understand why my postmaster
      account is getting slammed with spam?
    • Noel Jones
      Message 2 of 18 , Sep 24, 2009
        On 9/24/2009 9:26 AM, Carlos Williams wrote:
        > I have a Postfix server running with also Postgrey enabled. It seems
        > to work great however in the last week I have noticed a huge increase
        > in spam mail that is sent to postmaster@... I am configured on the
        > mail server to get all mail destined for Postmaster and it appears
        > that everyone and their mother is spamming my postmaster account. I
        > don't know if the message filters and greylisting I have configured on
        > the server are being applied to mail sent to postmaster because very
        > obvious spam that my smtpd_*_restrictions under main.cf should be
        > filtering and then if not, Postgrey should for sure be filtering them
        > out!
        >
        > I am just trying to understand why this spam is getting through.
        >

        Some older versions of postfix give special treatment to the
        postmaster address. To disable this special treatment, add
        # main.cf
        address_verify_sender = $double_bounce_sender

        -- Noel Jones
      • Carlos Williams
        Message 3 of 18 , Sep 24, 2009
          On Thu, Sep 24, 2009 at 11:05 AM, Noel Jones <njones@...> wrote:
          > Some older versions of postfix give special treatment to the postmaster
          > address.  To disable this special treatment, add
          > # main.cf
          > address_verify_sender = $double_bounce_sender

          I am guessing that 2.3, which is the latest version for Redhat Linux, is
          considered old, right?

          I will add that parameter in main.cf.
        • /dev/rob0
          Message 4 of 18 , Sep 24, 2009
            On Thursday 24 September 2009 10:16:01 Carlos Williams wrote:
            > On Thu, Sep 24, 2009 at 11:05 AM, Noel Jones
            > <njones@...> wrote:
            > > Some older versions of postfix give special treatment to the
            > > postmaster address.  To disable this special treatment, add
            > > # main.cf
            > > address_verify_sender = $double_bounce_sender
            >
            > I am guessing that 2.3 which the latest version for Redhat Linux
            > is considered old, right?

            s/considered//

            The latest version of Postfix at this time is 2.6.5, and 2.7 is in
            development. Note that 2.2 and earlier are no longer updated.

            Remember, RHEL deliberately holds back from recent software. It's a
            feature: the theory being that newer versions, being less tested,
            might have unanticipated problems. If you want to use RHEL, you
            should be aware of that.
            --
            Offlist mail to this address is discarded unless
            "/dev/rob0" or "not-spam" is in Subject: header
          • Carlos Williams
            Message 5 of 18 , Oct 27, 2009
              On Thu, Sep 24, 2009 at 11:05 AM, Noel Jones <njones@...> wrote:
              > Some older versions of postfix give special treatment to the postmaster
              > address.  To disable this special treatment, add
              > # main.cf
              > address_verify_sender = $double_bounce_sender

              So when you note "older" I am going to assume 2.3.x qualifies, right?

              Basically I should simply add the following anywhere in my 'main.cf'
              config file, right?

              *address_verify_sender = $double_bounce_sender*
            • Noel Jones
              Message 6 of 18 , Oct 27, 2009
                On 10/27/2009 7:22 AM, Carlos Williams wrote:
                > On Thu, Sep 24, 2009 at 11:05 AM, Noel Jones<njones@...> wrote:
                >> Some older versions of postfix give special treatment to the postmaster
                >> address. To disable this special treatment, add
                >> # main.cf
                >> address_verify_sender = $double_bounce_sender
                >
                > So when you note "older" I am going to assume 2.3.x qualifies, right?
                >
                > Basically I should simply add the following anywhere in my 'main.cf'
                > config file, right?
                >
                > *address_verify_sender = $double_bounce_sender*


                Yes. Well, don't include the stars...

                Or you can have postfix add it to main.cf for you by typing
                the command:

                # postconf -e 'address_verify_sender=$double_bounce_sender'




                -- Noel Jones
              • Carlos Williams
                Message 7 of 18 , Feb 28, 2010
                  On Tue, Oct 27, 2009 at 8:55 AM, Noel Jones <njones@...> wrote:
                  > Or you can have postfix add it to main.cf for you by typing the command:
                  >
                  > # postconf -e 'address_verify_sender=$double_bounce_sender'

                  I added the above parameter
                  (address_verify_sender=$double_bounce_sender) in my main.cf to keep
                  spammers from sending spam / junk email to my built in Postmaster
                  account. I am running a dated version of Postfix 2.3. I added it in my
                  main.cf and reloaded Postfix. I see it listed in my 'postconf -n' &
                  just this weekend received this email:

                  Return-Path: <postmaster@...>
                  X-Original-To: postmaster@...
                  Delivered-To: postmaster@...
                  Received: from localhost (localhost.localdomain [127.0.0.1])
                  by mail.iamghost.com (Postfix) with ESMTP id EC5B277ADD6
                  for <postmaster@...>; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
                  X-Virus-Scanned: amavisd-new at iamghost.com
                  X-Spam-Flag: YES
                  X-Spam-Score: 7.457
                  X-Spam-Level: *******
                  X-Spam-Status: Yes, score=7.457 tagged_above=-999 required=5
                  tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
                  RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
                  RDNS_NONE=0.1] autolearn=no
                  Received: from mail.iamghost.com ([127.0.0.1])
                  by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
                  with LMTP id awUEbrkCfcvq for <postmaster@...>;
                  Sat, 27 Feb 2010 15:05:50 -0500 (EST)
                  Received: from ambianceimports.com (unknown [89.204.40.160])
                  by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
                  for <postmaster@...>; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
                  To: <postmaster@...>
                  Subject: ***SPAM*** Delivery Status Notification
                  From: Inez <postmaster@...>
                  MIME-Version: 1.0
                  Content-Type: text/html; charset="ISO-8859-1"
                  Content-Transfer-Encoding: 7bit
                  Message-Id: <20100227200549.179C477ADB5@...>
                  Date: Sat, 27 Feb 2010 15:05:48 -0500 (EST)

                  *************************************************************************

                  Should the above parameter firstly not have allowed this message to be
                  sent to 'Postmaster'?
                  And I am confused why the "Return-Path & Delivered-To" address are the
                  same. Was this spammer attempting to spoof my postmaster's email
                  address?
                • Stan Hoeppner
                  Message 8 of 18 , Feb 28, 2010
                    Carlos Williams put forth on 2/28/2010 1:55 PM:
                    > On Tue, Oct 27, 2009 at 8:55 AM, Noel Jones <njones@...> wrote:
                    >> Or you can have postfix add it to main.cf for you by typing the command:
                    >>
                    >> # postconf -e 'address_verify_sender=$double_bounce_sender'
                    >
                    > I added the above parameter
                    > (address_verify_sender=$double_bounce_sender) in my main.cf to keep
                    > spammers from sending spam / junk email to my built in Postmaster
                    > account. I am running a dated version of Postfix 2.3. I added it in my
                    > main.cf and reloaded Postfix. I see it listed in my 'postconf -n' &
                    > just this weekend received this email:

                    <snip>

                    Carlos, I think it's time you join spam-l and learn all the tricks to
                    fighting spam. http://spam-l.com/mailman/listinfo/spam-l

                    The host that sent you this "postmaster" spam is infected with a spam bot.
                    The IP address is listed on no less than 7 dnsbls. The IP address is
                    dynamic, with generic rDNS.

                    inetnum: 89.204.36.0 - 89.204.49.255
                    netname: USI_ADSL_USERS5
                    descr: Dynamic distribution IP's for broadband services

                    160.40.204.89.access.ttknet.ru

                    You could have blocked this spam with any number of methods, the simplest
                    being adding the following to main.cf:

                    smtpd_recipient_restrictions =
                    reject_rbl_client zen.spamhaus.org

                    If you don't need to receive email from Russia, ever, period, you can use
                    the data at ipdeny.com to build a cidr table and block _ALL_ mail from
                    Russia. You can do this for any country.

                    --
                    Stan
                  • Carlos Williams
                    Message 9 of 18 , Feb 28, 2010
                      On Sun, Feb 28, 2010 at 5:27 PM, Stan Hoeppner <stan@...> wrote:
                      > Carlos, I think it's time you join spam-l and learn all the tricks to
                      > fighting spam.  http://spam-l.com/mailman/listinfo/spam-l

                      Thanks. I will research this and see what I can learn from that list.

                      > You could have blocked this spam with any number of methods, the simplest
                      > being adding the following to main.cf:
                      >
                      > smtpd_recipient_restrictions =
                      >       reject_rbl_client zen.spamhaus.org

                      I do have this in my main.cf. I don't know why it didn't reject it if
                      I have zen.spamhaus.org in my config unless it was added after the
                      spam was sent to me. Do you know? I have attached my output of
                      'postconf -n' below.

                      address_verify_sender = $double_bounce_sender
                      alias_database = hash:/etc/aliases
                      alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
                      broken_sasl_auth_clients = yes
                      command_directory = /usr/sbin
                      config_directory = /etc/postfix
                      content_filter = amavisfeed:[127.0.0.1]:10024
                      daemon_directory = /usr/libexec/postfix
                      home_mailbox = Maildir/
                      html_directory = no
                      inet_interfaces = all
                      mail_owner = postfix
                      mailq_path = /usr/bin/mailq.postfix
                      manpage_directory = /usr/share/man
                      message_size_limit = 20480000
                      mydestination = $myhostname, $mydomain, mail.$mydomain
                      mydomain = iamghost.com
                      myhostname = mail.iamghost.com
                      mynetworks = $config_directory/mynetworks
                      myorigin = $mydomain
                      newaliases_path = /usr/bin/newaliases.postfix
                      queue_directory = /var/spool/postfix
                      recipient_delimiter = +
                      relay_domains =
                      sendmail_path = /usr/sbin/sendmail.postfix
                      setgid_group = postdrop
                      smtp_tls_security_level = may
                      smtpd_banner = $myhostname ESMTP
                      smtpd_delay_reject = yes
                      smtpd_helo_required = yes
                      smtpd_helo_restrictions = permit_mynetworks,
                      permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
                      reject_invalid_helo_hostname
                      smtpd_recipient_restrictions = permit_mynetworks,
                      permit_sasl_authenticated, reject_unauth_pipelining,
                      reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                      reject_unauth_destination, reject_unlisted_recipient,
                      check_policy_service unix:postgrey/socket, check_sender_access
                      hash:/etc/postfix/sender_access,
                      check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                      reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
                      smtpd_sasl_auth_enable = yes
                      smtpd_sasl_path = private/auth
                      smtpd_sasl_security_options = noanonymous
                      smtpd_sasl_type = dovecot
                      smtpd_sender_restrictions = permit_mynetworks,
                      permit_sasl_authenticated, reject_non_fqdn_sender,
                      reject_unknown_sender_domain,
                      reject_unknown_reverse_client_hostname, permit
                      smtpd_tls_auth_only = yes
                      smtpd_tls_cert_file = /etc/ssl/mail.crt
                      smtpd_tls_key_file = /etc/ssl/mail.key
                      smtpd_tls_loglevel = 1
                      smtpd_tls_security_level = may
                      smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
                      smtpd_tls_session_cache_timeout = 3600s
                      tls_random_source = dev:/dev/urandom
                      unknown_local_recipient_reject_code = 550

                      > If you don't need to receive email from Russia, ever, period, you can use
                      > the data at ipdeny.com to build a cidr table and block _ALL_ mail from
                      > Russia.  You can do this for any country.

                      Is there a guide on how I can build a cidr table and block ALL mail from
                      Russia? I don't ever want / need mail from Russia and don't know how
                      to build this table and how to force Postfix to use the list.
                    • LuKreme
                      Message 10 of 18 , Feb 28, 2010
                        On 28-Feb-10 21:02, Carlos Williams wrote:
                        > reject_unauth_destination, reject_unlisted_recipient,
                        > check_policy_service unix:postgrey/socket, check_sender_access
                        > hash:/etc/postfix/sender_access,
                        > check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                        > reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

                        Often people have an exclusion to pass email to postmaster no matter
                        what. Check your sender_access and helo_checks for such an exclusion.

                        Mine looks like this:

                        /^postmaster@...$/ 550 Don't Spoof as my postmaster
                        /^postmaster@...$/ 550 Don't Spoof as my postmaster
                        /^postmaster@...$/ 550 Don't Spoof as my postmaster
                        /^postmaster\@/ OK

                        --
                        They all have husbands and wives and children and houses and dogs,
                        and you know, they've all made themselves a part of something
                        and they can talk about what they do. What am I gonna say? "I
                        killed the president of Paraguay with a fork. How've you been?"
                      • Stan Hoeppner
                        Message 11 of 18 , Mar 1, 2010
                          Carlos Williams put forth on 2/28/2010 10:02 PM:
                          > On Sun, Feb 28, 2010 at 5:27 PM, Stan Hoeppner <stan@...> wrote:
                          >> Carlos, I think it's time you join spam-l and learn all the tricks to
                          >> fighting spam. http://spam-l.com/mailman/listinfo/spam-l
                          >
                          > Thanks. I will research this and see what I can learn from that list.

                          If you sub the list, ask Rich K about ipdeny. I learned about it from him.
                          He's been a spam fighter since 1994 (maybe earlier). He's old school. As
                          is Chris Lewis. Pay close attention to his posts. He's head of network
                          security at Nortel networks, as well as the creator/maintainer of a major
                          dnsbl, although I can't say which, lest I be shot. ;) The creator of
                          Enemies List, Steven Champeon, is also a member, very sharp guy. Lots of
                          experience on spam-l going waaay back. Many of the folks on the list
                          predate SMTP.

                          >> You could have blocked this spam with any number of methods, the simplest
                          >> being adding the following to main.cf:
                          >>
                          >> smtpd_recipient_restrictions =
                          >> reject_rbl_client zen.spamhaus.org
                          >
                          > I do have this in my main.cf. I don't know why it didn't reject it if
                          > I have zen.spamhaus.org in my config unless it was added after the
                          > spam was sent to me. Do you know? I have attached my output of
                          > 'postconf -n' below.

                          Look at the date/time stamp on the email transaction in your log, then check
                          it against the CBL. If you reported it here the same day you received it,
                          then CBL already had it listed. The CBL is incorporated into Spamhaus ZEN,
                          but it's easier to check if an IP is listed using the CBL website than the
                          Spamhaus website.

                          > Is the a guide on how I can build a cidr table and block ALL mail from
                          > Russia? I don't ever want / need mail from Russia and don't know how
                          > to build this table and how to force Postfix to use the list.

                          You don't need a guide. Just download the country files you want to block
                          from ipdeny.com and add "REJECT" to the end of each line in the file so
                          Postfix can use it, something like this:

                          sed 's/$/ REJECT Russian email not welcome/g' ru.zone > russia.cidr

                          Stick russia.cidr in /etc/postfix/ and to smtpd_recipient_restrictions,
                          close to the top, add:

                          check_client_access cidr:/etc/postfix/russia.cidr

                          This will block all smtp connections originating from Russian IP space.

                          Using ipdeny country listings is a simple and very effective way to stop a
                          lot of spam. If you are sure you'll never need to receive email from a
                          given country, using ipdeny cidr listings is the single most effective way
                          to block spam from those countries. It's cheap on resources too, compared
                          to dnsbl lookups.

                          --
                          Stan
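                          As an added example (not Stan's command, nor anything from ipdeny or Postfix): a Python version of the zone-to-cidr conversion with the checks a practitioner would want, followed by a simulation of the first-match lookup Postfix performs for check_client_access against a cidr: table. The sample zone is constructed from the 89.204.36.0 - 89.204.49.255 inetnum quoted above; ipdeny's real file is assumed to carry one CIDR block per line.

```python
"""Build a Postfix cidr: table from an ipdeny-style zone file and simulate
the check_client_access lookup Postfix performs against it.

Added example, not code from the thread or from Postfix. SAMPLE_ZONE is a
constructed stand-in for ru.zone, derived from the inetnum range quoted in
the thread (89.204.36.0 - 89.204.49.255 split into CIDR blocks).
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: one CIDR per line, plus a comment and a blank line to
# show why those need skipping before an action is appended.
SAMPLE_ZONE = """\
# constructed sample, not the real ru.zone
89.204.36.0/22
89.204.40.0/21

89.204.48.0/23
"""

ACTION = "REJECT Russian email not welcome"


def zone_to_cidr_table(zone_text: str, action: str = ACTION) -> str:
    """Equivalent of the sed one-liner, with two safeguards.

    Blank and comment lines are dropped instead of getting the action appended
    (Postfix reads a table line that begins with whitespace as a continuation
    of the previous entry), and every prefix is validated as IPv4/IPv6 CIDR so
    a corrupt download fails loudly instead of silently matching nothing.
    """
    out = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"zone line {lineno}: {line!r}: {exc}") from exc
        out.append(f"{net.with_prefixlen}\t{action}")
    return "\n".join(out) + "\n"


Entry = Tuple[ipaddress._BaseNetwork, str]


def parse_cidr_table(table_text: str) -> List[Entry]:
    """Parse a Postfix cidr: table into (network, result) pairs, in file order."""
    entries: List[Entry] = []
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed cidr table line: {line!r}")
        entries.append((ipaddress.ip_network(parts[0], strict=False), parts[1]))
    return entries


def lookup(entries: List[Entry], client_ip: str) -> Optional[str]:
    """Mimic cidr: semantics: entries are tried in file order and the first
    matching network wins, so any exceptions (OK lines) must sit above the
    broader REJECT blocks. None means no entry matched."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in entries:
        if addr.version == net.version and addr in net:
            return result
    return None


def client_action(zone_text: str, client_ip: str) -> Optional[str]:
    """Build the table from the zone and return what Postfix would do with a
    connection from client_ip."""
    return lookup(parse_cidr_table(zone_to_cidr_table(zone_text)), client_ip)


if __name__ == "__main__":
    # 89.204.40.160 is the bot that sent the postmaster spam in the thread.
    print(zone_to_cidr_table(SAMPLE_ZONE), end="")
    print(client_action(SAMPLE_ZONE, "89.204.40.160"))  # REJECT Russian email not welcome
    print(client_action(SAMPLE_ZONE, "192.0.2.10"))     # None
```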
                        • Ralf Hildebrandt
                          Message 12 of 18 , Mar 1, 2010
                            * Stan Hoeppner <stan@...>:

                            > If you sub the list, ask Rich K about ipdeny. I learned about it from him.
                            > He's been a spam fighter since 1994 (maybe earlier). He's old school.

                            Yay, I'm old school :)
                            --
                            Ralf Hildebrandt
                            Geschäftsbereich IT | Abteilung Netzwerk
                            Charité - Universitätsmedizin Berlin
                            Campus Benjamin Franklin
                            Hindenburgdamm 30 | D-12203 Berlin
                            Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
                            ralf.hildebrandt@... | http://www.charite.de
                          • Noel Jones
                            Message 13 of 18 , Mar 1, 2010
                              On 2/28/2010 1:55 PM, Carlos Williams wrote:
                              > On Tue, Oct 27, 2009 at 8:55 AM, Noel Jones<njones@...> wrote:
                              >> Or you can have postfix add it to main.cf for you by typing the command:
                              >>
                              >> # postconf -e 'address_verify_sender=$double_bounce_sender'
                              >
                              > I added the above parameter
                              > (address_verify_sender=$double_bounce_sender) in my main.cf to keep
                              > spammers from sending spam / junk email to my built in Postmaster
                              > account.

                              That parameter doesn't prevent spammers from sending junk to
                              postmaster, it prevents mail to postmaster from bypassing your
                              existing anti-spam controls. Big difference.


                              > I am running a dated version of Postfix 2.3. I added it in my
                              > main.cf and reloaded Postfix. I see it listed in my 'postconf -n'&
                              > just this weekend received this email:
                              >
                              > Return-Path:<postmaster@...>
                              > X-Original-To: postmaster@...
                              > Delivered-To: postmaster@...
                              > Received: from localhost (localhost.localdomain [127.0.0.1])
                              > by mail.iamghost.com (Postfix) with ESMTP id EC5B277ADD6
                              > for<postmaster@...>; Sat, 27 Feb 2010 15:05:50 -0500 (EST)
                              > X-Virus-Scanned: amavisd-new at iamghost.com
                              > X-Spam-Flag: YES
                              > X-Spam-Score: 7.457
                              > X-Spam-Level: *******
                              > X-Spam-Status: Yes, score=7.457 tagged_above=-999 required=5
                              > tests=[BAYES_50=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
                              > RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_PBL=0.905, RCVD_IN_XBL=3.033,
                              > RDNS_NONE=0.1] autolearn=no
                              > Received: from mail.iamghost.com ([127.0.0.1])
                              > by localhost (iamghost.com [127.0.0.1]) (amavisd-new, port 10024)
                              > with LMTP id awUEbrkCfcvq for<postmaster@...>;
                              > Sat, 27 Feb 2010 15:05:50 -0500 (EST)
                              > Received: from ambianceimports.com (unknown [89.204.40.160])
                              > by mail.iamghost.com (Postfix) with SMTP id 179C477ADB5
                              > for<postmaster@...>; Sat, 27 Feb 2010 15:05:48 -0500 (EST)
                              > To:<postmaster@...>
                              > Subject: ***SPAM*** Delivery Status Notification
                              > From: Inez<postmaster@...>
                              > MIME-Version: 1.0
                              > Content-Type: text/html; charset="ISO-8859-1"
                              > Content-Transfer-Encoding: 7bit
                              > Message-Id:<20100227200549.179C477ADB5@...>
                              > Date: Sat, 27 Feb 2010 15:05:48 -0500 (EST)
                              >
                              > *************************************************************************
                              >
                              > Should the above parameter firstly not have allowed this message to be
                              > sent to 'Postmaster'?

                              No. Apparently you have no controls that would otherwise
                              reject this spam.

                              > And I am confused why the "Return-Path& Delivered-To" address are the
                              > same. Was this spammer attempting to spoof my postmaster's email
                              > address?

                              Yes, looks as if the spammer forged your postmaster as the
                              envelope sender. You can reject mail FROM postmaster@ your
                              domain with a check_sender_access map.

                              If you need any more help, show your "postconf -n" output.

                              -- Noel Jones
                            • LuKreme
                              Message 14 of 18, Mar 1, 2010
                                On 01-Mar-10 06:08, Ralf Hildebrandt wrote:
                                > * Stan Hoeppner <stan@...>:
                                >
                                >> If you sub the list, ask Rich K about ipdeny. I learned about it from him.
                                >> He's been a spam fighter since 1994 (maybe earlier). He's old school.
                                >
                                > Yay, I'm old school :)

                                You're so old school you're PRE school!

                                No, wait, that's not right.

                                :D

                                --
                                The fact that Bob and John are married does nothing to diminish
                                anyone else's marriage any more than a black woman marrying a
                                white man, a Jew marrying a Catholic, or an ugly Lyle marrying
                                a Pretty Woman
                              • Carlos Williams
                                Message 15 of 18, Mar 1, 2010
                                  On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njones@...> wrote:
                                  > That parameter doesn't prevent spammers from sending junk to postmaster, it
                                  > prevents mail to postmaster from bypassing your existing anti-spam controls.
                                  >  Big difference.

                                  It looks like it does pass my 'anti-spam' controls however & I am not
                                  sure why or how I can determine what is allowing this particular
                                  example to slip past. Below is straight from my Postfix logs and in
                                  the end of this email you can see my postconf -n shows
                                  '$double_bounce_sender':

                                  Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160:
                                  hostname 160.40.204.89.access.ttknet.ru verification failed: Name or
                                  service not known
                                  Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
                                  Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5:
                                  client=unknown[89.204.40.160]
                                  Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5:
                                  message-id=<20100227200549.179C477ADB5@...>
                                  Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5:
                                  from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
                                  Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
                                  Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6:
                                  client=localhost.localdomain[127.0.0.1]
                                  Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6:
                                  message-id=<20100227200549.179C477ADB5@...>
                                  Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from
                                  localhost.localdomain[127.0.0.1]
                                  Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6:
                                  from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
                                  Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY,
                                  [89.204.40.160] [89.204.40.160] <postmaster@...> ->
                                  <postmaster@...>, Message-ID:
                                  <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq,
                                  Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
                                  Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5:
                                  to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024,
                                  delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0
                                  Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
                                  EC5B277ADD6)
                                  Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
                                  Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6:
                                  to=<carlos@...>, orig_to=<postmaster@...>,
                                  relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0,
                                  status=sent (delivered to maildir)
                                  Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed

                                  > No.  Apparently you have no controls that would otherwise reject this spam.

                                  I guess I didn't really understand fully the full meaning of
                                  '$double_bounce_sender'.

                                  > Yes, looks as if the spammer forged your postmaster as the envelope sender.
                                  >  You can reject mail FROM postmaster@ your domain with a check_sender_access
                                  > map.

                                  I do have a 'sender_access' map in /etc/postfix and in main.cf:

                                  [root@mail postfix]# postconf -n | grep 'sender_access'
                                  smtpd_recipient_restrictions = permit_mynetworks,
                                  permit_sasl_authenticated, reject_unauth_pipelining,
                                  reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                                  reject_unauth_destination, reject_unlisted_recipient,
                                  check_policy_service unix:postgrey/socket, check_sender_access
                                  hash:/etc/postfix/sender_access,
                                  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                                  check_client_access hash:/etc/postfix/client_access,
                                  reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

                                  Inside the file however I have domains and specific email addresses.
                                  Is this wrong formatting for the 'sender_access' file?

                                  # /etc/postfix/sender_access
                                  #
                                  # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
                                  #
                                  lmco.com OK
                                  saic.com OK
                                  se-core.net OK
                                  army.mil OK
                                  us.army.mil OK
                                  rayhtheonvtc.com OK
                                  sting_ray1@... OK

                                  aol.com REJECT
                                  craigslist.org REJECT
                                  facebookmail.com REJECT
                                  gmail.com REJECT
                                  hotmail.com REJECT
                                  yahoo.com REJECT
                                  youtube.com REJECT

                                  Noel or anyone. If you can please help me understand the following:

                                  1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
                                  my main.cf when it appeared in my logs above it didn't have a proper
                                  formatted fqdn and or hostname?
                                  2. Was it passed because it was spoofed to come from
                                  'postmaster@...' & I need to add a rule for this in
                                  'sender_access'?
                                  3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
                                  to 'Postmaster' run through checks?
                                  4. Based on my postconf -n (below) and my contents above showing
                                  '/etc/postfix/sender_access', do I have the correct values in the
                                  'sender_access' file or is it improperly formatted?

                                  ***Postconf -n***

                                  [root@mail postfix]# postconf -n
                                  address_verify_sender = $double_bounce_sender
                                  alias_database = hash:/etc/aliases
                                  alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
                                  broken_sasl_auth_clients = yes
                                  command_directory = /usr/sbin
                                  config_directory = /etc/postfix
                                  content_filter = amavisfeed:[127.0.0.1]:10024
                                  daemon_directory = /usr/libexec/postfix
                                  home_mailbox = Maildir/
                                  html_directory = no
                                  inet_interfaces = all
                                  mail_owner = postfix
                                  mailq_path = /usr/bin/mailq.postfix
                                  manpage_directory = /usr/share/man
                                  message_size_limit = 20480000
                                  mydestination = $myhostname, $mydomain, mail.$mydomain
                                  mydomain = iamghost.com
                                  myhostname = mail.iamghost.com
                                  mynetworks = $config_directory/mynetworks
                                  myorigin = $mydomain
                                  newaliases_path = /usr/bin/newaliases.postfix
                                  queue_directory = /var/spool/postfix
                                  readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                                  recipient_delimiter = +
                                  relay_domains =
                                  sample_directory = /usr/share/doc/postfix-2.3.3/samples
                                  sendmail_path = /usr/sbin/sendmail.postfix
                                  setgid_group = postdrop
                                  smtp_tls_security_level = may
                                  smtpd_banner = $myhostname ESMTP
                                  smtpd_data_restrictions = reject_unauth_pipelining, permit
                                  smtpd_delay_reject = yes
                                  smtpd_helo_required = yes
                                  smtpd_helo_restrictions = permit_mynetworks,
                                  permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
                                  reject_invalid_helo_hostname, permit
                                  smtpd_recipient_restrictions = permit_mynetworks,
                                  permit_sasl_authenticated, reject_unauth_pipelining,
                                  reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                                  reject_unauth_destination, reject_unlisted_recipient,
                                  check_policy_service unix:postgrey/socket, check_sender_access
                                  hash:/etc/postfix/sender_access,
                                  check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                                  check_client_access hash:/etc/postfix/client_access,
                                  reject_rbl_client zen.spamhaus.org, reject_rbl_client
                                  bl.spamcop.net, permit
                                  smtpd_sasl_auth_enable = yes
                                  smtpd_sasl_path = private/auth
                                  smtpd_sasl_security_options = noanonymous
                                  smtpd_sasl_type = dovecot
                                  smtpd_sender_restrictions = permit_mynetworks,
                                  permit_sasl_authenticated, reject_non_fqdn_sender,
                                  reject_unknown_sender_domain,
                                  reject_unknown_reverse_client_hostname, permit
                                  smtpd_tls_CAfile = /etc/ssl/intermediate.crt
                                  smtpd_tls_auth_only = yes
                                  smtpd_tls_cert_file = /srv/ssl/mail.crt
                                  smtpd_tls_key_file = /srv/ssl/mail.key
                                  smtpd_tls_loglevel = 1
                                  smtpd_tls_security_level = may
                                  smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
                                  smtpd_tls_session_cache_timeout = 3600s
                                  tls_random_source = dev:/dev/urandom
                                  unknown_local_recipient_reject_code = 550
                                • Noel Jones
                                  Message 16 of 18, Mar 1, 2010
                                    On 3/1/2010 10:50 AM, Carlos Williams wrote:
                                    > On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njones@...> wrote:
                                    >> That parameter doesn't prevent spammers from sending junk to postmaster, it
                                    >> prevents mail to postmaster from bypassing your existing anti-spam controls.
                                    >> Big difference.
                                    >
                                    > It looks like it does pass my 'anti-spam' controls however & I am not
                                    > sure why or how I can determine what is allowing this particular
                                    > example to slip past.

                                    It "slips past" because there are no rules to block it.

                                    > Below is straight from my Postfix logs and in
                                    > the end of this email you can see my postconf -n shows
                                    > '$double_bounce_sender':
                                    >
                                    > Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160:
                                    > hostname 160.40.204.89.access.ttknet.ru verification failed: Name or
                                    > service not known
                                    > Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
                                    > Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5:
                                    > client=unknown[89.204.40.160]
                                    > Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5:
                                    > message-id=<20100227200549.179C477ADB5@...>
                                    > Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5:
                                    > from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
                                    > Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
                                    > Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6:
                                    > client=localhost.localdomain[127.0.0.1]
                                    > Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6:
                                    > message-id=<20100227200549.179C477ADB5@...>
                                    > Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from
                                    > localhost.localdomain[127.0.0.1]
                                    > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6:
                                    > from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
                                    > Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY,
                                    > [89.204.40.160] [89.204.40.160] <postmaster@...> ->
                                    > <postmaster@...>, Message-ID:
                                    > <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq,
                                    > Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
                                    > Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5:
                                    > to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024,
                                    > delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0
                                    > Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
                                    > EC5B277ADD6)
                                    > Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
                                    > Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6:
                                    > to=<carlos@...>, orig_to=<postmaster@...>,
                                    > relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0,
                                    > status=sent (delivered to maildir)
                                    > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed
                                    >
                                    >> No. Apparently you have no controls that would otherwise reject this spam.
                                    >
                                    > I guess I didn't really understand fully the full meaning of
                                    > '$double_bounce_sender'.
                                    >
                                    >> Yes, looks as if the spammer forged your postmaster as the envelope sender.
                                    >> You can reject mail FROM postmaster@ your domain with a check_sender_access
                                    >> map.
                                    >
                                    > I do have a 'sender_access' map in /etc/postfix and in main.cf:
                                    >
                                    > [root@mail postfix]# postconf -n | grep 'sender_access'
                                    > smtpd_recipient_restrictions = permit_mynetworks,
                                    > permit_sasl_authenticated, reject_unauth_pipelining,
                                    > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                                    > reject_unauth_destination, reject_unlisted_recipient,
                                    > check_policy_service unix:postgrey/socket, check_sender_access
                                    > hash:/etc/postfix/sender_access,
                                    > check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                                    > check_client_access hash:/etc/postfix/client_access,
                                    > reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
                                    >
                                    > Inside the file however I have domains and specific email addresses.
                                    > Is this wrong formatting for the 'sender_access' file?
                                    >
                                    > # /etc/postfix/sender_access
                                    > #
                                    > # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
                                    > #
                                    > lmco.com OK
                                    > saic.com OK
                                    > se-core.net OK
                                    > army.mil OK
                                    > us.army.mil OK
                                    > rayhtheonvtc.com OK
                                    > sting_ray1@... OK
                                    >
                                    > aol.com REJECT
                                    > craigslist.org REJECT
                                    > facebookmail.com REJECT
                                    > gmail.com REJECT
                                    > hotmail.com REJECT
                                    > yahoo.com REJECT
                                    > youtube.com REJECT

                                    You can add "postmaster@your_domain REJECT" to this list if
                                    you want.


                                    >
                                    > Noel or anyone. If you can please help me understand the following:
                                    >
                                    > 1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
                                    > my main.cf when it appeared in my logs above it didn't have a proper
                                    > formatted fqdn and or hostname?

                                    You have no rules to reject based on this.

                                    > 2. Was it passed because it was spoofed to come from
                                    > 'postmaster@...' & I need to add a rule for this in
                                    > 'sender_access'?

                                    No, that doesn't appear to have any bearing.


                                    > 3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
                                    > to 'Postmaster' run through checks?
                                    > 4. Based on my postconf -n (below) and my contents above showing
                                    > '/etc/postfix/sender_access', do I have the correct values in the
                                    > 'sender_access' file or is it improperly formatted?

                                    >
                                    > ***Postconf -n***
                                    >
                                    > [root@mail postfix]# postconf -n
                                    > address_verify_sender = $double_bounce_sender
                                    > alias_database = hash:/etc/aliases
                                    > alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
                                    > broken_sasl_auth_clients = yes
                                    > command_directory = /usr/sbin
                                    > config_directory = /etc/postfix
                                    > content_filter = amavisfeed:[127.0.0.1]:10024
                                    > daemon_directory = /usr/libexec/postfix
                                    > home_mailbox = Maildir/
                                    > html_directory = no
                                    > inet_interfaces = all
                                    > mail_owner = postfix
                                    > mailq_path = /usr/bin/mailq.postfix
                                    > manpage_directory = /usr/share/man
                                    > message_size_limit = 20480000
                                    > mydestination = $myhostname, $mydomain, mail.$mydomain
                                    > mydomain = iamghost.com
                                    > myhostname = mail.iamghost.com
                                    > mynetworks = $config_directory/mynetworks
                                    > myorigin = $mydomain
                                    > newaliases_path = /usr/bin/newaliases.postfix
                                    > queue_directory = /var/spool/postfix
                                    > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
                                    > recipient_delimiter = +
                                    > relay_domains =
                                    > sample_directory = /usr/share/doc/postfix-2.3.3/samples
                                    > sendmail_path = /usr/sbin/sendmail.postfix
                                    > setgid_group = postdrop
                                    > smtp_tls_security_level = may
                                    > smtpd_banner = $myhostname ESMTP
                                    > smtpd_data_restrictions = reject_unauth_pipelining, permit
                                    > smtpd_delay_reject = yes
                                    > smtpd_helo_required = yes
                                    > smtpd_helo_restrictions = permit_mynetworks,
                                    > permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
                                    > reject_invalid_helo_hostname, permit
                                    > smtpd_recipient_restrictions = permit_mynetworks,
                                    > permit_sasl_authenticated, reject_unauth_pipelining,
                                    > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
                                    > reject_unauth_destination, reject_unlisted_recipient,
                                    > check_policy_service unix:postgrey/socket, check_sender_access
                                    > hash:/etc/postfix/sender_access,
                                    > check_helo_access pcre:/etc/postfix/helo_checks.pcre,
                                    > check_client_access hash:/etc/postfix/client_access,
                                    > reject_rbl_client zen.spamhaus.org, reject_rbl_client
                                    > bl.spamcop.net, permit


                                    No glaring errors, although you might want to remove
                                    reject_unknown_recipient_domain as the only thing it's likely
                                    to block is your own domain.


                                    > smtpd_sasl_auth_enable = yes
                                    > smtpd_sasl_path = private/auth
                                    > smtpd_sasl_security_options = noanonymous
                                    > smtpd_sasl_type = dovecot
                                    > smtpd_sender_restrictions = permit_mynetworks,
                                    > permit_sasl_authenticated, reject_non_fqdn_sender,
                                    > reject_unknown_sender_domain,
                                    > reject_unknown_reverse_client_hostname, permit
                                    > smtpd_tls_CAfile = /etc/ssl/intermediate.crt
                                    > smtpd_tls_auth_only = yes
                                    > smtpd_tls_cert_file = /srv/ssl/mail.crt
                                    > smtpd_tls_key_file = /srv/ssl/mail.key
                                    > smtpd_tls_loglevel = 1
                                    > smtpd_tls_security_level = may
                                    > smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
                                    > smtpd_tls_session_cache_timeout = 3600s
                                    > tls_random_source = dev:/dev/urandom
                                    > unknown_local_recipient_reject_code = 550

                                    -- Noel Jones
                                  • Carlos Williams
                                    Message 17 of 18, Mar 1, 2010
                                      On Mon, Mar 1, 2010 at 12:28 PM, Noel Jones <njones@...> wrote:
                                      > It "slips past" because there are no rules to block it.
                                      > You can add "postmaster@your_domain   REJECT" to this list if you want.

                                      I am assuming I would add this to 'sender_access', correct?

                                      On Mon, Mar 1, 2010 at 1:31 AM, LuKreme <kremels@...> wrote:
                                      > Often people have an exclusion to pass email to postmaster no matter what.
                                      > Check you sender_access and helo_checks for such an exclusion.
                                      >
                                      > Mine looks like this:
                                      >
                                      > /^postmaster@...$/ 550 Don't Spoof as my postmaster
                                      > /^postmaster@...$/ 550 Don't Spoof as my postmaster
                                      > /^postmaster@...$/ 550 Don't Spoof as my postmaster
                                      > /^postmaster\@/ OK

                                      LuKreme suggested the above which is different from your suggestion
                                      above. I guess I am just not sure which works or do they simply do the
                                      same thing. I don't know if the above example from LuKreme is for
                                      'sender_access' or another type of file. Do you care to add to this
                                      for my understanding?

                                      > No glaring errors, although you might want to remove
                                      > reject_unknown_recipient_domain as the only thing it's likely to block is
                                      > your own domain.

                                      Thanks. I will try this. You're the 1st to suggest this so far. Thanks.
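The two suggestions compared in this thread, Noel Jones's "postmaster@your_domain REJECT" entry for a hash: sender_access table (message 16) and LuKreme's pcre: map (quoted in message 17), can be put side by side with a small model of how check_sender_access consults an access table. The following is an added example, not code from any poster or from Postfix itself. It assumes the local domain iamghost.com from the posted main.cf, that a hash: table is consulted in the access(5) order for address keys (user@domain, then the domain and its parent domains under the default parent_domain_matches_subdomains, then user@), that a pcre: table is first-match, and that keys compare case-insensitively; the log line it parses is constructed in the format shown above with the obfuscated domain replaced by the assumed one. Nothing here talks to a running Postfix.

```python
"""
Added example (not from the thread or from Postfix): a model of how
check_sender_access consults a sender access table, used to compare a
hash: entry "postmaster@iamghost.com REJECT" with a pcre: map that
rejects the local postmaster and whitelists foreign ones.

Assumptions, labelled here and in the lead-in:
  - MYDOMAIN comes from the posted "mydomain = iamghost.com";
  - hash: lookup order follows access(5) for address keys with the
    default parent_domain_matches_subdomains (smtpd_access_maps included);
  - pcre: tables are searched top to bottom, first match wins;
  - keys are compared case-insensitively.
"""
import re

MYDOMAIN = "iamghost.com"  # assumption taken from the posted main.cf

# Constructed hash: table in the shape of the thread's sender_access,
# with the entry Noel Jones suggested added (right-hand side = action).
HASH_SENDER_ACCESS = {
    "lmco.com": "OK",
    "gmail.com": "REJECT",
    f"postmaster@{MYDOMAIN}": "REJECT",
}

# Constructed pcre: table in the shape LuKreme posted (first match wins).
PCRE_SENDER_ACCESS = [
    (re.compile(rf"^postmaster@{re.escape(MYDOMAIN)}$", re.I),
     "550 Don't spoof as my postmaster"),
    (re.compile(r"^postmaster@", re.I), "OK"),
]

QMGR_FROM = re.compile(r"\bfrom=<([^>]*)>")


def envelope_sender_from_log(line):
    """Pull the envelope sender out of a postfix/qmgr 'from=<...>' log line."""
    m = QMGR_FROM.search(line)
    return m.group(1).lower() if m else None


def hash_lookup_keys(address):
    """Keys tried, in order, for an address key in a hash: access table."""
    if not address:
        return ["<>"]              # the null sender is looked up as "<>"
    localpart, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address, domain]
    # parent domains: for a.b.c.d try b.c.d, then c.d, then d
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(localpart + "@")   # finally the bare localpart@ form
    return keys


def check_sender_access_hash(sender, table=HASH_SENDER_ACCESS):
    """First matching key and its action, or (None, 'DUNNO') if nothing matches."""
    sender = sender.lower()
    for key in hash_lookup_keys(sender):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


def check_sender_access_pcre(sender, table=PCRE_SENDER_ACCESS):
    """First pattern that matches the sender string and its action."""
    for pattern, action in table:
        if pattern.search(sender):
            return pattern.pattern, action
    return None, "DUNNO"


def smtpd_outcome(action):
    """Map an access(5) action to what smtpd does with the restriction list."""
    if action == "OK":
        return "permit"            # stop here; later restrictions are skipped
    if action == "REJECT" or action[:1] == "5":
        return "reject"
    if action[:1] == "4":
        return "defer"
    return "dunno"                 # fall through to the next restriction


if __name__ == "__main__":
    # Constructed log line in the posted format, domain assumed.
    log = ("Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5: "
           "from=<postmaster@iamghost.com>, size=3854, nrcpt=1 (queue active)")
    sender = envelope_sender_from_log(log)
    for name, fn in (("hash:", check_sender_access_hash),
                     ("pcre:", check_sender_access_pcre)):
        key, action = fn(sender)
        print(f"{name} {sender}: matched {key!r} -> {action} -> {smtpd_outcome(action)}")
    # A postmaster at some other domain is where the two tables differ.
    for fn in (check_sender_access_hash, check_sender_access_pcre):
        print(fn.__name__, "postmaster@example.org ->", fn("postmaster@example.org"))
```

Both tables reject a forged local postmaster. The difference is the last pcre: line: "OK" for any other postmaster@ sender stops evaluation of smtpd_recipient_restrictions for that recipient, so the reject_rbl_client and check_client_access entries that follow check_sender_access in the posted configuration are never reached for such mail, whereas the hash: entry returns DUNNO for a foreign postmaster and lets those later checks run.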
                                    • mouss
                                      Message 18 of 18, Mar 1, 2010
                                        Carlos Williams wrote:
                                        > On Mon, Mar 1, 2010 at 12:28 PM, Noel Jones <njones@...> wrote:
                                        >> It "slips past" because there are no rules to block it.
                                        >> You can add "postmaster@your_domain REJECT" to this list if you want.
                                        >
                                        > I am assuming I would add this to 'sender_access', correct?
                                        >
                                        > On Mon, Mar 1, 2010 at 1:31 AM, LuKreme <kremels@...> wrote:
                                        >> Often people have an exclusion to pass email to postmaster no matter what.
                                        >> Check your sender_access and helo_checks for such an exclusion.
                                        >>
                                        >> Mine looks like this:
                                        >>
                                        >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
                                        >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
                                        >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
                                        >> /^postmaster\@/ OK
                                        >
                                        > LuKreme suggested the above, which is different from your suggestion
                                        > above. I guess I am just not sure which one works, or whether they simply do the
                                        > same thing. I don't know if the above example from LuKreme is for
                                        > 'sender_access' or another type of file. Do you care to add to this
                                        > for my understanding?
                                        >
                                        >> No glaring errors, although you might want to remove
                                        >> reject_unknown_recipient_domain as the only thing it's likely to block is
                                        >> your own domain.
                                        >
                                        > Thanks. I will try this. You're the 1st to suggest this so far. Thanks.

                                        Do not allow mail sent by "receive only" addresses such as postmaster. I
                                        am assuming that you don't send mail "from postmaster".

                                        That said, this won't block all your spam. Block _sources_ of spam:

                                        $ host 89.204.40.160
                                        160.40.204.89.in-addr.arpa domain name pointer
                                        160.40.204.89.access.ttknet.ru.


                                        So use a

                                        regex=pcre:/etc/postfix/pcre

                                        smtpd_recipient_restrictions =
                                        ...
                                        reject_unauth_destination
                                        ...
                                        check_helo_access $regex/access_host
                                        check_reverse_client_hostname_access $regex/access_host


                                        == access_host
                                        /^(\d+\W){4}.*\.ttknet\.ru$/ REJECT generic hostname....

                                        In these spam days, it's no longer possible to play mail with "generic"
                                        hostnames. The above is still "conservative". It'll only take me some
                                        time to go for a /(\d+\W){4}/.... ;-p
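The following is an added example, not part of mouss's post or of Postfix: a small Python model of how a pcre access table like the access_host above is evaluated by check_helo_access and check_reverse_client_hostname_access (first match wins, case-insensitive), run over constructed client names so you can see which ones the "conservative" rule and the broader /(\d+\W){4}/ rule would reject. It assumes `\d+` is what the post's `d\+` was meant to be, and that the table only carries `/pattern/ ACTION reply` lines without pcre flags.

```python
import re

# Constructed Postfix pcre(5) tables (illustration, not mouss's file); \d+ assumed for the post's d\+.
CONSERVATIVE = r"""
# four delimited numbers, then anything, under one provider's reverse zone
/^(\d+\W){4}.*\.ttknet\.ru$/ REJECT generic hostname
"""
BROAD = r"""
# four delimited numbers anywhere in the name, whatever the domain
/(\d+\W){4}/ REJECT generic hostname
"""

def load_pcre_table(text):
    """Parse '/pattern/ ACTION [reply]' lines; blanks and # comments skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/\s+(\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("unparsable pcre table line: %r" % line)
        pattern, action, reply = m.groups()
        # Postfix pcre lookups are case-insensitive unless a flag says otherwise.
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), reply or ""))
    return rules

def lookup(rules, key):
    """(action, reply) of the first matching rule, or None if none matches."""
    for rx, action, reply in rules:
        if rx.search(key):
            return action, reply
    return None

def check_client(rules, helo_name, reverse_hostname):
    """Run the post's two restrictions, in its order, against one table.
    Returns (restriction, action, reply) for the first rule that fires, or
    None when Postfix would move on; a client with no PTR is looked up as "unknown"."""
    checks = (("check_helo_access", helo_name),
              ("check_reverse_client_hostname_access", reverse_hostname or "unknown"))
    for restriction, key in checks:
        hit = lookup(rules, key)
        if hit:
            return (restriction,) + hit
    return None

# Constructed sample (helo, reverse name) pairs: the name from the post's host
# lookup, a normal MX, a numbered name at another provider, and no PTR at all.
SAMPLES = [("160.40.204.89.access.ttknet.ru", "160.40.204.89.access.ttknet.ru"),
           ("mail.example.com", "mail.example.com"),
           ("localhost", "dsl-10-20-30-40.example.net"), ("unknown", "unknown")]
```

Only the broad rule catches the numbered name at the other provider; neither rule fires on a client without a PTR, so that case still needs a separate restriction such as reject_unknown_reverse_client_hostname.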