Re: Spam Attack on Postmaster

  • LuKreme
    Message 1 of 18, Mar 1, 2010
      On 01-Mar-10 06:08, Ralf Hildebrandt wrote:
      > * Stan Hoeppner<stan@...>:
      >
      >> If you sub the list, ask Rich K about ipdeny. I learned about it from him.
      >> He's been a spam fighter since 1994 (maybe earlier). He's old school.
      >
      > Yay, I'm old school :)

      You're so old school you're PRE school!

      No, wait, that's not right.

      :D

      --
      The fact that Bob and John are married does nothing to diminish
      anyone else's marriage any more than a black woman marrying a
      white man, a Jew marrying a Catholic, or an ugly Lyle marrying
      a Pretty Woman
    • Carlos Williams
      Message 2 of 18, Mar 1, 2010
        On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones <njones@...> wrote:
        > That parameter doesn't prevent spammers from sending junk to postmaster, it
        > prevents mail to postmaster from bypassing your existing anti-spam controls.
        >  Big difference.

        It looks like it does pass my 'anti-spam' controls however, and I am not
        sure why or how I can determine what is allowing this particular
        example to slip past. Below is straight from my Postfix logs, and at
        the end of this email you can see my postconf -n shows
        '$double_bounce_sender':

        Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160:
        hostname 160.40.204.89.access.ttknet.ru verification failed: Name or
        service not known
        Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
        Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5:
        client=unknown[89.204.40.160]
        Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5:
        message-id=<20100227200549.179C477ADB5@...>
        Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5:
        from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
        Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
        Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6:
        client=localhost.localdomain[127.0.0.1]
        Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6:
        message-id=<20100227200549.179C477ADB5@...>
        Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from
        localhost.localdomain[127.0.0.1]
        Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6:
        from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
        Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY,
        [89.204.40.160] [89.204.40.160] <postmaster@...> ->
        <postmaster@...>, Message-ID:
        <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq,
        Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
        Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5:
        to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024,
        delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0
        Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
        EC5B277ADD6)
        Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
        Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6:
        to=<carlos@...>, orig_to=<postmaster@...>,
        relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0,
        status=sent (delivered to maildir)
        Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed

        > No.  Apparently you have no controls that would otherwise reject this spam.

        I guess I didn't really fully understand the meaning of
        '$double_bounce_sender'.

        > Yes, looks as if the spammer forged your postmaster as the envelope sender.
        >  You can reject mail FROM postmaster@ your domain with a check_sender_access
        > map.

        I do have a 'sender_access' map in /etc/postfix and in main.cf:

        [root@mail postfix]# postconf -n | grep 'sender_access'
        smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_pipelining,
        reject_non_fqdn_recipient, reject_unknown_recipient_domain,
        reject_unauth_destination, reject_unlisted_recipient,
        check_policy_service unix:postgrey/socket, check_sender_access
        hash:/etc/postfix/sender_access,
        check_helo_access pcre:/etc/postfix/helo_checks.pcre,
        check_client_access hash:/etc/postfix/client_access,
        reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

        Inside the file however I have domains and specific email addresses.
        Is this wrong formatting for the 'sender_access' file?

        # /etc/postfix/sender_access
        #
        # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
        #
        lmco.com OK
        saic.com OK
        se-core.net OK
        army.mil OK
        us.army.mil OK
        rayhtheonvtc.com OK
        sting_ray1@... OK

        aol.com REJECT
        craigslist.org REJECT
        facebookmail.com REJECT
        gmail.com REJECT
        hotmail.com REJECT
        yahoo.com REJECT
        youtube.com REJECT

        Noel or anyone. If you can please help me understand the following:

        1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
        my main.cf when, as my logs above show, it didn't have a properly
        formatted FQDN and/or hostname?
        2. Was it passed because it was spoofed to come from
        'postmaster@...' & I need to add a rule for this in
        'sender_access'?
        3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
        to 'Postmaster' run through checks?
        4. Based on my postconf -n (below) and my contents above showing
        '/etc/postfix/sender_access', do I have the correct values in the
        'sender_access' file or is it improperly formatted?

        ***Postconf -n***

        [root@mail postfix]# postconf -n
        address_verify_sender = $double_bounce_sender
        alias_database = hash:/etc/aliases
        alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
        broken_sasl_auth_clients = yes
        command_directory = /usr/sbin
        config_directory = /etc/postfix
        content_filter = amavisfeed:[127.0.0.1]:10024
        daemon_directory = /usr/libexec/postfix
        home_mailbox = Maildir/
        html_directory = no
        inet_interfaces = all
        mail_owner = postfix
        mailq_path = /usr/bin/mailq.postfix
        manpage_directory = /usr/share/man
        message_size_limit = 20480000
        mydestination = $myhostname, $mydomain, mail.$mydomain
        mydomain = iamghost.com
        myhostname = mail.iamghost.com
        mynetworks = $config_directory/mynetworks
        myorigin = $mydomain
        newaliases_path = /usr/bin/newaliases.postfix
        queue_directory = /var/spool/postfix
        readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
        recipient_delimiter = +
        relay_domains =
        sample_directory = /usr/share/doc/postfix-2.3.3/samples
        sendmail_path = /usr/sbin/sendmail.postfix
        setgid_group = postdrop
        smtp_tls_security_level = may
        smtpd_banner = $myhostname ESMTP
        smtpd_data_restrictions = reject_unauth_pipelining, permit
        smtpd_delay_reject = yes
        smtpd_helo_required = yes
        smtpd_helo_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname, permit
        smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_pipelining,
        reject_non_fqdn_recipient, reject_unknown_recipient_domain,
        reject_unauth_destination, reject_unlisted_recipient,
        check_policy_service unix:postgrey/socket, check_sender_access
        hash:/etc/postfix/sender_access,
        check_helo_access pcre:/etc/postfix/helo_checks.pcre,
        check_client_access hash:/etc/postfix/client_access,
        reject_rbl_client zen.spamhaus.org, reject_rbl_client
        bl.spamcop.net, permit
        smtpd_sasl_auth_enable = yes
        smtpd_sasl_path = private/auth
        smtpd_sasl_security_options = noanonymous
        smtpd_sasl_type = dovecot
        smtpd_sender_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_reverse_client_hostname, permit
        smtpd_tls_CAfile = /etc/ssl/intermediate.crt
        smtpd_tls_auth_only = yes
        smtpd_tls_cert_file = /srv/ssl/mail.crt
        smtpd_tls_key_file = /srv/ssl/mail.key
        smtpd_tls_loglevel = 1
        smtpd_tls_security_level = may
        smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
        smtpd_tls_session_cache_timeout = 3600s
        tls_random_source = dev:/dev/urandom
        unknown_local_recipient_reject_code = 550
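An added example, not from anyone in this thread, of the check Carlos is asking for: it correlates the smtpd "client=" and qmgr "from=" lines by queue ID and flags messages whose envelope sender is in one of his domains (from mydestination) but whose SMTP client lies outside mynetworks. The log text is constructed from the excerpt above with iamghost.com filled in for the elided domain, and mynetworks is assumed to be loopback only, since on his box it is a file.

```python
import re
from ipaddress import ip_address, ip_network

# From Carlos's postconf -n (mydestination); mynetworks is a file on his box,
# so loopback only is assumed here.
MY_DOMAINS = {"iamghost.com", "mail.iamghost.com"}
MY_NETWORKS = [ip_network("127.0.0.0/8")]

# Constructed sample log, modelled on the excerpt above with the elided
# domain filled in and one unrelated legitimate message added.
SAMPLE_LOG = """\
Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5: client=unknown[89.204.40.160]
Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5: from=<postmaster@iamghost.com>, size=3854, nrcpt=1 (queue active)
Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6: client=localhost.localdomain[127.0.0.1]
Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: from=<postmaster@iamghost.com>, size=4620, nrcpt=1 (queue active)
Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY, [89.204.40.160] [89.204.40.160] <postmaster@iamghost.com> -> <postmaster@iamghost.com>, Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
Feb 27 15:06:10 mail postfix/smtpd[3291]: 2A1B377ADC0: client=mx1.example.net[192.0.2.10]
Feb 27 15:06:11 mail postfix/qmgr[20536]: 2A1B377ADC0: from=<alice@example.net>, size=1200, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
AMAVIS_RE = re.compile(r"amavis\[\d+\]: \(\S+\) (?P<verdict>Passed|Blocked) (?P<kind>[A-Z-]+),"
                       r".*Hits: (?P<hits>-?[\d.]+).*queued_as: (?P<qid>[0-9A-F]+)")


def parse(log_text):
    """Group the interesting fields by Postfix queue ID."""
    msgs = {}
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs.setdefault(m["qid"], {}).update(client_host=m["host"], client_ip=m["ip"])
        elif m := FROM_RE.search(line):
            msgs.setdefault(m["qid"], {})["sender"] = m["sender"]
        elif m := AMAVIS_RE.search(line):
            # amavis logs the queue ID Postfix assigned on re-injection (queued_as)
            msgs.setdefault(m["qid"], {})["amavis"] = (m["verdict"], m["kind"], float(m["hits"]))
    return msgs


def spoofed_local_senders(msgs):
    """Queue IDs whose envelope sender is in one of our domains but whose SMTP
    client is outside mynetworks. The content filter's re-injection from
    127.0.0.1 is trusted, so only the first queue ID of the amavis pair is
    reported, not the re-injected copy."""
    hits = []
    for qid, m in msgs.items():
        sender, ip = m.get("sender"), m.get("client_ip")
        if not sender or not ip:
            continue
        domain = sender.rpartition("@")[2].lower()
        trusted = any(ip_address(ip) in net for net in MY_NETWORKS)
        if domain in MY_DOMAINS and not trusted:
            hits.append((qid, sender, ip))
    return hits


if __name__ == "__main__":
    msgs = parse(SAMPLE_LOG)
    for qid, sender, ip in spoofed_local_senders(msgs):
        print(f"{qid}: external client {ip} claimed local sender <{sender}>")
```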
      • Noel Jones
        Message 3 of 18, Mar 1, 2010
          On 3/1/2010 10:50 AM, Carlos Williams wrote:
          > On Mon, Mar 1, 2010 at 9:29 AM, Noel Jones<njones@...> wrote:
          >> That parameter doesn't prevent spammers from sending junk to postmaster, it
          >> prevents mail to postmaster from bypassing your existing anti-spam controls.
          >> Big difference.
          >
          > It looks like it does pass my 'anti-spam' controls however & I am not
          > sure why or how I can determine what is allowing this particular
          > example to slip past.

          It "slips past" because there are no rules to block it.

          > Below is straight from my Postfix logs and in
          > the end of this email you can see my postconf -n shows
          > '$double_bounce_sender':
          >
          > Feb 27 15:05:44 mail postfix/smtpd[3291]: warning: 89.204.40.160:
          > hostname 160.40.204.89.access.ttknet.ru verification failed: Name or
          > service not known
          > Feb 27 15:05:44 mail postfix/smtpd[3291]: connect from unknown[89.204.40.160]
          > Feb 27 15:05:49 mail postfix/smtpd[3291]: 179C477ADB5:
          > client=unknown[89.204.40.160]
          > Feb 27 15:05:50 mail postfix/cleanup[5220]: 179C477ADB5:
          > message-id=<20100227200549.179C477ADB5@...>
          > Feb 27 15:05:50 mail postfix/qmgr[20536]: 179C477ADB5:
          > from=<postmaster@...>, size=3854, nrcpt=1 (queue active)
          > Feb 27 15:05:50 mail postfix/smtpd[3291]: disconnect from unknown[89.204.40.160]
          > Feb 27 15:05:50 mail postfix/smtpd[5224]: EC5B277ADD6:
          > client=localhost.localdomain[127.0.0.1]
          > Feb 27 15:05:50 mail postfix/cleanup[5220]: EC5B277ADD6:
          > message-id=<20100227200549.179C477ADB5@...>
          > Feb 27 15:05:51 mail postfix/smtpd[5224]: disconnect from
          > localhost.localdomain[127.0.0.1]
          > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6:
          > from=<postmaster@...>, size=4620, nrcpt=1 (queue active)
          > Feb 27 15:05:51 mail amavis[6851]: (06851-16) Passed SPAMMY,
          > [89.204.40.160] [89.204.40.160] <postmaster@...> ->
          > <postmaster@...>, Message-ID:
          > <20100227200549.179C477ADB5@...>, mail_id: awUEbrkCfcvq,
          > Hits: 7.457, size: 3845, queued_as: EC5B277ADD6, 811 ms
          > Feb 27 15:05:51 mail postfix/lmtp[5221]: 179C477ADB5:
          > to=<postmaster@...>, relay=127.0.0.1[127.0.0.1]:10024,
          > delay=2.5, delays=1.7/0.01/0/0.81, dsn=2.0.0, status=sent (250 2.0.0
          > Ok, id=06851-16, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as
          > EC5B277ADD6)
          > Feb 27 15:05:51 mail postfix/qmgr[20536]: 179C477ADB5: removed
          > Feb 27 15:05:51 mail postfix/local[5225]: EC5B277ADD6:
          > to=<carlos@...>, orig_to=<postmaster@...>,
          > relay=local, delay=0.31, delays=0.18/0.01/0/0.12, dsn=2.0.0,
          > status=sent (delivered to maildir)
          > Feb 27 15:05:51 mail postfix/qmgr[20536]: EC5B277ADD6: removed
          >
          >> No. Apparently you have no controls that would otherwise reject this spam.
          >
          > I guess I didn't really fully understand the meaning of
          > '$double_bounce_sender'.
          >
          >> Yes, looks as if the spammer forged your postmaster as the envelope sender.
          >> You can reject mail FROM postmaster@ your domain with a check_sender_access
          >> map.
          >
          > I do have a 'sender_access' map in /etc/postfix and in main.cf:
          >
          > [root@mail postfix]# postconf -n | grep 'sender_access'
          > smtpd_recipient_restrictions = permit_mynetworks,
          > permit_sasl_authenticated, reject_unauth_pipelining,
          > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
          > reject_unauth_destination, reject_unlisted_recipient,
          > check_policy_service unix:postgrey/socket, check_sender_access
          > hash:/etc/postfix/sender_access,
          > check_helo_access pcre:/etc/postfix/helo_checks.pcre,
          > check_client_access hash:/etc/postfix/client_access,
          > reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
          >
          > Inside the file however I have domains and specific email addresses.
          > Is this wrong formatting for the 'sender_access' file?
          >
          > # /etc/postfix/sender_access
          > #
          > # Black/Whitelist for senders matching the 'MAIL FROM' field. Examples...
          > #
          > lmco.com OK
          > saic.com OK
          > se-core.net OK
          > army.mil OK
          > us.army.mil OK
          > rayhtheonvtc.com OK
          > sting_ray1@... OK
          >
          > aol.com REJECT
          > craigslist.org REJECT
          > facebookmail.com REJECT
          > gmail.com REJECT
          > hotmail.com REJECT
          > yahoo.com REJECT
          > youtube.com REJECT

          You can add "postmaster@your_domain REJECT" to this list if
          you want.


          >
          > Noel or anyone. If you can please help me understand the following:
          >
          > 1. Why did Postfix allow the sender to bypass my 'anti spam' rules in
          > my main.cf when, as my logs above show, it didn't have a properly
          > formatted FQDN and/or hostname?

          You have no rules to reject based on this.

          > 2. Was it passed because it was spoofed to come from
          > 'postmaster@...' & I need to add a rule for this in
          > 'sender_access'?

          No, that doesn't appear to have any bearing.


          > 3. If 'yes' to above, why isn't '$double_bounce_sender' forcing email
          > to 'Postmaster' run through checks?
          > 4. Based on my postconf -n (below) and my contents above showing
          > '/etc/postfix/sender_access', do I have the correct values in the
          > 'sender_access' file or is it improperly formatted?

          >
          > ***Postconf -n***
          >
          > [root@mail postfix]# postconf -n
          > address_verify_sender = $double_bounce_sender
          > alias_database = hash:/etc/aliases
          > alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
          > broken_sasl_auth_clients = yes
          > command_directory = /usr/sbin
          > config_directory = /etc/postfix
          > content_filter = amavisfeed:[127.0.0.1]:10024
          > daemon_directory = /usr/libexec/postfix
          > home_mailbox = Maildir/
          > html_directory = no
          > inet_interfaces = all
          > mail_owner = postfix
          > mailq_path = /usr/bin/mailq.postfix
          > manpage_directory = /usr/share/man
          > message_size_limit = 20480000
          > mydestination = $myhostname, $mydomain, mail.$mydomain
          > mydomain = iamghost.com
          > myhostname = mail.iamghost.com
          > mynetworks = $config_directory/mynetworks
          > myorigin = $mydomain
          > newaliases_path = /usr/bin/newaliases.postfix
          > queue_directory = /var/spool/postfix
          > readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
          > recipient_delimiter = +
          > relay_domains =
          > sample_directory = /usr/share/doc/postfix-2.3.3/samples
          > sendmail_path = /usr/sbin/sendmail.postfix
          > setgid_group = postdrop
          > smtp_tls_security_level = may
          > smtpd_banner = $myhostname ESMTP
          > smtpd_data_restrictions = reject_unauth_pipelining, permit
          > smtpd_delay_reject = yes
          > smtpd_helo_required = yes
          > smtpd_helo_restrictions = permit_mynetworks,
          > permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
          > reject_invalid_helo_hostname, permit
          > smtpd_recipient_restrictions = permit_mynetworks,
          > permit_sasl_authenticated, reject_unauth_pipelining,
          > reject_non_fqdn_recipient, reject_unknown_recipient_domain,
          > reject_unauth_destination, reject_unlisted_recipient,
          > check_policy_service unix:postgrey/socket, check_sender_access
          > hash:/etc/postfix/sender_access,
          > check_helo_access pcre:/etc/postfix/helo_checks.pcre,
          > check_client_access hash:/etc/postfix/client_access,
          > reject_rbl_client zen.spamhaus.org, reject_rbl_client
          > bl.spamcop.net, permit


          No glaring errors, although you might want to remove
          reject_unknown_recipient_domain as the only thing it's likely
          to block is your own domain.


          > smtpd_sasl_auth_enable = yes
          > smtpd_sasl_path = private/auth
          > smtpd_sasl_security_options = noanonymous
          > smtpd_sasl_type = dovecot
          > smtpd_sender_restrictions = permit_mynetworks,
          > permit_sasl_authenticated, reject_non_fqdn_sender,
          > reject_unknown_sender_domain,
          > reject_unknown_reverse_client_hostname, permit
          > smtpd_tls_CAfile = /etc/ssl/intermediate.crt
          > smtpd_tls_auth_only = yes
          > smtpd_tls_cert_file = /srv/ssl/mail.crt
          > smtpd_tls_key_file = /srv/ssl/mail.key
          > smtpd_tls_loglevel = 1
          > smtpd_tls_security_level = may
          > smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
          > smtpd_tls_session_cache_timeout = 3600s
          > tls_random_source = dev:/dev/urandom
          > unknown_local_recipient_reject_code = 550

          -- Noel Jones
        • Carlos Williams
          Message 4 of 18, Mar 1, 2010
            On Mon, Mar 1, 2010 at 12:28 PM, Noel Jones <njones@...> wrote:
            > It "slips past" because there are no rules to block it.
            > You can add "postmaster@your_domain   REJECT" to this list if you want.

            I am assuming I would add this to 'sender_access', correct?

            On Mon, Mar 1, 2010 at 1:31 AM, LuKreme <kremels@...> wrote:
            > Often people have an exclusion to pass email to postmaster no matter what.
            > Check your sender_access and helo_checks for such an exclusion.
            >
            > Mine looks like this:
            >
            > /^postmaster@...$/ 550 Don't Spoof as my postmaster
            > /^postmaster@...$/ 550 Don't Spoof as my postmaster
            > /^postmaster@...$/ 550 Don't Spoof as my postmaster
            > /^postmaster\@/ OK

            LuKreme suggested the above which is different from your suggestion
            above. I guess I am just not sure which works or do they simply do the
            same thing. I don't know if the above example from LuKreme is for
            'sender_access' or another type of file. Do you care to add to this
            for my understanding?

            > No glaring errors, although you might want to remove
            > reject_unknown_recipient_domain as the only thing it's likely to block is
            > your own domain.

            Thanks. I will try this. You're the 1st to suggest this so far. Thanks.
          • mouss
            Message 5 of 18, Mar 1, 2010
              Carlos Williams wrote:
              > On Mon, Mar 1, 2010 at 12:28 PM, Noel Jones <njones@...> wrote:
              >> It "slips past" because there are no rules to block it.
              >> You can add "postmaster@your_domain REJECT" to this list if you want.
              >
              > I am assuming I would add this to 'sender_access', correct?
              >
              > On Mon, Mar 1, 2010 at 1:31 AM, LuKreme <kremels@...> wrote:
              >> Often people have an exclusion to pass email to postmaster no matter what.
              >> Check your sender_access and helo_checks for such an exclusion.
              >>
              >> Mine looks like this:
              >>
              >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
              >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
              >> /^postmaster@...$/ 550 Don't Spoof as my postmaster
              >> /^postmaster\@/ OK
              >
              > LuKreme suggested the above which is different from your suggestion
              > above. I guess I am just not sure which works or do they simply do the
              > same thing. I don't know if the above example from LuKreme is for
              > 'sender_access' or another type of file. Do you care to add to this
              > for my understanding?
              >
              >> No glaring errors, although you might want to remove
              >> reject_unknown_recipient_domain as the only thing it's likely to block is
              >> your own domain.
              >
              > Thanks. I will try this. You're the 1st to suggest this so far. Thanks.

              do not allow mail sent by "receive only" addresses such as postmaster. I
              am assuming that you don't send mail "from postmaster".

              that said, this won't block all your spam. block _sources_ of spam:

              $ host 89.204.40.160
              160.40.204.89.in-addr.arpa domain name pointer
              160.40.204.89.access.ttknet.ru.


              so use a

              regex=pcre:/etc/postfix/pcre

              smtpd_recipient_restrictions =
              ...
              reject_unauth_destination
              ...
              check_helo_access $regex/access_host
              check_reverse_client_hostname_access $regex/access_host


              == access_host
              /^(\d+\W){4}.*\.ttknet\.ru$/ REJECT generic hostname....

              In these spam days, it's no longer possible to play mail with "generic"
              hostnames. The above is still "conservative". It'll only take me some
              time to go for a /(\d+\W){4}/.... ;-p
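An added example, not posted by anyone in this thread, that emulates how Postfix evaluates the tables discussed here: first-match-wins lookup in a pcre: table (LuKreme's sender_access rules and mouss's access_host rule, written with \d+ for a run of digits), the access(5) lookup order for Carlos's hash: sender_access with Noel's postmaster entry added, and a restriction list walked in order so the effect of placing sender_access before the hostname check is visible. The tables are constructed, with iamghost.com standing in for the elided domains.

```python
import re

# Every table here is constructed for this example, modelled on the rules
# quoted in the thread, with iamghost.com standing in for the elided domains.

# LuKreme-style pcre: sender_access: refuse anyone claiming to be our own
# postmaster, then let postmaster@ of other domains through.
SENDER_ACCESS_PCRE = [
    (r"^postmaster@iamghost\.com$", "550 Don't Spoof as my postmaster"),
    (r"^postmaster@mail\.iamghost\.com$", "550 Don't Spoof as my postmaster"),
    (r"^postmaster@", "OK"),
]

# mouss-style access_host, keyed on the client's reverse hostname: four
# numeric labels and then anything under ttknet.ru is a "generic" name.
ACCESS_HOST_PCRE = [(r"^(\d+\W){4}.*\.ttknet\.ru$", "REJECT generic hostname")]

# A subset of Carlos's hash: sender_access plus Noel's suggested entry.
SENDER_ACCESS_HASH = {
    "lmco.com": "OK", "us.army.mil": "OK",
    "gmail.com": "REJECT", "yahoo.com": "REJECT",
    "postmaster@iamghost.com": "REJECT",
}


def pcre_lookup(table, key):
    """First matching pattern wins, as in a Postfix pcre: table; Postfix
    matches case-insensitively by default and does not anchor patterns."""
    for pattern, action in table:
        if re.search(pattern, key, re.IGNORECASE):
            return action
    return None


def hash_lookup(table, address):
    """access(5) lookup order for an email address in a hash: table: the full
    address, then the domain and each parent domain (the default
    parent_domain_matches_subdomains behaviour), then 'user@'. Address
    extensions (recipient_delimiter) are ignored here."""
    address = address.lower()
    if address in table:
        return table[address]
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    for i in range(len(labels)):  # mail.gmail.com -> gmail.com -> com
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return table.get(local + "@")


def evaluate(restrictions, sender, client_hostname):
    """Walk a restriction list in order as smtpd does: the first table entry
    yielding OK or a REJECT/5xx action decides, a miss falls through, and the
    list ends with 'permit' as Carlos's does. An OK in sender_access placed
    before the hostname check therefore lets that sender skip the check."""
    for kind, table in restrictions:
        key = sender if kind == "sender" else client_hostname
        lookup = hash_lookup if isinstance(table, dict) else pcre_lookup
        action = lookup(table, key)
        if action is None or action.upper() == "DUNNO":
            continue
        return "permit" if action.upper() == "OK" else "reject"
    return "permit"


if __name__ == "__main__":
    carlos_order = [("sender", SENDER_ACCESS_HASH), ("host", ACCESS_HOST_PCRE)]
    for s, h in [("postmaster@iamghost.com", "160.40.204.89.access.ttknet.ru"),
                 ("someone@lmco.com", "160.40.204.89.access.ttknet.ru")]:
        print(s, h, "->", evaluate(carlos_order, s, h))
```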