
Re: spam - headers: from ME to ME, but different envelope sender

  • Noel Jones
    Message 1 of 14 , Sep 6, 2013
      On 9/6/2013 9:05 AM, Wietse Venema wrote:
      > Wijatmoko U. Prayitno:
      >> On Fri, 06 Sep 2013 16:43:27 +0300
      >> wiseadmin <wiseadmin@...> wrote:
      >>
      >>> and the same message from postfix logs:
      >>>
      >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
      >> The email came from local user uid 1018 (service pickup).
      >
      > Good observation. This message did not come via SMTP. You have
      > a buggy web application.
      >
      > Wietse
      >


      The OP has a basic content filter that passes through spamd then back
      to postfix via the sendmail interface. He's only shown us the
      post-filter logging.

      Wijatmoko, could you put a sample of the spam, including all
      headers, on pastebin.com or similar where we can see it?



      -- Noel Jones
    • Stan Hoeppner
      Message 2 of 14 , Sep 6, 2013
        On 9/6/2013 9:05 AM, Wietse Venema wrote:
        > Wijatmoko U. Prayitno:
        >> On Fri, 06 Sep 2013 16:43:27 +0300
        >> wiseadmin <wiseadmin@...> wrote:
        >>
        >>> and the same message from postfix logs:
        >>>
        >>> /var/log/mail.log.1:Sep 5 17:10:06 cma postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<strongestv0@...>
        >> The email came from local user uid 1018 (service pickup).
        >
        > Good observation. This message did not come via SMTP. You have
        > a buggy web application.

        The default spamassassin spamc/spamd install on many OSes defaults to
        reinjecting via pickup. I have the same setup. This isn't the problem.

        The problem is "Nigerian 419" from 41.0.0.0/8. Block this class A net
        in a CIDR table and this problem is solved, unless you are in Africa and
        need to accept email from Africa. I've been blocking this /8 basically
        forever. I also take the extra step of rejecting any connection that
        has 41/8 in the headers.

        --
        Stan
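Added example, not part of the thread: a log triage sketch for the point made in the two replies above, that a `postfix/pickup` line with a uid can be either a content filter reinjecting SMTP mail or a genuinely local submission. It pairs queue IDs through the `message-id=` that cleanup logs for each; the log lines are constructed, and matching on Message-ID is an assumption (the header is sender-controlled and can collide).

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread); documentation-range addresses.
SAMPLE_LOG = """\
Sep  5 17:10:05 mx postfix/smtpd[17400]: 9C1D210BADE: client=unknown[192.0.2.55]
Sep  5 17:10:05 mx postfix/cleanup[17402]: 9C1D210BADE: message-id=<m1@example.invalid>
Sep  5 17:10:06 mx postfix/pickup[17510]: A3E8C10BADF: uid=1018 from=<a@example.invalid>
Sep  5 17:10:06 mx postfix/cleanup[17402]: A3E8C10BADF: message-id=<m1@example.invalid>
Sep  5 17:12:40 mx postfix/pickup[17510]: B7F2210BAE1: uid=33 from=<www-data@example.invalid>
Sep  5 17:12:40 mx postfix/cleanup[17402]: B7F2210BAE1: message-id=<m2@example.invalid>
"""

LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")

def classify_pickups(log_text):
    """Label each pickup queue ID as 'reinjected' (same Message-ID was also
    received by smtpd) or 'local' (no SMTP counterpart in this log)."""
    origin = {}                   # queue id -> ("smtpd", client) or ("pickup", uid)
    by_msgid = defaultdict(list)  # message-id -> queue ids, in log order
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        service, qid, rest = m.groups()
        if service == "smtpd" and rest.startswith("client="):
            origin[qid] = ("smtpd", rest[len("client="):])
        elif service == "pickup" and rest.startswith("uid="):
            origin[qid] = ("pickup", rest.split()[0][len("uid="):])
        elif service == "cleanup" and rest.startswith("message-id="):
            by_msgid[rest[len("message-id="):]].append(qid)
    result = {}
    for qids in by_msgid.values():
        clients = [origin[q][1] for q in qids if origin.get(q, ("",))[0] == "smtpd"]
        for q in qids:
            if origin.get(q, ("",))[0] != "pickup":
                continue
            kind = "reinjected" if clients else "local"
            result[q] = {"kind": kind, "uid": origin[q][1],
                         "client": clients[0] if clients else None}
    return result

if __name__ == "__main__":
    for qid, info in classify_pickups(SAMPLE_LOG).items():
        print(qid, info)
```

A `local` result only means no SMTP counterpart was found in the text given; run it over the rotated logs as well before concluding the mail originated on the host.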
      • FliedRice
        Message 3 of 14 , Sep 6, 2013
          Just a thought, In order to block more incoming spam you could add more rbl's
          to your main.cf file.
          I have spamassassin, but it's turned off in favor of the following smtpd
          restrictions and domain blocking
          in the plesk user interface, or filtering in the Cpanel interface. I have 2
          servers which both use these restrictions:

          smtpd_client_restrictions = permit_mynetworks,
              reject_rbl_client sbl.spamhaus.org,
              reject_rbl_client xbl.spamhaus.org,
              reject_rbl_client bl.spamcop.net,
              reject_rbl_client cbl.abuseat.org,
              reject_rbl_client dnsbl.mags.net,
              reject_rbl_client bl.mailspike.net,
              reject_rbl_client l2.apews.org,
              reject_rbl_client bl.tiopan.com,
              reject_rbl_client niku.2ch.net,
              reject_rbl_client bl.spameatingmonkey.net

          I ended up choosing these over time as I get a lot of spam emails, (because
          I send a lot of emails).
          I started with a couple, but when one email got thru I would check the dbl
          listings to see who might be
          blocking the one that got thru. I would then add a rbl client that I found
          was blocking the sender
          who had just spammed me.

          Here is a large MultiRbl List <http://multirbl.valli.org> if you want to
          test any email IP's that are sending emails to domains on your server.

          And if you're not very concerned about blocking incoming emails but want to
          block more try:
          reject_rbl_client blackholes.five-ten-sg.com
          It seems to be ok with the large domain ISP's, but it's bullish on
          everything else.



        • Jeroen Geilman
          Message 4 of 14 , Sep 11, 2013
            On 09/07/2013 05:19 AM, FliedRice wrote:
            > Just a thought, In order to block more incoming spam you could add more rbl's
            > to your main.cf file.
            > I have spamassassin, but it's turned off in favor of the following smtpd
            > restrictions and domain blocking
            > in the plesk user interface, or filtering in the Cpanel interface. I have 2
            > servers which both use these restrictions:
            >
            > smtpd_client_restrictions = permit_mynetworks, reject_rbl_client
            > sbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org,

            That's all zen now.
            > reject_rbl_client
            > bl.spamcop.net, reject_rbl_client cbl.abuseat.org, reject_rbl_client
            > dnsbl.mags.net, reject_rbl_client bl.mailspike.net, reject_rbl_client
            > l2.apews.org, reject_rbl_client bl.tiopan.com, reject_rbl_client
            > niku.2ch.net, reject_rbl_client bl.spameatingmonkey.net

            You would want to use postscreen(8) for that.
            For starters, it does parallel lookups (which is faster) and maintains
            its own cache (which is faster still.)
            It also allows you to do weighted scoring for multiple DNSBLs (which
            smtpd_client_restrictions does not.)

            Available in postfix 2.8+ (which is over 2 years old)


            --
            J.
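Added example, not part of the thread: a minimal postscreen setup showing the weighted DNSBL scoring described in the reply above. The list names are taken from the thread; the weights and the threshold are illustrative assumptions, not values anyone in the thread recommended.

```ini
# main.cf: weighted DNSBL scoring (weights and threshold are assumptions)
postscreen_dnsbl_sites =
    zen.spamhaus.org*2,
    bl.spamcop.net*1,
    bl.mailspike.net*1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_action = enforce

# master.cf: postscreen listens on port 25 and passes accepted clients to smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
```

With these numbers a zen listing alone reaches the threshold, while a listing on only one of the other two lists does not; a client listed on both does.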