rejected emails
in [Postfix]
|
Prev: SASL
Next: Postfix setup help required
From: rogv24 on 26 Oct 2006 15:13 I have a unix/postfix environment and I am getting a bunch of emails that are not on my rbl's, I have spamhaus, spamcop, dynablock, dsbl, ordbl. They pass domain, FQDN, host, MX, envelope checking checks. They also pass spam assassin checks. Hell, then how can I get rid of them? Thanks
From: Greg Hackney on 26 Oct 2006 19:05 rogv24(a)yahoo.com wrote: > I have a unix/postfix environment and I am getting a bunch of emails > that are not on my rbl's, > I have spamhaus, spamcop, dynablock, dsbl, ordbl. > They pass domain, FQDN, host, MX, envelope checking checks. > They also pass spam assassin checks. > > Hell, then how can I get rid of them? > Thanks It's been my experience that probably the last 5-8 percent of the spam that gets through after all other automated means are deployed, are the hardest to get rid of. These spams usually have to be analyzed, and dealt with by manual blocking tables, of which, there are many choices. Depending on what sort of user base you have on your system, you might even be able to block entire countries, or ISP subnets. Just out of curiosity, have you analyzed your logfiles to see what percentage of the total spams are being blocked, versus the percentage of spams getting through? -- Greg
From: rogv24 on 27 Oct 2006 08:22 hello Greg, Thanks for the feedback. Of about 10 emails 3 emails get rejected. I think its very high considering the volume we are getting. We have an older version of postfix 2.013 We plan on upgrading in the near future. I believe there is some thing right now we don't have in postfix that can capture these emails. here is one spam that we got: -----Original Message----- Date: 10/26/2006 09:46 pm -0400 (Thursday) From: "Jenny" <yqc6afa(a)supernet.com.bo> To: "Administrators" <thomaslo(a)si.edu> Subject: Plz. get back Hey, Refill is ready. Plz. reconfirm City . http://cf.geocities.com/Medina8_m120/ Regards, Jenny The mime log looks like this: Return-path: <yqc6afa(a)supernet.com.bo> Received: from si-av04.si.edu [160.111.252.25] by simail1.si.edu; Thu, 26 Oct 2006 21:49:49 -0400 Received: from localhost (localhost [127.0.0.1]) by si-av04.si.edu (SI-Mailer) with ESMTP id 172BB2794 for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:49 -0400 (EDT) Received: from si-av04.si.edu ([127.0.0.1]) by localhost (si-av04 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15352-01 for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:47 -0400 (EDT) Received: from si-ems01.si.edu (si-ems01.si.edu [160.111.252.31]) by si-av04.si.edu (SI-Mailer) with ESMTP id A0873278E for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:47 -0400 (EDT) Received: from localhost (localhost [127.0.0.1]) by si-ems01.si.edu (SI-Mailer) with ESMTP id 39F931C4E for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:46 -0400 (EDT) Received: from si-ems01.si.edu ([127.0.0.1]) by localhost (si-ems01 [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26254-04 for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:46 -0400 (EDT) Received: from mail2.supernet.com.bo (mail2.supernet.com.bo [200.58.72.21]) by si-ems01.si.edu (SI-Mailer) with ESMTP id C3F8B1C11 for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:42 -0400 (EDT) Received: from supernet.com.bo (host-200-58-90-65.supernet.com.bo [200.58.90.65]) by mail2.supernet.com.bo (8.13.1/8.13.1) with ESMTP id k9QHrSFn028309 for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:54:17 +0400 (GMT) Received: from unknown (HELO mail.gimmicc.net) (Thu, 26 Oct 2006 17:35:40 -0900) by relay.2yahoo.com with ESMTP; Thu, 26 Oct 2006 17:35:40 -0900 Received: from unknown (27.52.184.67) by group21.345mail.com with SMTP; Thu, 26 Oct 2006 17:16:52 -0900 Received: from mtu67.syds.piswix.net [56.207.144.130] by rsmail.alkoholic.net with LOCAL; Thu, 26 Oct 2006 17:10:34 -0900 Received: from smtp18.yenddx.com ([146.84.10.118]) by m1.gns.snv.thisdomainl.com with SMTP; Thu, 26 Oct 2006 16:51:40 -0900 Message-ID: <B920605A.F1E29D7(a)supernet.com.bo> Date: Thu, 26 Oct 2006 16:46:48 -0900 From: "Jenny" <yqc6afa(a)supernet.com.bo> X-Accept-Language: en-us MIME-Version: 1.0 To: "Administrators" <thomaslo(a)si.edu> Subject: Plz. get back Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit X-Virus-Scanned: SI-EMS border system (SI+SA) > rogv24(a)yahoo.com wrote: > > I have a unix/postfix environment and I am getting a bunch of emails > > that are not on my rbl's, > > I have spamhaus, spamcop, dynablock, dsbl, ordbl. > > They pass domain, FQDN, host, MX, envelope checking checks. > > They also pass spam assassin checks. > > > > Hell, then how can I get rid of them? > > Thanks > > > It's been my experience that probably the last 5-8 percent of > the spam that gets through after all other automated means > are deployed, are the hardest to get rid of. > > These spams usually have to be analyzed, and dealt with by > manual blocking tables, of which, there are many choices. > > Depending on what sort of user base you have on your system, > you might even be able to block entire countries, or ISP subnets. > > Just out of curiosity, have you analyzed your logfiles to see > what percentage of the total spams are being blocked, versus the > percentage of spams getting through? > > -- > Greg
From: rogv24 on 27 Oct 2006 10:02 I have one more question. How can I tell if an ISP domain is safe enough to add to postfix. rogv24(a)yahoo.com wrote: > hello Greg, > > Thanks for the feedback. Of about 10 emails 3 emails get rejected. I > think its very high > considering the volume we are getting. We have an older version of > postfix 2.013 > We plan on upgrading in the near future. I believe there is some thing > right now we > don't have in postfix that can capture these emails. > > here is one spam that we got: > > -----Original Message----- > Date: 10/26/2006 09:46 pm -0400 (Thursday) > From: "Jenny" <yqc6afa(a)supernet.com.bo> > To: "Administrators" <thomaslo(a)si.edu> > Subject: Plz. get back > > Hey, > > Refill is ready. > Plz. reconfirm City . > > http://cf.geocities.com/Medina8_m120/ > > Regards, > > Jenny > > The mime log looks like this: > Return-path: <yqc6afa(a)supernet.com.bo> > Received: from si-av04.si.edu [160.111.252.25] > by simail1.si.edu; Thu, 26 Oct 2006 21:49:49 -0400 > Received: from localhost (localhost [127.0.0.1]) > by si-av04.si.edu (SI-Mailer) with ESMTP id 172BB2794 > for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:49 -0400 (EDT) > Received: from si-av04.si.edu ([127.0.0.1]) > by localhost (si-av04 [127.0.0.1]) (amavisd-new, port 10024) with > ESMTP > id 15352-01 for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:47 -0400 > (EDT) > Received: from si-ems01.si.edu (si-ems01.si.edu [160.111.252.31]) > by si-av04.si.edu (SI-Mailer) with ESMTP id A0873278E > for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:47 -0400 (EDT) > Received: from localhost (localhost [127.0.0.1]) > by si-ems01.si.edu (SI-Mailer) with ESMTP id 39F931C4E > for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:46 -0400 (EDT) > Received: from si-ems01.si.edu ([127.0.0.1]) > by localhost (si-ems01 [127.0.0.1]) (amavisd-new, port 10024) with > ESMTP > id 26254-04 for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:46 -0400 > (EDT) > Received: from mail2.supernet.com.bo (mail2.supernet.com.bo > [200.58.72.21]) > by si-ems01.si.edu (SI-Mailer) with ESMTP id C3F8B1C11 > for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:49:42 -0400 (EDT) > Received: from supernet.com.bo (host-200-58-90-65.supernet.com.bo > [200.58.90.65]) > by mail2.supernet.com.bo (8.13.1/8.13.1) with ESMTP id k9QHrSFn028309 > for <thomaslo(a)si.edu>; Thu, 26 Oct 2006 21:54:17 +0400 (GMT) > Received: from unknown (HELO mail.gimmicc.net) (Thu, 26 Oct 2006 > 17:35:40 -0900) > by relay.2yahoo.com with ESMTP; Thu, 26 Oct 2006 17:35:40 -0900 > Received: from unknown (27.52.184.67) > by group21.345mail.com with SMTP; Thu, 26 Oct 2006 17:16:52 -0900 > Received: from mtu67.syds.piswix.net [56.207.144.130] by > rsmail.alkoholic.net with LOCAL; Thu, 26 Oct 2006 17:10:34 -0900 > Received: from smtp18.yenddx.com ([146.84.10.118]) by > m1.gns.snv.thisdomainl.com with SMTP; Thu, 26 Oct 2006 16:51:40 -0900 > Message-ID: <B920605A.F1E29D7(a)supernet.com.bo> > Date: Thu, 26 Oct 2006 16:46:48 -0900 > From: "Jenny" <yqc6afa(a)supernet.com.bo> > X-Accept-Language: en-us > MIME-Version: 1.0 > To: "Administrators" <thomaslo(a)si.edu> > Subject: Plz. get back > Content-Type: text/plain; > charset="us-ascii" > Content-Transfer-Encoding: 8bit > X-Virus-Scanned: SI-EMS border system (SI+SA) > > > > > rogv24(a)yahoo.com wrote: > > > I have a unix/postfix environment and I am getting a bunch of emails > > > that are not on my rbl's, > > > I have spamhaus, spamcop, dynablock, dsbl, ordbl. > > > They pass domain, FQDN, host, MX, envelope checking checks. > > > They also pass spam assassin checks. > > > > > > Hell, then how can I get rid of them? > > > Thanks > > > > > > It's been my experience that probably the last 5-8 percent of > > the spam that gets through after all other automated means > > are deployed, are the hardest to get rid of. > > > > These spams usually have to be analyzed, and dealt with by > > manual blocking tables, of which, there are many choices. > > > > Depending on what sort of user base you have on your system, > > you might even be able to block entire countries, or ISP subnets. > > > > Just out of curiosity, have you analyzed your logfiles to see > > what percentage of the total spams are being blocked, versus the > > percentage of spams getting through? > > > > -- > > Greg
From: Greg Hackney on 27 Oct 2006 13:07
The most efficient way to block spam is by IP address, or RCPT TO or MAIL FROM information, because Postfix blocks those before the message body data is received. That's why RBL lists are so valuable. Secondarily, Postfix can scan the message body for headers such as To:, From:, Subject:, message-content strings, etc. These content scans can be configured to run as pre-queue, or post-queue (the latter actually accepts the email, then scans it). rogv24(a)yahoo.com wrote: > here is one spam that we got: Your sample spam is of the type that's difficult to block by IP address. It arrived via a legit ISP mail relay in Bolivia, which isn't likely to get placed onto a RBL block list. The originating site was one of the ISP's direct customers, whose computer was probably hacked, and used temporarily for spewing spam. The only received: header that you can ever trust is the one generated by your outermost mail relay: > Received: from mail2.supernet.com.bo (mail2.supernet.com.bo > [200.58.72.21]) > by si-ems01.si.edu (SI-Mailer) with ESMTP id C3F8B1C11 It indicates that the ISP's mail relay is at 200.58.72.21. You could block that IP address, or the entire subnet for the ISP, or on the name supernet.com.bo; but I'm guessing that you probably don't want to do that, since your's is a global oriented .edu site. You can't really trust any other headers that follow. Although it does appear in this case that the next header is valid (and the remainder are forged): > Received: from supernet.com.bo (host-200-58-90-65.supernet.com.bo > [200.58.90.65]) > by mail2.supernet.com.bo (8.13.1/8.13.1) with ESMTP id k9QHrSFn028309 That header shows the ISP customers IP address of 200.58.90.65. Again, it's probably not a spammers site, but one that has been hacked. Assuming that you wouldn't want to block all of Bolivia, nor the ISP's mail relay, and assuming that the MAIL FROM's are randomly generated, you are left with examining the message body: > Date: 10/26/2006 09:46 pm -0400 (Thursday) > From: "Jenny" <yqc6afa(a)supernet.com.bo> > To: "Administrators" <thomaslo(a)si.edu> > Subject: Plz. get back You could use some header_checks, such as: /^Subject:.*Plz\. get back/ REJECT /^To:.*\"Administrators\"/ REJECT > Hey, > > Refill is ready. > Plz. reconfirm City . You could use some body_checks such as: body_checks_size_limit = 24576 /Refill is ready\./ REJECT /Plz\..*reconfirm/ REJECT > http://cf.geocities.com/Medina8_m120/ In body_checks, you can also build up a list of spamvertised URLs, using an efficient if/endif statement: if /http:/ /cf.geocities.com/ REJECT /hardpornofilms.com/ REJECT /bestloanz.net/ REJECT endif Also, spamassassin has a bayesian like statistical analysis feature that predicts probabilities of a message being spam or not, which can be trained for your particular site by using the "sa-learn" command. -- Greg |