Chris Funk wrote:
> Hi All,
>
> I am getting a lot of spam with forged addresses in the From: header.
> They are forging it with our domain addresses. Here is an example:
>
> Received: from localhost (localhost.localdomain [127.0.0.1]) by
> mail.us-reports.com (Postfix) with ESMTP id 391E716C11F for
> <[EMAIL PROTECTED]>; Thu, 4 Dec 2008 08:40:55 -0700 (MST)
> X-Virus-Scanned: amavisd-new at us-reports.com
> Received: from mail.us-reports.com ([127.0.0.1]) by localhost
> (mail.us-reports.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
> dBAU+DdeGeQd for <[EMAIL PROTECTED]>; Thu, 4 Dec 2008 08:40:50 -0700 (MST)
> Received: from 88-109-126-174.dynamic.dsl.as9105.com
> (88-109-126-174.dynamic.dsl.as9105.com [88.109.126.174]) by
> mail.us-reports.com (Postfix) with SMTP id 4541F16C135 for
> <[EMAIL PROTECTED]>; Thu, 4 Dec 2008 08:40:35 -0700 (MST)
> To: <[EMAIL PROTECTED]>
> Subject: Your Order
> From: <[EMAIL PROTECTED]>
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
> Message-ID: <[EMAIL PROTECTED]>
> Date: Thu, 4 Dec 2008 08:40:35 -0700
> Return-Path: [EMAIL PROTECTED]
>
> Here is the result of postconf | grep restrict
>
> [EMAIL PROTECTED] postfix]# postconf | grep restrict
>
> smtpd_client_restrictions =
>
> smtpd_data_restrictions = reject_unauth_pipelining
>
> smtpd_end_of_data_restrictions =
>
> smtpd_etrn_restrictions =
>
> smtpd_helo_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname,
> reject_non_fqdn_hostname, permit
>
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
put reject_unauth_destination here.
> check_sender_access hash:/etc/postfix/sender_access,
> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_rbl_client sbl.spamhaus.org
if you used zen.spamhaus.org instead, the spam would have been
blocked... the IP is listed in xbl.
you can also use check_client_access to block
.dynamic.dsl.as9105.com REJECT blah blah
> reject_rbl_client list.dsbl.org,
dsbl has been gone for some time now. please remove it from your configuration.
> reject_unauth_pipelining,
reject_unauth_pipelining is useless here. put it under
smtpd_data_restrictions.
> reject_unauth_destination
>
> smtpd_restriction_classes =
> ***********************************************
> /etc/postfix/sender_access
>
> us-reports.com 554 SPAM
>
> my.ip.add.res 554 SPAM
>
> I tried setting up a header check that rejected anything from
> *.us-reports.com in the From:
>
> Obviously not a good thing to do as then no one internally could send mail.
>
and you would reject mailing lists, which is bad...
> Is there anything I can do that would say, If the From: address is
> [EMAIL PROTECTED] and it is not from mynetworks
> then REJECT it?
>
no. you could write a milter or a proxy_filter, but I don't think this
is worth the pain.
> The check_sender_access option is working great for the MAIL FROM:
> header, but that isn't catching these other ones.
>
> Thanks for any pointers on this.
>
> Postfix version 2.2.10
>
> Chris
>
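The reply's points about the posted restriction lists come down to how Postfix evaluates them: it walks each list in order and stops at the first rule that returns OK or REJECT, so any OK-capable rule (a `check_*_access` map hit, a bare `permit`) evaluated before `reject_unauth_destination` lets a client that matches it relay to any destination, and an access map keyed on sender address is trivially matched by a forged MAIL FROM. The script below is an added example, not code from the thread or from Postfix: it parses the `smtpd_recipient_restrictions` and `smtpd_data_restrictions` values quoted above (embedded as constructed sample input), reports the four problems the reply raises, and produces the reordered lists the reply recommends. The rule lists, RBL names and finding texts are this example's own assumptions. For the `check_client_access` suggestion, note that with the default `parent_domain_matches_subdomains` (which includes `smtpd_access_maps`) the map key `dynamic.dsl.as9105.com` already matches its subdomains; the `.dynamic.dsl.as9105.com` form only applies once `smtpd_access_maps` is removed from that list.

```python
"""Lint a Postfix restriction list the way the reply above does.

Added example, not from the thread and not Postfix code: report the four
problems the reply raises and emit the corrected restriction lists.
"""
import re

# Constructed sample input: the values quoted from `postconf | grep restrict`.
POSTED_RECIPIENT = (
    "permit_mynetworks, permit_sasl_authenticated, "
    "check_sender_access hash:/etc/postfix/sender_access, "
    "reject_non_fqdn_recipient, reject_unknown_recipient_domain, "
    "reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org, "
    "reject_unauth_pipelining, reject_unauth_destination"
)
POSTED_DATA = "reject_unauth_pipelining"

# permit_* rules that are safe ahead of reject_unauth_destination: they only
# match your own networks or authenticated users, never an arbitrary client.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
# Restrictions that consume the following token as their argument
# (check_* restrictions always do). Assumed list for this example.
ARG_RESTRICTIONS = {"reject_rbl_client", "reject_rhsbl_client",
                    "reject_rhsbl_sender", "reject_rhsbl_helo",
                    "reject_rhsbl_recipient"}
DEAD_RBLS = {"list.dsbl.org"}                             # DSBL shut down
RBL_UPGRADES = {"sbl.spamhaus.org": "zen.spamhaus.org"}  # ZEN = SBL+XBL+PBL


def parse_restrictions(value):
    """Split a main.cf restriction value into [(name, argument|None), ...]."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    rules, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        takes_arg = name.startswith("check_") or name in ARG_RESTRICTIONS
        if takes_arg and i + 1 < len(tokens):
            rules.append((name, tokens[i + 1]))
            i += 2
        else:
            rules.append((name, None))
            i += 1
    return rules


def render(rules):
    """Turn a parsed list back into main.cf syntax."""
    return ", ".join(n if a is None else f"{n} {a}" for n, a in rules)


def lint_recipient(rules):
    """Return the problems in an smtpd_recipient_restrictions list."""
    findings = []
    names = [n for n, _ in rules]
    if "reject_unauth_destination" in names:
        cut = names.index("reject_unauth_destination")
    else:
        findings.append("reject_unauth_destination missing: open relay")
        cut = len(rules)
    # Postfix stops at the first OK/REJECT, so an OK-capable rule before
    # reject_unauth_destination relays for whoever matches it (a whitelisted
    # sender in sender_access is matched by simply forging MAIL FROM).
    for name, arg in rules[:cut]:
        if name not in SAFE_PERMITS and (name.startswith("permit")
                                         or name.startswith("check_")):
            findings.append(f"{render([(name, arg)])} runs before "
                            "reject_unauth_destination: an OK result relays "
                            "for anyone")
    if "reject_unauth_pipelining" in names:
        findings.append("reject_unauth_pipelining belongs in "
                        "smtpd_data_restrictions, not here")
    for name, arg in rules:
        if name != "reject_rbl_client":
            continue
        if arg in DEAD_RBLS:
            findings.append(f"{arg} no longer operates: remove it")
        elif arg in RBL_UPGRADES:
            findings.append(f"{arg} misses XBL/PBL listings: "
                            f"use {RBL_UPGRADES[arg]}")
    return findings


def fix_recipient(rules):
    """reject_unauth_destination right after the safe permits, pipelining
    check removed, dead RBL dropped, SBL replaced by ZEN."""
    i = 0
    while i < len(rules) and rules[i][0] in SAFE_PERMITS:
        i += 1
    fixed = rules[:i] + [("reject_unauth_destination", None)]
    for name, arg in rules[i:]:
        if name in ("reject_unauth_destination", "reject_unauth_pipelining"):
            continue
        if name == "reject_rbl_client":
            if arg in DEAD_RBLS:
                continue
            arg = RBL_UPGRADES.get(arg, arg)
        fixed.append((name, arg))
    return fixed


def fix_data(rules):
    """Make sure smtpd_data_restrictions carries reject_unauth_pipelining."""
    if any(n == "reject_unauth_pipelining" for n, _ in rules):
        return list(rules)
    return list(rules) + [("reject_unauth_pipelining", None)]


if __name__ == "__main__":
    posted = parse_restrictions(POSTED_RECIPIENT)
    for finding in lint_recipient(posted):
        print("finding:", finding)
    print("smtpd_recipient_restrictions =", render(fix_recipient(posted)))
    print("smtpd_data_restrictions =",
          render(fix_data(parse_restrictions(POSTED_DATA))))
```

Running it against the posted configuration reports the `check_sender_access` map sitting ahead of `reject_unauth_destination`, the misplaced `reject_unauth_pipelining`, the SBL-only lookup and the dead DSBL list, and prints the reordered list; re-linting the fixed output yields no findings. It does not address the original question (rejecting a forged `From:` header for non-`mynetworks` clients), which the reply says plain restrictions cannot express.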