Chris Funk <[EMAIL PROTECTED]> wrote:

> I am getting a lot of spam with forged addresses in the From: header. They
> are forging it with our domain addresses. Here is an example:

This has been discussed recently on the list; check the archives for others'
opinions and solutions.

> Received: from localhost (localhost.localdomain [127.0.0.1])
>     by mail.us-reports.com (Postfix) with ESMTP id 391E716C11F
>     for <[EMAIL PROTECTED]>; Thu, 4 Dec 2008 08:40:55 -0700 (MST)
> X-Virus-Scanned: amavisd-new at us-reports.com
> Received: from mail.us-reports.com ([127.0.0.1])
>     by localhost (mail.us-reports.com [127.0.0.1]) (amavisd-new, port 10024)
>     with ESMTP id dBAU+DdeGeQd for <[EMAIL PROTECTED]>;
>     Thu, 4 Dec 2008 08:40:50 -0700 (MST)
> Received: from 88-109-126-174.dynamic.dsl.as9105.com
>     (88-109-126-174.dynamic.dsl.as9105.com [88.109.126.174])
>     by

% host 174.126.109.88.zen.spamhaus.org
174.126.109.88.zen.spamhaus.org has address 127.0.0.4
174.126.109.88.zen.spamhaus.org has address 127.0.0.11

You should consider rejecting email at SMTP time with the zen.spamhaus.org
RBL. FWIW, this IP is also listed on several other RBLs:

http://openrbl.org/client/#88.109.126.174

Did the spam sending machine HELO with that dynamic hostname? Several people
block such hosts with the following PCRE (from the archives) in
smtpd_helo_checks:

/\d+([-\.]\d+){3}/ REJECT Generic hostnames prohibited.

> Here is the result of postconf | grep restrict

Next time, 'postconf -n' instead.

> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> check_sender_access hash:/etc/postfix/sender_access,

Hopefully you don't OK anyone in here; if you do, consider placing it after
reject_unauth_destination, which should anyway appear much higher in your set
of restrictions.

> reject_non_fqdn_recipient,
> reject_unknown_recipient_domain,
> reject_rbl_client sbl.spamhaus.org,

Again, consider zen.spamhaus.org, which combines the SBL, XBL and PBL
blocklists.

> reject_rbl_client list.dsbl.org,
> reject_unauth_pipelining,

Move this to smtpd_data_restrictions; from postconf(5):

    Note: reject_unauth_pipelining is not useful outside
    smtpd_data_restrictions when 1) the client uses ESMTP (EHLO instead of
    HELO) and 2) with "smtpd_delay_reject = yes" (the default). The use of
    reject_unauth_pipelining in the other restriction contexts is therefore
    not recommended.

> smtpd_restriction_classes =
> ***********************************************
> /etc/postfix/sender_access
>
> us-reports.com 554 SPAM
>
> my.ip.add.res 554 SPAM
>
> I tried setting up a header check that rejected anything from *.
> us-reports.com in the From:
>
> Obviously not a good thing to do as then no one internally could send mail.
>
> Is there anything I can do that would say, If the From: address is *@
> us-reports.com and it is not from mynetworks then REJECT it?

Place the check after permitting your networks, SASL auth'd clients, and
reject_unauth_destination.

> The check_sender_access option is working great for the MAIL FROM: header,
> but that isn't catching these other ones.

check_sender_access works on the ENVELOPE, not the HEADER.

-- 
Sahil Tandon <[EMAIL PROTECTED]>
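The restriction ordering Sahil recommends, written out as a complete
main.cf fragment. This is an added example for this page, not Chris's
configuration or anything from the Postfix project; the map file names,
the reject text and the "554" code are assumptions carried over from the
quoted config. The weak ordering from the original post (sender access map
evaluated before reject_unauth_destination, reject_unauth_pipelining in the
recipient stage, SBL alone) is shown commented out beside the corrected one.

```conf
# /etc/postfix/main.cf (added example; not the poster's own config)

# Clients must say HELO/EHLO, so the generic-hostname check below can fire.
smtpd_helo_required = yes
smtpd_delay_reject  = yes

# Own networks and SASL users are exempted before the HELO pattern, so an
# internal laptop with a dynamic-looking name is not rejected.
smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_helo_access pcre:/etc/postfix/helo_checks

# Original order (weak):
#   permit_mynetworks, permit_sasl_authenticated,
#   check_sender_access hash:/etc/postfix/sender_access,
#   reject_non_fqdn_recipient, reject_unknown_recipient_domain,
#   reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org,
#   reject_unauth_pipelining
#
# Corrected order: relay control first, then the sender map (now safe even
# if it ever contains an OK entry), then the DNSBL with ZEN instead of SBL.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_rbl_client zen.spamhaus.org

# reject_unauth_pipelining only works here with ESMTP + smtpd_delay_reject.
smtpd_data_restrictions =
    reject_unauth_pipelining

# /etc/postfix/helo_checks (pcre table, no postmap needed)
/\d+([-\.]\d+){3}/  REJECT Generic hostnames prohibited.

# /etc/postfix/sender_access (hash table; run: postmap /etc/postfix/sender_access)
# Matches envelope MAIL FROM only. Because it sits after permit_mynetworks and
# permit_sasl_authenticated, outsiders claiming @us-reports.com are refused
# while your own users still send.
us-reports.com      554 SPAM
```

Three checks before deploying: `postconf -m` must list `pcre` for the HELO
table to load; `postmap -q us-reports.com hash:/etc/postfix/sender_access`
confirms the hash map was rebuilt; and `postfix check` catches typos in
restriction names. Two caveats on the quoted config: an IP address keyed in
check_sender_access never matches a client, because that map sees only the
sender address and domain (client addresses belong in check_client_access);
and header_checks run in cleanup(8), which has no client information, so the
header From: case cannot be made conditional on mynetworks that way, which is
why the envelope-level check above is the one that can be scoped. The DSBL
list quoted in the thread was later shut down; drop any DNSBL that no longer
answers, since a lapsed domain that starts returning wildcard A records would
reject every client.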
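The manual lookup Sahil ran ("host 174.126.109.88.zen.spamhaus.org") and
the HELO pattern from the archives, as POSIX shell functions. This is an
added example, not part of the thread: reversing the octets, decoding the
127.0.0.x answers ZEN returns, and testing a HELO name against the pattern
are separated so the first two can be checked offline; only zen_lookup
needs the network and the host(1) tool. The ERE in helo_is_generic is my
translation of the PCRE /\d+([-\.]\d+){3}/ for grep.

```shell
#!/bin/sh
# Added example (not from the original thread).

# reverse_ip 88.109.126.174  ->  174.126.109.88
reverse_ip() {
    printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'
}

# zen_name 88.109.126.174  ->  174.126.109.88.zen.spamhaus.org
zen_name() {
    printf '%s.zen.spamhaus.org\n' "$(reverse_ip "$1")"
}

# classify_zen 127.0.0.4  ->  XBL
# Return codes as Spamhaus documents them for ZEN (the list "combines SBL,
# XBL and PBL"): 127.0.0.2-3 SBL, 127.0.0.4-7 XBL, 127.0.0.10-11 PBL.
# The quoted answer 127.0.0.4 + 127.0.0.11 therefore means: exploited host
# sitting in dynamic/end-user address space.
classify_zen() {
    case "$1" in
        127.0.0.2|127.0.0.3)                      echo SBL ;;
        127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7)  echo XBL ;;
        127.0.0.10|127.0.0.11)                    echo PBL ;;
        *)                                        echo UNKNOWN ;;
    esac
}

# helo_is_generic NAME: succeeds when NAME looks like a dynamic/generic host,
# i.e. contains four digit groups separated by '-' or '.', as the archive
# PCRE /\d+([-\.]\d+){3}/ does (PCRE \d written as [0-9] for grep -E).
helo_is_generic() {
    printf '%s\n' "$1" | grep -Eq '[0-9]+([-.][0-9]+){3}'
}

# zen_lookup IP: live DNS query, one "<ip> <code> <list>" line per answer.
# Needs network access and host(1); returns 1 when the IP is not listed.
zen_lookup() {
    name=$(zen_name "$1")
    answers=$(host "$name" 2>/dev/null | awk '/has address/ { print $NF }')
    if [ -z "$answers" ]; then
        echo "$1 not listed in zen.spamhaus.org"
        return 1
    fi
    for a in $answers; do
        echo "$1 $a $(classify_zen "$a")"
    done
}

# Usage: zen_lookup 88.109.126.174
#        helo_is_generic 88-109-126-174.dynamic.dsl.as9105.com && echo generic
```

A HELO name that passes helo_is_generic is exactly what the pcre table
rejects, so running the function over the HELO names from a day of mail logs
before enabling the table shows which legitimate senders (if any) would be
caught.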