I am trying to stop a flood of incoming spam that appears in user inboxes as coming from legitimate users.
The intent is to reject any emails claiming to be from inside our own network which do not actually originate from our own server IPs or authenticated sessions. In order to do this I followed the instructions I found at http://tech.groups.yahoo.com/group/postfix-users/message/246702.

Specifically, I added check_sender_access hash:/etc/postfix/copycats to smtpd_recipient_restrictions= after the mynetworks and SASL authenticated permits, added an /etc/postfix/copycats file containing

thisisreallymydomain.com REJECT

ran "postmap copycats", and did a postfix restart.

This properly prevents email from domains claiming to be our own, as in:

me:~ # telnet www.thisisreallymydomain.com smtp
> Trying 72.20.102.100...
> Connected to www.thisisreallymydomain.com.
> Escape character is '^]'.
> 220 www.thisisreallymydomain.com ESMTP Postfix (2.2.5)
> EHLO me.somebodysomewhere.com
> 250-www.supportwizard.com
> 250-PIPELINING
[...]
> 250 8BITMIME
> MAIL FROM: norm@thisisreallymydomain.com
> 250 Ok
> RCPT TO: normm@thisisreallymydomain.com
> 554 <norm@thisisreallymydomain.com>: Sender address rejected: Access denied
> QUIT
> 221 Bye
> Connection closed by foreign host.
This seems to be effective at stopping some of the spam, but other spam still arrives, with headers like:

> Received: by www.thisisireallymydomain.com (Postfix)
>     id 3C916254775; Tue, 30 Dec 2008 03:50:01 -0800 (PST)
> Delivered-To: n...@thisisireallymydomain.com
> Received: from alkhorayef.com (unknown [91.189.132.54])
>     by www.thisisireallymydomain.com (Postfix) with SMTP id B31A025472A
>     for <n...@thisisireallymydomain.com>; Tue, 30 Dec 2008 03:49:59 -0800 (PST)
> To: <n...@thisisireallymydomain.com>
> Subject: Celebrate a victory in love
> From: <n...@thisisireallymydomain.com>
> MIME-Version: 1.0
> Importance: High
> Content-Type: text/html
> Message-Id: <20081230114959.b31a0254...@www.thisisireallymydomain.com>
> Date: Tue, 30 Dec 2008 03:49:59 -0800 (PST)
> Return-Path: p...@acculab.com
> X-OriginalArrivalTime: 30 Dec 2008 11:50:31.0292 (UTC) FILETIME=[D10EABC0:01C96A74]

This arrives in the inbox of no...@thisisreallymydomain.com with no indication of the actual source being a different domain, as "From" n...@thisisreallymydomain.com.

How do I filter on the actual domain that it is coming from instead of the forged "From:" sent in the message headers?
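
Added example, not part of the original post: check_sender_access matches the envelope sender given in MAIL FROM (recorded in Return-Path), not the From: header, which is why the message above passes the copycats rule. The sketch below compares the two for a delivered message; the function names and the sample messages are constructed for illustration, and it assumes the envelope sender is available in a Return-Path header.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "thisisreallymydomain.com"  # placeholder domain used in the post

def domain_of(value):
    """Lowercased domain of the address in a header value, or '' if none."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def is_local(domain, local_domain=LOCAL_DOMAIN):
    """True for the local domain itself or any of its subdomains."""
    return domain == local_domain or domain.endswith("." + local_domain)

def classify(raw_message, local_domain=LOCAL_DOMAIN):
    """Compare the envelope sender (Return-Path) with the From: header."""
    msg = message_from_string(raw_message)
    envelope = domain_of(msg.get("Return-Path"))
    header = domain_of(msg.get("From"))
    return {
        "envelope_domain": envelope,
        "header_from_domain": header,
        # The address a sender-domain REJECT entry is matched against.
        "envelope_claims_local": is_local(envelope, local_domain),
        # From: header claims the local domain while the envelope does not.
        "header_only_forgery": is_local(header, local_domain)
        and not is_local(envelope, local_domain),
    }

def make_sample(return_path, header_from):
    """Build a constructed test message (all addresses are made up)."""
    return (
        f"Return-Path: <{return_path}>\n"
        f"From: <{header_from}>\n"
        "To: <norm@thisisreallymydomain.com>\n"
        "Subject: constructed sample\n\nbody\n"
    )

# Constructed samples: forged header only, forged envelope, unrelated sender.
FORGED_HEADER = make_sample("sender@elsewhere.example", "norm@thisisreallymydomain.com")
FORGED_ENVELOPE = make_sample("norm@thisisreallymydomain.com", "norm@thisisreallymydomain.com")
UNRELATED = make_sample("sender@elsewhere.example", "sender@elsewhere.example")

if __name__ == "__main__":
    for name, raw in [("forged header", FORGED_HEADER),
                      ("forged envelope", FORGED_ENVELOPE),
                      ("unrelated", UNRELATED)]:
        print(name, classify(raw))
```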