LuKreme wrote:
> Received a message with the following received header:
>
> Received: from twitter.com (unknown [152.157.207.191])
>         by mail.covisp.net (Postfix) with ESMTP id 3D796118B753
>         for <kr...@kreme.com>; Mon, 22 Jun 2009 10:46:37 -0600 (MDT)
>
> It was a virus payload containing a zip file with a .exe inside it (made
> to look like a pdf).
>
> I got another nearly identical one claiming to be from hallmark ecards
> within a few minutes.
>
> postfix/smtpd[31572]: 94E84118B80D: client=unknown[152.157.207.191]
> postfix/cleanup[33547]: 94E84118B80D:
> message-id=<20090622164644.94e84118b...@mail.covisp.net>
> postfix/qmgr[1043]: 94E84118B80D: from=<e-ca...@hallmark.com>,
> size=684311, nrcpt=1 (queue active)
> postfix/local[33558]: 94E84118B80D: to=<kr...@covisp.net>,
> orig_to=<kr...@kreme.com>, relay=local, delay=70, delays=70/0/0/0.31,
> dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t
> -a $EXTENSION)
> postfix/qmgr[1043]: 94E84118B80D: removed
> postfix/smtpd[32918]: 3D796118B753: client=unknown[152.157.207.191]
> postfix/cleanup[33397]: 3D796118B753:
> message-id=<20090622164638.3d796118b...@mail.covisp.net>
> postfix/qmgr[1043]: 3D796118B753: from=<invitati...@twitter.com>,
> size=688383, nrcpt=1 (queue active)
> postfix/local[33558]: 3D796118B753: to=<kr...@covisp.net>,
> orig_to=<kr...@kreme.com>, relay=local, delay=65, delays=64/0.01/0/0.44,
> dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t
> -a $EXTENSION)
> postfix/qmgr[1043]: 3D796118B753: removed
>
> I know they aren't hitting the various unknown checks because they are
> claiming a valid-looking name in the EHLO, but is there something I can
> do to drop these at the transaction phase? I searched my mailspool for
> all the IDs for "client=unknown" and then searched the maillog for those
> IDs grepping on the 'from=' line, printing them out and sorting them. I
> don't see anything in the maillogs for the last 31 days that is a
> legitimate email.

you think so, but FPs come in when you don't wait for them...

> Is there any way to, if not outright reject anyone whose DNS shows up as
> unknown, to at least tempfail them with a "Ooops, your DNS is not
> resolving, try back later" or something?

if you insist, you could use one of
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

but use at your own risk. In particular, reject_unknown_client_hostname
(previously: reject_unknown_client) _will_ block or delay legitimate mail.

> Seems at least half the spam that gets by zen shows up as client=unknown

how much is half of what...
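The triage LuKreme describes (collect the queue IDs logged with client=unknown, join each to its qmgr from= line, sort by sender) as an added Python example over constructed maillog lines; this is not code from the thread, and the sample sender addresses, the mx.example.org host and the two extra queue IDs are made up. The per-IP count it produces is the kind of evidence to weigh before enabling reject_unknown_client_hostname, since that restriction delays or blocks legitimate mail from any host whose reverse DNS fails.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt in the format the thread quotes (not real log data).
SAMPLE_LOG = """\
Jun 22 10:46:37 mail postfix/smtpd[32918]: 3D796118B753: client=unknown[152.157.207.191]
Jun 22 10:46:38 mail postfix/qmgr[1043]: 3D796118B753: from=<sender-a@example.net>, size=688383, nrcpt=1 (queue active)
Jun 22 10:46:44 mail postfix/smtpd[31572]: 94E84118B80D: client=unknown[152.157.207.191]
Jun 22 10:46:45 mail postfix/qmgr[1043]: 94E84118B80D: from=<sender-b@example.net>, size=684311, nrcpt=1 (queue active)
Jun 22 10:50:01 mail postfix/smtpd[32919]: 1234567890AB: client=mx.example.org[192.0.2.10]
Jun 22 10:50:02 mail postfix/qmgr[1043]: 1234567890AB: from=<alice@example.org>, size=1200, nrcpt=1 (queue active)
Jun 22 10:51:00 mail postfix/smtpd[32920]: ABCDEF012345: client=unknown[198.51.100.7]
Jun 22 10:51:01 mail postfix/qmgr[1043]: ABCDEF012345: from=<>, size=900, nrcpt=1 (queue active)
"""

# smtpd line: queue ID, client hostname ("unknown" when reverse DNS fails), client IP
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=([^\[\s]+)\[([^\]]+)\]")
# qmgr line: queue ID and envelope sender (empty <> for bounces)
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")


def correlate_unknown_clients(log_text):
    """Return [(queue_id, client_ip, envelope_sender)] for every message whose
    smtpd line shows client=unknown, joined to its qmgr from= line by queue ID,
    sorted by sender so repeated senders group together for review."""
    unknown = {}   # queue_id -> client IP
    senders = {}   # queue_id -> envelope sender
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and m.group(2) == "unknown":
            unknown[m.group(1)] = m.group(3)
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2)
    rows = [(qid, ip, senders.get(qid, "")) for qid, ip in unknown.items()]
    return sorted(rows, key=lambda r: (r[2], r[1], r[0]))


def count_by_ip(rows):
    """Messages per unresolvable client IP: which hosts would have been
    affected had reject_unknown_client_hostname been in force."""
    return Counter(ip for _, ip, _ in rows)


if __name__ == "__main__":
    for qid, ip, sender in correlate_unknown_clients(SAMPLE_LOG):
        print(f"{qid}  {ip:<16} from=<{sender}>")
    print(count_by_ip(correlate_unknown_clients(SAMPLE_LOG)))
```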