Rob Brandt wrote, On 7/1/2009 9:09 AM:
> Excellent, I now get a match using postmap. If the spam doesn't cease,
> I'll be back. Thanks everyone!
> Rob
Nuts. I am still getting spam. Is there any reason header_checks might
not be enabled? Is header_checks being run before SA processes it?
Here's my header_checks file:
*********************************************
# X-Spam-Flag
/^X-Spam-Flag: YES$/ DISCARD X-Spam-Flag
Here's my current main.cf:
*********************************************
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = mail.dom.ain
alias_maps = hash:/etc/aliases,hash:/usr/local/mailman/data/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = amd64.dom.ain, localhost.dom.ain,localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
virtual_alias_maps =
    hash:/etc/postfix/virtual,hash:/usr/local/mailman/data/virtual-mailman
home_mailbox = Maildir/
content_filter = smtp-amavis:[127.0.0.1]:10024
debug_peer_list = amd64.dom.ain
unknown_local_recipient_reject_code = 550
transport_maps = hash:/etc/postfix/transport
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
inet_interfaces = all
smtpd_tls_auth_only = no
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
header_checks = regexp:/etc/postfix/header_checks
Here's the headers from a very spammy email I just received:
*************************************************************
Return-Path: <ale...@52.red-88-5-123.dynamicip.rima-tde.net>
X-Original-To: bronto-dom....@amd64.dom.ain
Delivered-To: bronto-dom....@amd64.dom.ain
Received: from localhost (localhost [127.0.0.1])
    by mail.dom.ain (Postfix) with ESMTP id A24B1422C5
    for <bronto-dom....@amd64.dom.ain>; Wed, 1 Jul 2009 10:10:54 -0700
    (PDT)
X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain
X-Spam-Flag: YES
X-Spam-Score: 27.191
X-Spam-Level: ***************************
X-Spam-Status: Yes, score=27.191 tagged_above=-999 required=6.31
    tests=[BAYES_99=3.5, DIGEST_MULTIPLE=0.001, FH_HELO_ALMOST_IP=3.565,
    FH_HOST_EQ_DYNAMICIP=4.058, HELO_DYNAMIC_SPLIT_IP=3.493,
    HTML_FONT_SIZE_LARGE=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=1.457,
    PYZOR_CHECK=3.7, RAZOR2_CF_RANGE_51_100=0.5,
    RAZOR2_CF_RANGE_E4_51_100=1.5, RAZOR2_CHECK=0.5, RCVD_IN_PBL=0.905,
    RCVD_IN_SORBS_DUL=0.877, RCVD_IN_XBL=3.033, RDNS_DYNAMIC=0.1]
X-Spam-Report:
    * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%
    *     [score: 1.0000]
    * 4.1 FH_HOST_EQ_DYNAMICIP Host is dynamicip
    * 3.5 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
    *     IP)
    * 3.6 FH_HELO_ALMOST_IP Helo is almost an IP addr.
    * 0.9 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
    *     [88.5.123.52 listed in zen.spamhaus.org]
    * 3.0 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    * 0.9 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    *     [88.5.123.52 listed in dnsbl.sorbs.net]
    * 0.0 HTML_MESSAGE BODY: HTML included in message
    * 0.0 HTML_FONT_SIZE_LARGE BODY: HTML font size is large
    * 1.5 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level
    *     above 50%
    *     [cf: 100]
    * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
    * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
    *     [cf: 100]
    * 3.7 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
    * 0.0 DIGEST_MULTIPLE Message hits more than one network digest check
    * 0.1 RDNS_DYNAMIC Delivered to trusted network by host with
    *     dynamic-looking rDNS
Received: from mail.dom.ain ([127.0.0.1])
    by localhost (amd64.dom.ain [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id z1oE2BXbOpmz for <bronto-dom....@amd64.dom.ain>;
    Wed, 1 Jul 2009 10:10:49 -0700 (PDT)
Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net
    (52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])
    by mail.dom.ain (Postfix) with ESMTP id 39BCB42208
    for <bro...@dom.ain>; Wed, 1 Jul 2009 10:10:43 -0700 (PDT)
Received: from localhost (nr.ru [127.0.0.1])
    by nr.ru (8.14.2/8.14.2) with SMTP id ywaeec63;
    Wed, 1 Jul 2009 18:10:21 +0100
    (envelope-from ly...@yandex.ru)
To: Bronto <bro...@dom.ain>
Subject: ***SPAM*** =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=
X-PHP-Script: nr.ru/index.php
From: =?koi8-r?B?7cHSyyD7wdLP1w==?= <ly...@yandex.ru>
Auto-Submitted: auto-generated
Message-ID: <4694156114.20090701181...@nr.ru>
MIME-Version: 1.0
Content-Type: text/html; charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-Mailer: IPB PHP
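The ordering question raised in the post (does header_checks run before the content_filter hands the mail to amavisd-new?), as an added example that is not part of the original thread: a small Python model of the two cleanup passes a filtered message goes through. It assumes, as in the usual Debian amavisd-new master.cf setup, that the 127.0.0.1:10025 reinjection listener sets receive_override_options=no_header_body_checks, and that the first header_checks pass sees the message before amavisd-new has added any X-Spam-Flag header; the sample headers are constructed after the ones in the post.

```python
import re

# Constructed sample data modelled on the headers in the post.
# What smtpd/cleanup sees at first receipt: amavisd-new has not run yet,
# so there is no X-Spam-Flag header for the DISCARD rule to match.
HEADERS_AT_SMTPD = [
    "Received: from 52.Red-88-5-123.dynamicIP.rima-tde.net\n"
    "    (52.Red-88-5-123.dynamicIP.rima-tde.net [88.5.123.52])\n"
    "    by mail.dom.ain (Postfix) with ESMTP id 39BCB42208",
    "From: =?koi8-r?B?7cHSyyD7wdLP1w==?= <ly...@yandex.ru>",
    "To: Bronto <bro...@dom.ain>",
    "Subject: =?koi8-r?B?8sHT0M/T1NLBztHFzSDJzsbP0s3Bw8nA?=",
    "Content-Type: text/html; charset=\"koi8-r\"",
]
# Headers amavisd-new prepends before reinjecting on 127.0.0.1:10025.
AMAVIS_ADDED = [
    "X-Virus-Scanned: Debian amavisd-new at amd64.dom.ain",
    "X-Spam-Flag: YES",
    "X-Spam-Score: 27.191",
]
# The rule from the poster's header_checks file; Postfix regexp tables
# match case-insensitively by default, hence re.IGNORECASE.
HEADER_CHECKS = [(re.compile(r"^X-Spam-Flag: YES$", re.IGNORECASE), "DISCARD")]

def header_checks(headers, rules):
    """Model of header_checks(5): each logical header is unfolded into one
    'Name: value' line and matched against the rules; first match wins."""
    for header in headers:
        logical = " ".join(part.strip() for part in header.splitlines())
        for pattern, action in rules:
            if pattern.search(logical):
                return action
    return "OK"

def simulate_pipeline(original, added_by_filter, checks_on_reinjection):
    """Two cleanup passes: once at initial receipt (before content_filter),
    once when amavisd-new reinjects. checks_on_reinjection=False models a
    10025 listener with receive_override_options=no_header_body_checks."""
    if header_checks(original, HEADER_CHECKS) == "DISCARD":
        return "discarded before content_filter"
    reinjected = added_by_filter + original
    if not checks_on_reinjection:
        return "delivered: header_checks skipped on reinjection"
    if header_checks(reinjected, HEADER_CHECKS) == "DISCARD":
        return "discarded after content_filter"
    return "delivered"

if __name__ == "__main__":
    print(simulate_pipeline(HEADERS_AT_SMTPD, AMAVIS_ADDED, False))
    print(simulate_pipeline(HEADERS_AT_SMTPD, AMAVIS_ADDED, True))
```

The first call shows why a DISCARD rule on a header that only exists after filtering never fires in this setup; the second shows what changes if the reinjection path does run header_checks (an alternative is to let amavisd-new itself discard or quarantine above a chosen spam score).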