This is excellent. If you have other non-content spam filtering suggestions, I would greatly appreciate it.

On Wed, Jul 29, 2009 at 9:23 PM, Noel Jones <njo...@megan.vbhcs.org> wrote:
> Roman Gelfand wrote:
>
>> It looks like somebody is trying to figure out my internal users as
>> evidenced by log excerpts below. Is there something I could do to, if
>> not prevent this, reduce it?
>>
>> Thanks in advance
>>
>> Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
>> unknown[93.85.224.123]: 550 5.1.1 <atil...@abc.com>: Recipient address
>> rejected: User unknown in virtual mailbox table;
>> from=<atoll...@roulottes-moulin-de-cheni.com>
>> to=<atil...@abc.com>
>> proto=SMTP helo=<WIVANTR>
>> Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from
>> unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
>> FILTER dspam:dspam; from=<atoll...@roulottes-moulin-de-cheni.com>
>> to=<b...@abc.com> proto=SMTP helo=<WIVANTR>
>> Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: reject: RCPT from
>> unknown[93.85.224.123]: 550 5.1.1 <b...@abc.com>: Recipient address
>> rejected: User unknown in virtual mailbox table;
>> from=<atoll...@roulottes-moulin-de-cheni.com>
>> to=<b...@abc.com>
>> proto=SMTP helo=<WIVANTR>
>> Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: filter: RCPT from
>> unknown[93.85.224.123]: <unknown[93.85.224.123]>: Client host triggers
>> FILTER dspam:dspam; from=<finise...@rfstech.com>
>> to=<conning...@abc.com> proto=SMTP helo=<JYMQMAWNRE>
>> Jul 29 15:00:15 mail postfix/smtpd[2451]: NOQUEUE: reject: RCPT from
>> unknown[93.85.224.123]: 550 5.1.1 <conning...@abc.com>: Recipient
>> address rejected: User unknown in virtual mailbox table;
>> from=<finise...
>>
>
> logs are much easier to read if you press the [plain text] button when
> posting from gmail.
>
> No need to ever accept mail from this client.
>
> $ host 93.85.224.123
> Host 123.224.85.93.in-addr.arpa not found: 3(NXDOMAIN)
>
> The host has no reverse DNS and could be rejected with
> reject_unknown_reverse_client_hostname. Some big ISPs reject such clients,
> so this is somewhat unlikely to reject legit mail.
>
> http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>
> The client is listed in several RBLs. Adding
> reject_rbl_client zen.spamhaus.org
> to one of your smtpd_*_restrictions would get rid of them and lots of other
> junk. There are other RBLs you might consider, but currently zen is the
> most effective with a very low false positive rate.
> http://www.postfix.org/postconf.5.html#reject_rbl_client
> http://www.spamhaus.org/organization/dnsblusage.html
>
> And finally, reducing smtpd_hard_error_limit to something between 1..5
> would hang up on a client after that many
> bad recipients.
> http://www.postfix.org/postconf.5.html#smtpd_hard_error_limit
>
> After these things, then you can look at implementing fail2ban or similar.
> But do the basics first.
>
> --  Noel Jones
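
Added example, not part of the original thread and not code from either poster: a small Python detector for the recipient-probing pattern in the quoted log, counting distinct "User unknown" (550 5.1.1) rejections per client IP, the kind of log pattern a tool such as fail2ban would act on. The function name, the threshold and the sample log lines (documentation IP ranges, example.com addresses) are constructed for illustration.

```python
import re
from collections import defaultdict

# Postfix smtpd rejection of a nonexistent recipient, in the format shown in
# the quoted log. Captures the client IP and the rejected recipient address.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]*)>: "
    r"Recipient address rejected: User unknown"
)

def find_enumerators(lines, threshold=3):
    """Return {client_ip: sorted unknown recipients} for every client that
    was refused at least `threshold` distinct nonexistent recipients."""
    probes = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            # Case-fold so Bob@ and bob@ count as one probed address.
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(r) for ip, r in probes.items() if len(r) >= threshold}

# Constructed sample input (hypothetical hosts and addresses).
_FMT = ("Jul 29 15:00:{s:02d} mail postfix/smtpd[2448]: NOQUEUE: reject: "
        "RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
        "rejected: User unknown in virtual mailbox table; "
        "from=<x@example.net> to=<{rcpt}> proto=SMTP helo=<HOST>")
SAMPLE_LOG = [
    _FMT.format(s=14, ip="192.0.2.10", rcpt="alice@example.com"),
    # FILTER actions are logged too but are not rejections: ignored.
    "Jul 29 15:00:14 mail postfix/smtpd[2448]: NOQUEUE: filter: RCPT from "
    "unknown[192.0.2.10]: <unknown[192.0.2.10]>: Client host triggers "
    "FILTER dspam:dspam; from=<x@example.net> to=<bob@example.com>",
    _FMT.format(s=15, ip="192.0.2.10", rcpt="bob@example.com"),
    _FMT.format(s=15, ip="192.0.2.10", rcpt="Bob@example.com"),
    _FMT.format(s=16, ip="192.0.2.10", rcpt="carol@example.com"),
    # A single mistyped recipient from another client stays under threshold.
    _FMT.format(s=20, ip="198.51.100.7", rcpt="jon@example.com"),
    # A different rejection reason (relay denied) is not counted.
    "Jul 29 15:00:21 mail postfix/smtpd[2460]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 554 5.7.1 <u@other.example>: Relay access denied",
]

if __name__ == "__main__":
    for ip, rcpts in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} unknown recipients probed: {rcpts}")
```
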