Alex a écrit :
> Hi,
>
>>> Received: from zaphod.chipchaps.com (unknown [65.182.186.13])
>>>
>>> It says 'unknown', but 65.182.186.13 does resolve, to chipchaps.com (a
>>> spam site), which resolves back to 65.182.186.12. Is this where the
>>> problem is?
>> The definition of an "unknown" client hostname is given in
>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>> which, as the name suggests, rejects mail from a client with a hostname
>> that Postfix considers "unknown".
>
> Is it common practice to have that restriction in a production environment?
>
> It appears to be the third case here, that the name->address mapping
> does not match the client IP address. Could this be from a legitimate
> cause, or typically intentionally to be evasive?
>
since they put their domain name in their HELO (zaphod.chipchaps.com),
they're not trying to evade anything.
you could try
check_client_access hash:/etc/postfix/access_unknown
smtpd_restriction_classes =
...
policy_strong
policy_strong =
reject_rbl_client bb.barracudacentral.org
...
== access_unknown
unknown policy_strong
as usual, use at your own risk! you can try it with warn_if_reject for
some time if that makes you feel more confident
(and no, I don't use such a check).
> Could it be found in a legitimate dynamic environment, such as at an ISP?
no, these are spammers (illegal "work from home"). the domain probably
belongs to "Global Innovative Marketing" as you can find by visiting
their web page (www.chipchaps...) then clicking on the link at the
bottom, which leads you to a privacy page, and if you scroll down, you
get br...@myvemmaoffice.com. whois of the latter gives "Global
Innovative Marketing" (both chipchaps and bvconsulting.org have hidden
whois).
anyway,
- www.chipchaps... sis enough to convince you they are spammers.
- they have two IPs (.12 and .13) inside a range of IPs with generic
names belonging to pugmarks.com, who provide hosting...
Also look at Senderbase:
http://www.senderbase.org/senderbase_queries/detailip?search_string=65.182.186.0%2F24
you can probably block the whole range...
>
> Is there a way to log these specific failures so I can get a better
> idea of under what circumstances they occur in my environment?
>
> I'm currently rejecting the following, in this order:
>
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_pipelining,
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_unauth_destination,
> reject_maps_rbl,
>
> Thanks,
> Alex
