Jan-Kaspar Münnich wrote:
> Hello,
>
> I've set up Postfix 2.7.0 to relay all mails to the local proxy spampd:
>
> smtp      inet  n       -       n       -       25      smtpd
>     -o smtpd_proxy_filter=127.0.0.1:10025
>     -o smtpd_proxy_options=speed_adjust
> 127.0.0.1:10026 inet  n       -       n       -       -       smtpd
>     -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o smtpd_data_restrictions=
>     -o mynetworks=127.0.0.0/8
>     -o receive_override_options=no_unknown_recipient_checks
>     -o smtpd_client_connection_count_limit=25
>
> This works well for ~10.000 mails a day, but not for one kind of spam that
> occurred first two weeks ago. It is always very similar (one line, just
> varying URL and spam bot): http://pastebin.com/4arTzeRu
>
> These mails are just delivered to the mailbox, without any other log entry.
> Unfortunately it's not really possible to run Postfix in debug mode, since I
> can't reproduce the problem and would have to wait for the next occurrence.
>
> It's not a big problem since there are max. 5 of these spams getting through
> on the whole server per day. But I really want to investigate it and would be
> happy if anybody had an idea.
>
> Jan-Kaspar
check your spampd: are there any cases where it would pass mail without
checking it? Example: wrong whitelisting mechanism. a common error in
spamassassin is to use whitelist_from (which is easily abused by sender
forgery).

didn't check all your samples, but as for hinet, if you "have no hope from
them", then firewall them:

# cat /etc/pf.conf
...
discard = "block drop quick"
...
table <banned> persist file "/etc/pf/banned.net"
...
$discard from <banned> label "banned"

# cat /etc/pf/banned.net
...
#59.112.0.0 - 59.127.255.255
59.112.0.0/12
#61.220.0.0 - 61.231.255.255
61.220.0.0/14
61.224.0.0/14
61.228.0.0/14
#111.240.0.0 - 111.255.255.255
111.240.0.0/12
#114.32.0.0 - 114.47.255.255
114.32.0.0/12
#118.160.0.0 - 118.167.255.255
118.160.0.0/13
#118.168.0.0 - 118.171.255.255
118.168.0.0/14
#122.120.0.0 - 122.127.255.255
122.120.0.0/13
#218.160.0.0 - 218.175.255.255
218.160.0.0/12
#220.128.0.0 - 220.143.255.255
220.128.0.0/12
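As an added example (not code from either poster), a small Python audit of delivered messages that separates the two explanations the reply raises: mail that never went through spampd (no SpamAssassin headers at all) versus mail that was scanned but let through by a whitelist_from match. It assumes the default SpamAssassin header layout (X-Spam-Status with a tests= list, USER_IN_WHITELIST as the rule name for whitelist_from hits) and that the topmost Received header is the one the local smtpd added; the sample messages are constructed.

```python
import email
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TESTS_RE = re.compile(r"tests=([A-Z0-9_,]*)")

# Constructed samples (documentation addresses, not real traffic).
SAMPLES = [
    # 1: no X-Spam-Status at all -> spampd never saw this message
    b"Received: from mx.example.test ([203.0.113.9])\r\n\tby mail.example.test with ESMTP\r\n"
    b"From: bot@forged.example.test\r\nSubject: hi\r\n\r\nhttp://spam.example.test/\r\n",
    # 2: scanned, but whitelist_from matched the (forgeable) From header
    b"Received: from host ([192.0.2.10])\r\n\tby mail.example.test with ESMTP\r\n"
    b"X-Spam-Status: No, score=-1.0 required=5.0 tests=HTML_MESSAGE,USER_IN_WHITELIST\r\n"
    b"\tautolearn=no version=3.3.1\r\n"
    b"From: friend@partner.example.test\r\nSubject: hi\r\n\r\nbody\r\n",
    # 3: scanned normally
    b"Received: from relay ([198.51.100.7])\r\n\tby mail.example.test with ESMTP\r\n"
    b"X-Spam-Status: Yes, score=9.1 required=5.0 tests=HTML_MESSAGE,URIBL_BLACK\r\n"
    b"From: x@example.test\r\nSubject: hi\r\n\r\nbody\r\n",
]

def unfold(value):
    """Collapse RFC 5322 header folding into single spaces."""
    return " ".join(str(value).split())

def client_ip(msg):
    """Topmost Received header was added by our own smtpd: it names the client."""
    received = msg.get_all("Received") or []
    m = IP_RE.search(unfold(received[0])) if received else None
    return m.group(1) if m else None

def spam_tests(msg):
    """Return the set of SpamAssassin rules that fired, or None if never scanned."""
    status = msg.get("X-Spam-Status")
    if status is None:
        return None
    m = TESTS_RE.search(unfold(status))
    return {t for t in m.group(1).split(",") if t} if m else set()

def classify(raw):
    msg = email.message_from_bytes(raw)
    tests = spam_tests(msg)
    if tests is None:
        verdict = "unscanned"    # bypassed the proxy filter entirely
    elif "USER_IN_WHITELIST" in tests:
        verdict = "whitelisted"  # whitelist_from hit: sender-only, forgeable
    else:
        verdict = "scanned"
    return {"from": unfold(msg.get("From", "")), "client_ip": client_ip(msg), "verdict": verdict}

def audit(raw_messages):
    """Classify every message; 'unscanned' entries are the ones to chase in the logs."""
    return [classify(r) for r in raw_messages]
```

Feeding it the real messages (e.g. from the mailbox via the mailbox module) and grouping by client_ip tells you which hosts to look up in the Postfix log for the missing filter entries.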