http://www.openspf.org/
--------------------------------------------------
From: "donovan jeffrey j" <dono...@beth.k12.pa.us>
Sent: Sunday, August 08, 2010 10:48 AM
To: "Postfix users" <postfix-users@postfix.org>
Subject: need help with forged To and From
greetings
this weekend I have been hit with a ton of forged spam messages.
here is a sample header:
From: realu...@beth.k12.pa.us
Subject: realu...@beth.k12.pa.us 62% OFF on Pfizer!
Date: August 8, 2010 9:41:57 AM EDT
To: realu...@beth.k12.pa.us
Return-Path: <realu...@beth.k12.pa.us>
Received: from murder ([unix socket]) by bragg.beth.k12.pa.us (Cyrus
v2.2.12-OS X 10.4.8) with LMTPA; Sun, 08 Aug 2010 09:43:46 -0400
Received: from smtp3.beth.k12.pa.us (smtp3.beth.k12.pa.us [10.135.1.13])
by bragg.beth.k12.pa.us (Postfix) with ESMTP id A327A3D8EE95 for
<basdarch...@beth.k12.pa.us>; Sun, 8 Aug 2010 09:43:46 -0400 (EDT)
Received: from localhost (mx2.beth.k12.pa.us [10.135.1.23]) by
smtp3.beth.k12.pa.us (Postfix) with ESMTP id 2D14229B0822 for
<realu...@beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:49 -0400 (EDT)
Received: from mx2.beth.k12.pa.us ([127.0.0.1]) by localhost
(mx2.beth.k12.pa.us [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
k3Z44V0jwgqW for <realu...@beth.k12.pa.us>; Sun, 8 Aug 2010
09:41:48 -0400 (EDT)
Received: from mail2.beth.k12.pa.us (mail2.beth.k12.pa.us [192.227.0.10])
by mx2.beth.k12.pa.us (Postfix) with ESMTP id AB7AD1F60ED for
<realu...@beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:48 -0400 (EDT)
Received: from 21-182-134-95.pool.ukrtel.net
(21-182-134-95.pool.ukrtel.net [95.134.182.21]) by mail2.beth.k12.pa.us
(Postfix) with ESMTP id BFDF110E19A4 for <realu...@beth.k12.pa.us>; Sun,
8 Aug 2010 09:41:57 -0400 (EDT)
X-Sieve: CMU Sieve 2.2
X-Virus-Scanned: amavisd-new at beth.k12.pa.us
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <20100808134157.bfdf110e1...@mail2.beth.k12.pa.us>
it seems that each of my users has received one of these. I have so many
restrictions in place that I'm not sure where to look at this point.
here are my restrictions on my MX:
smtpd_client_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    hash:/etc/postfix/smtpdreject,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client bl.spamcop.net,
    permit
smtpd_data_restrictions = check_sender_access hash:/etc/postfix/backscatter
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_hostname,
    reject_invalid_hostname
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/recipient_access,
    check_sender_mx_access cidr:/etc/postfix/reject_private_mx.cidr,
    warn_if_reject reject_unknown_client,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unauth_pipelining,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_restriction_classes = reject_ndn
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_recipient_access hash:/etc/postfix/backscatter_recipient
I do have header checks that I thought should thwart this:
# HEADER_CHECKS(5)
# Each rule below is one logical line; a line starting with whitespace
# continues the previous rule.
/^Received:.*by beth\.k12\.pa\.us/ REJECT Forged hostname in Received header
if /^Received:/
/^Received: +from +(beth\.k12\.pa\.us) +/ REJECT forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/ REJECT forged client name in Received: header: $1
/^Received:.* +by +(beth\.k12\.pa\.us)[[:>:]]/ REJECT forged mail server name in Received: header: $1
endif
did I miss something?
-j
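The post's four header_checks patterns all look for the local hostname inside Received: headers, but in the sample the Received chain is genuine: the message really did enter through mail2 from an outside host, and only the From:/To:/Return-Path: were forged. The script below is an added example, not the poster's code or anything from Postfix: it replays the post's own regexes (the `[[:>:]]` word boundary rewritten as `\b`, dots escaped, case-insensitive as Postfix matches them) over the sample header block, shows that none of them fire, and then does the check that would have caught this message: find the first untrusted hop in the Received chain and compare it with the domain claimed in From:. The sample headers are reconstructed from the post with the elided local parts left as they were; the trusted-hop rule (names under beth.k12.pa.us plus the internal names localhost and murder) and the single-space unfolding of continuation lines are assumptions made for the example.

```python
import re

LOCAL_DOMAIN = "beth.k12.pa.us"
# Assumption for the example: hosts the site operates itself. Anything else
# in the Received chain is an external client.
TRUSTED_INTERNAL_NAMES = {"localhost", "murder"}

# Constructed sample: the headers from the post, folded as they appeared there.
SAMPLE_HEADERS = """\
From: realu...@beth.k12.pa.us
To: realu...@beth.k12.pa.us
Return-Path: <realu...@beth.k12.pa.us>
Received: from murder ([unix socket]) by bragg.beth.k12.pa.us (Cyrus
 v2.2.12-OS X 10.4.8) with LMTPA; Sun, 08 Aug 2010 09:43:46 -0400
Received: from smtp3.beth.k12.pa.us (smtp3.beth.k12.pa.us [10.135.1.13])
 by bragg.beth.k12.pa.us (Postfix) with ESMTP id A327A3D8EE95 for
 <basdarch...@beth.k12.pa.us>; Sun, 8 Aug 2010 09:43:46 -0400 (EDT)
Received: from localhost (mx2.beth.k12.pa.us [10.135.1.23]) by
 smtp3.beth.k12.pa.us (Postfix) with ESMTP id 2D14229B0822 for
 <realu...@beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:49 -0400 (EDT)
Received: from mx2.beth.k12.pa.us ([127.0.0.1]) by localhost
 (mx2.beth.k12.pa.us [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id
 k3Z44V0jwgqW for <realu...@beth.k12.pa.us>; Sun, 8 Aug 2010
 09:41:48 -0400 (EDT)
Received: from mail2.beth.k12.pa.us (mail2.beth.k12.pa.us [192.227.0.10])
 by mx2.beth.k12.pa.us (Postfix) with ESMTP id AB7AD1F60ED for
 <realu...@beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:48 -0400 (EDT)
Received: from 21-182-134-95.pool.ukrtel.net
 (21-182-134-95.pool.ukrtel.net [95.134.182.21]) by mail2.beth.k12.pa.us
 (Postfix) with ESMTP id BFDF110E19A4 for <realu...@beth.k12.pa.us>; Sun,
 8 Aug 2010 09:41:57 -0400 (EDT)
"""

# Constructed counter-example: a Received line that really does forge the
# local hostname as the client name, which the post's second rule targets.
FORGED_RECEIVED = (
    "Received: from beth.k12.pa.us (beth.k12.pa.us [95.134.182.21])"
    " by mail2.beth.k12.pa.us (Postfix) with ESMTP id EXAMPLE\n"
)

# The post's header_checks, as Python regexes ([[:>:]] -> \b, dots escaped).
HEADER_CHECKS = [
    (r"^Received:.*by beth\.k12\.pa\.us", "Forged hostname in Received header"),
    (r"^Received: +from +(beth\.k12\.pa\.us) +", "forged client name in Received: header"),
    (r"^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)",
     "forged client name in Received: header"),
    (r"^Received:.* +by +(beth\.k12\.pa\.us)\b", "forged mail server name in Received: header"),
]

RECEIVED_FROM = re.compile(r"^Received:\s+from\s+(\S+)(?:\s+\(([^)]*)\))?", re.IGNORECASE)


def unfold_headers(raw):
    """Join folded continuation lines into one logical line per header (assumed single-space join)."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += " " + line.strip()
        elif line:
            logical.append(line)
    return logical


def run_header_checks(raw):
    """Apply the post's rules the way Postfix would: each logical header, case-insensitive."""
    hits = []
    for header in unfold_headers(raw):
        for pattern, reason in HEADER_CHECKS:
            if re.search(pattern, header, re.IGNORECASE):
                hits.append((reason, header))
    return hits


def received_hops(raw):
    """(claimed client name, bracketed IPv4 or None) per Received: header, most recent first."""
    hops = []
    for header in unfold_headers(raw):
        m = RECEIVED_FROM.match(header)
        if not m:
            continue
        ip = re.search(r"\[(\d+\.\d+\.\d+\.\d+)\]", m.group(2) or "")
        hops.append((m.group(1).lower(), ip.group(1) if ip else None))
    return hops


def is_trusted_hop(name):
    return name in TRUSTED_INTERNAL_NAMES or name.endswith("." + LOCAL_DOMAIN)


def first_external_hop(raw):
    """Walk the chain from the newest header down; the first untrusted 'from' is the real entry point."""
    for name, ip in received_hops(raw):
        if not is_trusted_hop(name):
            return name, ip
    return None


def header_value(raw, name):
    for header in unfold_headers(raw):
        if header.lower().startswith(name.lower() + ":"):
            return header.split(":", 1)[1].strip()
    return None


def spoofed_local_sender(raw):
    """True when From: claims the local domain but the message entered from an untrusted host."""
    sender = header_value(raw, "From") or ""
    domain = sender.rsplit("@", 1)[-1].strip("<> ").lower()
    return domain == LOCAL_DOMAIN and first_external_hop(raw) is not None


if __name__ == "__main__":
    print("header_checks hits on sample:", run_header_checks(SAMPLE_HEADERS))
    print("first external hop:", first_external_hop(SAMPLE_HEADERS))
    print("local sender from outside:", spoofed_local_sender(SAMPLE_HEADERS))
```

Run as-is, the sample produces no header_checks hits, an entry hop of 21-182-134-95.pool.ukrtel.net [95.134.182.21], and a spoofed-local-sender verdict of True; the constructed FORGED_RECEIVED line is the kind of input the post's rules were written for, and it does trip the second rule. The Postfix-side equivalent of the last check is a check_sender_access map that rejects the site's own domain, placed after permit_mynetworks and permit_sasl_authenticated so that the site's own relays and authenticated users are exempted, or an SPF check along the lines of the openspf.org link at the top of the thread.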