On 11/28/2012 7:55 AM, vi...@vheuser.com wrote:
> I am receiving spam from ever changing client IP addresses. Each spam
> has other tiny variations that prevent string matching. The one thing
> they all have in common is the owner of the IP addresses. Is there any
> way to do lookup of the client IP owner at Prescreen or SMTP time to
> REJECT the incoming connection? Is this a workable solution? I've
> searched the web, the documentation and archives. No luck. Does anyone
> have a solution or script? Thanks!
This is a classic snowshoe spammer attack and I've seen it hundreds of
times. Snowshoe is incredibly difficult to block with automation, but
it's getting better. There are a number of ways to beat this back without
writing custom code.

First, are you using both BRBL and Spamhaus Zen DNSBLs? If not, use them.
How about Spamhaus DBL? The DBL contains tons of snowshoe domains. Usage:

    smtpd_recipient_restrictions =
        ...
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client b.barracudacentral.org
        reject_rhsbl_reverse_client dbl.spamhaus.org
        reject_rhsbl_sender dbl.spamhaus.org
        reject_rhsbl_helo dbl.spamhaus.org
        ...

If that doesn't knock most of it down, simply use a local CIDR table.
I've been building my ad hoc table for about 5 years now and I'm blocking
1685 snowshoe netblocks from /27 to /15 that have sent spam here. You're
welcome to use it if you like. WARNING: it is very aggressive and may
cause FPs at your site, so use with care and monitor it, removing or
remarking entries that cause (too many) FPs.

http://www.hardwarefreak.com/spammer.txt

You can append this to your Postscreen blacklist or use it in
smtpd_foo_restrictions such as:

    smtpd_recipient_restrictions =
        ...
        check_client_access /etc/postfix/spammer.cidr
        ...

Later I can teach you how to build/maintain/expand such a file when
snowshoe hits you from new netblocks, and provide you some tools for
looking at a netblock's rDNS entries to see if it's totally spammy or
shared with legit senders.

Happy snowshoe hunting.

-- 
Stan
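The two mechanisms in Stan's reply, the DNSBL lookups behind reject_rbl_client and the first-match CIDR table behind check_client_access, can be modelled offline. The following Python script is an added example for this thread, not Stan's code and not part of Postfix: it builds the DNS name Postfix would query for a client address (reversed octets, or reversed nibbles for IPv6, followed by the zone), and it parses a small CIDR table in Postfix's cidr: format and evaluates sample client IPs against it with Postfix's first-match semantics. The table and the client addresses are constructed from the RFC 5737 documentation ranges; no DNS queries are made.

```python
import ipaddress

# Constructed sample table in Postfix cidr: format (RFC 5737 documentation
# ranges only). Like Postfix, the FIRST matching line wins, so a narrow
# "OK" exception for a legitimate host must precede the wider REJECT.
SAMPLE_CIDR_TABLE = """
# hypothetical snowshoe netblocks, constructed for this example
192.0.2.0/27          REJECT snowshoe netblock, see postmaster
198.51.100.70         OK
198.51.100.64/26      REJECT snowshoe netblock
"""

# Constructed client addresses to evaluate against the table.
SAMPLE_CLIENTS = ["192.0.2.31", "192.0.2.40", "198.51.100.70",
                  "198.51.100.80", "203.0.113.9"]


def dnsbl_query_name(ip, zone):
    """Return the name a reject_rbl_client lookup resolves for ip in zone.

    IPv4: octets reversed, e.g. 192.0.2.10 -> 10.2.0.192.<zone>.
    IPv6: all 32 hex nibbles reversed and dot-separated.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        nibbles = addr.exploded.replace(":", "")
        reversed_part = ".".join(reversed(nibbles))
    return f"{reversed_part}.{zone}"


def parse_cidr_table(text):
    """Parse 'network[/prefix] action' lines; '#' starts a comment.

    A bare address is treated as a single host (/32 or /128). Host bits
    set inside the prefix are tolerated (strict=False) rather than fatal.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'network/prefix action'")
        network = ipaddress.ip_network(parts[0], strict=False)
        entries.append((network, parts[1].strip()))
    return entries


def lookup_client(entries, ip):
    """Return the action of the first entry containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for network, action in entries:
        if addr.version == network.version and addr in network:
            return action
    return None


def evaluate_clients(table_text, clients):
    """Map each client address to its table action (None = no match)."""
    entries = parse_cidr_table(table_text)
    return {ip: lookup_client(entries, ip) for ip in clients}


if __name__ == "__main__":
    for ip, action in evaluate_clients(SAMPLE_CIDR_TABLE, SAMPLE_CLIENTS).items():
        print(f"{ip:16} {action or '(no match, falls through)'}")
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))
```

Against a real table, the same check is `postmap -q 198.51.100.70 cidr:/etc/postfix/spammer.cidr`, which is the quickest way to confirm that an exception line sits above the block it is meant to override before reloading Postfix.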