> It does not apply to this message, but I was wondering
> if it was safe to block unknown e.g. "connect from
> unknown[123.63.85.49]".

It will have limited effectiveness against these kinds of campaigns.
If nothing else, it would be a signal to legit senders to only send from
IPs with proper rDNS, which is good. :)

> Presumably this means no reverse DNS record, but is it
> reasonable to block these or will I reject too much good
> stuff? If it is reasonable, what is the best way to block
> them? I also use zen.spamhaus.org so I think this blocks
> many of them anyway as they seem to be from dynamic IP
> address blocks.

Best way would be to NOT block but to mark as spam.
That way, the sender can be poked to clean up their act.

"IMHO", "YMMV", "VWPBL"....

>
>      Nick
>
>      On 10/02/2016 19:39, Michael J Wise wrote:
>
> Hi, In the last few weeks I've seen an increase in the number of e-mails
> with nasty .doc or .xls files, generally with some sort of invoice
> supposedly in them. Can postfix be reliably configured to block them at
> source?
>
> There are a number of techniques that could be deployed against it.
> None of them are, "Easy". And nothing concerning viruses could ever be
> classified as, "Safe". Incoming attachments from people you don't know
> ... Considered Harmful. Especially if those attachment filetypes
> support, "Macro"s.  :(
>
> Below is a message header, the relevant bit of the maillog and my
> configuration:
>
> Return-Path:
> Received: from localhost (localhost [127.0.0.1])
>         by server.mydomain.co.uk (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.v6) with LMTPA;
>         Wed, 10 Feb 2016 17:41:36 +0000
> X-Sieve: CMU Sieve 2.3
> X-Virus-Scanned: amavisd-new at mydomain.co.uk
> X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field made up
>         entirely of whitespace (char 09 hex): Content-Type:
>         ...80A65A5A6F0709FA513B7426538A615A81AC6E9920_"\n\t
> X-Spam-Flag: YES
> X-Spam-Score: 5.42
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.42 tagged_above=-99 required=5
>         tests=[HTML_MESSAGE=0.001, RCVD_IN_BRBL=2.5, RCVD_IN_BRBL_LASTEXT=1.644,
>         RDNS_NONE=1.274, URIBL_BLOCKED=0.001] autolearn=no
> Received: from [51.179.106.180] (unknown [51.179.106.180])
>         by mailserver.mydomain.co.uk (Postfix) with ESMTP id 9BB74E427F
>         for ; Wed, 10 Feb 2016 17:41:30 +0000 (GMT)
> From: Tim Maier
> To:
> Subject: [virus VBA/TrojanDownloader.Agent.ASA trojan] [SPAM]
>         =?UTF-8?B?UmVtaXR0YW5jZSBhZHZpY2UgZnJvbSBTa3kgR3JvdXA6IEFjY291bnQgTm8uIDgwNTczOQ==?=
> Thread-Topic: Remittance advice from Sky Group: Account No. 805739
> Thread-Index: 9E9A0863698CAF3C254C6A950+B141==
> Date: Wed, 10 Feb 2016 18:41:27 +0200
> Message-ID:
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach: yes
> X-MS-TNEF-Correlator:
> MIME-Version: 1.0
> X-MC-Unique: 223161351459233692
> Content-Type: multipart/mixed;
>         boundary="_929_604EEBAB9DEEDAD880A65A5A6F0709FA513B7426538A615A81AC6E9920_"
> X-EsetResult: clean (cleaned), contained VBA/TrojanDownloader.Agent.ASA trojan
> X-EsetId: 26366E2C4DACF56B3C7E31301FB3F36B677D637342
>
> Feb 10 17:41:35 server postfix/qmgr[5845]: 9BB74E427F: from=, size=70986, nrcpt=1 (queue active)
> Feb 10 17:41:35 server postfix/smtpd[15970]: connect from localhost[127.0.0.1]
> Feb 10 17:41:35 server postfix/smtpd[15962]: disconnect from unknown[51.179.106.180]
> Feb 10 17:41:35 server postfix/smtpd[15970]: 300FBE5AD9: client=localhost[127.0.0.1]
> Feb 10 17:41:35 server postfix/cleanup[15965]: 300FBE5AD9: message-id=
> Feb 10 17:41:35 server postfix/qmgr[5845]: 300FBE5AD9: from=, size=70986, nrcpt=1 (queue active)
> Feb 10 17:41:35 server postfix/smtpd[15970]: disconnect from localhost[127.0.0.1]
> Feb 10 17:41:35 server postfix/pipe[15968]: 9BB74E427F: to=, relay=mailprefilter, delay=5, delays=4.8/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via mailprefilter service)
> Feb 10 17:41:35 server postfix/qmgr[5845]: 9BB74E427F: removed
> Feb 10 17:41:36 server postfix/smtpd[15974]: connect from localhost[127.0.0.1]
> Feb 10 17:41:36 server postfix/smtpd[15974]: 5BAABE55C3: client=localhost[127.0.0.1]
> Feb 10 17:41:36 server amavis[7088]: (07088-14) INFO: unfolded 1 illegal all-whitespace continuation lines
> Feb 10 17:41:36 server postfix/cleanup[15965]: 5BAABE55C3: message-id=
> Feb 10 17:41:36 server postfix/smtpd[15974]: disconnect from localhost[127.0.0.1]
> Feb 10 17:41:36 server postfix/qmgr[5845]: 5BAABE55C3: from=, size=71471, nrcpt=1 (queue active)
> Feb 10 17:41:36 server amavis[7088]: (07088-14) Passed SPAMMY, LOCAL [127.0.0.1] [51.179.106.180]  -> , Message-ID: , mail_id: 6AdaL2ErBI7J, Hits: 5.42, size: 70986, queued_as: 5BAABE55C3, 1078 ms
> Feb 10 17:41:36 server postfix/smtp[15971]: 300FBE5AD9: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.1/0.09/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 5BAABE55C3)
> Feb 10 17:41:36 server postfix/qmgr[5845]: 300FBE5AD9: removed
> Feb 10 17:41:36 server lmtp[15978]: Delivered:  to mailbox: user.ourfamily.Junk
> Feb 10 17:41:36 server postfix/pipe[15976]: 5BAABE55C3: to=, relay=mailpostfilter, delay=0.32, delays=0.08/0/0/0.24, dsn=2.0.0, status=sent (delivered via mailpostfilter service)
> Feb 10 17:41:36 server postfix/qmgr[5845]: 5BAABE55C3: removed
>
> postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> bounce_queue_lifetime = 6h
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = mailprefilter
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> disable_vrfy_command = yes
> header_checks = regexp:/etc/postfix/header_checks
> html_directory = no
> inet_interfaces = all
> inet_protocols = ipv4
> local_recipient_maps = $alias_maps $virtual_alias_maps
> luser_relay =
> mail_owner = postfix
> mailbox_size_limit = 102400000
> mailbox_transport = mailpostfilter
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> message_size_limit = 51200000
> message_strip_characters = \0
> mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
> mydomain = mydomain.co.uk
> myhostname = mailserver.mydomain.co.uk
> mynetworks = 127.0.0.0/8, 192.168.10.0/24, 172.17.2.0/23
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases.postfix
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
> recipient_delimiter = +
> relayhost = [smtp.ntlworld.com]:25
> sample_directory = /usr/share/doc/postfix-2.6.6/samples
> sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtp_sasl_auth_enable = no
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sender_dependent_authentication = yes
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> smtp_use_tls = yes
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client 2.0.0.127.b.barracudacentral.org
> smtpd_sasl_auth_enable = no
> smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_invalid_hostname
> smtpd_tls_CAfile = /etc/pki/CA/ca-cert.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/pki/CA/mailserver.mydomain.co.uk.pem
> smtpd_tls_key_file = /etc/pki/CA/private/mailserver.mydomain.co.uk.key.pem
> smtpd_tls_loglevel = 1
> smtpd_use_tls = yes
> strict_rfc821_envelopes = yes
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> unverified_sender_reject_code = 550
> virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf
>
> Regards,
> Nick
>
> Aloha mai Nai`a.
>


Aloha mai Nai`a.
-- 
" So this is how Liberty dies ...          http://kapu.net/~mjwise/
" To Thunderous Applause.

