On Mon, Mar 28, 2016 at 02:53:41PM -0700, [email protected] wrote:
> How would I match/block access to mail sent from MTAs that have
> FQDNs that start with
>
> mta-wk-*
>
> it's not a header, it's not content, it's not an IP ...

It's a bird! It's a plane! It's ... a FCrDNS hostname!

> but, it's clearly logged in my postfix logs
>
> postfix.log:Mar 24 13:00:42 mail2 postfix/int01/smtpd[20932]:
> connect from mta-wk-1.mk1.ratineer.com[82.196.0.148]

See:

    postconf.5.html#check_client_access
    access.5.html
    pcre_table.5.html (regexp_table(5) is another possibility)
    SMTPD_ACCESS_README.html

All of the above can be found at www.postfix.org or in your own
$html_directory.

Example:

/etc/postfix/banned_hostname.pcre :

/^mta-wk/ REJECT ratineer role call!

main.cf :

[ ... ]
smtpd_recipient_restrictions = [ ... ] reject_unauth_destination,
    check_client_access pcre:/etc/postfix/banned_hostname.pcre
[ ... ]

[ ... ]

> My goal is to block ALL mail from this list of MTAs
>
>
> https://groups.google.com/d/msg/news.admin.net-abuse.email/_6DLJB8fF9k/ZGBwTTsFBQAJ
>
> DNSBLs get many of them, but they apparently change IP addresses,
> and sneak through on occasion.

And this approach won't work very long. Once they know they're being
blocked by that hostname pattern, they will morph.

> All seem to be hosted by/at SYNAPP.IO

If you can get a list of IP addresses (CIDR blocks), you can use a
cidr_table(5) lookup to block them more safely and surely (until they
buy/steal different hosting, of course.)

--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
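
An added example, not part of the original message: a Python sketch that applies the same /^mta-wk/ pattern to smtpd "connect from" log lines and turns the matching client addresses into cidr_table(5) entries. It also lists clients logged as "unknown" (no verified hostname), which the hostname rule cannot match. Apart from the one host/IP pair quoted in the message, the log lines are constructed; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample in the log format quoted in the message; only the
# mta-wk-1.mk1.ratineer.com line is taken from it, the rest is made up.
SAMPLE_LOG = """\
Mar 24 13:00:42 mail2 postfix/int01/smtpd[20932]: connect from mta-wk-1.mk1.ratineer.com[82.196.0.148]
Mar 24 13:02:10 mail2 postfix/int01/smtpd[20940]: connect from MTA-WK-7.example.net[192.0.2.17]
Mar 24 13:05:33 mail2 postfix/int01/smtpd[20951]: connect from unknown[192.0.2.18]
Mar 24 13:07:01 mail2 postfix/int01/smtpd[20960]: connect from mail.example.org[198.51.100.25]
Mar 24 13:09:47 mail2 postfix/int01/smtpd[20932]: connect from mta-wk-1.mk1.ratineer.com[82.196.0.148]
"""

CONNECT_RE = re.compile(r"postfix/\S*smtpd\[\d+\]: connect from (\S+)\[([0-9a-fA-F.:]+)\]")
# Same pattern as banned_hostname.pcre; Postfix pcre tables ignore case by default.
BANNED_RE = re.compile(r"^mta-wk", re.IGNORECASE)

def parse_connects(log_text):
    """Yield (hostname, ip) for every smtpd 'connect from' line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            yield m.group(1), ipaddress.ip_address(m.group(2))

def classify(log_text):
    """Return (IPs the hostname rule catches, IPs logged as 'unknown')."""
    matched, unnamed = set(), set()
    for host, ip in parse_connects(log_text):
        if BANNED_RE.search(host):
            matched.add(ip)
        elif host == "unknown":
            unnamed.add(ip)
    return matched, unnamed

def cidr_table(ips, action="REJECT"):
    """Collapse addresses into the fewest CIDR blocks, one cidr_table(5) line each."""
    v4 = [ipaddress.ip_network(str(ip)) for ip in ips if ip.version == 4]
    v6 = [ipaddress.ip_network(str(ip)) for ip in ips if ip.version == 6]
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [f"{net}\t{action}" for net in nets]

if __name__ == "__main__":
    matched, unnamed = classify(SAMPLE_LOG)
    print("\n".join(cidr_table(matched)))
    print("# logged as 'unknown', not matched by the hostname rule:",
          sorted(str(ip) for ip in unnamed))
```

The generated lines would go in a file referenced as cidr:/path/to/file from check_client_access; review the list by hand before loading it.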