On 5 May 2018, at 17:33, Proxy wrote:

On 2018-May-05 23:20, Proxy wrote:
On 2018-May-05 17:08, Viktor Dukhovni wrote:

Well, you should now try with "enable_original_recipient = yes" and wait for another message to come in. Then report logging for that. Perhaps
the second recipient is just local alias expansion, despite the lack
of "orig_to=" in the log entries.

Set to yes and I will report logging. Local alias expansion would
explain relaying to gmail, but not why those emails are even accepted. Coming to port 25, this client doesn't fulfill requirements needed to be
talked to at all if I'm not mistaken (generally, you would need to be
another valid email server). Did I miss something?

Or maybe I should set reject_unknown_client_hostname in
smtpd_sender_restrictions and remove permit from the end to achieve that.

Try reject_unknown_reverse_client_hostname first. It is safer than reject_unknown_client_hostname. It won't catch the specific miscreant in your log but unlike reject_unknown_client_hostname it won't block random outbound IPs of major mailbox providers.

I'm not sure why this specific mail is getting through but looking at your config I have a few suggestions:

1. Configure postscreen to run in front of smtpd with main.cf settings something like this:

postscreen_access_list = permit_mynetworks
postscreen_disable_vrfy_command = yes
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.2*2
    zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
    zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
    psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_ttl = 10m
postscreen_greet_action = drop

(Adjust the postscreen_dnsbl_sites to taste...)

2. If you don't enable postscreen, AT LEAST fix this:

smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl

The "blackholes.easynet.nl" DNSBL has been dead for many years, so you should remove it. Also, while "sbl.spamhaus.org" is a fine DNSBL, there is usually no reason for an MTA that has a separate submission service to not use the "zen.spamhaus.org" which includes many more problem mail sources including the one you've logged.

3. To tell Aisha and other bogus "local" senders to go away:

smtpd_reject_unlisted_sender = yes
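
Added example, not part of the original message and not Postfix code: a simplified Python model of how the weighted postscreen_dnsbl_sites list in suggestion 1 combines with postscreen_dnsbl_threshold = 2. It assumes every matching entry adds its weight once, handles only exact "=d.d.d.d" filters (not range patterns), and uses constructed DNSBL replies instead of live DNS lookups.

```python
import re

# The postscreen_dnsbl_sites value suggested in the message above.
DNSBL_SITES = """
zen.spamhaus.org=127.0.0.2*2
zen.spamhaus.org=127.0.0.3*2 zen.spamhaus.org=127.0.0.4*2
zen.spamhaus.org=127.0.0.10*2 zen.spamhaus.org=127.0.0.11*2
psbl.surriel.com=127.0.0.2*1 ix.dnsbl.manitu.net=127.0.0.2*1
"""
THRESHOLD = 2  # postscreen_dnsbl_threshold from the same suggestion

# domain[=d.d.d.d][*weight]; range patterns are deliberately not supported here.
ENTRY = re.compile(
    r"^(?P<domain>[^=*\s]+)(?:=(?P<reply>[\d.]+))?(?:\*(?P<weight>-?\d+))?$"
)

def parse_sites(value):
    """Split the setting into (domain, reply filter or None, weight) tuples."""
    entries = []
    for token in re.split(r"[,\s]+", value.strip()):
        m = ENTRY.match(token)
        if not m:
            raise ValueError(f"unsupported entry: {token!r}")
        entries.append((m["domain"], m["reply"], int(m["weight"] or 1)))
    return entries

def dnsbl_score(entries, replies):
    """replies maps a DNSBL domain to the set of A records it returned."""
    score = 0
    for domain, reply, weight in entries:
        answers = replies.get(domain, set())
        # Without a "=d.d.d.d" filter, any non-error reply counts.
        if (reply is None and answers) or reply in answers:
            score += weight
    return score

def verdict(replies, value=DNSBL_SITES, threshold=THRESHOLD):
    """Return (score, fails_dnsbl_test); the threshold is an inclusive bound."""
    score = dnsbl_score(parse_sites(value), replies)
    return score, score >= threshold
```

With these weights a single zen.spamhaus.org match is enough to fail the DNSBL test, while psbl.surriel.com or ix.dnsbl.manitu.net alone is not; both of the smaller lists must agree.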

