On 25 Apr 2022, at 21:03, Viktor Dukhovni wrote:

> On Mon, Apr 25, 2022 at 03:26:52PM -0700, Greg Earle wrote:

> > All of the sending hostnames are of the form
> >
> > www-data@vNNN-NNN-NNN-NNN.*.static.cnode.io

> That's not a hostname, it is an email address, and not clear whether the
> envelope sender or the "From:" message header.

I originally just typed "vNNN-NNN-NNN-NNN.*.static.cnode.io" and added the "www-data@" at the last second. (No need to be pedantic; you know what I meant.)

> > For example, here are some examples of the sending IPs from the last few
> > months:
> >
> > v163-44-192-240.a001.g.han1.static.cnode.io
> > v163-44-207-233.a006.g.han1.static.cnode.io
> > v150-95-115-46.a017.g.han1.static.cnode.io
> > v150-95-115-69.a017.g.han1.static.cnode.io
> > v163-44-155-225.a010.g.sin1.static.cnode.io
> > v160-251-100-196.wbeh.static.cnode.io

> Presumably SMTP client reverse names (PTR records), but these are again
> not necessarily the same as the EHLO names,

Is there a debug setting in Postfix to show each EHLO negotiation, or do I have to run "tcpdump" or "tcpflow" and sort through tons of irrelevant output? (The spams only come in once a week or two.)

Because of the random IPs I don't think I can use "debug_peer_list" ...

> > Here are the headers from today's spam:
> >
> > --
> > Return-Path: <www-d...@v163-44-207-233.a006.g.han1.static.cnode.io>
> > Delivered-To: ea...@isolar.dyndns.org
> > Received: from isolar.DynDNS.ORG
> >         by isolar.DynDNS.ORG with LMTP
> >         id Z1ZyNR0VZ2KT4yEAxyqs9g
> >         (envelope-from <www-d...@v163-44-207-233.a006.g.han1.static.cnode.io>)
> >         for <ea...@isolar.dyndns.org>; Mon, 25 Apr 2022 14:39:41 -0700
> > Received: from v163-44-207-233.a006.g.han1.static.cnode.io (unknown [163.44.207.233])
> >         by isolar.DynDNS.ORG (Postfix) with ESMTPS id A76FB2860B81
> >         for <ea...@isolar.dyndns.org>; Mon, 25 Apr 2022 14:39:39 -0700 (PDT)
> > Received: by v163-44-207-233.a006.g.han1.static.cnode.io (Postfix, from userid 33)
> >         id 0B61114973F; Tue, 26 Apr 2022 04:36:10 +0700 (+07)
> > To: ea...@isolar.dyndns.org
> > Subject: [SPAM] Magalu 2022 - Smart TV 60" 4K R$ 1.699,90 - Smart TV 55" 4k R$ 1.359,99 - Smart TV 43" 4k R$ 1.099,00 - Aproveite! - [ 396448569646 ]
> > MIME-Version: 1.0
> > Content-type: text/html; charset=iso-8859-1
> > From: Magalu-37 <pravoc...@v163-44-207-233.a006.g.han1.static.cnode.io>
> > Message-Id: <20220425213610.0b611149...@v163-44-207-233.a006.g.han1.static.cnode.io>
> > Date: Tue, 26 Apr 2022 04:36:10 +0700 (+07)
> > --
> >
> > [root@isolar tmp]# cat /etc/postfix/helo.regexp
> > /v[0-9]+-[0-9]+-[0-9]+-[0-9]+[.-@]/             REJECT

> This pattern is not properly anchored, possibly matching lots of other
> sources.  A more conservative pattern would be:
>
>     /^v[0-9]+-[0-9]+-[0-9]+-[0-9]+[.].*[.]static[.]cnode[.]io$/  REJECT

Thanks.  I'm not too worried about any other "v[0-9]*" senders.

(I still don't know why it didn't work as-is.)

> > yet it didn't work - I got a spam from this IP today. What am I doing
> > wrong?

> Posting output of "grep", rather than full "postconf -nf" and "postconf -Mf"
> results.

I generally try to avoid spamming mailing lists with 60+ output lines of commands if I can help it.

> > (I'd be happy if I could just block *.static.cnode.io from connecting, but I tried doing that in /etc/postfix/client_access and it didn't work
> > there, either.)

> The correct lookup keys would be:
>
>     static.cnode.io
>     .static.cnode.io

I had "cnode.io" and ".cnode.io" in there, but it wasn't working so I backed them out.

> On Mon, Apr 25, 2022 at 08:57:01PM -0700, Greg Earle wrote:

> > [root@isolar tmp]# postconf -Px |grep check_helo_access
> > [...]

> The above are submission (port 465 and 587) services, which handle
> outbound mail from your users.  But the spammers are sending inbound
> mail on port 25.

OK, I didn't realize that the "smtps" in Postfix-land was port 465-only. I thought maybe it might've also handled the case of port 25 with TLS. Thanks for the clarification.

It sounds like you are saying that I should be putting the

check_helo_access regexp:/etc/postfix/helo.regex

entry into some form of "smtpd_*_restrictions" in main.cf, right? (I would assume "smtpd_helo_restrictions" but I've been wrong before, so ... )

But I had previously tried putting these 2 test lines (unrelated) in main.cf:

--
[root@isolar postfix]# tail -5 main.cf

# Local additions [GKE 11/15/2021]
#smtpd_recipient_restrictions = permit_sasl_authenticated, check_policy_service unix:postgrey/socket, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rbl_client zen.spamhaus.org, reject
#smtpd_client_restrictions = permit_sasl_authenticated, check_client_access pcre:/etc/postfix/client_access, reject

--

and it started rejecting everything incoming, so I had to back it out. I got a bit gun-shy about adding stuff to main.cf as a result.

> Your restrictions are a poor choice for submission, where you generally
> would allow all authenticated clients, and reject all else.

I got it from a cookbook page, which in retrospect I clearly shouldn't have used.

                - Greg
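As an added example (not part of the thread, and not Greg's or Viktor's actual configuration): a Postfix setup that puts the HELO check on the port-25 service, where the inbound spam arrives, and leaves the submission services with authenticated-only restrictions. The quoted Received header is the reason a HELO check, rather than a client-hostname check, is the tool to reach for here: Postfix records the connection as "from v163-44-207-233.a006.g.han1.static.cnode.io (unknown [163.44.207.233])", where the first name is what the client said in EHLO and "unknown" is the verified reverse name, so a check_client_access lookup on the hostname has nothing to match against for this client. The file paths and service names are the ones used in the thread; the hash: table type for client_access (Greg's was pcre:, for which Viktor's dotted-domain keys would not apply), the smtpd_helo_required setting and the permit_mynetworks entries are assumptions made for this example.

```conf
# /etc/postfix/helo.regexp  (regexp table, no postmap needed)
# Anchored at both ends so only v<octets>.<...>.static.cnode.io HELO names
# are hit, not every "v1-2-3-4" string that appears anywhere in a name.
/^v[0-9]+-[0-9]+-[0-9]+-[0-9]+[.].*[.]static[.]cnode[.]io$/   REJECT

# /etc/postfix/client_access  (hash table, run "postmap" after editing)
# Keys as described in access(5) for indexed tables.  smtpd walks the
# parent domains of the verified client hostname, so this only fires when
# the reverse lookup succeeds; a client logged as "unknown" never matches.
static.cnode.io      REJECT
.static.cnode.io     REJECT

# /etc/postfix/main.cf  (these apply to the port-25 "smtp" smtpd service)
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access regexp:/etc/postfix/helo.regexp
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/client_access

# /etc/postfix/master.cf  (submission services override the main.cf
# restrictions: authenticated clients are allowed, everything else rejected,
# and the port-25 HELO/client checks are switched off with empty values)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps     inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

To confirm the table does what you expect before relying on it, query it the way smtpd will: `postmap -q "v163-44-207-233.a006.g.han1.static.cnode.io" regexp:/etc/postfix/helo.regexp` should print REJECT, while a name such as `mail.example.com` should print nothing. For the hash table, `postmap -q` performs a single literal lookup and does not walk parent domains, so test it with the literal keys (`postmap -q static.cnode.io hash:/etc/postfix/client_access`). Then check that the restriction is actually attached to the port-25 service and not only to the submission ones: `postconf smtpd_helo_restrictions` shows the main.cf value, and `postconf -Mf smtp/inet` shows whether that service has any `-o` overrides of its own.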
