DevHeads.net

Can this sort of spam be easily and safely blocked in postfix

Hi,
In the last few weeks I've seen an increase in the number of e-mails with
nasty .doc or .xls files, generally with some sort of invoice supposedly
in them. Can postfix be reliably configured to block them at source?
Below is a message header, the relevant bit of the maillog and my
configuration:

Return-Path: < ... at safewaydriving dot com>
Received: from localhost (localhost [127.0.0.1])
by server.mydomain.co.uk (Cyrus v2.3.16-Fedora-RPM-2.3.16-13.v6) with LMTPA;
Wed, 10 Feb 2016 17:41:36 +0000
X-Sieve: CMU Sieve 2.3
X-Virus-Scanned: amavisd-new at mydomain.co.uk
X-Amavis-Alert: BAD HEADER SECTION, Improper folded header field made up
entirely of whitespace (char 09 hex): Content-Type:
...80A65A5A6F0709FA513B7426538A615A81AC6E9920_"\n\t
X-Spam-Flag: YES
X-Spam-Score: 5.42
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.42 tagged_above=-99 required=5
tests=[HTML_MESSAGE=0.001, RCVD_IN_BRBL=2.5,
RCVD_IN_BRBL_LASTEXT=1.644, RDNS_NONE=1.274, URIBL_BLOCKED=0.001]
autolearn=no
Received: from [51.179.106.180] (unknown [51.179.106.180])
by mailserver.mydomain.co.uk (Postfix) with ESMTP id 9BB74E427F
for < ... at mydomain dot co.uk>; Wed, 10 Feb 2016 17:41:30 +0000 (GMT)
=?UTF-8?B?UmVtaXR0YW5jZSBhZHZpY2UgZnJvbSBTa3kgR3JvdXA6IEFjY291bnQgTm8uIDgwNTczOQ==?=
Thread-Topic: Remittance advice from Sky Group: Account No. 805739
Thread-Index: 9E9A0863698CAF3C254C6A950+B141==
Message-ID: < ... at 567D24E77 dot safewaydriving.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
MIME-Version: 1.0
X-MC-Unique: 223161351459233692
Content-Type: multipart/mixed;
boundary="_929_604EEBAB9DEEDAD880A65A5A6F0709FA513B7426538A615A81AC6E9920_"
X-EsetResult: clean (cleaned), contained VBA/TrojanDownloader.Agent.ASA trojan
X-EsetId: 26366E2C4DACF56B3C7E31301FB3F36B677D637342

Feb 10 17:41:35 server postfix/qmgr[5845]: 9BB74E427F: from=< ... at safewaydriving dot com>, size=70986, nrcpt=1 (queue active)
Feb 10 17:41:35 server postfix/smtpd[15970]: connect from localhost[127.0.0.1]
Feb 10 17:41:35 server postfix/smtpd[15962]: disconnect from unknown[51.179.106.180]
Feb 10 17:41:35 server postfix/smtpd[15970]: 300FBE5AD9: client=localhost[127.0.0.1]
Feb 10 17:41:35 server postfix/cleanup[15965]: 300FBE5AD9: message-id=< ... at 567D24E77 dot safewaydriving.com>
Feb 10 17:41:35 server postfix/qmgr[5845]: 300FBE5AD9: from=< ... at safewaydriving dot com>, size=70986, nrcpt=1 (queue active)
Feb 10 17:41:35 server postfix/smtpd[15970]: disconnect from localhost[127.0.0.1]
Feb 10 17:41:35 server postfix/pipe[15968]: 9BB74E427F: to=< ... at mydomain dot co.uk>, relay=mailprefilter, delay=5, delays=4.8/0.01/0/0.22, dsn=2.0.0, status=sent (delivered via mailprefilter service)
Feb 10 17:41:35 server postfix/qmgr[5845]: 9BB74E427F: removed
Feb 10 17:41:36 server postfix/smtpd[15974]: connect from localhost[127.0.0.1]
Feb 10 17:41:36 server postfix/smtpd[15974]: 5BAABE55C3: client=localhost[127.0.0.1]
Feb 10 17:41:36 server amavis[7088]: (07088-14) INFO: unfolded 1 illegal all-whitespace continuation lines
Feb 10 17:41:36 server postfix/cleanup[15965]: 5BAABE55C3: message-id=< ... at 567D24E77 dot safewaydriving.com>
Feb 10 17:41:36 server postfix/smtpd[15974]: disconnect from localhost[127.0.0.1]
Feb 10 17:41:36 server postfix/qmgr[5845]: 5BAABE55C3: from=< ... at safewaydriving dot com>, size=71471, nrcpt=1 (queue active)
Feb 10 17:41:36 server amavis[7088]: (07088-14) Passed SPAMMY, LOCAL [127.0.0.1] [51.179.106.180] < ... at safewaydriving dot com> -> < ... at mydomain dot co.uk>, Message-ID: < ... at 567D24E77 dot safewaydriving.com>, mail_id: 6AdaL2ErBI7J, Hits: 5.42, size: 70986, queued_as: 5BAABE55C3, 1078 ms
Feb 10 17:41:36 server postfix/smtp[15971]: 300FBE5AD9: to=< ... at mydomain dot co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.3, delays=0.1/0.09/0/1.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10026): 250 2.0.0 Ok: queued as 5BAABE55C3)
Feb 10 17:41:36 server postfix/qmgr[5845]: 300FBE5AD9: removed
Feb 10 17:41:36 server lmtp[15978]: Delivered: < ... at 567D24E77 dot safewaydriving.com> to mailbox: user.ourfamily.Junk
Feb 10 17:41:36 server postfix/pipe[15976]: 5BAABE55C3: to=< ... at mydomain dot co.uk>, relay=mailpostfilter, delay=0.32, delays=0.08/0/0/0.24, dsn=2.0.0, status=sent (delivered via mailpostfilter service)
Feb 10 17:41:36 server postfix/qmgr[5845]: 5BAABE55C3: removed

postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mydomain.co.uk
myhostname = mailserver.mydomain.co.uk
mynetworks = 127.0.0.0/8, 192.168.10.0/24, 172.17.2.0/23
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
relayhost = [smtp.ntlworld.com]:25
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client 2.0.0.127.b.barracudacentral.org
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_invalid_hostname
smtpd_tls_CAfile = /etc/pki/CA/ca-cert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/pki/CA/mailserver.mydomain.co.uk.pem
smtpd_tls_key_file = /etc/pki/CA/private/mailserver.mydomain.co.uk.key.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf

Regards,

Nick

Comments

Re: Can this sort of spam be easily and safely blocked in postfi

By LuKreme at 02/11/2016 - 02:14

On Feb 10, 2016, at 12:03 PM, Nick Howitt < ... at howitts dot co.uk> wrote:
Yep. I’ve had this in Postfix for at least a decade:

mime_headers.pcre
/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(ade|adp|bas|bat|chm|cmd|com|cpl|crt|doc|dll|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh|xls))(\?=)?"?\s*(;|$)/x REJECT Attachment name "$2" may not end with ".$3"
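
LuKreme's rule applied to a few constructed MIME header lines, as an added Python example (not code from the thread): it shows which names the pcre table would REJECT, how Postfix fills $2 and $3 into the reply text, and two cases the 2016 extension list does not catch (.docx-style names and RFC 2231 `filename*=` parameters). It assumes Postfix's default case-insensitive matching plus the rule's /x flag (re.I | re.X), and approximates Postfix's logical-line handling of folded headers by joining continuation lines with a space.

```python
import re

# LuKreme's mime_header_checks pattern from the thread, split only so it fits.
# The alternation is copied verbatim (including the odd "scr\??").
BLOCKED_EXT = (
    r"ade|adp|bas|bat|chm|cmd|com|cpl|crt|doc|dll|exe|hlp|hta|inf|ins|isp|js|jse|"
    r"lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pif|prf|reg|scf|scr\??|sct|"
    r"shb|shs|shm|swf|vb[esx]?|vxd|wsc|wsf|wsh|xls"
)
PATTERN = (
    r'^\s*Content-(Disposition|Type).*name\s*=\s*"?(.*\.(' + BLOCKED_EXT +
    r'))(\?=)?"?\s*(;|$)'
)
# Postfix pcre tables match case-insensitively unless a rule toggles /i, and
# the rule's /x flag is PCRE extended mode, so the Python flags are re.I | re.X.
ATTACHMENT_RULE = re.compile(PATTERN, re.I | re.X)
# Postfix substitutes $2 (the whole name) and $3 (the extension) into the action.
REJECT_TEXT = 'REJECT Attachment name "%s" may not end with ".%s"'


def unfold(header):
    """Join folded continuation lines. Assumption for this demo: Postfix matches
    one logical header line, and joining physical lines with a space is close
    enough to show which names the rule sees."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def check_mime_header(header):
    """Return the REJECT text Postfix would log for one MIME header line,
    or None when the line does not match and the part passes."""
    m = ATTACHMENT_RULE.search(unfold(header))
    if not m:
        return None
    return REJECT_TEXT % (m.group(2), m.group(3))


def scan_part_headers(headers):
    """Apply the rule to every header of one MIME part the way a header_checks
    table is applied: the first matching line decides the action."""
    for header in headers:
        verdict = check_mime_header(header)
        if verdict is not None:
            return verdict
    return "OK"


# Constructed header lines, modelled on the invoice-style mails in the thread.
SAMPLE_HEADERS = {
    "plain_doc": 'Content-Disposition: attachment; filename="invoice.doc"',
    "upper_xls": "Content-Type: application/vnd.ms-excel; name=remittance.XLS",
    "encoded_word": 'Content-Disposition: attachment; filename="=?UTF-8?Q?invoice.doc?="',
    "folded": 'Content-Disposition: attachment;\n\tfilename="invoice.doc"',
    # Not caught: newer Office formats are not in the 2016 extension list.
    "docx": 'Content-Disposition: attachment; filename="invoice.docx"',
    # Not caught: RFC 2231 parameters use "filename*=", which "name\s*=" misses.
    "rfc2231": "Content-Disposition: attachment; filename*=utf-8''invoice.doc",
    "text": 'Content-Type: text/plain; name="notes.txt"',
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print("%-12s %s" % (label, check_mime_header(header)))
```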

Re: Can this sort of spam be easily and safely blocked in postfi

By Wietse Venema at 02/10/2016 - 15:43

Nick Howitt:
Postfix can block MIME types and even recognize some known-to-be-bad
content, but it can't distinguish between "nasty" content and benign
content. You'd need some kind of anti-malware system for that.

Wietse

Re: Can this sort of spam be easily and safely blocked in postfi

By Michael J Wise at 02/10/2016 - 15:39

There are a number of techniques that could be deployed against it.
None of them are, "Easy".
And nothing concerning viruses could ever be classified as, "Safe".

Incoming attachments from people you don't know ... Considered Harmful.
Especially if those attachment filetypes support, "Macro"s.

:(

Aloha mai Nai`a.

Re: Can this sort of spam be easily and safely blocked in postfi

By Nick Howitt at 02/10/2016 - 16:22

It does not apply to this message, but I was wondering if it was
safe to block unknown e.g. "connect from unknown[123.63.85.49]".
Presumably this means no reverse DNS record, but is it reasonable to
block these or will I reject too much good stuff? If it is
reasonable, what is the best way to block them? I also use
zen.spamhaus.org so I think this blocks many of them anyway as they
seem to be from dynamic IP address blocks.

Nick

On 10/02/2016 19:39, Michael J Wise wrote:

Re: Can this sort of spam be easily and safely blocked in postfi

By Michael J Wise at 02/10/2016 - 17:16

It will have limited effectiveness against these kinds of campaigns.
If nothing else, it would be a signal to legit senders to only send from
IPs with proper rDNS, which is good. :)

Best way would be to NOT block but to mark as spam.
That way, the sender can be poked to clean up their act.

"IMHO", "YMMV", "VWPBL"....

Aloha mai Nai`a.

Re: Can this sort of spam be easily and safely blocked in postfi

By Noel Jones at 02/10/2016 - 15:39

On 2/10/2016 1:03 PM, Nick Howitt wrote:
Some low hanging fruit:

Looks as if you're using amavisd-new. Are you using clamav also?
If so, I highly recommend the Sanesecurity addon spam signatures.
They stop a lot of this kind of stuff for me.
http://sanesecurity.com/usage/signatures/
The signatures marked "low risk" should be safe for anyone to use.
You can make your own decision for the "Med" and "High" sigs.

This particular client has no reverse DNS hostname. Most sites find
it safe to use reject_unknown_reverse_client_hostname to reject such
clients. This is similar to restrictions at many big mail providers and
is a much safer alternative than reject_unknown_client_hostname.
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

This client used an IP literal as their HELO name. This is
permitted by RFC and common with end-user mail software, but rarely
found in a legit mail server. You can use a check_helo_access
regexp to reject such clients after permit_mynetworks,
permit_sasl_authenticated.

The logs you include show the mail passing through your
content_filter. It would have been much more interesting to see the
original connection from the outside client.

I didn't really look at your postconf output, other than noticing
that you use some good RBLs already, and have some questionable
settings for alias_maps, local_recipient_maps, and
virtual_alias_maps. Maybe someone else will analyze that for you.

-- Noel Jones

Re: Can this sort of spam be easily and safely blocked in postfi

By Karel at 02/11/2016 - 06:59

Are there any legitimate (non-spam) senders that would be blocked by
reject_unknown_client_hostname?

According to the documentation, it should reject if:

1) the client IP address->name mapping fails
2) the name->address mapping fails
3) the name->address mapping does not match the client IP address

That seems fine to me.

Re: Can this sort of spam be easily and safely blocked in postfi

By Bill Cole at 02/14/2016 - 13:34

Do you consider Microsoft's Office365 to be "legitimate?"

They send substantial non-spam, yet many of their output IPs have PTR
addresses which yield addresses which do not resolve back to the
original IPs.

Re: Can this sort of spam be easily and safely blocked in postfi

By Karel at 02/15/2016 - 05:19

Sorry to keep dwelling on this, but is there any reason why a
legitimate sender (i.e. Microsoft) would not use corresponding IP ->
hostname -> IP?

Is there some technical limitation that prevents them from doing it?

Re: Can this sort of spam be easily and safely blocked in postfi

By Sebastian Nielsen at 02/15/2016 - 05:52

Yes, there is a reason.
If they have a large amount of virtualized servers set up using wildcarding,
like:
*.123.123.123.in-addr.arpa IN PTR mailservers.office365.com

It's of course not possible to add the corresponding forward record, because
that would create a pretty large forward zone, especially if Microsoft does
this with a large amount of IP addresses.

Dynamically assigning reverse/forward, like *.123.123.123.in-addr.arpa IN
PTR *.mailservers.office365.com, so a server like 72.123.123.123 has a PTR
of 72.mailservers.office365.com, would require specialised name server
software, same with the forward zone, if you don't want unnecessarily large
zones.

You could however check which ASNs Microsoft has, and then whitelist these
in a rule file so these IPs will be let through without any spam checking.
(Be careful however, so you don't put the whitelist too early and let
through mails you don't want to let through at all)

From: owner-postfix- ... at postfix dot org
[mailto:owner-postfix- ... at postfix dot org] On Behalf Of Karel
Sent: 15 February 2016 10:19
To: postfix users <postfix- ... at postfix dot org>
Subject: Re: Can this sort of spam be easily and safely blocked in postfix

Re: Can this sort of spam be easily and safely blocked in postfi

By Sebastian Nielsen at 02/15/2016 - 05:57

Oops, I meant 123.123.123.72
Just a bit tired here in the morning.

But what I wanted to say is that Microsoft is an extremely large internet
corporation, actually the largest, I think they own most IP addresses too, so
what they do need to scale well.

From: owner-postfix- ... at postfix dot org
[mailto:owner-postfix- ... at postfix dot org] On Behalf Of Sebastian Nielsen
Sent: 15 February 2016 10:53
To: 'postfix users' <postfix- ... at postfix dot org>
Subject: Re: Can this sort of spam be easily and safely blocked in postfix
[signed]

Re: Can this sort of spam be easily and safely blocked in postfi

By LuKreme at 02/16/2016 - 06:17

On Feb 15, 2016, at 2:57 AM, Sebastian Nielsen < ... at sebbe dot eu> wrote:
How do you figure that?

Oh, I don’t think so. Both Apple and IBM own an entire class A (16 million addresses). Level 3 and HP each own TWO class As.

Re: Can this sort of spam be easily and safely blocked in postfi

By Noel Jones at 02/11/2016 - 13:31

The reject_unknown_client_hostname restriction is known to reject
legitimate non-spam senders.

reject_unknown_client_hostname is a very strict test and is known to
reject a significant amount of legit mail. It will reject tons of
spam, but the amount of good mail rejected is too high for most people.

The less strict reject_unknown_reverse_client_hostname checks if
there is a client IP to name mapping, but does not check if that
name maps back to the client IP. Very few legit hosts fail this
test. This is safe for most sites to use and is an effective part
of a multilayer spam defense, and would have blocked the spam
message that started this whole thread.

You can safely try either or both of these restrictions with
"warn_if_reject" and check your logs to see how it would perform for
your mail flow without actually rejecting any mail.

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
http://www.postfix.org/postconf.5.html#warn_if_reject

-- Noel Jones
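
Karel's three conditions and Noel's comparison of the two restrictions, worked through in Python as an added example (not from the thread or from Postfix itself): constructed PTR and A data stand in for live DNS so it runs offline, with one entry shaped like the Office365 case Bill Cole describes (PTR present, forward lookup not pointing back) and one with no PTR at all, which is what Postfix logs as unknown[...].

```python
# Constructed PTR (address -> name) and A (name -> addresses) data; no live
# DNS is consulted. Postfix would get the same answers from the resolver.
CONSTRUCTED_PTR = {
    "192.0.2.10": "mail.example.net",      # PTR and A agree: a well-kept MTA
    "192.0.2.20": "mail-out.example.org",  # PTR exists, A points elsewhere
    "192.0.2.30": "mx.example.invalid",    # PTR exists, name does not resolve
    # "51.179.106.180" has no PTR: Postfix logs it as unknown[51.179.106.180]
}
CONSTRUCTED_A = {
    "mail.example.net": ["192.0.2.10"],
    "mail-out.example.org": ["198.51.100.5", "198.51.100.6"],
}


def lookup_ptr(ip, ptr=CONSTRUCTED_PTR):
    """Address -> name; None when there is no PTR record."""
    return ptr.get(ip)


def lookup_a(name, a=CONSTRUCTED_A):
    """Name -> list of addresses; empty when the name does not resolve."""
    return a.get(name, [])


def unknown_reverse_client_hostname(ip):
    """reject_unknown_reverse_client_hostname: reject only when the client
    address has no PTR at all. The name is never resolved forward."""
    return lookup_ptr(ip) is None


def unknown_client_hostname(ip):
    """reject_unknown_client_hostname: the strict test. Returns (reject, why)
    using Karel's three conditions: 1) address->name fails, 2) name->address
    fails, 3) the addresses the name resolves to do not include the client."""
    name = lookup_ptr(ip)
    if name is None:
        return True, "1) address->name lookup failed"
    addrs = lookup_a(name)
    if not addrs:
        return True, "2) name->address lookup failed for %s" % name
    if ip not in addrs:
        return True, "3) %s resolves to %s, not %s" % (name, ", ".join(addrs), ip)
    return False, "%s resolves back to %s" % (name, ip)


def evaluate(ip):
    """What each restriction would do for one connecting client, keyed by the
    Postfix restriction name, plus the client as Postfix would log it."""
    strict, why = unknown_client_hostname(ip)
    return {
        "client": "%s[%s]" % (lookup_ptr(ip) or "unknown", ip),
        "reject_unknown_reverse_client_hostname": unknown_reverse_client_hostname(ip),
        "reject_unknown_client_hostname": strict,
        "reason": why,
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "51.179.106.180"):
        print(evaluate(ip))
```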

Re: Can this sort of spam be easily and safely blocked in postfi

By Nick Howitt at 02/10/2016 - 16:35

Hi Noel,

On 10/02/2016 19:39, Noel Jones wrote:
Feb 10 17:41:29 server postfix/smtpd[15962]: connect from
unknown[51.179.106.180]
Feb 10 17:41:30 server postfix/smtpd[15962]: 9BB74E427F:
client=unknown[51.179.106.180]
Feb 10 17:41:31 server postfix/cleanup[15965]: 9BB74E427F:
message-id=< ... at 567D24E77 dot safewaydriving.com>

Presumably if I want more I need to change the verbosity.

Re: Can this sort of spam be easily and safely blocked in postfi

By Noel Jones at 02/10/2016 - 17:02

On 2/10/2016 2:35 PM, Nick Howitt wrote:
This particular client isn't in zen, and probably not dynamic. The
reject_unknown_reverse_client_hostname is quite safe. You can try
it out for a while with
warn_if_reject reject_unknown_reverse_client_hostname
somewhere in your config. It's quite rare for a legit mail server
to fail this check. The few failures I see are typically when
someone moved to a new IP and forgot to set up the rDNS.

Everything you need is in the normal logs.

-- Noel Jones
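
Noel's suggestion to trial the restrictions under warn_if_reject and read the logs, as an added Python example (not from the thread): it triages constructed maillog lines in the reject_warning shape Postfix writes, counting what each restriction would have rejected while no mail was actually refused, and flags clients whose HELO was an IP literal, the other signal Noel mentioned. The log lines are constructed samples, and the exact 4xx text is assumed to follow Postfix's "cannot find your (reverse) hostname" wording.

```python
import ipaddress
import re
from collections import Counter

# Constructed maillog lines (not from the thread). With warn_if_reject the
# restriction logs "reject_warning" instead of "reject" and the mail goes on.
SAMPLE_LOG = """\
Feb 11 09:12:01 server postfix/smtpd[2345]: connect from unknown[198.51.100.7]
Feb 11 09:12:01 server postfix/smtpd[2345]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<billing@example.org> to=<user@mydomain.co.uk> proto=ESMTP helo=<[198.51.100.7]>
Feb 11 09:12:02 server postfix/smtpd[2345]: 1A2B3C4D5E: client=unknown[198.51.100.7]
Feb 11 09:15:44 server postfix/smtpd[2351]: NOQUEUE: reject_warning: RCPT from mail-out.example.org[198.51.100.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.5]; from=<news@example.org> to=<user@mydomain.co.uk> proto=ESMTP helo=<mail-out.example.org>
Feb 11 09:20:10 server postfix/smtpd[2360]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<x@example.com> to=<user@mydomain.co.uk> proto=ESMTP helo=<[203.0.113.9]>
Feb 11 09:31:05 server postfix/smtpd[2366]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.77]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.77]; from=<a@example.net> to=<user@mydomain.co.uk> proto=ESMTP helo=<smtp.example.net>
"""

LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<kind>reject_warning|reject): "
    r"(?P<stage>\w+) from (?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d+\.\d+) (?P<reason>[^;]*);.*?helo=<(?P<helo>[^>]*)>"
)

# Map the reply text back to the restriction that produced it (assumed wording).
REASON_TO_RESTRICTION = (
    ("cannot find your reverse hostname", "reject_unknown_reverse_client_hostname"),
    ("cannot find your hostname", "reject_unknown_client_hostname"),
)


def restriction_for(reason):
    for needle, name in REASON_TO_RESTRICTION:
        if needle in reason:
            return name
    return "other"


def is_ip_literal_helo(helo):
    """True when HELO/EHLO was an address literal such as [198.51.100.7] or
    [IPv6:2001:db8::1]: legal, but rare for a real mail server (Noel's point)."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def parse_line(line):
    """Fields of one reject/reject_warning line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["restriction"] = restriction_for(rec["reason"])
    rec["ip_literal_helo"] = is_ip_literal_helo(rec["helo"])
    return rec


def summarise(log_text):
    """Per-restriction counts of would-be rejections (warn_if_reject) and of
    real rejections, plus the client IPs that greeted with an IP-literal HELO."""
    would_reject, actual_reject, ip_literal = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        (would_reject if rec["kind"] == "reject_warning" else actual_reject)[rec["restriction"]] += 1
        if rec["ip_literal_helo"]:
            ip_literal.append(rec["ip"])
    return {"would_reject": dict(would_reject), "actual_reject": dict(actual_reject),
            "ip_literal_helo": ip_literal}


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```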