I had a dictionary attack this morning and had to remove about 150k
emails with "hi how are you" in the header coming from an SWBell DSL
client in St. Louis, I think. They were all from a random hotmail.com
account.

Jan 28 07:14:39 scooter postfix/smtpd[21983]: 7B9517BCA5:
client=adsl-65-71-214-5.dsl.stlsmo.swbell.net[65.71.214.5]

Now I'm trying to "close the barn door". I have a file,
account_control.map, that has my valid clients in it, like this:

grep internetworks.net account_control.map

[EMAIL PROTECTED]  OK
[EMAIL PROTECTED] OK
[EMAIL PROTECTED]    OK
[EMAIL PROTECTED]   OK
[EMAIL PROTECTED]     OK

in main.cf I have:

smtpd_recipient_restrictions =
 reject_unauth_pipelining,
 reject_non_fqdn_sender,
 reject_non_fqdn_recipient,
 reject_unknown_recipient_domain,
 hash:/etc/postfix/account_control.map,     <<<<<<<<<<<<
 reject_unknown_sender_domain,
 permit_mynetworks,
 reject_unauth_destination,
 check_client_access hash:/etc/postfix/mta_clients_bw.map,
 check_sender_access regexp:/etc/postfix/from_senders.regexp,
 check_sender_access hash:/etc/postfix/from_senders_bw.map,
 check_helo_access hash:/etc/postfix/helo_hostnames.map,
 check_sender_access hash:/etc/postfix/from_senders_slet.map,
 check_sender_access hash:/etc/postfix/from_senders_clueless.map,
 check_sender_access hash:/etc/postfix/from_senders_bogus.map,
 check_sender_access hash:/etc/postfix/from_senders_mybogus.map,
 check_sender_access hash:/etc/postfix/from_senders.map,
 check_sender_access hash:/etc/postfix/spamlist-extended.map,
 reject_rbl_client,
 reject

And it happily accepts mail to any of my domains regardless of existing
addresses.

Jan 28 14:18:23 scooter postfix/smtpd[28478]: connect from
f46.pav2.hotmail.com[64.4.37.46]
Jan 28 14:18:24 scooter postfix/smtpd[28478]: 21E057BC48:
client=f46.pav2.hotmail.com[64.4.37.46]
Jan 28 14:18:24 scooter postfix/cleanup[28479]: 21E057BC48:
message-id=<[EMAIL PROTECTED]>
Jan 28 14:18:24 scooter postfix/qmgr[28476]: 21E057BC48:
from=<[EMAIL PROTECTED]>, size=1388, nrcpt=1 (queue active)
Jan 28 14:18:24 scooter postfix/smtp[28484]: 21E057BC48:
to=<[EMAIL PROTECTED]>, relay=primary.spammiser.com[65.167.19.45],
delay=0, status=sent (250 Ok: queued as 8B068BC5FA)
Jan 28 14:18:24 scooter postfix/smtpd[28478]: disconnect from
f46.pav2.hotmail.com[64.4.37.46]

grep [EMAIL PROTECTED] account_control.map
yields nothing...

What am I doing wrong? (besides having shut off SAV last night)
SAV would have stopped this in its tracks.

Also, I used this script to clear my queue based on the header.

I placed a copy of this program in /var/spool/postfix and ran it.
I placed a copy there because it will delete itself too.

less removemail.pl
-----------------------------------------------------------
#!/usr/bin/perl
# Run from inside /var/spool/postfix. grep -a treats the binary queue files
# as text, -l prints only the names of matching files, -r recurses through
# the hashed queue directories; every file listed is unlinked. Note that the
# search covers everything under the current directory, this script included.
use strict;
use warnings;

$| = 1;    # unbuffered output, so the in-place counter is actually visible
open(my $files, '-|', "grep -alHr 'Subject: HI, HOW ARE YOU' *")
    or die "cannot run grep: $!";
my $count = 0;
print "Msg count: ";
while (my $line = <$files>) {
    chomp $line;
    $count++;
    printf "%6d", $count;
    unlink $line or warn "cannot unlink $line: $!";
    print "\b" x 6;    # back up over the six-digit counter
}
close $files;
print "\nDone... Msgs removed $count\n";

-----------------------------------------------------------

Thanks in advance!
David
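The following is an added example, not David's configuration and not code from the Postfix distribution. It emulates the key order in which smtpd consults a check_recipient_access table for a recipient (per access(5): the full address first, then the domain and each parent domain, then the local part followed by "@") and contrasts the map shape shown in the post, which holds only OK entries, with one that also carries a per-domain REJECT line. A map that contains nothing but OK can never reject: an unlisted recipient simply matches no key and evaluation moves on to the next restriction. The addresses user1@internetworks.net and user2@internetworks.net are placeholders for the redacted ones, the map file names are assumed, and DUNNO (documented in access(5)) is used for the valid entries so that the later restrictions such as reject_rbl_client and the sender checks still run; OK at that position in smtpd_recipient_restrictions permits the recipient outright and skips everything after it.

```shell
#!/bin/sh
# Added example (not the poster's config, not Postfix code): a small emulation
# of how smtpd looks up a recipient in a check_recipient_access map, used here
# to show why a map containing only OK entries cannot reject anything.
# Lookup order, per access(5): user@domain, then domain and each parent
# domain, then user@. The first key found decides. Keys are folded to lower
# case, as postmap does by default. Simplification: the +extension form of the
# local part that a recipient_delimiter setting adds is not emulated.
access_lookup() {
    map=$1
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    user=${addr%@*}
    domain=${addr#*@}
    keys=$addr
    d=$domain
    while [ -n "$d" ]; do
        keys="$keys $d"
        case $d in
            *.*) d=${d#*.} ;;   # strip one label to get the parent domain
            *)   d= ;;
        esac
    done
    keys="$keys $user@"
    for k in $keys; do
        # first field is the key; everything after it is the action text
        action=$(awk -v key="$k" \
            '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$map")
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
    done
    printf 'no match\n'
    return 1
}

# Writes two constructed maps into the directory $1. user1/user2 stand in
# for the addresses redacted in the post; both file names are assumed.
write_demo_maps() {
    dir=$1
    # Shape used in the post: OK entries only. Anything unlisted falls through
    # to the next restriction, and OK itself permits the recipient without
    # running the restrictions that follow (RBL and sender checks included).
    cat > "$dir/account_control.map" <<'EOF'
user1@internetworks.net   OK
user2@internetworks.net   OK
EOF
    # Valid recipients answer DUNNO (keep evaluating), and one line per hosted
    # domain rejects every address in that domain that was not listed above.
    # After editing the real file: postmap /etc/postfix/account_control.map
    cat > "$dir/account_control_fixed.map" <<'EOF'
user1@internetworks.net   DUNNO
user2@internetworks.net   DUNNO
internetworks.net         REJECT User unknown in recipient table
EOF
}

if [ $# -ge 2 ]; then
    # Usage: ./acl_lookup.sh MAPFILE ADDRESS
    access_lookup "$1" "$2"
fi
```

Because the full address is tried before the domain, the DUNNO lines win for listed users and the domain line only ever fires for unlisted ones; add one such line per hosted domain. The table can stay where it is in smtpd_recipient_restrictions (a bare type:table there is treated as check_recipient_access; writing the prefix explicitly is clearer), and the change takes effect after postmap and a postfix reload.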


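An added example, not David's removemail.pl: the same search for a Subject header across the spool, but restricted to the directories that actually hold messages (incoming, active, deferred) and finishing with postsuper -d instead of unlink. Deleting spool files behind the queue manager's back is exactly what postsuper exists to avoid, and a grep over the whole of /var/spool/postfix also matches anything else that contains the pattern, the script itself included. The queue ID is the queue file's name, which is why the names can be fed straight to postsuper. The helper and script names, the --delete flag and the constructed test files are assumptions; real queue files are binary record files, which is what grep -a is for.

```shell
#!/bin/sh
# Added example, not the poster's removemail.pl. Lists Postfix queue IDs whose
# queue file contains a given header line, and optionally hands them to
# postsuper -d. It never unlinks spool files itself.
# Assumes the standard layout: QUEUE/{incoming,active,deferred}/[hash/]QUEUEID

# Print the queue IDs (one per line, de-duplicated) of every message under
# the queue directory $1 whose queue file matches the grep pattern $2,
# e.g. 'Subject: HI, HOW ARE YOU'. Only the message directories are searched,
# so a stray script, the pid directory or the private sockets are never hit.
find_queue_ids() {
    queue_dir=$1
    pattern=$2
    for sub in incoming active deferred; do
        [ -d "$queue_dir/$sub" ] || continue
        # -a: queue files are binary records   -i: header case varies
        # -l: file names only                   -r: descend into the hash dirs
        grep -ailr -e "$pattern" "$queue_dir/$sub" 2>/dev/null || true
    done | while IFS= read -r path; do
        basename "$path"    # the file name is the queue ID
    done | sort -u
}

# Delete the matching messages through postsuper (must run as root) and
# print how many IDs were handed over.
delete_matching() {
    ids=$(find_queue_ids "$1" "$2")
    if [ -z "$ids" ]; then
        echo 0
        return 0
    fi
    # postsuper -d - reads one queue ID per line from standard input
    printf '%s\n' "$ids" | postsuper -d -
    printf '%s\n' "$ids" | wc -l | tr -d ' '
}

# Usage: ./queue_purge.sh /var/spool/postfix 'Subject: HI, HOW ARE YOU' [--delete]
if [ $# -eq 2 ]; then
    find_queue_ids "$1" "$2"
elif [ $# -eq 3 ] && [ "$3" = --delete ]; then
    delete_matching "$1" "$2"
fi
```

Run it without --delete first and eyeball the list (postcat -q QUEUEID shows any single message), then rerun with --delete; postsuper logs each removal, so the count is also recoverable from the mail log afterwards.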