meet me at the bottom
>1. make a file called /etc/postfix/helo_world.regexp :))
>
>2. containing one line:
>
>/.*/ 554 4tuple
>
>... which matches the entire world's helo hostname.
>
>3. put the restriction just before permit at the end of your
>smtpd_recipient_restrictions:
>
> warn_if_reject check_helo_access pcre:/etc/postfix/helo_world.regexp,
> permit
>
>4. postfix reload
>
>5. This restriction will match ALL ("world") msgs that escape all earlier
>SMTPD restrictions, i.e., what you are receiving, and log a reject_warning line.
>
>6. Observe the 4tuple of "PTR[IP] [EMAIL PROTECTED] [EMAIL PROTECTED] helo_hostname"
>in real time with:
>
>tail -f -n 100 /var/log/maillog | awk '/4tuple/ {print $10" "$17" "$18" "$20" "$22}'
>
>7. report sorted by PTR with this line:
>
>egrep -i "4tuple" /var/log/maillog | awk '{print $10" "$17" "$18" "$20" "$22}' | sort -t[ -k2 | less
>
>It's very easy (and perhaps depressing) to see the crap that is getting
>through.
>
>Your blocking should be by PTR hostname or IP, if possible.
This is a really powerful tool. I recommend everybody implement it. It is a
very powerful, unambiguous visualization of the crap that is getting
through.
First, make sure your TTY/SSH terminal screen is 130 or more columns wide,
with a 7 or 8 pt font, so the lines don't wrap.
Some variations on the sorting give very different views:
1. egrep -i "4tuple" /var/log/maillog | awk '{print $10" "$17" "$18" "$20}' | sort -t[ -k2 | less
... sorts by IP
2. egrep -i "from unknown\[.*4tuple" /var/log/maillog | awk '{print $10" "$17" "$18" "$20}' | sort -t[ -k2 | less
... sorts by IP, only for PTR-less IPs.
3. egrep -i "4tuple" /var/log/maillog | egrep -iv "from unknown\[" | awk '{print $10" "$17" "$18" "$20}' | sort -t[ -k2 | less
... sorts by IP, only for PTR-full IPs.
Use the trick with "from unknown\[" above to get those variations in any
commands here.
4. egrep -i "from unknown\[.*4tuple" /var/log/maillog | awk '{print $10" "$17" "$18" "$20}' | sort -f -k2 | less
... sorts by the from= field, from the 1st character in the field.
5. egrep -i "from unknown\[.*4tuple" /var/log/maillog | awk '{print $10" "$17" "$18" "$20}' | sort -f -t@ -k2 | less
... sorts by the from= field, but on the sender's domain.
You can also change the order of $10, $17, $18, $20 so the 2nd, 3rd, or
4th field is printed in the first column, nice and straight and easier to analyze.
etc, etc.
Play with it, it will really pay off.
I've already located a bunch of .br, .cl, .py, .ar subscriber nets with PTR
hostnames spamming like hell to add to my mta_clients_subscriber.regexp.
Len
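
An added example, not from Len's or the original poster's mail, that does the same PTR[IP] / from / to / helo extraction for the quoted recipe (steps 1-7) and Len's sorting variations, but anchored on the literal text Postfix writes instead of on awk field numbers. Two things bite the awk version in practice: Postfix releases that log an enhanced status code ("554 5.7.1 <helo>: ...") push every later field one position to the right, so $17/$18/$20 line up on one server and not on another, and `sort -t[ -k2` orders the IPs as strings (192.0.2.200 sorts before 192.0.2.30). The log lines below are constructed, and the function names are my own:

```shell
#!/bin/sh
# Added example: extract the "4tuple" (PTR[IP], from, to, helo) from Postfix
# reject_warning log lines by pattern instead of by awk field position, and
# sort the report numerically by client IP.  Function names are my own.

# Constructed sample log lines (not from a real server).  Line 2 uses the
# older log format without the "5.7.1" enhanced status code; line 4 is
# unrelated noise that must be ignored.
SAMPLE_LOG='Mar  1 10:00:01 mx postfix/smtpd[1001]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.77]: 554 5.7.1 <ylmf-pc>: Helo command rejected: 4tuple; from=<bob@example.net> to=<alice@example.com> proto=SMTP helo=<ylmf-pc>
Mar  1 10:00:02 mx postfix/smtpd[1002]: NOQUEUE: reject_warning: RCPT from mail.example.org[198.51.100.5]: 554 <mail.example.org>: Helo command rejected: 4tuple; from=<news@example.org> to=<alice@example.com> proto=ESMTP helo=<mail.example.org>
Mar  1 10:00:03 mx postfix/smtpd[1003]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.200]: 554 5.7.1 <example.com>: Helo command rejected: 4tuple; from=<> to=<alice@example.com> proto=ESMTP helo=<example.com>
Mar  1 10:00:04 mx postfix/smtpd[1004]: connect from unknown[192.0.2.9]'

# fourtuple_report: stdin = maillog, stdout = "PTR[IP] from=<..> to=<..> helo=<..>".
# One sed pattern anchors on the words Postfix writes, so it works whether or
# not the "554" is followed by an enhanced status code.  Non-matching lines
# (connects, disconnects, deliveries) are dropped by -n.
fourtuple_report() {
    sed -n 's/^.*reject_warning: RCPT from \([^ ]*\): .*: Helo command rejected: 4tuple; from=<\([^>]*\)> to=<\([^>]*\)> .* helo=<\([^>]*\)>$/\1 from=<\2> to=<\3> helo=<\4>/p'
}

# sort_by_ip: order report lines by the four IPv4 octets as numbers, not as
# text (text order puts 192.0.2.200 before 192.0.2.30).  Each line gets a
# zero-padded 12-digit key prepended, is sorted on it, and the key is cut off.
# Lines whose bracket does not hold a dotted quad (e.g. IPv6) are kept and
# sink to the end.
sort_by_ip() {
    awk '{
        n = 0
        if (match($0, /\[[0-9.]+\]/)) {
            n = split(substr($0, RSTART + 1, RLENGTH - 2), o, ".")
        }
        key = (n == 4) ? sprintf("%03d%03d%03d%03d", o[1], o[2], o[3], o[4]) : "zzzzzzzzzzzz"
        print key " " $0
    }' | LC_ALL=C sort -k1,1 | cut -d' ' -f2-
}

# The "from unknown[" trick from the mail, as filters on the finished report:
# PTR-less clients are logged by Postfix as "unknown[IP]".
ptrless_only() { grep '^unknown\['; }
ptrful_only()  { grep -v '^unknown\['; }

# Usage against the constructed sample.  On a server, replace the printf with
#   fourtuple_report < /var/log/maillog | sort_by_ip | less
printf '%s\n' "$SAMPLE_LOG" | fourtuple_report | sort_by_ip
```

For the live view, `tail -f /var/log/maillog | fourtuple_report` works the same way, but note that sed block-buffers its output when writing to a pipe, so lines appear late unless your sed has an unbuffered option (GNU sed -u).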