Here's a couple of commands that give you two report files for subscriber,
one with subscriber blocks for explicit matches:
    zegrep -i "smtpd.*reject.*subscriber" /var/log/maillog.[0-9].gz | egrep -iv "joker" \
        | awk '{print $10}' | sort -f | uniq -i | sort -t[ -k2 > /var/tmp/subscriber_nojoker.txt

and one for the jokers:

    zegrep -i "smtpd.*reject.*subscriber" /var/log/maillog.[0-9].gz | egrep -i "joker" \
        | awk '{print $10}' | sort -f | uniq -i | sort -t[ -k2 > /var/tmp/subscriber_joker.txt

I'm amazed at how many joker networks there are, since I spent a LOT of
time harvesting the original explicit network regexps.
I can't see any way, other than manually, of extracting
subscriber_joker.txt PTR hostname groups into individual /regex/, so it's
tedious work.
Also note, if you find any legit non-subscriber MTAs using subscriber-style
PTRs, like these beauties:
12-14-115-040.mastercard.com[12.14.115.40]:
host-12-154-167-140.citizensbank.com[12.154.167.140]:
205-158-62-67.outblaze.com[205.158.62.67]:
... then share them here so we can DUNNO them:
/mastercard\.com/ DUNNO
/citizensbank\.com/ DUNNO
/outblaze\.com/ DUNNO
(btw, outblaze is not a spammer, even if you see tons of mail from them
for unknown recipients. The head mail guy is a famous, vociferous
anti-spammer, but his hosted legit, non-spamming mail domains do send a lot
of mail to unknown users (dirty lists, I guess).)
======================
The report files are sorted by IP address, which makes it easier to spot a
group of subscriber PTRs and write the new regex pattern to block them, to
be added as an explicit match alongside the non-joker regexes.
For those who want to whitelist a network regex, here's a suggestion.
Commenting out the regex is not recommended:

    #/regex/ 554 .......

... will cause postfix to continue processing the file (uselessly), while

    /regex/ DUNNO

.... will cause a match and postfix to exit from the file.
Practically (and the size of the file demands practical skill and tricks),
rather than going into the file and editing each line's "554 text" into a
"DUNNO", identify the networks' regexes you want to whitelist and put them
at the top of the file (giving a fast exit), leaving the body of the file
untouched:

    #whitelist subscriber networks with too many legit servers for my users
    /regex/ DUNNO
    /regex/ DUNNO
    /regex/ DUNNO
    #all explicit network regex
    /(kbl.*\.zeelandnet\.nl)/ 554 ACL mta_clients_subscriber The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"
    etc.
    #network jokers
    /(.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"
    /(.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"
    #shorties
    /(.*[0-9]{2,3}\-[0-9]{2,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker2 The IP address of your sending machine is on a proscribed subscriber access network. Send from a non-subscriber network, PTR = "$1"

"shorties" does catch a lot of obvious subscriber nets, but, no surprise,
it also catches some non-subscriber PTRs, so stay vigilant.
===================================================
btw, you CANNOT accomplish the above whitelisting with two files, putting
all the DUNNOs in the first file (that would be too nice, huh? my own
private whitelist file running before the big common file):

    check_client_access pcre:/etc/postfix/mta_clients_subscriber_dunno.regexp,
    check_client_access pcre:/etc/postfix/mta_clients_subscriber.regexp

... because a DUNNO match exits from the first file and postfix proceeds to
the next, so the DUNNO has to be in the same file as the reject rule, and
before it, since regexp: and pcre: files are processed in physical order.
(And note that cleanup's filter *_checks.regexp files are not processed in
the same way as smtpd's access .regexp files, and the ACTIONs in a *_checks
file are different from the ACTIONs in an access file; see man 5 access and
man pcre_table.)
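As an added illustration (not from this post and not Postfix's own code), here is a small Python emulation of the two behaviours described above: a pcre: access table is walked in physical order with the first match deciding, and a DUNNO in one check_client_access table only moves Postfix on to the next table. It uses the post's own regexes with the reject text shortened; the client hostnames and the lookup emulation itself are constructed assumptions.

```python
import re

# Constructed tables in the post's layout: whitelist DUNNOs first, rejects after.
WHITELIST = r"""
#whitelist subscriber networks with too many legit servers for my users
/mastercard\.com/ DUNNO
/citizensbank\.com/ DUNNO
/outblaze\.com/ DUNNO
"""
RULES = r"""
#all explicit network regex
/(kbl.*\.zeelandnet\.nl)/ 554 ACL mta_clients_subscriber PTR = "$1"
#network jokers
/(.*[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}\-[0-9]{1,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker PTR = "$1"
/(.*[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker PTR = "$1"
#shorties
/(.*[0-9]{2,3}\-[0-9]{2,3}.*\..*\..*)/ 554 ACL mta_clients_subscriber_joker2 PTR = "$1"
"""

# One table line: /pattern/flags action  (per-line pcre flags are not emulated)
LINE = re.compile(r"^/(.*?)/(\S*)\s+(.*)$")

def lookup(table_text, client_name):
    """Emulate one pcre: access-table lookup on a client hostname: lines are tried
    in physical order, '#' lines are skipped (a commented-out rule never matches),
    the first match decides.  Case-insensitive, as Postfix pcre tables are by
    default.  Returns the action with $1 expanded, or None if nothing matched."""
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if m is None:
            continue
        pattern, _flags, action = m.groups()
        hit = re.compile(pattern, re.IGNORECASE).search(client_name)
        if hit:
            return action.replace("$1", hit.group(1) if hit.groups() else "")
    return None

def check_client_access(tables, client_name):
    """Emulate chained check_client_access restrictions: DUNNO (or no match) in one
    table just moves on to the next, so a DUNNO only shields a client when it sits
    in the same file as, and ahead of, the reject rule."""
    for table in tables:
        action = lookup(table, client_name)
        if action is not None and action != "DUNNO":
            return action
    return "DUNNO"
```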
This "joker" maintenance is no joke, it's a pain in the @ss (but we don't
have to do it every day, only once a month or so), so sharing here will
help everyone. Promoting stuff from joker to explicit is to help people
DUNNO specific networks that get caught by the jokers.
As I mentioned earlier, marketing reports are that cable/DSL subscriber
uptake is booming, so the mail abuse (and compromised subscriber machines)
will continue booming also. Nothing has changed, other than for the much
worse, as the boom in subscriber IPs that spam, and, above all, the volumes
they spam with, will always dominate the comparatively tiny number of legit
IPs and their legit volume.
Len