I have been getting some rather annoying spam lately.

From the headers:

Received: from imgate01.cybertime.net [209.203.82.24] by cybertime.net
    with ESMTP (SMTPD32-8.05) id AAEC61C0130; Tue, 13 Jan 2004 10:37:32
    -0800
Received: from 216.117.206.24 (unknown [219.249.104.155]) by
     imgate01.cybertime.net (Postfix IMGate01 Hub) with SMTP id
     1A75DD714D for <[EMAIL PROTECTED]>; Tue, 13 Jan 2004
     10:47:21 -0800 (PST)
Received: from [219.249.104.155] by 123.214.200.11 with HTTP;
 Tue, 13 Jan 2004 11:36:13 +0500
From: "Monica" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: EH, and fell asleep
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [210.29.236.4]
Date: Tue, 13 Jan 2004 07:32:13 +0100
Reply-To: "Contreras" <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
 boundary="3882424324972495"
Message-Id: <[EMAIL PROTECTED]>
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-IMail-Rule: [EMAIL PROTECTED]:Postmaster
    Data- [EMAIL PROTECTED]
X-UIDL: 313025738

Now this is to the postmaster address, which means it will bypass most of
my restrictions.

One thing it will not get past is where I check for forged HELOs that use
my IP as the HELO.  But the above seems to be using my IP as the HELO and
still getting through.

My IMGate has two addresses on it, 209.203.82.24 and 216.117.206.24.  That
way, if one feed is down, it should still get mail via the other feed.
Both of these are tested with my helo_local_forged.pcre.

imgate01# cat /etc/postfix/helo_local_forged.pcre
# A PCRE check on the inbound host name to see if it is forged as our IP,
# using our host name, or using an invalid host name
# NOTE: This is intended as an early check, after local networks but before
# exemptions.
# Dots in the IP patterns are escaped so they match a literal '.', not any
# character.

/216\.117\.206\.24/      REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/\[?216\.117\.206\.24/      REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/209\.203\.82\.24/      REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/\[?209\.203\.82\.24/      REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/^cybertime\.net/ REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/^mail\.cybertime\.net/ REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/^imgate01\.cybertime\.net/ REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/^imgate01a\.cybertime\.net/ REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/localhost/     REJECT RFC 1893 Err. 5.1.8 Hostname invalid
/localdomain/   REJECT RFC 1893 Err. 5.1.8 Hostname invalid

Yes, there is a little redundancy in there on the IPs.

I did a little log digging to see what else I could see.

Here are the logs for the above noted message that made it:

Jan 13 10:47:22 imgate01 postfix/smtpd[37338]: 1A75DD714D:
    client=unknown[219.249.104.155]
Jan 13 10:47:25 imgate01 postfix/cleanup[37345]: 1A75DD714D:
    message-id=<[EMAIL PROTECTED]>
Jan 13 10:47:25 imgate01 postfix/qmgr[10657]: 1A75DD714D:
    from=<[EMAIL PROTECTED]>, size=2739, nrcpt=1 (queue active)
Jan 13 10:47:25 imgate01 postfix/smtp[37192]: 1A75DD714D:
    to=<[EMAIL PROTECTED]>, relay=209.203.82.26[209.203.82.26],
    delay=4, status=sent (250 Message queued)
Jan 13 10:47:25 imgate01 postfix/qmgr[10657]: 1A75DD714D: removed

And here is another that was blocked by the same PCRE check on the same
day.

Jan 13 23:57:41 imgate01 postfix/smtpd[39525]: NOQUEUE: reject:
    RCPT from unknown[220.73.42.11]: 554 <216.117.206.24>:
    Helo command rejected: RFC 1893 Err. 5.1.8 Hostname invalid;
     from=<[EMAIL PROTECTED]> to=<REMOVED>
     proto=SMTP helo=<216.117.206.24>

Since /etc/postfix/helo_local_forged.pcre is the only file with that "RFC
1893 Err. 5.1.8 Hostname invalid" I can tell the check is working.

I have only one "permit" before /etc/postfix/helo_local_forged.pcre,
permit_mynetworks, and the rest are rejects.  The postmaster@ exemption is
two lines after in the order.  So I cannot see any reason why this would
be marked as "good" when their use of my IP should cause it to reject.

Anyone else have any ideas?

--Eric
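The post's question is whether the forged HELO in that message should have hit helo_local_forged.pcre. One way to check offline, as an added example that is not part of the original post or of Postfix itself, is to pull the HELO argument and client IP out of Postfix-style Received headers and run each HELO through a copy of the map with the same semantics Postfix applies to a pcre: table (rules tried in file order, unanchored case-insensitive search, first match wins). The map below is a constructed copy of the poster's rules with the dots escaped; the sample headers and the example.invalid / example.net addresses are constructed, modelled on the headers in the post. The last call in the main block also shows why escaping matters: the unescaped form from the posted file matches names that are not the gateway's IP at all.

```python
"""Check the HELO names recorded in Received headers against a Postfix
pcre: HELO access map, the way check_helo_access would.

Added example, not code from the original post or from Postfix.  The map
contents are a constructed copy of the poster's helo_local_forged.pcre;
the sample headers are constructed, modelled on the ones in the post.
"""
import re

REJECT = "REJECT RFC 1893 Err. 5.1.8 Hostname invalid"

# Constructed copy of the poster's map, one (pattern, action) per rule, in
# file order.  Dots are escaped so they match only a literal '.'; the
# posted file left them unescaped, where '.' matches any character.
HELO_MAP = [
    (r"\[?216\.117\.206\.24", REJECT),
    (r"\[?209\.203\.82\.24", REJECT),
    (r"^cybertime\.net", REJECT),
    (r"^mail\.cybertime\.net", REJECT),
    (r"^imgate01\.cybertime\.net", REJECT),
    (r"^imgate01a\.cybertime\.net", REJECT),
    (r"localhost", REJECT),
    (r"localdomain", REJECT),
]


def lookup(helo, rules=HELO_MAP):
    """Mimic Postfix pcre: table semantics: rules are tried in file order,
    each pattern is an unanchored, case-insensitive search (Postfix's
    default for pcre tables), and the first match wins.  Returns the
    action text, or None when no rule matches (the lookup 'misses')."""
    for pattern, action in rules:
        if re.search(pattern, helo, re.IGNORECASE):
            return action
    return None


# Postfix writes 'Received: from HELO (rDNS [IP]) by ...'; this picks the
# HELO argument and the connecting client's IP out of that clause.
_RECEIVED = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\) by",
    re.MULTILINE,
)


def parse_received(headers):
    """Return (helo, client_ip) for every Postfix-style Received header in
    the block, unfolding continuation lines (leading whitespace) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)
    return [(m.group("helo"), m.group("ip")) for m in _RECEIVED.finditer(unfolded)]


def audit(headers, rules=HELO_MAP):
    """For each hop, report which action the HELO map would have returned."""
    return [(helo, ip, lookup(helo, rules)) for helo, ip in parse_received(headers)]


# Constructed sample, modelled on the headers in the post: a hop whose
# HELO is the gateway's own IP, followed by an ordinary hop.
SAMPLE_HEADERS = """\
Received: from 216.117.206.24 (unknown [219.249.104.155]) by
     imgate01.cybertime.net (Postfix IMGate01 Hub) with SMTP id
     1A75DD714D for <postmaster@example.invalid>; Tue, 13 Jan 2004
     10:47:21 -0800 (PST)
Received: from mail.example.net (mail.example.net [192.0.2.10]) by
     imgate01.cybertime.net (Postfix) with ESMTP id 0000000000
     for <user@example.invalid>; Tue, 13 Jan 2004 10:50:00 -0800 (PST)
"""

if __name__ == "__main__":
    for helo, ip, action in audit(SAMPLE_HEADERS):
        print(f"helo=<{helo}> client=[{ip}] -> {action or 'no match (DUNNO)'}")
    # The unescaped form from the posted file also matches unrelated names:
    print(lookup("216x117x206x24", [(r"216.117.206.24", REJECT)]))
```

Run against the headers of a message that got through, the first hop's action column tells you whether the map itself misses the HELO (a pattern problem) or matches it (in which case the cause lies in the restriction order, since a matching check_helo_access rule returns REJECT only if an earlier restriction has not already returned a permit). Note that if the client never sent HELO at all, the Received header carries no HELO name and there is nothing for the map to match.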
