Jose Hales-Garcia put forth on 4/11/2011 8:00 PM:
>
> On Apr 11, 2011, at 3:44 PM, Stan Hoeppner wrote:
>
>>> My first idea for handling these messages is writing a filter in
>>> header_checks using regexp. Is this the best approach to take using
>>> Postfix 2.4.3?
>>
>> Probably not. Provide the full header and we may be able to give you
>> better options.
>
> I've put it below (from the latest one to arrive).
>
> Received: from [190.221.28.39] (unknown [190.221.28.39])

In this example, reject_unknown_reverse_client_hostname would have
generated a 450 rejection. You should always use
reject_unknown_reverse_client_hostname at minimum, or the more restrictive
reject_unknown_client_hostname, though this one can cause problems with FPs
on occasion. Best to use it with warn_if_reject for a while and monitor
what it would have rejected.

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

However, it appears that 190.221.28.39 has rDNS of

Name:    host39.190-221-28.telmex.net.ar
Address: 190.221.28.39

so reject_unknown_reverse_client_hostname isn't a permanent solution here.

The host is HELO'ing with an IP address, something legitimate hosts don't
normally do. A check_helo_access pcre table with an expression that
rejects dotted quads (and other undesirable HELO strings) would work well
here.

Rejecting hosts with generic rDNS, or scoring generic rDNS aggressively in
SA, is also a good way to stop spam from such hosts. fqrdns.pcre would
have rejected this mail outright:

$ postmap -q host39.190-221-28.telmex.net.ar pcre:fqrdns.pcre
REJECT Generic - Please relay via ISP (telmex.net.ar)

See: http://www.hardwarefreak.com/fqrdns.pcre

This pcre table stops a lot of spam. Many OPs here use it with good
success. Instructions are comments at the top of the file. Very low FP
rate. If most of the spam that's causing you a problem is from sources
similar to this host, you'll be pleasantly surprised how much of it
fqrdns.pcre rejects.

-- 
Stan
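The two tables Stan describes, a check_helo_access pcre table that rejects dotted-quad and other unwanted HELO strings and a generic-rDNS table in the fqrdns.pcre style, as an added example that is not part of the original thread and is not Stan Hoeppner's fqrdns.pcre. The table file path, the server address 203.0.113.25, the domain example.com, the telmex.net.ar naming pattern, and the wiring of the rDNS table through check_client_access are all this example's own assumptions. Because postmap is not available offline, the block also carries a small Python emulation of how Postfix walks a pcre: table (first matching rule wins, matching case-insensitive unless the i flag toggles it, optional ! negation) so the rules can be exercised against constructed HELO and rDNS values before they are put in front of real mail.

```python
# Added example, not from the original post and not Stan Hoeppner's fqrdns.pcre:
# a check_helo_access pcre table for dotted-quad and other unwanted HELO strings,
# a generic-rDNS table in the same format, and an offline emulation of how
# Postfix walks a pcre: table (first matching rule wins, case-insensitive by
# default) so the rules can be tested without a running Postfix.
import re

# Table for:  smtpd_helo_required = yes
#             smtpd_helo_restrictions = permit_mynetworks,
#                 check_helo_access pcre:/etc/postfix/helo_access.pcre, ...
# (path, server IP 203.0.113.25 and domain example.com are assumed values)
HELO_TABLE = r"""
# Bare dotted quad such as "190.221.28.39": legitimate MTAs send a hostname
# or an RFC 5321 address literal in brackets, not a naked IP.
/^\d+\.\d+\.\d+\.\d+$/          REJECT HELO is a bare IP address, send a hostname
# A bracketed literal is legal, but one carrying *our* address is a forgery.
/^\[203\.0\.113\.25\]$/         REJECT HELO with my own IP address
# No dot at all ("localhost", "PC-123", "USER"): not a fully qualified name.
/^[^.]+$/                        REJECT HELO is not a fully qualified hostname
# Outside hosts claiming to be us (flag-less rules match case-insensitively).
/^(mail\.)?example\.com$/        REJECT HELO with my own hostname
# Anything else falls through to the next restriction.
"""

# Generic-rDNS table in the style of fqrdns.pcre, assumed to be wired in with
# check_client_access so the lookup key is the client's reverse DNS name. The
# pattern below is this example's own guess at the telmex.net.ar naming
# scheme, not a line copied from fqrdns.pcre.
RDNS_TABLE = r"""
/^host\d+\.\d+-\d+-\d+\.telmex\.net\.ar$/  REJECT Generic - Please relay via ISP (telmex.net.ar)
"""

# One rule line: optional "!" negation, /pattern/, optional flags, result text.
RULE_RE = re.compile(r"^(?P<neg>!?)/(?P<pat>(?:\\/|[^/])*)/(?P<flags>[A-Za-z]*)\s+(?P<result>.+?)\s*$")


def parse_pcre_table(text):
    """Parse pcre_table(5)-style lines into (negated, compiled_regex, result)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pcre table line: {raw!r}")
        # pcre_table(5): matching is case-insensitive unless the 'i' flag toggles it off.
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        rules.append((m.group("neg") == "!", re.compile(m.group("pat"), flags), m.group("result")))
    return rules


def lookup(rules, key):
    """Emulate 'postmap -q key pcre:table': first matching rule wins, else None.
    (Result-text substitutions such as $1 are not emulated here.)"""
    for negated, regex, result in rules:
        if (regex.search(key) is not None) != negated:
            return result
    return None


HELO_RULES = parse_pcre_table(HELO_TABLE)
RDNS_RULES = parse_pcre_table(RDNS_TABLE)


def check_client(helo, rdns):
    """Return (restriction, result) for the first table that rejects, or None."""
    result = lookup(HELO_RULES, helo)
    if result:
        return ("check_helo_access", result)
    result = lookup(RDNS_RULES, rdns)
    if result:
        return ("check_client_access", result)
    return None


if __name__ == "__main__":
    # Constructed sample clients (HELO argument, reverse DNS name).
    clients = [
        ("190.221.28.39", "host39.190-221-28.telmex.net.ar"),    # the host from the thread
        ("[190.221.28.39]", "host39.190-221-28.telmex.net.ar"),  # legal literal, generic rDNS
        ("localhost", "198.51.100.7.dynamic.example.net"),       # not an FQDN
        ("MAIL.EXAMPLE.COM", "198.51.100.8"),                    # forged, mixed case
        ("mx1.example.org", "mx1.example.org"),                  # well-behaved sender
    ]
    for helo, rdns in clients:
        verdict = check_client(helo, rdns)
        print(f"{helo:22} {rdns:36} -> {verdict or 'pass'}")
```

The order of the rules matters, as it does in Postfix: the bare-IP pattern comes first so that a naked dotted quad gets the specific message rather than falling into the "not fully qualified" catch-all. A bracketed literal that is not our own address deliberately passes the HELO table, since RFC 5321 permits it; such a client is then judged on its reverse DNS instead, which is exactly where fqrdns.pcre earns its keep. Run the emulation with warn_if_reject in mind: feed it a day of HELO and client names from the logs before turning any REJECT loose on production mail.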
