On 4/27/2019 2:15 PM, @lbutlr wrote:
I've had the following in my fqrdns.pcre checks for quite a while:
/^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT Generic - Please relay via ISP (amazonaws.com)
Yes, that's in the fqrdns.pcre download.
And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).
I don't notice bursts like that, but that doesn't sound like ham. A quick browse through my aws rejects doesn't show anything that looks like wanted mail, but that's just guessing from the sender domain.
Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).
Postfix will log all rejects. Are you maybe filtering your log file somehow?
Am I right in blocking these connections? Is there any reason for an aws server to be sending mail directly that I am overlooking?
Probably ok to block these. Generic aws servers may not be 100% spam, but I think it's pretty close.
(the fqrdns.pcre file is a file I downloaded several years back and have made occasional modifications to, so I am not sure if this was something I added or part of the original file, though I suspect the latter)
I still use the fqrdns.pcre too, and I can't remember the last false negative when it rejected good mail. But its effectiveness has slipped lately, I guess because (my)? spammers seem to have mostly moved to hijacking legit servers and email accounts, and/or postscreen catches them before they get to smtpd. It still seems safe.
-- Noel Jones
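
The check discussed in this thread, as an added example that is not part of the original messages or of Postfix: Python that applies the quoted fqrdns.pcre pattern to Postfix smtpd log lines and reports, per matching client, the number of connects, the number of logged rejects, and whether the connects came in a burst. The log lines are constructed and abbreviated; the `window`, `burst` and `year` parameters and all helper names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern quoted in the thread (fqrdns.pcre entry for generic EC2 rDNS names).
EC2_RDNS = re.compile(r"^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$")
# Postfix smtpd lines: "connect from host[ip]" / "NOQUEUE: reject: RCPT from host[ip]: ..."
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<kind>connect from|NOQUEUE: reject: \w+ from) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)

def summarize(lines, window=timedelta(minutes=5), burst=3, year=2019):
    """Per matching client: connect count, logged reject count, burst flag."""
    stats = defaultdict(lambda: {"connects": [], "rejects": 0})
    for line in lines:
        m = LINE.match(line)
        if not m or not EC2_RDNS.match(m["host"]):
            continue  # not an smtpd connect/reject line, or not a generic EC2 name
        entry = stats[m["host"]]
        if m["kind"] == "connect from":
            # Classic syslog timestamps carry no year; one is supplied (assumption).
            entry["connects"].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
        else:
            entry["rejects"] += 1
    report = {}
    for host, e in stats.items():
        times = sorted(e["connects"])
        # Sliding window: do any `burst` consecutive connects fall within `window`?
        bursty = any(times[i + burst - 1] - times[i] <= window
                     for i in range(len(times) - burst + 1))
        report[host] = {"connects": len(times), "rejects": e["rejects"], "burst": bursty}
    return report

# Constructed, abbreviated sample log lines (documentation IP ranges, not real traffic).
P = "mail postfix/smtpd[4242]: "
A = "ec2-203-0-113-7.compute-1.amazonaws.com[203.0.113.7]"
B = "ec2-198-51-100-20.compute-1.amazonaws.com[198.51.100.20]"
REJ = ": 554 5.7.1 Client host rejected: Generic - Please relay via ISP (amazonaws.com)"
SAMPLE = [
    f"Apr 27 14:01:02 {P}connect from {A}",
    f"Apr 27 14:01:03 {P}NOQUEUE: reject: RCPT from {A}{REJ}",
    f"Apr 27 14:02:10 {P}connect from {A}",
    f"Apr 27 14:02:11 {P}NOQUEUE: reject: RCPT from {A}{REJ}",
    f"Apr 27 14:03:30 {P}connect from {A}",
    f"Apr 27 14:20:00 {P}connect from {B}",
    f"Apr 27 14:21:00 {P}connect from mail.example.org[192.0.2.25]",
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A client whose connect count exceeds its reject count is the case to look at when comparing connection attempts with what the log shows as rejected.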
