Re: Spoofed freemail domains protection not working for postmaster

2010-06-17 Thread Покотиленко Костик
On Mon, 14/06/2010 at 09:39 -0500, Noel Jones wrote:
 On 6/14/2010 2:46 AM, Покотиленко Костик wrote:
  Also can somebody state that my postfix version (Debian says it's
  2.5.5-1.1) doesn't have postmaster hardcoded internal checks? It seems
  like it has, because there is no postmaster accepting rule in my
  configuration:
 
  /etc/postfix # grep -R postmaster *
  main.cf:address_verify_sender = postmas...@meteor.dp.ua
  post-install:that send mail for root and postmaster to a real
  person, then
 
 
 That's your problem right there.  The default for postfix 2.5 is:
 
 address_verify_sender = $double_bounce_sender
 
 So either remove that line from your configuration or change 
 it to the recommended value.

Thanks a lot, you got it!

With this applied (also with sorbs and my spoof protection) no spam at
all for 2 days.

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-15 Thread Покотиленко Костик
On Mon, 14/06/2010 at 09:39 -0500, Noel Jones wrote:
 On 6/14/2010 2:46 AM, Покотиленко Костик wrote:
  Also can somebody state that my postfix version (Debian says it's
  2.5.5-1.1) doesn't have postmaster hardcoded internal checks? It seems
  like it has, because there is no postmaster accepting rule in my
  configuration:
 
  /etc/postfix # grep -R postmaster *
  main.cf:address_verify_sender = postmas...@meteor.dp.ua
  post-install:that send mail for root and postmaster to a real
  person, then
 
 
 That's your problem right there.  The default for postfix 2.5 is:
 
 address_verify_sender = $double_bounce_sender
 
 So either remove that line from your configuration or change 
 it to the recommended value.

Thanks, I'll try that out.

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-14 Thread Покотиленко Костик
On Fri, 11/06/2010 at 17:48 -0400, Sahil Tandon wrote:
 You mention that /etc/postfix/recipients_access is empty, but why then
 do you keep it in smtpd_recipient_restrictions?  And although the flat
 file is empty, did you postmap it to rebuild the hash (.db file) as
 well?

 Actually, before going down that road: did the abovementioned file
 contain an OK for postmaster before you emptied it?

/etc/postfix/recipients_access was to blacklist (not to whitelist) some
recipients. We had another domain which was sharing
usernames/mailboxes, then it split. And I was receiving mail for
their postmaster during the time of the move, when I hadn't removed their
domain from mydomains yet.

So there were lines like this:

postmas...@otherdomain REJECT
webmas...@otherdomain REJECT

After the move had been completed I emptied this file, postmapped it and
removed the domain from mydomain. I left it there to be able to do this kind
of thing later if I need to.

# ls -la recipients_access*
-rw-r--r-- 1 root root    0 Июн  9 13:02 recipients_access
-rw-r--r-- 1 root root 3072 Июн  9 13:03 recipients_access.db

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-14 Thread Покотиленко Костик
On Sat, 12/06/2010 at 20:27 -0500, Stan Hoeppner wrote:
 Покотиленко Костик put forth on 6/11/2010 2:24 PM:
 
  This client name unmunged:
  
  smtp.harddriveme.com [111.67.206.181]
 
 This should have been caught by one of the two SORBS lists you said you added
 per my advice.  SORBS has been listing the parent /20 since Nov 2009.
 
 Netblock: 111.67.192.0/20 (111.67.192.0-111.67.207.255)
 Record Created:   Thu Nov 12 03:59:27 2009 GMT
 Record Updated:   Thu Nov 12 03:59:27 2009 GMT
 Additional Information:   Viagra / Medz Mass spammers spam support
 
 http://www.au.sorbs.net/using.shtml
 
 Did you reload Postfix after editing main.cf?  If so, you need to make sure
 your white listing and other checks that precede and follow your dnsbl checks
 aren't causing these spam connections to be accepted.  I had similar problems
 quite some time ago until folks here convinced me to go with the everything
 under smtpd_recipient_restrictions method.  This allows you to more easily
 dictate and verify the exact processing order of your restrictions.
 
  I only changed my domain name to example.com. This mail server
  smtp/pop/imap box which is MX for my domain. Mail server is in DMZ,
  darkstar is its local name. Router is doing DNAT for connects on 25
  port on external domain and mx ip.
 
 Ok, got it.
 
  If I made log unreadable I can repost it unchanged, just let me know.
 
 No, I just needed to see that client unmunged for reasons stated above.  That
 particular IP address is listed by SORBS.  Your MX should be rejecting it
 based on that.  Like I said, if it's not, something else is wrong that needs
 to be looked into.

When I do a database check on the SORBS website it gives me a red line saying:

Currently active and flagged to be published in DNS

What does it mean? Is it listed? Or is it scheduled to be listed?

Also can somebody state that my postfix version (Debian says it's
2.5.5-1.1) doesn't have postmaster hardcoded internal checks? It seems
like it has, because there is no postmaster accepting rule in my
configuration:

/etc/postfix # grep -R postmaster *
main.cf:address_verify_sender = postmas...@meteor.dp.ua
post-install:that send mail for root and postmaster to a real
person, then

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-14 Thread Noel Jones

On 6/14/2010 2:46 AM, Покотиленко Костик wrote:

Also can somebody state that my postfix version (Debian says it's
2.5.5-1.1) doesn't have postmaster hardcoded internal checks? It seems
like it has, because there is no postmaster accepting rule in my
configuration:

/etc/postfix # grep -R postmaster *
main.cf:address_verify_sender = postmas...@meteor.dp.ua
post-install:that send mail for root and postmaster to a real
person, then



That's your problem right there.  The default for postfix 2.5 is:

address_verify_sender = $double_bounce_sender

So either remove that line from your configuration or change 
it to the recommended value.


  -- Noel Jones
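
The check described in this reply, as an added example (not code from the thread or from Postfix): it reads main.cf and `postconf -d` text, works out which address_verify_sender is in effect, and flags a value that is also a real mailbox. The sample config, the address postmaster@example.com and all function names are constructed for illustration.

```python
import re

# Values taken from the thread: the default since Postfix 2.5, and the older default.
CURRENT_DEFAULT = "$double_bounce_sender"
OLD_DEFAULT = "postmaster"

def parse_postfix_params(text):
    """Parse main.cf / postconf-style text into {name: value}.

    A line starting with whitespace continues the previous parameter,
    blank lines and '#' comment lines are skipped, and the last
    assignment of a name wins.
    """
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if name is not None:
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        name = m.group(1) if m else None
        if m:
            params[name] = m.group(2).strip()
    return params

def effective_verify_sender(main_cf, postconf_d):
    """Return (value, origin): the explicit setting, else the version's default."""
    explicit = parse_postfix_params(main_cf).get("address_verify_sender")
    if explicit is not None:
        return explicit, "main.cf"
    # An unknown version is treated as old, which is the cautious reading.
    version = parse_postfix_params(postconf_d).get("mail_version", "0")
    major_minor = tuple(int(x) for x in re.findall(r"\d+", version)[:2])
    default = CURRENT_DEFAULT if major_minor >= (2, 5) else OLD_DEFAULT
    return default, "built-in default"

def audit(main_cf, postconf_d, real_mailboxes=("postmaster",)):
    """Flag a probe sender whose local part is also a delivered mailbox."""
    value, origin = effective_verify_sender(main_cf, postconf_d)
    if value == CURRENT_DEFAULT or value in ("", "<>"):
        return "ok", value, origin        # default or null sender
    if value.split("@", 1)[0].lower() in real_mailboxes:
        return "risk", value, origin      # mail to this address skips the checks
    return "review", value, origin

# Constructed sample input (the thread's own address is truncated, so a
# placeholder is used here).
BROKEN = """\
# constructed main.cf fragment
smtpd_client_restrictions =
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org
address_verify_sender = postmaster@example.com
"""
FIXED = BROKEN.replace("postmaster@example.com", CURRENT_DEFAULT)
POSTCONF_D = "mail_version = 2.5.5\nmilter_macro_v = $mail_name $mail_version\n"

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED), ("line removed", "")):
        print(label, audit(cfg, POSTCONF_D))
```
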



Re: Spoofed freemail domains protection not working for postmaster

2010-06-12 Thread Stan Hoeppner
Покотиленко Костик put forth on 6/11/2010 2:24 PM:

 This client name unmunged:
 
 smtp.harddriveme.com [111.67.206.181]

This should have been caught by one of the two SORBS lists you said you added
per my advice.  SORBS has been listing the parent /20 since Nov 2009.

Netblock:   111.67.192.0/20 (111.67.192.0-111.67.207.255)
Record Created: Thu Nov 12 03:59:27 2009 GMT
Record Updated: Thu Nov 12 03:59:27 2009 GMT
Additional Information: Viagra / Medz Mass spammers spam support

http://www.au.sorbs.net/using.shtml

Did you reload Postfix after editing main.cf?  If so, you need to make sure
your white listing and other checks that precede and follow your dnsbl checks
aren't causing these spam connections to be accepted.  I had similar problems
quite some time ago until folks here convinced me to go with the everything
under smtpd_recipient_restrictions method.  This allows you to more easily
dictate and verify the exact processing order of your restrictions.

 I only changed my domain name to example.com. This mail server
 smtp/pop/imap box which is MX for my domain. Mail server is in DMZ,
 darkstar is its local name. Router is doing DNAT for connects on 25
 port on external domain and mx ip.

Ok, got it.

 If I made log unreadable I can repost it unchanged, just let me know.

No, I just needed to see that client unmunged for reasons stated above.  That
particular IP address is listed by SORBS.  Your MX should be rejecting it
based on that.  Like I said, if it's not, something else is wrong that needs
to be looked into.

-- 
Stan
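
A way to reproduce the two checks raised in this message, as an added example (not code from the thread or from Postfix): it builds the DNSBL lookup name for the client IP, confirms the IP sits inside the listed /20, and walks a restriction list in order to show which entry decides. The evaluator is a simplified model that only understands permit_mynetworks and reject_rbl_client; the DNS answer table and the mynetworks values are constructed.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL lookup name: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Live A lookup; None means no answer, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def is_listed(ip, zone, resolve=system_resolver):
    """A DNSBL signals a listing with an A record inside 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def in_netblock(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate(client_ip, restrictions, mynetworks, resolve=system_resolver):
    """Simplified model of one restriction list: first decisive entry wins."""
    for item in restrictions:
        words = item.split()
        if words[0] == "permit_mynetworks":
            if any(in_netblock(client_ip, net) for net in mynetworks):
                return "PERMIT", item
        elif words[0] == "reject_rbl_client":
            if is_listed(client_ip, words[1], resolve):
                return "REJECT", item
        # entries this model does not implement are skipped
    return "DUNNO", None

# Client IP, netblock and zones as quoted in the thread.
CLIENT = "111.67.206.181"
SORBS_BLOCK = "111.67.192.0/20"
RESTRICTIONS = [
    "permit_mynetworks",
    "reject_rbl_client zen.spamhaus.org",
    "reject_rbl_client spam.dnsbl.sorbs.net",
    "reject_rbl_client recent.spam.dnsbl.sorbs.net",
]
# Constructed DNS answers so the example runs offline.
CONSTRUCTED_ANSWERS = {"181.206.67.111.spam.dnsbl.sorbs.net": "127.0.0.6"}
stub_resolver = CONSTRUCTED_ANSWERS.get

if __name__ == "__main__":
    print(dnsbl_query_name(CLIENT, "spam.dnsbl.sorbs.net"))
    print(in_netblock(CLIENT, SORBS_BLOCK))
    # Sane mynetworks: the SORBS entry rejects the client.
    print(evaluate(CLIENT, RESTRICTIONS, ["192.0.2.0/24"], stub_resolver))
    # Constructed misconfiguration: an over-broad permit shadows the DNSBL.
    print(evaluate(CLIENT, RESTRICTIONS, ["0.0.0.0/0"], stub_resolver))
```

Passing no `resolve` argument makes the same functions query live DNS, which is how to compare a list's published state with what the mail server actually sees.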




Re: Spoofed freemail domains protection not working for postmaster

2010-06-11 Thread Покотиленко Костик
On Thu, 10/06/2010 at 16:48 +0300, Покотиленко Костик wrote:
 On Thu, 10/06/2010 at 08:32 -0500, Stan Hoeppner wrote:
  Покотиленко Костик put forth on 6/10/2010 8:04 AM:
  
   Thanks for the suggestion, I'll apply it.
  
  You're welcome.
  
   But if somebody can help discover the (configuration) error which is
   prioritizing postmaster, that would be nice.
  
  postconf -d | grep mail_version might be helpful.  IIRC some early 
  versions
  of Postfix had some things related to postmaster hard coded.
 
 This is Debian lenny.
 
 # postconf -d | grep mail_version
 mail_version = 2.5.5
 milter_macro_v = $mail_name $mail_version

Any comments on this?

I've applied the configuration that Stan Hoeppner suggested, and it didn't
help much:

  smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_client_hostname,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client zen.spamhaus.org
 
 + reject_rbl_client b.barracudacentral.org [1]
   reject_rbl_client spam.dnsbl.sorbs.net
   reject_rbl_client recent.spam.dnsbl.sorbs.net
 reject_rhsbl_client dbl.spamhaus.org
 
  smtpd_sender_restrictions =
 
 +   reject_rhsbl_sender dbl.spamhaus.org
 
  smtpd_helo_restrictions =
 
 +   reject_rhsbl_helo dbl.spamhaus.org

I haven't registered at barracudacentral yet, so not added.

Here is a sample header of spam which got through after those additions:

==
Return-Path: olgarebrr...@mail.ru
Received: from example.com ([unix socket]) by darkstar.example.com
(Cyrus v2.2.13-Debian-2.2.13-14+lenny3) with LMTPA; Fri, 11 Jun 2010
03:54:41 +0300
X-Sieve: CMU Sieve 2.2
Received: from smtp.harddriveme.com (smtp.harddriveme.com
[111.67.206.181]) by example.com (Postfix) with ESMTP id 0753E11B9D5 for
postmas...@example.com; Fri, 11 Jun 2010 03:54:24 +0300 (EEST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.96.1 at darkstar.example.com
Date: Fri, 11 Jun 2010 04:21:30 +0400 (03:21 EEST)
From: Импoрт из Китaя olgarebrr...@mail.ru
To: postmas...@example.com
Reply-To: Импoрт из Китaя olgarebrr...@mail.ru
Subject: Организация импортa
X-Priority: 3 (Normal)
Message-ID: 3457841698.20091029461...@smtp.harddriveme.com
MIME-Version: 1.0
Content-Type: text/html; charset=windows-1251
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=1.1 required=5.0 tests=FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001,MIME_HTML_ONLY=1.105,UNPARSEABLE_RELAY=0.001
autolearn=no version=3.3.0
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on
darkstar.example.com
==


-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-11 Thread Stan Hoeppner
Покотиленко Костик put forth on 6/11/2010 1:37 PM:
 On Thu, 10/06/2010 at 16:48 +0300, Покотиленко Костик wrote:
 On Thu, 10/06/2010 at 08:32 -0500, Stan Hoeppner wrote:
 Покотиленко Костик put forth on 6/10/2010 8:04 AM:

 Thanks for the suggestion, I'll apply it.

 You're welcome.

 But if somebody can help discover the (configuration) error which is
 prioritizing postmaster, that would be nice.

 postconf -d | grep mail_version might be helpful.  IIRC some early 
 versions
 of Postfix had some things related to postmaster hard coded.

 This is Debian lenny.

 # postconf -d | grep mail_version
 mail_version = 2.5.5
 milter_macro_v = $mail_name $mail_version
 
 Any comments on this?
 
 I've applied the configuration that Stan Hoeppner suggested, and it didn't
 help much:
 
 smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unknown_client_hostname,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client zen.spamhaus.org

 + reject_rbl_client b.barracudacentral.org [1]
   reject_rbl_client spam.dnsbl.sorbs.net
   reject_rbl_client recent.spam.dnsbl.sorbs.net
 reject_rhsbl_client dbl.spamhaus.org

 smtpd_sender_restrictions =

 +   reject_rhsbl_sender dbl.spamhaus.org

 smtpd_helo_restrictions =

 +   reject_rhsbl_helo dbl.spamhaus.org
 
 I haven't registered at barracudacentral yet, so not added.
 
 Here is a sample header of spam which got through after those additions:
 
 ==
 Return-Path: olgarebrr...@mail.ru
 Received: from example.com ([unix socket]) by darkstar.example.com
 (Cyrus v2.2.13-Debian-2.2.13-14+lenny3) with LMTPA; Fri, 11 Jun 2010
 03:54:41 +0300
 X-Sieve: CMU Sieve 2.2
 Received: from smtp.harddriveme.com (smtp.harddriveme.com
 [111.67.206.181]) by example.com (Postfix) with ESMTP id 0753E11B9D5 for
 postmas...@example.com; Fri, 11 Jun 2010 03:54:24 +0300 (EEST)
 X-Virus-Status: Clean
 X-Virus-Scanned: clamav-milter 0.96.1 at darkstar.example.com
 Date: Fri, 11 Jun 2010 04:21:30 +0400 (03:21 EEST)
 From: Импoрт из Китaя olgarebrr...@mail.ru
 To: postmas...@example.com
 Reply-To: Импoрт из Китaя olgarebrr...@mail.ru
 Subject: Организация импортa
 X-Priority: 3 (Normal)
 Message-ID: 3457841698.20091029461...@smtp.harddriveme.com
 MIME-Version: 1.0
 Content-Type: text/html; charset=windows-1251
 Content-Transfer-Encoding: 8bit
 X-Spam-Status: No, score=1.1 required=5.0 tests=FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001,MIME_HTML_ONLY=1.105,UNPARSEABLE_RELAY=0.001
 autolearn=no version=3.3.0
 X-Spam-Level: *
 X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on
 darkstar.example.com
 ==

You've munged the headers so badly it's almost impossible to see what's going
on here.  Why did you munge the client name?  BTW, this is an MX host, correct?

-- 
Stan


Re: Spoofed freemail domains protection not working for postmaster

2010-06-11 Thread Покотиленко Костик
On Fri, 11/06/2010 at 13:54 -0500, Stan Hoeppner wrote:
 Покотиленко Костик put forth on 6/11/2010 1:37 PM:
  On Thu, 10/06/2010 at 16:48 +0300, Покотиленко Костик wrote:
  On Thu, 10/06/2010 at 08:32 -0500, Stan Hoeppner wrote:
  Покотиленко Костик put forth on 6/10/2010 8:04 AM:
 
  Thanks for the suggestion, I'll apply it.
 
  You're welcome.
 
  But if somebody can help discover the (configuration) error which is
  prioritizing postmaster, that would be nice.
 
  postconf -d | grep mail_version might be helpful.  IIRC some early 
  versions
  of Postfix had some things related to postmaster hard coded.
 
  This is Debian lenny.
 
  # postconf -d | grep mail_version
  mail_version = 2.5.5
  milter_macro_v = $mail_name $mail_version
  
  Any comments on this?
  
  I've applied the configuration that Stan Hoeppner suggested, and it didn't
  help much:
  
  smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_client_hostname,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client zen.spamhaus.org
 
  + reject_rbl_client b.barracudacentral.org [1]
reject_rbl_client spam.dnsbl.sorbs.net
reject_rbl_client recent.spam.dnsbl.sorbs.net
  reject_rhsbl_client dbl.spamhaus.org
 
  smtpd_sender_restrictions =
 
  +   reject_rhsbl_sender dbl.spamhaus.org
 
  smtpd_helo_restrictions =
 
  +   reject_rhsbl_helo dbl.spamhaus.org
  
  I haven't registered at barracudacentral yet, so not added.
  
  Here is a sample header of spam which got through after those additions:
  
  ==
  Return-Path: olgarebrr...@mail.ru
  Received: from example.com ([unix socket]) by darkstar.example.com
  (Cyrus v2.2.13-Debian-2.2.13-14+lenny3) with LMTPA; Fri, 11 Jun 2010
  03:54:41 +0300
  X-Sieve: CMU Sieve 2.2
  Received: from smtp.harddriveme.com (smtp.harddriveme.com
  [111.67.206.181]) by example.com (Postfix) with ESMTP id 0753E11B9D5 for
  postmas...@example.com; Fri, 11 Jun 2010 03:54:24 +0300 (EEST)
  X-Virus-Status: Clean
  X-Virus-Scanned: clamav-milter 0.96.1 at darkstar.example.com
  Date: Fri, 11 Jun 2010 04:21:30 +0400 (03:21 EEST)
  From: Импoрт из Китaя olgarebrr...@mail.ru
  To: postmas...@example.com
  Reply-To: Импoрт из Китaя olgarebrr...@mail.ru
  Subject: Организация импортa
  X-Priority: 3 (Normal)
  Message-ID: 3457841698.20091029461...@smtp.harddriveme.com
  MIME-Version: 1.0
  Content-Type: text/html; charset=windows-1251
  Content-Transfer-Encoding: 8bit
  X-Spam-Status: No, score=1.1 required=5.0 tests=FREEMAIL_FROM=0.001,
  HTML_MESSAGE=0.001,MIME_HTML_ONLY=1.105,UNPARSEABLE_RELAY=0.001
  autolearn=no version=3.3.0
  X-Spam-Level: *
  X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on
  darkstar.example.com
  ==
 
 You've munged the headers so badly it's almost impossible to see what's going
 on here.  Why did you munge the client name?

This client name unmunged:

smtp.harddriveme.com [111.67.206.181]

I only changed my domain name to example.com. This mail server
smtp/pop/imap box which is MX for my domain. Mail server is in DMZ,
darkstar is its local name. Router is doing DNAT for connects on 25
port on external domain and mx ip.

   BTW, this is an MX host, correct?

Yes.

If I made log unreadable I can repost it unchanged, just let me know.

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Stan Hoeppner
Покотиленко Костик put forth on 6/10/2010 4:15 AM:

I'd attack the problem from another angle.  You may be better served by adding
some more dnsbl checks rather than fighting spoofs:
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a111.67.207.126

As you can see the IP sample you gave is already listed by multiple dnsbls.

 smtpd_delay_reject = yes
 
 smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unknown_client_hostname,
 reject_rbl_client list.dsbl.org,
 reject_rbl_client zen.spamhaus.org

+   reject_rbl_client b.barracudacentral.org [1]
reject_rbl_client spam.dnsbl.sorbs.net
reject_rbl_client recent.spam.dnsbl.sorbs.net
reject_rhsbl_client dbl.spamhaus.org

 smtpd_sender_restrictions =

+   reject_rhsbl_sender dbl.spamhaus.org

 smtpd_helo_restrictions =

+   reject_rhsbl_helo dbl.spamhaus.org


[1] The BRBL is free to use but requires a sign-up:
http://barracudacentral.org/account/register

-- 
Stan


Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Покотиленко Костик
On Thu, 10/06/2010 at 08:01 -0500, Stan Hoeppner wrote:
 Покотиленко Костик put forth on 6/10/2010 4:15 AM:
 
 I'd attack the problem from another angle.  You may be better served by adding
 some more dnsbl checks rather than fighting spoofs:
 http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a111.67.207.126
 
 As you can see the IP sample you gave is already listed by multiple dnsbls.
 
  smtpd_delay_reject = yes
  
  smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_client_hostname,
  reject_rbl_client list.dsbl.org,
  reject_rbl_client zen.spamhaus.org
 
 + reject_rbl_client b.barracudacentral.org [1]
   reject_rbl_client spam.dnsbl.sorbs.net
   reject_rbl_client recent.spam.dnsbl.sorbs.net
 reject_rhsbl_client dbl.spamhaus.org
 
  smtpd_sender_restrictions =
 
 +   reject_rhsbl_sender dbl.spamhaus.org
 
  smtpd_helo_restrictions =
 
 +   reject_rhsbl_helo dbl.spamhaus.org
 
   
 [1] The BRBL is free to use but requires a sign-up:
 http://barracudacentral.org/account/register

Thanks for the suggestion, I'll apply it.

But if somebody can help discover the (configuration) error which is
prioritizing postmaster, that would be nice.

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Stan Hoeppner
Покотиленко Костик put forth on 6/10/2010 8:04 AM:

 Thanks for the suggestion, I'll apply it.

You're welcome.

 But if somebody can help discover the (configuration) error which is
 prioritizing postmaster, that would be nice.

postconf -d | grep mail_version might be helpful.  IIRC some early versions
of Postfix had some things related to postmaster hard coded.

-- 
Stan




Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Покотиленко Костик
On Thu, 10/06/2010 at 08:32 -0500, Stan Hoeppner wrote:
 Покотиленко Костик put forth on 6/10/2010 8:04 AM:
 
  Thanks for the suggestion, I'll apply it.
 
 You're welcome.
 
  But if somebody can help discover the (configuration) error which is
  prioritizing postmaster, that would be nice.
 
 postconf -d | grep mail_version might be helpful.  IIRC some early versions
 of Postfix had some things related to postmaster hard coded.

This is Debian lenny.

# postconf -d | grep mail_version
mail_version = 2.5.5
milter_macro_v = $mail_name $mail_version

-- 
Покотиленко Костик cas...@meteor.dp.ua



Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Wietse Venema
If the postmaster address is excluded from spam checks then you
may want to change the address_verify_sender setting.

The current default is:
address_verify_sender = $double_bounce_sender

The older (problematic) default is
address_verify_sender = postmaster

The final ultimate fix is to make address_verify_sender time-dependent,
so that it does not become a spam sink itself.

Wietse


Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Victor Duchovni
On Thu, Jun 10, 2010 at 09:50:16AM -0400, Wietse Venema wrote:

 If the postmaster address is excluded from spam checks then you
 may want to change the address_verify_sender setting.
 
 The current default is:
 address_verify_sender = $double_bounce_sender
 
 The older (problematic) default is
 address_verify_sender = postmaster
 
 The final ultimate fix is to make address_verify_sender time-dependent,
 so that it does not become a spam sink itself.

Making address_verify_sender time-dependent may somewhat compound
issues with grey-listing at the origin domain. It is useful to have a
value that is stable enough to not repeatedly be subjected to greylisting.

-- 
Viktor.


Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Victor Duchovni
On Thu, Jun 10, 2010 at 04:55:30PM +0200, Ralf Hildebrandt wrote:

 * Victor Duchovni victor.ducho...@morganstanley.com:
  On Thu, Jun 10, 2010 at 09:50:16AM -0400, Wietse Venema wrote:
  
   If the postmaster address is excluded from spam checks then you
   may want to change the address_verify_sender setting.
   
   The current default is:
   address_verify_sender = $double_bounce_sender
   
   The older (problematic) default is
   address_verify_sender = postmaster
   
   The final ultimate fix is to make address_verify_sender time-dependent,
   so that it does not become a spam sink itself.
  
  Making address_verify_sender time-dependent may somewhat compound
  issues with grey-listing at the origin domain. It is useful to have a
  value that is stable enough to not repeatedly be subjected to greylisting.
 
 Maybe if it changes once a week (configurable), but the idea is good.

I don't know how long typical greylist whitelist entries last, but even
a week may be too short if greylist whitelists are typically expected
to last longer. Of course sensible folks auto-whitelist client IPs,
rather than (IP, sender, rcpt) triples and in that case, a (long-term)
stable envelope sender is less important.

-- 
Viktor.


Re: Spoofed freemail domains protection not working for postmaster

2010-06-10 Thread Wietse Venema
Victor Duchovni:
 On Thu, Jun 10, 2010 at 09:50:16AM -0400, Wietse Venema wrote:
 
  If the postmaster address is excluded from spam checks then you
  may want to change the address_verify_sender setting.
  
  The current default is:
  address_verify_sender = $double_bounce_sender
  
  The older (problematic) default is
  address_verify_sender = postmaster
  
  The final ultimate fix is to make address_verify_sender time-dependent,
  so that it does not become a spam sink itself.
 
 Making address_verify_sender time-dependent may somewhat compound
 issues with grey-listing at the origin domain. It is useful to have a
 value that is stable enough to not repeatedly be subjected to greylisting.

I was thinking of a monthly change just enough to frustrate harvesting
but not enough to cause problems. Quarterly might do it too.

Wietse