Re: [Exim-users] I'm being slow
Need to keep watching, but as far as I've noticed, for them the "from" in the first Received so far always matches the HELO the server gave at connection time. The other messages in my trap with a similar Postfix header (I found a few) don't share that trait. So for now I'll try to make do with my one-liner.
--
With best regards,
Max Kostikov
BBM: 24CA5DF8 | W: https://kostikov.co
___
Exim-users mailing list
Exim-users@mailground.net
http://mailground.net/mailman/listinfo/exim-users
Re: [Exim-users] I'm being slow
Oops, I got the \N wrong. Like this:

deny
  condition = ${if match{$bh_Received:}{from $sender_helo_name \N\(unknown \[([0-9]{1,3}\.){3}[0-9]{1,3}\]\)\N}}
  message = Spammers network detected

Alexander Titaev wrote on 2016-11-25 09:36:
> Hello, Max.
> You wrote on 25 November 2016, 15:32:31:
>> Then something like this:
>> deny
>>   condition = ${if match{$bh_Received:}{\Nfrom $sender_helo_name \(unknown \[([0-9]{1,3}\.){3}[0-9]{1,3}\]\)\N}}
>>   message = Spammers network detected
>> The main thing is that "good" senders don't get cut off along with them.
> I have it like this:
> warn
>   condition = ${if match{$sender_helo_name}{(?i)\N^[-0-9-a-z]+\.(co\.ua|eu|ru)$\N} {yes}{no}}
>   condition = ${if eq{$sender_helo_name}{${lc:$sender_address_domain}} {yes}{no}}
>   condition = ${if match{$rh_Received:}{from $sender_helo_name.*unknow.*\n.*by $sender_helo_name.*Postfix.*with ESMTPA id.*;} {yes}{no}}
>   add_header = X-SPAM-Like: from_by_unknown
>   set acl_m_spam_msg = yes
--
With best regards,
Max Kostikov
BBM: 24CA5DF8 | W: https://kostikov.co
Re: [Exim-users] I'm being slow
Hello, Alexander.
You wrote on 25 November 2016, 15:36:01:
> Hello, Max.
> You wrote on 25 November 2016, 15:32:31:
>> Then something like this:
>> deny
>>   condition = ${if match{$bh_Received:}{\Nfrom $sender_helo_name \(unknown \[([0-9]{1,3}\.){3}[0-9]{1,3}\]\)\N}}
>>   message = Spammers network detected
>> The main thing is that "good" senders don't get cut off along with them.
> I have it like this:
> warn
>   condition = ${if match{$sender_helo_name}{(?i)\N^[-0-9-a-z]+\.(co\.ua|eu|ru)$\N} {yes}{no}}
>   condition = ${if eq{$sender_helo_name}{${lc:$sender_address_domain}} {yes}{no}}
>   condition = ${if match{$rh_Received:}{from $sender_helo_name.*unknow.*\n.*by $sender_helo_name.*Postfix.*with ESMTPA id.*;} {yes}{no}}
>   add_header = X-SPAM-Like: from_by_unknown
>   set acl_m_spam_msg = yes

For extra paranoia you could also add the TZ EET, and the fact that their time in

Date: Fri, 25 Nov 2016 05:03:38 +0200

is consistently a little later than in

Received: from lookingers.eu (unknown [81.177.26.121])
	by lookingers.eu (Postfix) with ESMTPA id 41233294D4F;
	Fri, 25 Nov 2016 05:03:31 +0200 (EET)

--
Regards,
Alexander mailto:t...@irk.ru
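The warn rule and the Date-versus-Received observation above, put together as one check in Python. This is an added example, not code from the thread or from Exim: it mirrors the rule's four conditions (HELO in .co.ua/.eu/.ru, HELO equal to the sender domain, a bottom-most Received that claims a Postfix ESMTPA submission from the HELO host to itself with an "unknown" reverse lookup, and a Date: header later than that hop's timestamp), all of which must hold, as in an Exim warn verb. The two sample messages are constructed for the example (the spam one is modelled on the headers quoted in this thread, with the recipient side replaced by example.net); `spam_like`, `forged_hop_ip` and `date_skew_seconds` are names chosen here. One deliberate difference from the Exim snippets: the HELO name is passed through `re.escape`, so its dots are literal rather than wildcards.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers, modelled on the spam quoted in the thread
# (recipient side, queue ids and local parts are made up for the example).
SPAM_MSG = (
    "Received: from mail.lookingers.eu ([199.217.119.224] helo=lookingers.eu)\n"
    "\tby mail.example.net with esmtp (Exim 4.86 (FreeBSD))\n"
    "\tid 1cA7dR-000CdH-71\n"
    "\tfor user@example.net; Fri, 25 Nov 2016 11:57:14 +0800\n"
    "Received: from lookingers.eu (unknown [81.177.26.121])\n"
    "\tby lookingers.eu (Postfix) with ESMTPA id 41233294D4F;\n"
    "\tFri, 25 Nov 2016 05:03:31 +0200 (EET)\n"
    "From: sender@lookingers.eu\n"
    "To: user@example.net\n"
    "Subject: hello\n"
    "Date: Fri, 25 Nov 2016 05:03:38 +0200\n"
    "\n"
    "body\n"
)

# Constructed legitimate-looking message: the first hop has reverse DNS,
# the client authenticated over TLS, and Date: precedes the Received: stamp.
LEGIT_MSG = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mail.example.net with esmtp (Exim 4.86 (FreeBSD))\n"
    "\tid 1cA7dR-000CdH-72\n"
    "\tfor user@example.net; Fri, 25 Nov 2016 11:58:02 +0800\n"
    "Received: from laptop.example.org (laptop.example.org [192.0.2.20])\n"
    "\tby mail.example.org (Postfix) with ESMTPSA id 0A1B2C3D4E;\n"
    "\tFri, 25 Nov 2016 05:03:50 +0200 (EET)\n"
    "From: alice@example.org\n"
    "To: user@example.net\n"
    "Subject: hello\n"
    "Date: Fri, 25 Nov 2016 05:03:40 +0200\n"
    "\n"
    "body\n"
)

# Same character set as the thread's [-0-9-a-z]: hyphen, digits, letters.
HELO_TLD = re.compile(r"^[-0-9a-z]+\.(co\.ua|eu|ru)$", re.IGNORECASE)
IPV4 = r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"


def first_hop(raw):
    """Bottom-most Received: header, i.e. the hop the sender wrote itself."""
    received = message_from_string(raw).get_all("Received") or []
    return received[-1] if received else None


def forged_hop_ip(hop, helo):
    """Return the client IP if `hop` claims a Postfix ESMTPA submission from
    `helo` to itself with no reverse DNS ("unknown"), else None.
    \\s+ spans the header fold (newline plus tab), which '.*' would not."""
    if hop is None:
        return None
    h = re.escape(helo)  # the HELO is data, not regex: escape its dots
    pat = re.compile(
        r"from " + h + r" \(unknown \[(" + IPV4 + r")\]\)\s+by " + h
        + r" \(Postfix\) with ESMTPA id [0-9A-Z]+;",
        re.IGNORECASE,
    )
    m = pat.search(hop)
    return m.group(1) if m else None


def hop_time(hop):
    """Timestamp after the last ';' of a Received: header, comment stripped."""
    stamp = hop.rsplit(";", 1)[-1].strip()
    stamp = re.sub(r"\s*\([^)]*\)$", "", stamp)
    return parsedate_to_datetime(stamp)


def date_skew_seconds(raw):
    """Seconds by which Date: is later than the first-hop Received: stamp.
    A real client writes Date: before the MTA stamps Received:, so a
    positive skew says both lines came from the same process."""
    msg = message_from_string(raw)
    hop = first_hop(raw)
    if hop is None or msg["Date"] is None:
        return None
    return int((parsedate_to_datetime(msg["Date"]) - hop_time(hop)).total_seconds())


def spam_like(raw, helo, sender_domain):
    """All four conditions must hold, as in the thread's Exim warn verb."""
    skew = date_skew_seconds(raw)
    checks = {
        "helo_tld": HELO_TLD.match(helo) is not None,
        "helo_is_sender_domain": helo.lower() == sender_domain.lower(),
        "forged_first_hop": forged_hop_ip(first_hop(raw), helo) is not None,
        "date_after_received": skew is not None and skew > 0,
    }
    return checks, all(checks.values())


if __name__ == "__main__":
    for name, raw, helo, dom in (("spam", SPAM_MSG, "lookingers.eu", "lookingers.eu"),
                                 ("legit", LEGIT_MSG, "mail.example.org", "example.org")):
        checks, verdict = spam_like(raw, helo, dom)
        print(name, checks, "-> X-SPAM-Like: from_by_unknown" if verdict else "-> clean")
```

`helo` and `sender_domain` stand in for Exim's `$sender_helo_name` and `$sender_address_domain`, which this script has no access to; in production they come from the SMTP session, not from the headers, which is exactly what makes the comparison worth something.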
Re: [Exim-users] I'm being slow
Then something like this:

deny
  condition = ${if match{$bh_Received:}{\Nfrom $sender_helo_name \(unknown \[([0-9]{1,3}\.){3}[0-9]{1,3}\]\)\N}}
  message = Spammers network detected

The main thing is that "good" senders don't get cut off along with them.

Alexander Titaev wrote on 2016-11-25 07:50:
>> There it's even more wonderful.
>> The original sender there comes from a single host: 81.177.26.121
>> All the domains, which, it has to be said, are competently set up from a mail-system point of view, are immediately in plain view.
>> So the task is solved by checking Received for the presence of this IP.
> 1) this Received is fake
> 2) and it's by no means a single IP
> root@irgiredmet:/var/mail/spamtrap # grep -h -B1 -E '\(Postfix\) with
--
With best regards,
Max Kostikov
BBM: 24CA5DF8 | W: https://kostikov.co
Re: [Exim-users] I'm being slow
Yes, yes. That lovely company. From the two IPs I mentioned I've received ~60% of all spam this week.

Sent from my BlackBerry 10 smartphone on the TELE2 network

Original message
From: Alexander Titaev
Sent: Friday, 25 November 2016, 7:53
To: Exim MTA in Russian
Reply-To: Exim MTA in Russian
Subject: Re: [Exim-users] I'm being slow

> Hello, Max.
> You wrote on 25 November 2016, 4:31:18:
>> There it's even more wonderful.
>> The original sender there comes from a single host: 81.177.26.121
>> All the domains, which, it has to be said, are competently set up from a mail-system point of view, are immediately in plain view.
>> So the task is solved by checking Received for the presence of this IP.
> 1) this Received is fake
> 2) and it's by no means a single IP
>
> root@irgiredmet:/var/mail/spamtrap # grep -h -B1 -E '\(Postfix\) with ESMTPA id [0-9A-Z]+\;' * | grep unknown | sort -u
> Received: from airmaxe.eu (unknown [46.38.48.34])
> Received: from airmaxe.eu (unknown [78.153.151.208])
> Received: from airmaxe.eu (unknown [81.177.26.121])
> Received: from airmaxe.eu (unknown [93.170.104.43])
> Received: from airpotes.ru (unknown [194.1.236.153])
> Received: from airpotes.ru (unknown [46.38.48.34])
> Received: from airpotes.ru (unknown [78.153.151.208])
> Received: from airpotes.ru (unknown [81.171.2.239])
> Received: from airpotes.ru (unknown [81.177.26.121])
> Received: from airpotes.ru (unknown [93.170.104.43])
> Received: from bilabonges.eu (unknown [81.177.26.121])
> Received: from bilabonges.eu (unknown [91.107.105.54])
> Received: from bilabonges.eu (unknown [93.170.104.43])
> Received: from bizneroa.co.ua (unknown [194.1.236.153])
> Received: from bookigemse.ru (unknown [185.159.131.237])
> Received: from bookigemse.ru (unknown [194.1.236.153])
> Received: from bookigemse.ru (unknown [194.67.201.161])
> Received: from bookigemse.ru (unknown [81.177.26.121])
> Received: from bookigemse.ru (unknown [91.107.105.54])
> Received: from bookigemse.ru (unknown [93.170.104.43])
> Received: from coolmasters.eu (unknown [46.38.48.34])
> Received: from coolmasters.eu (unknown [78.153.151.208])
> Received: from coolmasters.eu (unknown [81.177.26.121])
> Received: from coolmasters.eu (unknown [87.248.247.117])
> Received: from coolmasters.eu (unknown [93.170.104.43])
> Received: from cooperhant.ru (unknown [194.1.236.153])
> Received: from cooperhant.ru (unknown [78.153.151.208])
> Received: from cooperhant.ru (unknown [81.177.26.121])
> Received: from cooperhant.ru (unknown [93.170.104.43])
> Received: from daikinia.eu (unknown [194.1.236.153])
> Received: from daikinia.eu (unknown [81.177.26.121])
> Received: from daikinia.eu (unknown [91.107.105.54])
> Received: from daikinia.eu (unknown [93.170.104.43])
> Received: from embarione.ru (unknown [194.1.236.153])
> Received: from embarione.ru (unknown [46.38.48.34])
> Received: from embarione.ru (unknown [78.153.151.208])
> Received: from embarione.ru (unknown [81.177.26.121])
> Received: from embarione.ru (unknown [91.107.105.54])
> Received: from embarione.ru (unknown [93.170.104.43])
> Received: from excluzivem.eu (unknown [185.159.131.237])
> Received: from excluzivem.eu (unknown [194.67.201.161])
> Received: from excluzivem.eu (unknown [78.153.151.208])
> Received: from excluzivem.eu (unknown [81.177.26.121])
> Received: from excluzivem.eu (unknown [93.170.104.43])
> Received: from fendirtoon.co.ua (unknown [194.1.236.153])
> Received: from filamest.eu (unknown [194.1.236.153])
> Received: from filamest.eu (unknown [194.87.238.27])
> Received: from filamest.eu (unknown [46.38.48.34])
> Received: from filamest.eu (unknown [78.153.151.208])
> Received: from filamest.eu (unknown [81.177.26.121])
> Received: from filamest.eu (unknown [91.107.105.54])
> Received: from filamest.eu (unknown [93.170.104.43])
> Received: from golemint.eu (unknown [78.153.151.208])
> Received: from golemint.eu (unknown [81.171.2.239])
> Received: from golemint.eu (unknown [81.177.26.121])
> Received: from golemint.eu (unknown [93.170.104.43])
> Received: from gomelins.co.ua (unknown [194.1.236.153])
> Received: from hebraica.eu (unknown [185.118.65.242])
> Received: from hebraica.eu (unknown [46.38.48.34])
> Received: from hebraica.eu (unknown [81.177.26.121])
> Received: from hebraica.eu (unknown [93.170.104.43])
> Received: from hooperise.eu (unknown [194.1.236.153])
> Received: from hooperise.eu (unknown [46.38.48.34])
> Received: from hooperise.eu (unknown [81.177.26.121])
> Received: from hooperise.eu (unknown [93.170.104.43])
> Received: from informazion.eu (unknown [185.159.131.237])
> Received: from informazion.eu (unknown [194.67.201.161])
> Received: from informazion.eu (unknown [46.38.48.34])
> Received: from informazion.eu (unknown [81.177.26.121])
> Received: from informazion.eu (unknown [91.107.105.54])
> Received: from informazion.eu (unknown [93.170.104.43])
> Received: from informeste.ru (unknown [194.67.201.161])
> Received: from informeste.ru (unknown [46.38.48.34])
> Received: from informeste.ru (unknown [81.177.26.121])
> Received: from informeste.ru (unknown [93.170.104.43])
> Received: from intermagic.eu (unknown [185.159.131.237])
> Received: from intermagic.eu
Re: [Exim-users] I'm being slow
Hello, Lena.
You wrote on 25 November 2016, 14:10:15:
>> 1) this Received is fake
> Could you give an example of one spam message's headers in full?

From ycpe...@lookingers.eu Fri Nov 25 11:57:17 2016
Return-path:
Delivery-date: Fri, 25 Nov 2016 11:57:17 +0800
Received: from mail.lookingers.eu ([199.217.119.224] helo=lookingers.eu)
	by mail.irgiredmet.ru with esmtp (Exim 4.86 (FreeBSD))
	(envelope-from )
	id 1cA7dR-000CdH-71
	for exp...@irgiredmet.ru; Fri, 25 Nov 2016 11:57:14 +0800
Received: from lookingers.eu (unknown [81.177.26.121])
	by lookingers.eu (Postfix) with ESMTPA id E7B522977EF;
	Fri, 25 Nov 2016 05:01:09 +0200 (EET)
Message-ID:
From: "=?windows-1251?B?1+Dx+yBBbm5lIEtlbGVu?="
To:
Subject: =?windows-1251?B?xuXt8ero5SD34PH7IEFubmUgS2VsZW4gLSDI5/vx6uDt7e7x8vwg6CDG5e3x8uLl7e3u8fL8?=
Date: Fri, 25 Nov 2016 05:01:11 +0200
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="=_NextPart_000_0006_01D246D8.EC83DA30"
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8117.416
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8117.416

--
Regards,
Alexander mailto:t...@irk.ru
Re: [Exim-users] I'm being slow
Hello, Max.
You wrote on 25 November 2016, 4:31:18:
> There it's even more wonderful.
> The original sender there comes from a single host: 81.177.26.121
> All the domains, which, it has to be said, are competently set up from a mail-system point of view, are immediately in plain view.
> So the task is solved by checking Received for the presence of this IP.

1) this Received is fake
2) and it's by no means a single IP

root@irgiredmet:/var/mail/spamtrap # grep -h -B1 -E '\(Postfix\) with ESMTPA id [0-9A-Z]+\;' * | grep unknown | sort -u
Received: from airmaxe.eu (unknown [46.38.48.34])
Received: from airmaxe.eu (unknown [78.153.151.208])
Received: from airmaxe.eu (unknown [81.177.26.121])
Received: from airmaxe.eu (unknown [93.170.104.43])
Received: from airpotes.ru (unknown [194.1.236.153])
Received: from airpotes.ru (unknown [46.38.48.34])
Received: from airpotes.ru (unknown [78.153.151.208])
Received: from airpotes.ru (unknown [81.171.2.239])
Received: from airpotes.ru (unknown [81.177.26.121])
Received: from airpotes.ru (unknown [93.170.104.43])
Received: from bilabonges.eu (unknown [81.177.26.121])
Received: from bilabonges.eu (unknown [91.107.105.54])
Received: from bilabonges.eu (unknown [93.170.104.43])
Received: from bizneroa.co.ua (unknown [194.1.236.153])
Received: from bookigemse.ru (unknown [185.159.131.237])
Received: from bookigemse.ru (unknown [194.1.236.153])
Received: from bookigemse.ru (unknown [194.67.201.161])
Received: from bookigemse.ru (unknown [81.177.26.121])
Received: from bookigemse.ru (unknown [91.107.105.54])
Received: from bookigemse.ru (unknown [93.170.104.43])
Received: from coolmasters.eu (unknown [46.38.48.34])
Received: from coolmasters.eu (unknown [78.153.151.208])
Received: from coolmasters.eu (unknown [81.177.26.121])
Received: from coolmasters.eu (unknown [87.248.247.117])
Received: from coolmasters.eu (unknown [93.170.104.43])
Received: from cooperhant.ru (unknown [194.1.236.153])
Received: from cooperhant.ru (unknown [78.153.151.208])
Received: from cooperhant.ru (unknown [81.177.26.121])
Received: from cooperhant.ru (unknown [93.170.104.43])
Received: from daikinia.eu (unknown [194.1.236.153])
Received: from daikinia.eu (unknown [81.177.26.121])
Received: from daikinia.eu (unknown [91.107.105.54])
Received: from daikinia.eu (unknown [93.170.104.43])
Received: from embarione.ru (unknown [194.1.236.153])
Received: from embarione.ru (unknown [46.38.48.34])
Received: from embarione.ru (unknown [78.153.151.208])
Received: from embarione.ru (unknown [81.177.26.121])
Received: from embarione.ru (unknown [91.107.105.54])
Received: from embarione.ru (unknown [93.170.104.43])
Received: from excluzivem.eu (unknown [185.159.131.237])
Received: from excluzivem.eu (unknown [194.67.201.161])
Received: from excluzivem.eu (unknown [78.153.151.208])
Received: from excluzivem.eu (unknown [81.177.26.121])
Received: from excluzivem.eu (unknown [93.170.104.43])
Received: from fendirtoon.co.ua (unknown [194.1.236.153])
Received: from filamest.eu (unknown [194.1.236.153])
Received: from filamest.eu (unknown [194.87.238.27])
Received: from filamest.eu (unknown [46.38.48.34])
Received: from filamest.eu (unknown [78.153.151.208])
Received: from filamest.eu (unknown [81.177.26.121])
Received: from filamest.eu (unknown [91.107.105.54])
Received: from filamest.eu (unknown [93.170.104.43])
Received: from golemint.eu (unknown [78.153.151.208])
Received: from golemint.eu (unknown [81.171.2.239])
Received: from golemint.eu (unknown [81.177.26.121])
Received: from golemint.eu (unknown [93.170.104.43])
Received: from gomelins.co.ua (unknown [194.1.236.153])
Received: from hebraica.eu (unknown [185.118.65.242])
Received: from hebraica.eu (unknown [46.38.48.34])
Received: from hebraica.eu (unknown [81.177.26.121])
Received: from hebraica.eu (unknown [93.170.104.43])
Received: from hooperise.eu (unknown [194.1.236.153])
Received: from hooperise.eu (unknown [46.38.48.34])
Received: from hooperise.eu (unknown [81.177.26.121])
Received: from hooperise.eu (unknown [93.170.104.43])
Received: from informazion.eu (unknown [185.159.131.237])
Received: from informazion.eu (unknown [194.67.201.161])
Received: from informazion.eu (unknown [46.38.48.34])
Received: from informazion.eu (unknown [81.177.26.121])
Received: from informazion.eu (unknown [91.107.105.54])
Received: from informazion.eu (unknown [93.170.104.43])
Received: from informeste.ru (unknown [194.67.201.161])
Received: from informeste.ru (unknown [46.38.48.34])
Received: from informeste.ru (unknown [81.177.26.121])
Received: from informeste.ru (unknown [93.170.104.43])
Received: from intermagic.eu (unknown [185.159.131.237])
Received: from intermagic.eu (unknown [194.1.236.153])
Received: from intermagic.eu (unknown [194.67.201.161])
Received: from intermagic.eu (unknown [78.153.151.208])
Received: from intermagic.eu (unknown [81.177.26.121])
Received: from intermagic.eu (unknown [93.170.104.43])
Received: from lookingers.eu (unknown [185.118.65.242])
Received: from lookingers.eu
Re: [Exim-users] I'm being slow
> got used to giving vague answers in SMTP-session messages,
> without hinting at the real reason for the rejection. And to writing
> something specific in the log itself (log_message), so that it is
> immediately clear which ACL fired and for what reason.

Not being specific only makes sense in the case of Nigerian spammers (there, the spam is sometimes sent by people by hand). In all other cases hiding the specifics from robots is pointless: they don't read the response text anyway. And in the case of a false positive the specifics are useful to a human, the honest sender.
Re: [Exim-users] I'm being slow
Thanks, that probably makes sense.

George L. Yermulnik wrote on 2016-11-24 23:44:
> Just thinking aloud: back when I worked at an ISP, I got used to giving
> vague answers in SMTP-session messages, without hinting at the real reason
> for the rejection. And to writing something specific in the log itself
> (log_message), so that it is immediately clear which ACL fired and for
> what reason.
--
With best regards,
Max Kostikov
BBM: 24CA5DF8 | W: https://kostikov.co
Re: [Exim-users] I'm being slow
Hello!

On Thu, 24 Nov 2016 at 22:52:19 (+0200), Max Kostikov wrote:
> message= Spammers network detected

Just thinking aloud: back when I worked at an ISP, I got used to giving vague answers in SMTP-session messages, without hinting at the real reason for the rejection. And to writing something specific in the log itself (log_message), so that it is immediately clear which ACL fired and for what reason.

--
George L. Yermulnik
[YZ-RIPE]
Re: [Exim-users] I'm being slow
And one more turned up: 78.153.151.208. So something like this:

deny
  condition = ${if match{$bh_Received:}{\N\(unknown \[(81\.177\.26\.121|78\.153\.151\.208)\]\)\N}}
  message = Spammers network detected

Max Kostikov wrote on 2016-11-24 22:31:
> There it's even more wonderful.
> The original sender there comes from a single host: 81.177.26.121
> All the domains, which, it has to be said, are competently set up from a mail-system point of view, are immediately in plain view.
> So the task is solved by checking Received for the presence of this IP.
>
> Alexander Titaev wrote on 2016-11-23 13:50:
>> Received: from cooperhant.ru (unknown [81.177.26.121])
>> 	by cooperhant.ru (Postfix) with ESMTPA id 07613113BB0;
>> You bet! They're spammers, about 20 domains. But they rotate them regularly, whereas
--
With best regards,
Max Kostikov
BBM: 24CA5DF8 | W: https://kostikov.co
Re: [Exim-users] I'm being slow
Hello, Oleksandr.
You wrote on 24 November 2016, 21:10:32:
> By the way, which ACL is the rule in?
> $bh_Received: only appears in acl_data

Well, that's understood.

--
Regards,
Alexander mailto:t...@irk.ru
Re: [Exim-users] I'm being slow
By the way, which ACL is the rule in?
$bh_Received: only appears in acl_data

On Wed, Nov 23, 2016 at 06:48:42PM +0800, Alexander Titaev wrote:
Alexander> Hello, Exim.
Alexander>
Alexander> Received: from cooperhant.ru (unknown [81.177.26.121])
Alexander> 	by cooperhant.ru (Postfix) with ESMTPA id 07613113BB0;
Alexander>
Alexander> this doesn't catch it:
Alexander> condition = ${if match{$bh_Received:}{from $sender_helo_name .*by} {yes}{no}}
Alexander>
Alexander> i.e. whatever comes after the line break is lost
Alexander>
Alexander> condition = ${if match{$message_headers} doesn't help either
Alexander>
Alexander> and, so I don't have to ask twice: how do you use variables inside \N \N ?
Alexander> condition = ${if match{$rh_Received:}{\Nfrom $sender_helo_name\N} {yes}{no}}
Alexander>
Alexander> --
Alexander> Regards,
Alexander> Alexander mailto:t...@irk.ru

--
Best regard,
Aleksander Trotsai aka MAGE-RIPE aka MAGE-UANIC
My public PGP key placed at http://mvps.adamant.ua/pgp/trotsai.asc
Big trouble: BOFH excuse #433: error: one bad user found in front of screen
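The two questions in Alexander's original message, why `from $sender_helo_name .*by` stops matching at the line break and how a variable can be combined with a `\N...\N` regex, come down to two regex facts that hold for PCRE in Exim and for Python's `re` alike: the folded continuation (newline plus whitespace) is still present in the header value, and `.` does not match a newline unless told to; and `\N...\N` only protects the literal part of the pattern from expansion, so the variable has to sit outside it and is then pasted into the regex verbatim, dots and all. The script below is an added illustration, not code from the thread: it runs the same `from <helo> .*by` test against a constructed folded Received value (the one quoted in the thread) three ways, and shows what an unescaped HELO does to the match. `unfold`, `from_by_pattern` and the other names are chosen here; the `escape=True` variant is stricter than the Exim snippets, which do not escape the HELO.

```python
import re

# Constructed folded Received: value, as $bh_Received: hands it to
# ${if match...}: the fold (newline plus tab) between the "from" clause
# and the "by" clause is part of the string being matched.
FOLDED = (
    "from cooperhant.ru (unknown [81.177.26.121])\n"
    "\tby cooperhant.ru (Postfix) with ESMTPA id 07613113BB0;"
)


def unfold(value):
    """RFC 5322 unfolding: drop a CRLF/LF that is followed by whitespace."""
    return re.sub(r"\r?\n(?=[ \t])", "", value)


def from_by_pattern(helo, escape=True):
    """The thread's 'from $sender_helo_name .*by' test as a Python regex.
    escape=True treats the HELO as literal text (re.escape); escape=False
    pastes it in verbatim, which is what Exim does after expanding the
    variable outside \\N...\\N."""
    name = re.escape(helo) if escape else helo
    return r"from " + name + r" .*by"


def naive_match(value, helo):
    """'.' stops at the newline, so this fails on a folded header."""
    return re.search(from_by_pattern(helo), value) is not None


def dotall_match(value, helo):
    """re.DOTALL (PCRE (?s)) lets '.' cross the fold; the thread gets the
    same effect by writing an explicit \\n into the pattern."""
    return re.search(from_by_pattern(helo), value, re.DOTALL) is not None


def unfolded_match(value, helo):
    """Unfold first; the single-line pattern then works unchanged."""
    return naive_match(unfold(value), helo)


def verbatim_helo_overmatches(helo, other_host):
    """Unescaped, the '.' in the HELO matches any character, so a pattern
    built for `helo` also accepts `other_host`. Returns (loose, strict)."""
    line = "from " + other_host + " (unknown [192.0.2.1]) by " + other_host
    loose = re.search(from_by_pattern(helo, escape=False), line) is not None
    strict = re.search(from_by_pattern(helo, escape=True), line) is not None
    return loose, strict


if __name__ == "__main__":
    helo = "cooperhant.ru"
    print("naive    :", naive_match(FOLDED, helo))
    print("dotall   :", dotall_match(FOLDED, helo))
    print("unfolded :", unfolded_match(FOLDED, helo))
    print("overmatch:", verbatim_helo_overmatches(helo, "cooperhantXru"))
```

The Exim equivalent of `escape=True` does not exist as a single operator; the practical choice in an ACL is to accept the wildcard dots (the HELO is already constrained by the other conditions) or to anchor the pattern tightly around the literal parts, which is what the `\N\(unknown \[...\]\)\N` form later in the thread does.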