Re: Rejecting based on From is...not rejecting

2018-11-15 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 06:49, Dennis Carr 
wrote:

> On Fri, 16 Nov 2018 06:10:28 +
> Dominic Raferd  wrote:
>
> > - you say you want to ban based on the 'From:' address which if true
> > would require you to use header_checks (
> > http://www.postfix.org/header_checks.5.html) not sender_access
>
> That'd work better, then.
>
> > I think you actually want to reject based on the envelope sender (not
> > From header), in which case you want main.cf unchanged and
> > sender_access like: qq.com REJECT
>
> Here's the thing, it's a spam campaign where emails from qq.com are
> coming from what appears to be a few different IP blocks on two
> different providers and cycling through the IPs as to dodge
> blacklisting, as well as randomizing their FQDNs - so in this case, I
> don't think scanning the envelope is going to work unless there's
> something I'm missing.  I've tried contacting the providers' upstream,
> but the upstream doesn't seem to listen either - at least, not if I
> send a third party report from Spamcop.
>
> The ONLY other common thing is that everything is 'From: *@qq.com' in
> the headers. I could probably figure out the IP ranges, but that
> opens the possibility of changing the IP ranges if the providers are
> so flexible - and I'd be patient with the BLs, but this is affecting
> users.
>

The reason I think you actually want to reject based on the envelope sender
is because I too see lots of attempted spam from @qq.com envelope sender
addresses. On our servers these are blocked by fqrdns (
https://github.com/stevejenkins/hardwarefreak.com-fqrdns.pcre). I can't
tell what the 'From' header is because they are all blocked before data is
sent. Blocking by sender (or using fqrdns) is much cheaper than blocking by
header.


Re: Rejecting based on From is...not rejecting

2018-11-15 Thread Dennis Carr
On Fri, 16 Nov 2018 01:08:42 -0500
Viktor Dukhovni  wrote:

> On Nov 16, 2018, at 12:17 AM, Dennis Carr
>  wrote:
> 
> > Suffice it to say, I seem to be doing it wrong.
> 
> In a creatively diverse number of ways. :-)
 
Well Viktor, we can't say I do everything right, now, can we? =D

I noted too in Dominic's response the pointer to header_checks instead;
sounds like the better option.  I'll give that a go.

-Dennis Carr


Re: Rejecting based on From is...not rejecting

2018-11-15 Thread Dominic Raferd
On Fri, 16 Nov 2018 at 05:18, Dennis Carr 
wrote:

> Heya. Postfix 3.1.8 on Debian Stable.
>
> I'm trying to use /etc/postfix/sender_access to pretty much reject
> anything showing as 'From: *@qq.com' as there's a plethora of spam
> coming from that domain - and it's not rejecting.  Suffice it to say, I
> seem to be doing it wrong.
>
> In sender_access, I have:
>
> \/.qq.com$/ REJECT
>
> ...and the reference to this file in main.cf is:
>
> smtpd_sender_restrictions =
> check_sender_access  hash:/etc/postfix/sender_access,
> ...
>
> ...what'd I miss?
>
> If needed I can stick the files up on a pastebin.
>

I'm afraid there are several mistakes here:
- you say you want to ban based on the 'From:' address which if true would
require you to use header_checks (
http://www.postfix.org/header_checks.5.html) not sender_access
- you are using a 'hash' table in main.cf but have put regex (or pcre)
format in your table
- the regex contains errors

I think you actually want to reject based on the envelope sender (not From
header), in which case you want main.cf unchanged and sender_access like:
qq.com REJECT

Then do 'postmap /etc/postfix/sender_access' to create the sender_access.db
file which is what postfix will be looking for.


Re: Rejecting based on From is...not rejecting

2018-11-15 Thread Viktor Dukhovni
> On Nov 16, 2018, at 12:17 AM, Dennis Carr  
> wrote:
> 
> I'm trying to use /etc/postfix/sender_access to pretty much reject
> anything showing as 'From: *@qq.com'

Postfix access(5) tables restrict the message envelope, not the message headers.

> Suffice it to say, I seem to be doing it wrong.

In a creatively diverse number of ways. :-)

> In sender_access, I have:
> 
> \/.qq.com$/ REJECT

If it were supposed to be a regular expression table, it would be:

/\.qq\.com$/    REJECT

But there's no need to use regular expressions to match literal domain names.
You'd use a "cdb" or "hash" table for something so simple, with literal keys:

qq.com  REJECT

> ...and the reference to this file in main.cf is:
> 
> smtpd_sender_restrictions =
>check_sender_access  hash:/etc/postfix/sender_access,
>   ...

And so you are, but you're using regular expression syntax, that's
broken while you're at it.

> ...what'd I miss?  

Well, everything really.

> If needed I can stick the files up on a pastebin.

No need.

-- 
Viktor.
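To make the lookup difference that Dominic and Viktor describe concrete (a hash: table only ever matches literal keys, while a regexp: table tests its pattern against the whole address), here is an added Python model of the access(5) lookup order; it is not part of the thread and not Postfix code, and the three table strings are constructed samples: the original poster's line as it would sit in a hash: table, the literal `qq.com REJECT` line the replies recommend, and Viktor's corrected pattern in a regexp: table. It assumes the default `parent_domain_matches_subdomains` (which includes `smtpd_access_maps`) and ignores the `/pattern/flags` syntax of real regexp: tables.

```python
import re

# Constructed sample tables (not from the thread). The first reproduces the
# original poster's line inside a hash: table, the second is the literal-key
# table the replies recommend, the third is Viktor's pattern in a regexp: table.
OP_HASH_TABLE = r"\/.qq.com$/ REJECT"
FIXED_HASH_TABLE = "qq.com  REJECT"
REGEXP_TABLE = r"/\.qq\.com$/  REJECT"


def parse_hash_table(text):
    """Keys as postmap(1) stores them for a hash: table: literal text, lower-cased.
    A line that looks like a regex is just a literal key that nothing will ever equal."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, action = line.split(None, 1)
            table[key.lower()] = action.strip()
    return table


def lookup_hash_sender(table, address):
    """access(5) lookup order for an email address in an indexed table:
    user@domain, then domain, then each parent domain (because smtpd_access_maps
    is in parent_domain_matches_subdomains by default), then user@."""
    address = address.lower()
    user, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels))] + [user + "@"]
    for key in keys:
        if key in table:
            return table[key]
    return None  # no entry matched; the restriction falls through to the next one


def parse_regexp_table(text):
    """'/pattern/ action' lines of a regexp: table (flag suffixes not modelled)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^\s*/(.+)/\s+(\S+)", line)
        if m:
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup_regexp_sender(rules, address):
    """Regexp tables test each pattern against the entire lookup string;
    there are no separate domain or user@ sub-lookups. First match wins."""
    for pattern, action in rules:
        if pattern.search(address):
            return action
    return None
```

Note that `/\.qq\.com$/` matches `spammer@mail.qq.com` but not `spammer@qq.com`, since the whole address is the search string; the literal `qq.com` key in a hash table covers both, which is why the replies call it the cheaper and simpler choice.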



Rejecting based on From is...not rejecting

2018-11-15 Thread Dennis Carr
Heya. Postfix 3.1.8 on Debian Stable.

I'm trying to use /etc/postfix/sender_access to pretty much reject
anything showing as 'From: *@qq.com' as there's a plethora of spam
coming from that domain - and it's not rejecting.  Suffice it to say, I
seem to be doing it wrong.

In sender_access, I have:

\/.qq.com$/ REJECT

...and the reference to this file in main.cf is:

smtpd_sender_restrictions =
check_sender_access  hash:/etc/postfix/sender_access,
...

...what'd I miss?  

If needed I can stick the files up on a pastebin.

-Dennis Carr