On 01.02.2016 at 17:22, Thomas Barth wrote:
> Hi, txbweb.de is my private address only for testing and learning. The domain of the company I'm working for is affected. And for this company domain an SPF entry already exists.
>
> root@mailserver1 /etc # host -t TXT domain.de
> domain.de descriptive text "v=spf1 ip4:188.40.xxx.xx -all"
>
> And that means that only our mailserver should be allowed to send mails with our domain, am I right? Working SPF-checking mailservers should block the email from spammers, because their IP addresses are different from our domain's IP address?

yes, "-all" means "hard SPF policy"

at least SpamAssassin and other solutions would give scores for SPF_HARD_FAIL and/or SPF_SOFT_FAIL - the main point is, in case of such forged mail, that someone is able to distinguish that it did not come from the domain's servers before penalizing the sender

> On 01.02.2016 at 16:26, Reindl Harald wrote:
>> maybe you learn about SPF then......
>>
>> On 01.02.2016 at 16:23, Thomas Barth wrote:
>>> The mails with docs attached are getting rejected successfully. I'm getting a lot of these mails from a botnet now, each mail with a different generated mail suffix, but always with our top-level domain. I hope that we don't get problems with the spammers using our main domain for spreading their spam :-/
>>
>> [harry@rh:~]$ dig TXT txbweb.de
>>
>> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> TXT txbweb.de
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13842
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 1024
>> ;; QUESTION SECTION:
>> ;txbweb.de.                     IN      TXT
>>
>> ;; AUTHORITY SECTION:
>> txbweb.de.              120     IN      SOA     dns1.kontent.com. hostmaster.kontent.com. 2015050806 10800 3600 604800 86400
>>
>> ;; Query time: 115 msec
>> ;; SERVER: 10.0.0.6#53(10.0.0.6)
>> ;; WHEN: Mo Feb 01 16:24:56 CET 2016
>> ;; MSG SIZE  rcvd: 101
>>
>>> On 01.02.2016 at 15:09, Reindl Harald wrote:
>>>> On 01.02.2016 at 15:05, Thomas Barth wrote:
>>>>> No viruses were found.
>>>>>
>>>>> Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>>> Content type: Banned
>>>>> Not quarantined.
>>>>>
>>>>> The message WAS NOT relayed to:
>>>>> xxx
>>>>> 554 5.7.0 Reject, id=09201-09 - BANNED: .exe,.exe-ms,23676883772984656662(1).doc.exe
>>>>>
>>>>> This message is a test result of ClamAV? I would like to add .doc as a banned name
>>>>
>>>> sounds like amavis and as already suggested: reject it at smtpd level
>>>>
>>>> mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
>>>>
>>>> [root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
>>>> # Reject Attachment Extensions
>>>> /^Content-(?:Disposition|Type):(?:.*?;)?
>>>>   \s*(?:file)?name \s* = \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
>>>>
>>>>> On 01.02.2016 at 13:50, Reindl Harald wrote:
>>>>>> On 01.02.2016 at 13:48, Thomas Barth wrote:
>>>>>>> for a week or so I get a lot of mails with bills as doc documents and SpamAssassin is actually not able to mark them as spam
>>>>>>
>>>>>> it is able - combined BAYES scores and other rules on a properly trained SA lead to a 99.9% milter-reject rate of these malware mails here
signature.asc
Description: OpenPGP digital signature
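The hard-fail versus soft-fail distinction discussed in the thread, as an added example that is not part of the mailing-list post: a minimal offline SPF evaluator for records built only from ip4, ip6 and all mechanisms (the shape of the company record quoted above, "v=spf1 ip4:... -all"). The records and client IPs below are constructed from RFC 5737/3849 documentation ranges; the real mail server address is not in the thread. Mechanisms that need DNS (a, mx, include, exists, ptr, redirect=) are deliberately out of scope and reported as "permerror", which is a simplification of this toy, not RFC 7208 behaviour; a production checker such as pyspf or Mail::SPF resolves them.

```python
"""Minimal offline SPF evaluator (added example, not code from the thread)."""
import ipaddress

# RFC 7208 qualifier -> result mapping. No qualifier means '+' (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate an SPF TXT record against the connecting client IP.

    Returns an RFC 7208 result string: "pass", "fail", "softfail",
    "neutral", "none" (not an SPF record) or "permerror" (malformed
    network, or a mechanism this offline toy cannot evaluate).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            # "all" always matches; its qualifier decides: -all = hard fail,
            # ~all = soft fail, ?all = neutral, +all = pass (a useless record).
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue  # no match, try the next mechanism

        # a, mx, include, exists, ptr and redirect= require DNS lookups.
        # Simplification of this example: report them as permerror.
        return "permerror"

    # RFC 7208 section 4.7: nothing matched and no "all" -> neutral.
    return "neutral"


# Constructed records modelled on the thread's "v=spf1 ip4:<mailserver> -all".
HARD_FAIL_RECORD = "v=spf1 ip4:192.0.2.25 -all"
SOFT_FAIL_RECORD = "v=spf1 ip4:192.0.2.25 ~all"


if __name__ == "__main__":
    # 192.0.2.25 plays the legitimate mail server, 203.0.113.77 a botnet node
    # forging the domain in its envelope sender.
    for client in ("192.0.2.25", "203.0.113.77"):
        print(client,
              "-all:", evaluate_spf(HARD_FAIL_RECORD, client),
              "~all:", evaluate_spf(SOFT_FAIL_RECORD, client))
```

The forged sender gets "fail" under the -all record and only "softfail" under ~all; which of the two the receiving MTA rejects outright and which it merely scores is the receiver's policy, not something the publishing domain controls.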
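The mime_header_checks rule quoted in the thread, exercised offline as an added example (not code from the post): the PCRE pattern is carried over into Python's re with the flags a Postfix pcre table applies by default (case-insensitive, dot matches newline, and /x for the extended syntax the rule uses), and run against a handful of constructed Content-Disposition/Content-Type headers, including the double-extension name from the amavis notice and a quoted-printable "=2E" dot that the pattern's (\.|=2E) alternative is there for. Folded headers are unfolded by the example itself before matching; how Postfix presents continuation lines to the table is not modelled here. The header strings, the check_mime_header helper and the "doc" extension added in the last case are all this example's own.

```python
"""Offline tester for the thread's Postfix mime_header_checks rule (added example)."""
import re
from typing import Optional, Tuple

# The extension list exactly as it appears in the quoted mime_header_checks.cf.
DEFAULT_BANNED: Tuple[str, ...] = tuple(
    "386 acm ade adp apk awx ax bas bat bin cdf chm class cmd cnv com cpl crt "
    "csh dll dlo drv exe hlp hta inf ins isp jar jse lnk mde mdt mdw msc msi "
    "msp mst nws ocx ops pcd pif pl prf rar reg scf scr script sct sh shb shm "
    "shs so sys tlb vb vbe vbs vbx vxd wiz wll wpc wsc wsf wsh".split()
)


def compile_banned(extensions: Tuple[str, ...] = DEFAULT_BANNED) -> "re.Pattern[str]":
    """Build the thread's pattern with a configurable extension alternation.

    Postfix pcre tables are case-insensitive and dot-matches-newline unless
    toggled, and the rule itself asks for /x; the same three flags are used.
    """
    alternation = "|".join(re.escape(ext) for ext in extensions)
    pattern = rf"""
        ^Content-(?:Disposition|Type):(?:.*?;)?
        \s*(?:file)?name \s* = \s* "?
        ( .*? (\.|=2E) ({alternation}) )   # $1: the offending file name
        (?:\?=)? "? \s* (;|$)              # optional RFC 2047 '?=' terminator
    """
    return re.compile(pattern, re.IGNORECASE | re.DOTALL | re.VERBOSE)


def check_mime_header(header: str,
                      extensions: Tuple[str, ...] = DEFAULT_BANNED) -> Optional[str]:
    """Return the blocked file name (what the rule's "$1" would log), or None.

    Folded headers (CRLF + leading whitespace) are joined first so the
    parameter list is matched as one logical line.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)
    match = compile_banned(extensions).search(unfolded)
    return match.group(1) if match else None


# Constructed sample headers, not taken from a real message.
SAMPLES = [
    'Content-Disposition: attachment; filename="23676883772984656662(1).doc.exe"',
    'Content-Type: application/msword; name="Rechnung.doc"',
    'Content-Disposition: attachment; filename="=?UTF-8?Q?Rechnung=2Eexe?="',
    'Content-Disposition: attachment; filename="INVOICE.DOC.EXE"',
    'Content-Disposition: attachment;\r\n\tfilename="setup.scr"',
    'Content-Disposition: attachment; filename="report.pdf"',
    'Content-Disposition: attachment; filename="notes.exe.txt"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = check_mime_header(sample)
        print(("REJECT " + verdict) if verdict else "allow  ", "|", sample.replace("\r\n", "\\r\\n"))
    # What the thread's poster asked for: add .doc to the banned list.
    print("with doc added:", check_mime_header(SAMPLES[1], DEFAULT_BANNED + ("doc",)))
```

Two properties of the rule worth knowing before adding "doc" to it: only the final extension counts, so "notes.exe.txt" passes while "something.doc.exe" is caught by "exe", and adding "doc" blocks every legacy Word attachment, not just the malicious ones, which is the trade-off the thread is discussing.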