Hi,
txbweb.de is my private address only for testing and learning. The
domain of the company I'm working for is affected. And for this company
domain an SPF entry already exists.
root@mailserver1 /etc # host -t TXT domain.de
domain.de descriptive text "v=spf1 ip4:188.40.xxx.xx -all"
And that means that only our mailserver should be allowed to send mails
with our domain, am I right? Working SPF checking mailservers should
block the email from spammers, because their ip-addresses are different
from our domain ip address?
Thomas B
On 01.02.2016 at 16:26, Reindl Harald wrote:
maybe you learn about SPF then......
On 01.02.2016 at 16:23, Thomas Barth wrote:
The mails with docs attached are getting rejected successfully. I'm
getting a lot of these mails from a botnet now, each mail with a
different generated mail suffix, but always with our top level domain. I
hope that we don't get problems that the spammers are using our main
domain for spreading their spam :-/
[harry@rh:~]$ dig TXT txbweb.de
; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> TXT txbweb.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13842
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1024
;; QUESTION SECTION:
;txbweb.de. IN TXT
;; AUTHORITY SECTION:
txbweb.de. 120 IN SOA dns1.kontent.com. hostmaster.kontent.com. 2015050806 10800 3600 604800 86400
;; Query time: 115 msec
;; SERVER: 10.0.0.6#53(10.0.0.6)
;; WHEN: Mo Feb 01 16:24:56 CET 2016
;; MSG SIZE rcvd: 101
On 01.02.2016 at 15:09, Reindl Harald wrote:
On 01.02.2016 at 15:05, Thomas Barth wrote:
No viruses were found.
Banned name: .exe,.exe-ms,23676883772984656662(1).doc.exe
Content type: Banned
Not quarantined.
The message WAS NOT relayed to:
xxx
554 5.7.0 Reject, id=09201-09 - BANNED: .exe,.exe-ms,23676883772984656662(1).doc.exe
This message is a test result of ClamAV? I would like to add .doc as
banned name
sounds like amavis and as already suggested: reject it at smtpd level
mime_header_checks = pcre:/etc/postfix/mime_header_checks.cf
[root@mail-gw:~]$ cat /etc/postfix/mime_header_checks.cf
# Reject Attachment Extensions
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* = \s*"?(.*?(\.|=2E)(386|acm|ade|adp|apk|awx|ax|bas|bat|bin|cdf|chm|class|cmd|cnv|com|cpl|crt|csh|dll|dlo|drv|exe|hlp|hta|inf|ins|isp|jar|jse|lnk|mde|mdt|mdw|msc|msi|msp|mst|nws|ocx|ops|pcd|pif|pl|prf|rar|reg|scf|scr|script|sct|sh|shb|shm|shs|so|sys|tlb|vb|vbe|vbs|vbx|vxd|wiz|wll|wpc|wsc|wsf|wsh))(?:\?=)?"?\s*(;|$)/x
    REJECT Attachment Blocked (Executables And RAR-Files Not Allowed) "$1"
On 01.02.2016 at 13:50, Reindl Harald wrote:
On 01.02.2016 at 13:48, Thomas Barth wrote:
for a week or so I get a lot of mails with bills as doc-documents and
SpamAssassin is actually not able to mark it as spam
it is able
combined BAYES scores and other rules on a properly trained SA lead to
a 99.9% milter-reject rate of these malware mails here
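
Added example, not part of the thread and not any participant's code: a minimal sketch of how a receiving server evaluates the two DNS answers shown above, a record of the form "v=spf1 ip4:... -all" and a domain with no TXT answer at all. The addresses are constructed documentation addresses standing in for the redacted 188.40.xxx.xx, only the ip4, ip6 and all mechanisms are handled, and the function and variable names are hypothetical.

```python
import ipaddress

# Result names follow RFC 7208. SPF is evaluated against the envelope sender
# (MAIL FROM / HELO) domain, not the From: header the user sees.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(txt_records):
    """Return the terms of the first SPF record, or None if there is none."""
    for txt in txt_records:
        parts = txt.split()
        if parts and parts[0].lower() == "v=spf1":
            return parts[1:]
    return None

def check_spf(txt_records, client_ip):
    """Evaluate client_ip against a domain's TXT records (ip4/ip6/all only)."""
    terms = parse_spf(txt_records)
    if terms is None:
        return "none"          # no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"        # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue           # no match: try the next term, left to right
        # a, mx, include, redirect= ... need DNS lookups; out of scope here
        raise NotImplementedError(f"mechanism not handled in this sketch: {term}")
    return "neutral"           # record ended without a matching mechanism

# Constructed stand-ins for the two DNS answers in the thread.
DOMAIN_DE_TXT = ["v=spf1 ip4:192.0.2.10 -all"]   # company domain, own server only
TXBWEB_DE_TXT = []                               # dig returned ANSWER: 0

if __name__ == "__main__":
    print(check_spf(DOMAIN_DE_TXT, "192.0.2.10"))    # the listed mail server
    print(check_spf(DOMAIN_DE_TXT, "203.0.113.77"))  # an unrelated botnet host
    print(check_spf(TXBWEB_DE_TXT, "203.0.113.77"))  # domain without SPF record
```

Whether a "fail" result leads to a rejection is the receiving server's own policy decision; the record only publishes which hosts are authorized.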