[NCLUG] Spam Help

Bob Proulx bob at proulx.com
Wed Dec 3 10:09:02 MST 2008


Chris Funk wrote:
> Hi All,

Please, when you start a new topic, start a new message.  You
replied using a message in the "power supply size" thread of
discussion but your message has nothing to do with it.  But now your
message is constricted to be threaded there.

  http://nclug.org/pipermail/nclug/2008-December/thread.html

> I am having a horrible time with spam that has a Mail From address
> of my users.  i.e.  the email appears to come from their own
> address.  In the header the From address is their own, but the
> return to address is something else, not in our domain.

Sure.  Anyone can put anything they want in the From: address.  Around
April Fool's Day email spoofing used to be great fun.  Now it is a
burden of the legacy mail system.  But like democracy being the worst
form of government except for all those other forms, SMTP is the worst
mail transport except for all of those other forms that have been
tried.[1]

> Received: from adsl-84-226-68-102.adslplus.ch (adsl-84-226-68-102.adslplus.ch
>  [84.226.68.102])       by mail.us-reports.com (Postfix) with SMTP id EBF9E16C0F1
>         for <chris at us-reports.com>; Wed,  3 Dec 2008 06:16:28 -0700 (MST)

That address is in a dynamic address block.  It is listed in SORBS in
the dul.dnsbl.sorbs.net list.  I might as well start the zillion long
post discussion by saying that there is no reason to accept anonymous
mail from hosts on dynamic addresses.  I highly recommend blocking
those at smtp time.  This will greatly improve your mail environment.

Note that this will have no effect on hosts on your own network (due
to permit_mynetworks) nor will it affect SASL authenticated hosts (due
to permit_sasl_authenticated).

> Here is my smtpd_sender_restrictions line from main.cf
[...reformatted for readability...]
> smtpd_sender_restrictions = permit_mynetworks,
> 	permit_sasl_authenticated,
> 	check_sender_access hash:/etc/postfix/sender_access,
> 	reject_non,fqdn_sender,
> 	reject_unknown_sender_domain

First, fix that typo:

  s/reject_non,fqdn_sender/reject_non_fqdn_sender/

Next I think you should collapse all of your rules into
smtpd_recipient_restrictions instead of trying to split them out into
smtpd_sender_restrictions plus others.  I can't recall the specific
details but I remember that the event timing when these take place is
such that putting everything in smtpd_recipient_restrictions is now
the best practice.

> My sender_access file is:
> us-reports.com  REJECT  NO SPAMMING
> My.ip.add.res   REJECT  NO SPAMMING
> 
> When I telnet in and try to do a
> HELO junk.com
> MAIL FROM:chris at us-reports.com

That is the envelope sender not the header sender.  Instead, try
putting something else there.

You are seeing the header From: in the headers of your mail.  But that
is not the SMTP envelope "MAIL FROM:" above.  They are different and
separate things.

> RCPT TO:chris at us-reports.com
> 
> It stops me with "Sender address rejected: NO SPAMMING"
>
> Any idea how the spammers are getting around this?  I can send my
> entire main.cf file if that will help.

The envelope sender is not the same as the header sender.  I am sure
they are not setting the envelope to be the same as your block on the
header.

I would definitely block on dul.dnsbl.sorbs.net.  Also I recommend
putting all checks into smtpd_recipient_restrictions.

Bob

[1] "Democracy is the worst form of government, except for all those
other forms that have been tried from time to time."  (Winston
Churchill from a House of Commons speech on Nov. 11, 1947)
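The two points in the reply above (the header From: is not the SMTP envelope sender that check_sender_access tests, and the relaying host sits in a dynamic block listed in dul.dnsbl.sorbs.net) can be checked on a received message after the fact.  The script below is an added example, not code from the thread or from Postfix: it pulls the header From:, the envelope sender from Return-Path:, and the connecting IP from the first Received: line, then builds the reversed-octet DNSBL query name and asks a resolver callable whether the zone lists it.  The message text is constructed to mirror the Received: header quoted in the thread; the Return-Path value and the resolver-injection design are assumptions made for the example (passing a fake resolver keeps it offline, and the real lookup via socket.gethostbyname is only used when no resolver is supplied).

```python
import ipaddress
import re
import socket
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on the message quoted in the thread: the
# header From: claims the local domain, the envelope sender (Return-Path)
# does not, and the relay is a host in a dynamic ADSL range.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@example.net>
Received: from adsl-84-226-68-102.adslplus.ch (adsl-84-226-68-102.adslplus.ch [84.226.68.102])
\tby mail.us-reports.com (Postfix) with SMTP id EBF9E16C0F1
\tfor <chris@us-reports.com>; Wed,  3 Dec 2008 06:16:28 -0700 (MST)
From: chris@us-reports.com
To: chris@us-reports.com
Subject: constructed test message

body
"""

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: octets reversed, then the zone (IPv4 only)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are handled here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolve(name):
    """Default resolver: one A lookup, None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=dns_resolve):
    """A DNSBL lists an address by answering with something in 127.0.0.0/8."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def connecting_ip(msg):
    """IP of the host that handed the message to our MTA (first Received: line)."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IPV4_IN_BRACKETS.search(str(received[0]))
    return match.group(1) if match else None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw, resolve=dns_resolve, zone="dul.dnsbl.sorbs.net"):
    """Compare header From: against the envelope sender and check the relay."""
    msg = message_from_string(raw, policy=policy.default)
    header_from = parseaddr(str(msg.get("From", "")))[1]
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    relay_ip = connecting_ip(msg)
    return {
        "header_from": header_from,
        "envelope_from": envelope_from,
        # The spoof the thread describes: header claims our domain,
        # envelope (what check_sender_access sees) is somewhere else.
        "mismatch": domain_of(header_from) != domain_of(envelope_from),
        "relay_ip": relay_ip,
        "relay_listed": bool(relay_ip) and is_listed(relay_ip, zone, resolve),
    }


if __name__ == "__main__":
    # Fake resolver so the example runs without network access.
    for key, value in analyze(SAMPLE_MESSAGE, resolve=lambda name: "127.0.0.10").items():
        print(f"{key}: {value}")
```

A mismatch between header From: and Return-Path: is why a sender_access entry for your own domain never fires on this mail; the envelope sender the spammer uses is not in it.  The relay_listed flag is the same test Postfix applies at SMTP time with reject_rbl_client dul.dnsbl.sorbs.net, which rejects the message before any of the body is accepted.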
