On Mon, 9 Mar 2026, Dan Mahoney via Postfix-users wrote:
Return-Path: <[email protected]>
Received: from server-623641.inespre.gob.do
(server-623641.inespre.gob.do [50.6.199.138])
Does postfix have a knob to just let me block any server with any fully
qualified RDNS of *.gob.do, if this is the kind of thing that they're
letting happen? (Versus blocking the sender/recipient, or an IP block?)
You can block via check_client_access type:table by putting into the access map:
.gob.do REJECT
see more at http://www.postfix.org/access.5.html
If your parent_domain_matches_subdomains contains "smtpd_access_maps",
either use "gob.do" without the leading dot, or remove "smtpd_access_maps"
from parent_domain_matches_subdomains - I recommend the latter.
Alternatively you can block the IP or use a DNS blocklist that contains the IP
(but currently only UCEPROTECT-L2, which should not be used alone).
On Mar 9, 2026, at 1:40 PM, Fred Morris via Postfix-users
<[email protected]> wrote:
You're mixing categories there, Dan. Return-Path: is the envelope sender; that
is MAIL FROM, right? Received: is client.
On 10.03.26 22:44, Dan Mahoney via Postfix-users wrote:
I am aware. But the point of including that was to show that this wasn't
completely spoofed -- return-path is likely coming from a compromised
user-account and thus captured into the data. (The sender doesn't
particularly seem to "care" about spoofing the reported hostname, as he
isn't setting a From-Header value different to this domain. Nobody said
the sender is "smart"). That said, on a compromised machine, spoofing
this is trivial.
Telnet tells me this is an Exim box, so this points to compromised and
widely-shared UID/auth credentials, picked up in a data breach. Good
enough for gobernment work.
That said, this is a Dominican Republic government entity (Instituto
Nacional de Estabilización de Precios), and one would think they'd at
least grok abuse@ reports, as I've been sending with Spamcop. (I don't
guess they'd be reading Mailop).
At this point, there's a fine line here between "state-sponsored attack"
and "state-being-clueless-and-taking-no-action-and-enabling attack".
You can use a DNSBL within spam checking for scoring.
It's a bit safer than blocking at SMTP level (even if you are spam checking
at SMTP level and blocking spam).
--
Matus UHLAR - fantomas, [email protected] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
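The check_client_access lookup discussed in this thread, as an added example that is not Postfix code and not part of the original messages: it simulates the lookup order documented in access(5) (hostname, then parent domains, then the client IP and its prefixes) so the effect of having "smtpd_access_maps" in parent_domain_matches_subdomains on a ".gob.do" key versus a "gob.do" key can be seen without a running Postfix. The access maps and the client hostname/IP are constructed from the headers quoted above; the function names are this example's own.

```python
"""Simulate access(5) lookups done by check_client_access.

Added example, not Postfix source: it follows the documented lookup
order so the two spellings of a parent-domain key can be compared.
"""

# Client as seen in the quoted Received: header (constructed sample input).
CLIENT_HOST = "server-623641.inespre.gob.do"
CLIENT_IP = "50.6.199.138"

# Constructed access maps, as one would feed to
# "postmap hash:/etc/postfix/client_access".
DOTTED_MAP = {".gob.do": "REJECT"}   # subdomain key, non-legacy spelling
BARE_MAP = {"gob.do": "REJECT"}      # key without the leading dot
IP_MAP = {"50.6.199": "REJECT"}      # net.work.addr prefix key from access(5)


def _parent_domains(hostname):
    """inespre.gob.do, gob.do, do for server-623641.inespre.gob.do."""
    labels = hostname.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def _ip_prefixes(ip):
    """Full address first, then shorter dotted-octet prefixes."""
    octets = ip.split(".")
    return [".".join(octets[:n]) for n in range(len(octets), 0, -1)]


def lookup_client(access_map, hostname, ip, legacy_subdomains=False):
    """Return (matched_key, action), or (None, None) when nothing matches.

    legacy_subdomains=True models "smtpd_access_maps" being listed in
    parent_domain_matches_subdomains: parent domains are then looked up
    as "domain.tld".  Otherwise they are looked up as ".domain.tld", which
    is why the ".gob.do" entry only works in non-legacy mode and the
    "gob.do" entry only matches subdomains in legacy mode.
    """
    # The hostname is only used when it resolved; otherwise it is "unknown".
    if hostname and hostname != "unknown":
        if hostname in access_map:
            return hostname, access_map[hostname]
        for parent in _parent_domains(hostname):
            key = parent if legacy_subdomains else "." + parent
            if key in access_map:
                return key, access_map[key]
    # Client IP address, then its dotted-octet prefixes.
    for key in _ip_prefixes(ip):
        if key in access_map:
            return key, access_map[key]
    return None, None


def compare_modes(access_map, hostname=CLIENT_HOST, ip=CLIENT_IP):
    """Result of the same map under both parent_domain_matches_subdomains settings."""
    return {
        "default": lookup_client(access_map, hostname, ip, legacy_subdomains=False),
        "legacy": lookup_client(access_map, hostname, ip, legacy_subdomains=True),
    }


if __name__ == "__main__":
    for name, amap in (("DOTTED_MAP", DOTTED_MAP), ("BARE_MAP", BARE_MAP)):
        for mode, result in compare_modes(amap).items():
            print(f"{name:10s} {mode:8s} -> {result}")
    # With an unresolvable client only the IP keys can match.
    print("IP_MAP     unknown  ->", lookup_client(IP_MAP, "unknown", CLIENT_IP))
```

Running it shows the point made in the reply: the ".gob.do" entry rejects the client only in the default configuration, the bare "gob.do" entry only when "smtpd_access_maps" is in parent_domain_matches_subdomains, and the IP-prefix entry matches regardless of how the hostname resolves.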