On Wed, 11 Dec 2019 21:56:48 -0500
Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> > On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
> > 
> > I have a spammer who uses all sorts of "from" addresses but the same
> > "reply" address. Any way to block this spammer in Postfix?
> 
>   main.cf:
>       pcre = pcre:${config_directory}/
>       header_checks = ${pcre}header-checks.pcre
>       # Set empty, or keep existing non-default value
>       nested_header_checks =
>       mime_header_checks =
> 
>   header-checks.pcre:
>     if /^Reply-To:/
>     # Adjust to exactly match the observed header
>     # Includes rule id in reject message
>     /[:\s<]spammer@example\.net[>\s]/ REJECT 5.7.1 Access denied R0001
>     /^/                                      DUNNO no more Reply-To rules
>     endif
> 

Well I tried this with no luck. Here are my comments:
1) I don't understand this line:
pcre = pcre:${config_directory}/
Doing a search I can't find this line used. However I think my pcre is
working anyway. Within my main.cf, I have the line:

header_checks = pcre:/etc/postfix/header_checks.pcre


2) I RTFM postfix section on header_checks and did a few tests to see
if they are working. The first one I did was put a long sequence of
letters and numbers similar to a password to be detected in the
subject line. Inside header_checks.pcre, I added this line:
/^Subject: moDjbQje7duHkYI0TNc/ REJECT

Sending an email with that sequence to my server did bounce the
message. Incidentally I am doing these tests from a yahoo email account
rather than my own domain.

3) I found no way to spoof the reply-to field from yahoo email. But as
a test, I decided to block my yahoo email from my own email server.
Here is the line in header_checks.pcre:

if /^From:/
/[:\s<]me@yahoo\.com[>\s]/ REJECT 1.1.1
endif

This did bounce the message.

4) Here is the entry to reject the reply-to:

if /^Reply-To:/
/[:\s<]damnspammer\.org[>\s]/ REJECT
endif

That was a shortened version from Viktor's suggestion. However I had
also used:

if /^Reply-To:/
# Adjust to exactly match the observed header
# Includes rule id in reject message
/[:\s<]reply@mysecuritycamera\.org[>\s]/       REJECT 5.7.1 Access denied R0001
/^/                                    DUNNO no more Reply-To rules
endif

Excuse the word wrap due to the Claws. Note that every time I changed
the header_checks.pcre file I did a 
systemctl reload postfix
systemctl restart postfix

Having no way to send the spoofed Reply-To line, I waited for spam to
arrive. And of course I wasn't disappointed. 

I will supply the sanitized versions of the maillog and the received
email header from Claws. (Sanitized due to google. No use having my
real domain in the message.)

From Claws email header:

-------------
Return-Path: <bou...@trump.damnspammer.org>
X-Original-To: m...@mydomain.com
Delivered-To: m...@mydomain.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
client-ip=1.2.3.4; helo=trump.damnspammer.org; 
envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com 
DMARC-Filter: OpenDMARC Filter v1.3.2 www.mydomain.com 5C82C6F591
Authentication-Results: mydomain.com; dmarc=none (p=none dis=none) 
header.from=dog.cat.jp
Authentication-Results: mydomain.com; spf=pass 
smtp.mailfrom=bou...@trump.damnspammer.org
DKIM-Filter: OpenDKIM Filter v2.11.0 www.mydomain.com 5C82C6F591
Received: from trump.damnspammer.org (ec.compute.amazonaws.com [1.2.3.4])
 by www.mydomain.com (Postfix) with ESMTP id 5C82C6F591
 for <m...@mydomain.com>; Tue, 17 Dec 2019 22:35:52 +0000 (UTC)
MIME-Version: 1.0
From: "oxygen flow" to your begonia  !<deadnewsupd...@dog.cat.jp>
Subject: "oxygen flow" fruits for better garden performance
Reply-To: re...@damnspammer.org
To: m...@mydomain.com
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"
------------------------------------

From /var/log/maillog:

----------------------
Dec 17 22:35:51 mydomain postfix/smtpd[28909]: connect from 
ec.compute.amazonaws.com[1.2.3.4]
Dec 17 22:35:53 mydomain policyd-spf[28914]: spfcheck: pyspf result: "['Pass', 
'sender SPF authorized', 'helo']"
Dec 17 22:35:53 mydomain policyd-spf[28914]: Pass; identity=helo; 
client-ip=1.2.3.4; helo=trump.damnspammer.org; 
envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com
Dec 17 22:35:53 mydomain policyd-spf[28914]: spfcheck: pyspf result: "['Pass', 
'sender SPF authorized', 'mailfrom']"
Dec 17 22:35:53 mydomain policyd-spf[28914]: Pass; identity=mailfrom; 
client-ip=1.2.3.4; helo=trump.damnspammer.org; 
envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com
Dec 17 22:35:53 mydomain postfix/smtpd[28909]: 5C82C6F591: 
client=ec.compute.amazonaws.com[1.2.3.4]
Dec 17 22:35:53 mydomain postfix/cleanup[28915]: 5C82C6F591: message-id=<>
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: ec.compute.amazonaws.com 
[1.2.3.4] not internal
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: not authenticated
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: no signature data
Dec 17 22:35:53 mydomain opendmarc[1262]: 5C82C6F591: SPF(mailfrom): 
bou...@trump.damnspammer.org pass
Dec 17 22:35:53 mydomain opendmarc[1262]: 5C82C6F591: dog.cat.jp none
Dec 17 22:35:53 mydomain postfix/qmgr[772]: 5C82C6F591: 
from=<bou...@trump.damnspammer.org>, size=17184, nrcpt=1 (queue active)
Dec 17 22:35:53 mydomain postfix/virtual[28916]: 5C82C6F591: 
to=<m...@mydomain.com>, relay=virtual, delay=1.9, delays=1.8/0.01/0/0, 
dsn=2.0.0, status=sent (delivered to maildir)
Dec 17 22:35:53 mydomain postfix/qmgr[772]: 5C82C6F591: removed
Dec 17 22:35:54 mydomain postfix/smtpd[28909]: disconnect from 
ec.compute.amazonaws.com[1.2.3.4] ehlo=1 mail=1 rcpt=1 bdat=3 quit=1 commands=7
------------------------

Incidentally I had added the same Reply-To block in the mime header
check even though it made no sense.

Server info:
Linux mydomain.com 3.10.0-1062.9.1.el7.x86_64 #1 SMP Fri Dec 6
15:49:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

sh-4.2# postconf -m
btree
cidr
environ
fail
hash
inline
internal
memcache
nis
pcre
pipemap
proxy
randmap
regexp
socketmap
static
tcp
texthash
unionmap
unix

sh-4.2# postconf mail_version
mail_version = 3.4.7
