Re: Block email based on reply field

2019-12-18 Thread li...@lazygranch.com



On Wed, 18 Dec 2019 13:10:50 -0500
Viktor Dukhovni  wrote:

> [ I'm on the list, there's no need to Cc: me directly]
> 
> On Wed, Dec 18, 2019 at 01:36:17AM -0800, li...@lazygranch.com wrote:
> 
> > Viktor Dukhovni  wrote:
> > 
> > >   header-checks.pcre:
> > > if /^Reply-To:/
> > > # Adjust to exactly match the observed header
> > > # Includes rule id in reject message
> > > /[:\s<]spammer@example\.net[>\s]/   REJECT 5.7.1 Access denied R0001
> > > /^/ DUNNO no more Reply-To rules
> > > endif
> 
> Note the "Adjust to exactly match ..."
> 
> > 1) I don't understand this line:
> > pcre = pcre:${config_directory}/
> 
> This is just defines a convenient shorthand.  You can then use
> ${pcre} instead of "pcre:${config_directory}/" each time you specify
> a PCRE table.
> 
> > header_checks = pcre:/etc/postfix/header_checks.pcre
> 
> This uses the expansion rather than the shorthand.
> 
> > 4) Here is the entry to reject the reply-to:
> > 
> > if /^Reply-To:/
> > /[:\s<]damnspammer\.org[>\s]/ REJECT
> > endif
> 
> This has no localpart, so won't match the Reply-To:
> 
> > That was a shortened version from Viktor's suggestion. However I had
> > also used:
> > 
> > if /^Reply-To:/
> > # Adjust to exactly match the observed header
> > # Includes rule id in reject message
> > /[:\s<]reply@mysecuritycamera\.org[>\s]/   REJECT 5.7.1 Access denied R0001
> > /^/ DUNNO no more Reply-To rules
> > endif
> 
> See below.
> 
> > Received: from trump.damnspammer.org (ec.compute.amazonaws.com
> > [1.2.3.4]) by www.mydomain.com (Postfix) with ESMTP id 5C82C6F591
> >  for ; Tue, 17 Dec 2019 22:35:52 + (UTC)
> > Subject: "oxygen flow" fruits for better garden performance
> > Reply-To: re...@damnspammer.org
> > To: m...@mydomain.com
> 
> In the above "Reply-To" the address has no surrounding "<>" and is
> not followed by anything.  Therefore, the PCRE match needs to be made
> a bit more flexible, allowing for the domain part to not have
> anything after it at all:
> 
> if /^Reply-To:/
> /[:\s<]reply@mysecuritycamera\.org([>\s]|$)/   REJECT 5.7.1 Access denied R0001
> /^/ DUNNO no more Reply-To rules
> endif
> 
> To test (this uses the "bash" <(...) inline file syntax):
> 
> $ postmap -q 'Reply-To: re...@mysecuritycamera.org' pcre:<(
>   printf 'if /^Reply-To:/\n%s %s\n/^/ %s\n%s\n' \
> '/[:\s<]reply@mysecuritycamera\.org([>\s]|$)/' \
> 'REJECT 5.7.1 Access denied R0001' \
> 'DUNNO no more Reply-To rules' \
> 'endif'
> )
> 

Well that was weird. Having a lot of faith in your code, I assumed the
cut and paste from email was putting in an invisible character. I kept
getting complaints about an unknown option. I just ended up typing the 4
lines myself. Seems to me you search for the ":" twice, so I need to
study PCRE some more. I got the white space search and end of line
check.

Given the invisible character issue via cut and paste, I
wrote a very small script and just fed the test string right to postfix.
(postmap -q "string" file)

I think it should just discard rather than reject, though reject is
more polite.

Thanks again. Now to wait for the spammer to er um offer me
pills to supercharge my begonia. It won't be a long wait.


Re: Block email based on reply field

2019-12-18 Thread Viktor Dukhovni
[ I'm on the list, there's no need to Cc: me directly]

On Wed, Dec 18, 2019 at 01:36:17AM -0800, li...@lazygranch.com wrote:

> Viktor Dukhovni  wrote:
> 
> >   header-checks.pcre:
> > if /^Reply-To:/
> > # Adjust to exactly match the observed header
> > # Includes rule id in reject message
> > /[:\s<]spammer@example\.net[>\s]/   REJECT 5.7.1 Access denied R0001
> > /^/ DUNNO no more Reply-To rules
> > endif

Note the "Adjust to exactly match ..."

> 1) I don't understand this line:
> pcre = pcre:${config_directory}/

This is just defines a convenient shorthand.  You can then use ${pcre} instead
of "pcre:${config_directory}/" each time you specify a PCRE table.

> header_checks = pcre:/etc/postfix/header_checks.pcre

This uses the expansion rather than the shorthand.

> 4) Here is the entry to reject the reply-to:
> 
> if /^Reply-To:/
> /[:\s<]damnspammer\.org[>\s]/ REJECT
> endif

This has no localpart, so won't match the Reply-To:

> That was a shortened version from Viktor's suggestion. However I had
> also used:
> 
> if /^Reply-To:/
> # Adjust to exactly match the observed header
> # Includes rule id in reject message
> /[:\s<]reply@mysecuritycamera\.org[>\s]/   REJECT 5.7.1 Access denied R0001
> /^/ DUNNO no more Reply-To rules
> endif

See below.

> Received: from trump.damnspammer.org (ec.compute.amazonaws.com [1.2.3.4])
>  by www.mydomain.com (Postfix) with ESMTP id 5C82C6F591
>  for ; Tue, 17 Dec 2019 22:35:52 + (UTC)
> Subject: "oxygen flow" fruits for better garden performance
> Reply-To: re...@damnspammer.org
> To: m...@mydomain.com

In the above "Reply-To" the address has no surrounding "<>" and is not followed
by anything.  Therefore, the PCRE match needs to be made a bit more flexible,
allowing for the domain part to not have anything after it at all:

if /^Reply-To:/
/[:\s<]reply@mysecuritycamera\.org([>\s]|$)/   REJECT 5.7.1 Access denied R0001
/^/ DUNNO no more Reply-To rules
endif

To test (this uses the "bash" <(...) inline file syntax):

$ postmap -q 'Reply-To: re...@mysecuritycamera.org' pcre:<(
  printf 'if /^Reply-To:/\n%s %s\n/^/ %s\n%s\n' \
'/[:\s<]reply@mysecuritycamera\.org([>\s]|$)/' \
'REJECT 5.7.1 Access denied R0001' \
'DUNNO no more Reply-To rules' \
'endif'
)

-- 
Viktor.
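The point made above about the bare address (nothing follows the domain, so "[>\s]" has nothing to match) can be checked without a mail server. What follows is an added example, not code from this thread or from Postfix: a small Python model of how a pcre: header_checks table with if/endif blocks is evaluated, run over constructed headers modelled on the quoted spam. It uses the spammer@example.net placeholder from the first reply in the thread; the sample addresses news@dog.cat.jp and recipient@example.com, and the function names parse_table, lookup and check_message, are the example's own. It assumes one header per line (Postfix joins continuation lines before matching) and the pcre_table(5) default of case-insensitive matching, and it also runs Ralph's "\b"-based one-liner (with the domain changed to the same placeholder) to show where that looser pattern also matches.

```python
import re
from typing import List, Optional, Tuple

# Added example, not Postfix code: a minimal model of how Postfix evaluates a
# pcre: header_checks table (pcre_table(5)) with if/endif blocks, so the patterns
# from the thread can be exercised without a mail server. Assumptions: one header
# per line (Postfix joins continuation lines first); matching is case-insensitive,
# the pcre_table(5) default, and other flags are accepted but ignored; whitespace
# between the closing '/' and the action is mandatory, as in Postfix.
_RULE = re.compile(r'^(!?)/((?:\\.|[^/\\])*)/[A-Za-z!]*\s+(.*)$')
_IF = re.compile(r'^if\s+(!?)/((?:\\.|[^/\\])*)/[A-Za-z!]*\s*$')


def parse_table(text: str) -> List[Tuple]:
    """Parse into ('if', neg, rx), ('endif',) and ('rule', neg, rx, action) entries."""
    entries: List[Tuple] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == 'endif':
            entries.append(('endif',))
            continue
        m = _IF.match(line)
        if m:
            entries.append(('if', m.group(1) == '!', re.compile(m.group(2), re.I)))
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f'unparsable table line: {line!r}')
        entries.append(('rule', m.group(1) == '!',
                        re.compile(m.group(2), re.I), m.group(3).strip()))
    return entries


def lookup(table: List[Tuple], header: str) -> Optional[str]:
    """Action of the first rule matching this header line, honouring if/endif; None if none."""
    skip_depth = 0  # > 0 while inside an if-block whose condition was false
    for entry in table:
        kind = entry[0]
        if skip_depth:
            if kind == 'if':
                skip_depth += 1
            elif kind == 'endif':
                skip_depth -= 1
            continue
        if kind == 'if':
            _, negated, rx = entry
            if bool(rx.search(header)) == negated:
                skip_depth = 1
        elif kind == 'rule':
            _, negated, rx, action = entry
            if bool(rx.search(header)) != negated:
                return action
    return None


def check_message(table_text: str, headers: List[str]) -> Optional[str]:
    """First non-DUNNO action over the headers, else None.
    DUNNO means 'pretend this line matched nothing, inspect the next header'."""
    table = parse_table(table_text)
    for header in headers:
        action = lookup(table, header)
        if action is not None and action.split()[0].upper() != 'DUNNO':
            return action
    return None


# Viktor's first table: the trailing [>\s] needs a character after the address,
# which a bare "Reply-To: user@domain" at end of line does not have.
STRICT_TABLE = r"""if /^Reply-To:/
/[:\s<]spammer@example\.net[>\s]/   REJECT 5.7.1 Access denied R0001
/^/ DUNNO no more Reply-To rules
endif"""

# The corrected table: ([>\s]|$) also accepts the address at end of line.
FLEXIBLE_TABLE = r"""if /^Reply-To:/
/[:\s<]spammer@example\.net([>\s]|$)/   REJECT 5.7.1 Access denied R0001
/^/ DUNNO no more Reply-To rules
endif"""

# Ralph's one-liner, with the domain changed to the same placeholder.
WORD_BOUNDARY_TABLE = r"/^Reply-To:.+\bexample\.net\b/i REJECT"

# Constructed headers modelled on the quoted spam (bare Reply-To, no angle
# brackets); the other variants are added for contrast.
BARE = ['From: "oxygen flow" to your begonia <news@dog.cat.jp>',
        'Reply-To: spammer@example.net', 'To: recipient@example.com']
BRACKETED = ['Reply-To: "Garden Tips" <spammer@example.net>']
LOOKALIKE = ['Reply-To: spammer@example.net.evil.test']
OTHER_HEADER = ['From: spammer@example.net']

if __name__ == '__main__':
    for tname, table in [('strict', STRICT_TABLE), ('flexible', FLEXIBLE_TABLE),
                         ('word-boundary', WORD_BOUNDARY_TABLE)]:
        for sname, headers in [('bare', BARE), ('bracketed', BRACKETED),
                               ('lookalike', LOOKALIKE), ('other-header', OTHER_HEADER)]:
            print(f'{tname:13} {sname:12} -> {check_message(table, headers)}')
```

Run it directly to see each table's verdict for each sample: the strict table lets the bare Reply-To through and only catches the bracketed form, the corrected table catches both, and neither fires on the lookalike domain. Two caveats the model also shows: Postfix reads the letters right after the closing "/" as pattern flags, so a rule written as "/^/DUNNO" with no whitespace before the action is a flag error rather than a rule, and the parser here refuses such lines too; and "\b" matches between "t" and ".", so "\bexample\.net\b" also fires on spammer@example.net.evil.test, where the anchored "([>\s]|$)" form does not.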


Re: Block email based on reply field

2019-12-18 Thread li...@lazygranch.com



On Wed, 11 Dec 2019 21:56:48 -0500
Viktor Dukhovni  wrote:

> > On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
> > 
> > I have a spammer who uses all sorts of "from" addresses but the same
> > "reply" address. Any way to block this spammer in Postfix.  
> 
>   main.cf:
>   pcre = pcre:${config_directory}/
>   header_checks = ${pcre}header-checks.pcre
>   # Set empty, or keep existing non-default value
>   nested_header_checks =
>   mime_header_checks =
> 
>   header-checks.pcre:
> if /^Reply-To:/
> # Adjust to exactly match the observed header
> # Includes rule id in reject message
> /[:\s<]spammer@example\.net[>\s]/   REJECT 5.7.1 Access denied R0001
> /^/ DUNNO no more Reply-To rules
> endif
> 

Well I tried this with no luck. Here are my comments:
1) I don't understand this line:
pcre = pcre:${config_directory}/
Doing a search I can't find this line used. However I think my pcre is
working anyway. Within my main.cf, I have the line:

header_checks = pcre:/etc/postfix/header_checks.pcre


2) I RTFM postfix section on header_checks and did a few tests to see
if they are working. The first one I did was put a long sequence of
letters and numbers similar to a password to be detected in the
subject line. Inside header_checks.pcre, I added this line:
/^Subject: moDjbQje7duHkYI0TNc/ REJECT

Sending an email with that sequence to my server did bounce the
message. Incidentally I am doing these tests from a yahoo email account
rather than my own domain.

3) I found no way to spoof the reply-to field from yahoo email. But as
a test, I decided to block my yahoo email from my own email server.
Here is the line in header_checks.pcre:

if /^From:/
/[:\s<]me@yahoo\.com[>\s]/ REJECT 1.1.1
endif

This did bounce the message.

4) Here is the entry to reject the reply-to:

if /^Reply-To:/
/[:\s<]damnspammer\.org[>\s]/ REJECT
endif

That was a shortened version from Viktor's suggestion. However I had
also used:

if /^Reply-To:/
# Adjust to exactly match the observed header
# Includes rule id in reject message
/[:\s<]reply@mysecuritycamera\.org[>\s]/   REJECT 5.7.1 Access denied R0001
/^/ DUNNO no more Reply-To rules
endif

Excuse the word wrap due to Claws. Note that every time I changed
the header_checks.pcre file I did a 
systemctl reload postfix
systemctl restart postfix

Having no way to send the spoofed Reply-To line, I waited for spam to
arrive. And of course I wasn't disappointed. 

I will supply the sanitized versions of the maillog and the received
email header from Claws. (Sanitized due to google. No use having my
real domain in the message.)

From Claws email header:

-
Return-Path: 
X-Original-To: m...@mydomain.com
Delivered-To: m...@mydomain.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; 
client-ip=1.2.3.4; helo=trump.damnspammer.org; 
envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com 
DMARC-Filter: OpenDMARC Filter v1.3.2 www.mydomain.com 5C82C6F591
Authentication-Results: mydomain.com; dmarc=none (p=none dis=none) 
header.from=dog.cat.jp
Authentication-Results: mydomain.com; spf=pass 
smtp.mailfrom=bou...@trump.damnspammer.org
DKIM-Filter: OpenDKIM Filter v2.11.0 www.mydomain.com 5C82C6F591
Received: from trump.damnspammer.org (ec.compute.amazonaws.com [1.2.3.4])
 by www.mydomain.com (Postfix) with ESMTP id 5C82C6F591
 for ; Tue, 17 Dec 2019 22:35:52 + (UTC)
MIME-Version: 1.0
From: "oxygen flow" to your begonia  !
Subject: "oxygen flow" fruits for better garden performance
Reply-To: re...@damnspammer.org
To: m...@mydomain.com
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"


From /var/log/maillog:

--
Dec 17 22:35:51 mydomain postfix/smtpd[28909]: connect from 
ec.compute.amazonaws.com[1.2.3.4]
Dec 17 22:35:53 mydomain policyd-spf[28914]: spfcheck: pyspf result: "['Pass', 
'sender SPF authorized', 'helo']"
Dec 17 22:35:53 mydomain policyd-spf[28914]: Pass; identity=helo; 
client-ip=1.2.3.4; helo=trump.damnspammer.org; 
envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com
Dec 17 22:35:53 mydomain policyd-spf[28914]: spfcheck: pyspf result: "['Pass', 
'sender SPF authorized', 'mailfrom']"
Dec 17 22:35:53 mydomain policyd-spf[28914]: Pass; identity=mailfrom; 
client-ip=1.2.3.4; helo=trump.damnspammer.org; 
envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com
Dec 17 22:35:53 mydomain postfix/smtpd[28909]: 5C82C6F591: 
client=ec.compute.amazonaws.com[1.2.3.4]
Dec 17 22:35:53 mydomain postfix/cleanup[28915]: 5C82C6F591: message-id=<>
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: ec.compute.amazonaws.com 
[1.2.3.4] not internal
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: not authenticated
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: no signature data
Dec 17 22:35:53 mydomain opendmarc[1262]: 

Re: [External] Block email based on reply field

2019-12-11 Thread Benny Pedersen

Kevin A. McGrail skrev den 2019-12-12 03:45:

If you have integrated with Apache SpamAssassin, then v3.4.3 introduces
the ability to do RBL lookups on the domain in Reply-to as well as the
ability to do hashed lookups.


and SpamAssassin 3.4.3 is out before Xmas :=)

Is TxRep working with non-default settings? I see most is ignored from
local.cf, so it seems only what is hardcoded in TxRep.pm is saved to the
database on PostgreSQL.


Re: Block email based on reply field

2019-12-11 Thread Benny Pedersen

li...@lazygranch.com skrev den 2019-12-12 03:38:

I have a spammer who uses all sorts of "from" addresses but the same
"reply" address. Any way to block this spammer in Postfix.


milter-regex

or make a clamav signature


Re: Block email based on reply field

2019-12-11 Thread lists
Thanks. Not the smartest spammer. The "from" lasts a while but the "reply" is 
static for months. I just got tired of blocking the "from" periodically. 





  Original Message  


From: postfix-us...@dukhovni.org
Sent: December 11, 2019 6:57 PM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Block email based on reply field


> On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
>
> I have a spammer who uses all sorts of "from" addresses but the same
> "reply" address. Any way to block this spammer in Postfix.

  main.cf:
pcre = pcre:${config_directory}/
header_checks = ${pcre}header-checks.pcre
# Set empty, or keep existing non-default value
nested_header_checks =
mime_header_checks =

  header-checks.pcre:
    if /^Reply-To:/
    # Adjust to exactly match the observed header
    # Includes rule id in reject message
    /[:\s<]spammer@example\.net[>\s]/   REJECT 5.7.1 Access denied R0001
    /^/ DUNNO no more Reply-To rules
    endif

--
Viktor.



Re: Block email based on reply field

2019-12-11 Thread Viktor Dukhovni
> On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
> 
> I have a spammer who uses all sorts of "from" addresses but the same
> "reply" address. Any way to block this spammer in Postfix.

  main.cf:
pcre = pcre:${config_directory}/
header_checks = ${pcre}header-checks.pcre
# Set empty, or keep existing non-default value
nested_header_checks =
mime_header_checks =

  header-checks.pcre:
if /^Reply-To:/
# Adjust to exactly match the observed header
# Includes rule id in reject message
/[:\s<]spammer@example\.net[>\s]/   REJECT 5.7.1 Access denied R0001
/^/ DUNNO no more Reply-To rules
endif

-- 
Viktor.



Re: Block email based on reply field

2019-12-11 Thread Ralph Seichter
* li...@lazygranch.com:

> I have a spammer who uses all sorts of "from" addresses but the same
> "reply" address. Any way to block this spammer in Postfix.

You can use Postfix header checks. The following example is PCRE based:

  /^Reply-To:.+\bexample\.com\b/i REJECT

-Ralph


Re: [External] Block email based on reply field

2019-12-11 Thread Kevin A. McGrail
If you have integrated with Apache SpamAssassin, then v3.4.3 introduces
the ability to do RBL lookups on the domain in Reply-to as well as the
ability to do hashed lookups.

Regards,
KAM

On 12/11/2019 9:38 PM, li...@lazygranch.com wrote:
> I have a spammer who uses all sorts of "from" addresses but the same
> "reply" address. Any way to block this spammer in Postfix. 



Block email based on reply field

2019-12-11 Thread li...@lazygranch.com
I have a spammer who uses all sorts of "from" addresses but the same
"reply" address. Any way to block this spammer in Postfix.