Re: Block email based on reply field
On Wed, 18 Dec 2019 13:10:50 -0500 Viktor Dukhovni wrote:

> [ I'm on the list, there's no need to Cc: me directly]
>
> On Wed, Dec 18, 2019 at 01:36:17AM -0800, li...@lazygranch.com wrote:
>
> > Viktor Dukhovni wrote:
> >
> > > header-checks.pcre:
> > >     if /^Reply-To:/
> > >     # Adjust to exactly match the observed header
> > >     # Includes rule id in reject message
> > >     /[:\s<]spammer@example\.net[>\s]/ REJECT 5.7.1 Access denied R0001
> > >     /^/ DUNNO no more Reply-To rules
> > >     endif
>
> Note the "Adjust to exactly match ..."
>
> > 1) I don't understand this line:
> >     pcre = pcre:${config_directory}/
>
> This just defines a convenient shorthand. You can then use ${pcre} instead of "pcre:${config_directory}/" each time you specify a PCRE table.
>
> >     header_checks = pcre:/etc/postfix/header_checks.pcre
>
> This uses the expansion rather than the shorthand.
>
> > 4) Here is the entry to reject the reply-to:
> >
> >     if /^Reply-To:/
> >     /[:\s<]damnspammer\.org[>\s]/ REJECT
> >     endif
>
> This has no localpart, so won't match the Reply-To:
>
> > That was a shortened version from Viktor's suggestion. However I had also used:
> >
> >     if /^Reply-To:/
> >     # Adjust to exactly match the observed header
> >     # Includes rule id in reject message
> >     /[:\s<]reply@mysecuritycamera\.org[>\s]/ REJECT 5.7.1 Access denied R0001
> >     /^/DUNNO no more Reply-To rules
> >     endif
>
> See below.
>
> > Received: from trump.damnspammer.org (ec.compute.amazonaws.com [1.2.3.4])
> >     by www.mydomain.com (Postfix) with ESMTP id 5C82C6F591
> >     for ; Tue, 17 Dec 2019 22:35:52 + (UTC)
> > Subject: "oxygen flow" fruits for better garden performance
> > Reply-To: re...@damnspammer.org
> > To: m...@mydomain.com
>
> In the above "Reply-To" the address has no surrounding "<>" and is not followed by anything. Therefore, the PCRE match needs to be made a bit more flexible, allowing for the domain part to not have anything after it at all:
>
>     if /^Reply-To:/
>     /[:\s<]reply@mysecuritycamera\.org([>\s]|$)/ REJECT 5.7.1 Access denied R0001
>     /^/ DUNNO no more Reply-To rules
>     endif
>
> To test (this uses the "bash" <(...) inline file syntax):
>
>     $ postmap -q 'Reply-To: re...@mysecuritycamera.org' pcre:<(
>         printf 'if /^Reply-To:/\n%s %s\n/^/ %s\n%s\n' \
>             '/[:\s<]reply@mysecuritycamera\.org([>\s]|$)/' \
>             'REJECT 5.7.1 Access denied R0001' \
>             'DUNNO no more Reply-To rules' \
>             'endif'
>     )

Well that was weird. Having a lot of faith in your code, I assumed the cut and paste from email was putting in an invisible character. I kept getting complaints about an unknown option. I just ended up typing the 4 lines myself.

Seems to me you search for the ":" twice, so I need to study PCRE some more. I got the white space search and end of line check.

Given the invisible character issue via cut and paste, I wrote a very small script and just fed the test string right to postfix. (postmap -q "string" file)

I think it should just discard rather than reject, though reject is more polite.

Thanks again. Now to wait for the spammer to er um offer me pills to supercharge my begonia. It won't be a long wait.
Re: Block email based on reply field
[ I'm on the list, there's no need to Cc: me directly]

On Wed, Dec 18, 2019 at 01:36:17AM -0800, li...@lazygranch.com wrote:

> Viktor Dukhovni wrote:
>
> > header-checks.pcre:
> >     if /^Reply-To:/
> >     # Adjust to exactly match the observed header
> >     # Includes rule id in reject message
> >     /[:\s<]spammer@example\.net[>\s]/ REJECT 5.7.1 Access denied R0001
> >     /^/ DUNNO no more Reply-To rules
> >     endif

Note the "Adjust to exactly match ..."

> 1) I don't understand this line:
>     pcre = pcre:${config_directory}/

This just defines a convenient shorthand. You can then use ${pcre} instead of "pcre:${config_directory}/" each time you specify a PCRE table.

>     header_checks = pcre:/etc/postfix/header_checks.pcre

This uses the expansion rather than the shorthand.

> 4) Here is the entry to reject the reply-to:
>
>     if /^Reply-To:/
>     /[:\s<]damnspammer\.org[>\s]/ REJECT
>     endif

This has no localpart, so won't match the Reply-To:

> That was a shortened version from Viktor's suggestion. However I had also used:
>
>     if /^Reply-To:/
>     # Adjust to exactly match the observed header
>     # Includes rule id in reject message
>     /[:\s<]reply@mysecuritycamera\.org[>\s]/ REJECT 5.7.1 Access denied R0001
>     /^/DUNNO no more Reply-To rules
>     endif

See below.

> Received: from trump.damnspammer.org (ec.compute.amazonaws.com [1.2.3.4])
>     by www.mydomain.com (Postfix) with ESMTP id 5C82C6F591
>     for ; Tue, 17 Dec 2019 22:35:52 + (UTC)
> Subject: "oxygen flow" fruits for better garden performance
> Reply-To: re...@damnspammer.org
> To: m...@mydomain.com

In the above "Reply-To" the address has no surrounding "<>" and is not followed by anything. Therefore, the PCRE match needs to be made a bit more flexible, allowing for the domain part to not have anything after it at all:

    if /^Reply-To:/
    /[:\s<]reply@mysecuritycamera\.org([>\s]|$)/ REJECT 5.7.1 Access denied R0001
    /^/ DUNNO no more Reply-To rules
    endif

To test (this uses the "bash" <(...) inline file syntax):

    $ postmap -q 'Reply-To: re...@mysecuritycamera.org' pcre:<(
        printf 'if /^Reply-To:/\n%s %s\n/^/ %s\n%s\n' \
            '/[:\s<]reply@mysecuritycamera\.org([>\s]|$)/' \
            'REJECT 5.7.1 Access denied R0001' \
            'DUNNO no more Reply-To rules' \
            'endif'
    )

-- 
Viktor.
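As an added illustration (not code from the thread or from Postfix), the following Python model walks a pcre header_checks table the way Postfix does, first matching rule wins and an `if` whose pattern fails skips to its `endif`, and shows why the original `[>\s]` rule never fires on a bare `Reply-To:` address while the `([>\s]|$)` version does. The header lines are constructed; the authoritative check remains `postmap -q` against the live table as above.

```python
import re

# Added example, not code from the thread: a small model of how Postfix walks a
# pcre header_checks table (if/endif blocks, first matching rule wins). Only the
# subset used in the thread is supported. Postfix pcre tables match
# case-insensitively by default, so every pattern is compiled with IGNORECASE.
TABLE = r"""
if /^Reply-To:/
# Adjust to exactly match the observed header
/[:\s<]reply@mysecuritycamera\.org([>\s]|$)/ REJECT 5.7.1 Access denied R0001
/^/ DUNNO no more Reply-To rules
endif"""

def parse_table(text):
    """Return a list of (kind, compiled_regex, action); kind is if/endif/rule."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            rules.append(("endif", None, None))
            continue
        kind, body = ("if", line[3:].strip()) if line.startswith("if ") else ("rule", line)
        m = re.fullmatch(r"/((?:\\.|[^/])*)/\s*(.*)", body)
        if m is None:
            raise ValueError("cannot parse rule: " + line)
        rules.append((kind, re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, header):
    """Action of the first rule matching one unfolded header line, else None."""
    i = 0
    while i < len(rules):
        kind, rx, action = rules[i]
        if kind == "if" and not rx.search(header):
            depth = 1
            while depth:  # skip to the matching endif, honouring nested blocks
                i += 1
                depth += {"if": 1, "endif": -1}.get(rules[i][0], 0)
        elif kind == "rule" and rx.search(header):
            return action
        i += 1
    return None

def hits(pattern, header):
    return re.search(pattern, header, re.IGNORECASE) is not None

OLD = r"[:\s<]reply@mysecuritycamera\.org[>\s]"      # the rule that never fired
NEW = r"[:\s<]reply@mysecuritycamera\.org([>\s]|$)"  # the corrected rule
# Constructed header lines: the bare form seen in the spam, plus two variants.
BARE = "Reply-To: reply@mysecuritycamera.org"
ANGLE = 'Reply-To: "Sales" <reply@mysecuritycamera.org>'
LOOKALIKE = "Reply-To: reply@mysecuritycamera.org.example"
```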
Re: Block email based on reply field
On Wed, 11 Dec 2019 21:56:48 -0500 Viktor Dukhovni wrote:

> > On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
> >
> > I have a spammer who uses all sorts of "from" addresses but the same "reply" address. Any way to block this spammer in Postfix.
>
> main.cf:
>     pcre = pcre:${config_directory}/
>     header_checks = ${pcre}header-checks.pcre
>     # Set empty, or keep existing non-default value
>     nested_header_checks =
>     mime_header_checks =
>
> header-checks.pcre:
>     if /^Reply-To:/
>     # Adjust to exactly match the observed header
>     # Includes rule id in reject message
>     /[:\s<]spammer@example\.net[>\s]/ REJECT 5.7.1 Access denied R0001
>     /^/ DUNNO no more Reply-To rules
>     endif

Well I tried this with no luck. Here are my comments:

1) I don't understand this line:
    pcre = pcre:${config_directory}/
Doing a search I can't find this line used. However I think my pcre is working anyway. Within my main.cf, I have the line:
    header_checks = pcre:/etc/postfix/header_checks.pcre

2) I RTFM postfix section on header_checks and did a few tests to see if they are working. The first one I did was put a long sequence of letters and numbers similar to a password to be detected in the subject line. Inside header_checks.pcre, I added this line:
    /^Subject: moDjbQje7duHkYI0TNc/ REJECT
Sending an email with that sequence to my server did bounce the message. Incidentally I am doing these tests from a yahoo email account rather than my own domain.

3) I found no way to spoof the reply-to field from yahoo email. But as a test, I decided to block my yahoo email from my own email server. Here is the line in header_checks.pcre:
    if /^From:/
    /[:\s<]me@yahoo\.com[>\s]/ REJECT 1.1.1
    endif
This did bounce the message.

4) Here is the entry to reject the reply-to:
    if /^Reply-To:/
    /[:\s<]damnspammer\.org[>\s]/ REJECT
    endif
That was a shortened version from Viktor's suggestion. However I had also used:
    if /^Reply-To:/
    # Adjust to exactly match the observed header
    # Includes rule id in reject message
    /[:\s<]reply@mysecuritycamera\.org[>\s]/ REJECT 5.7.1 Access denied R0001
    /^/DUNNO no more Reply-To rules
    endif
Excuse the word wrap due to the Claws.

Note that every time I changed the header_checks.pcre file I did a
    systemctl reload postfix
    systemctl restart postfix

Having no way to send the spoofed Reply-To line, I waited for spam to arrive. And of course I wasn't disappointed. I will supply the sanitized versions of the maillog and the received email header from Claws. (Sanitized due to google. No use having my real domain in the message.)

From Claws email header:
-
Return-Path:
X-Original-To: m...@mydomain.com
Delivered-To: m...@mydomain.com
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=1.2.3.4; helo=trump.damnspammer.org; envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com
DMARC-Filter: OpenDMARC Filter v1.3.2 www.mydomain.com 5C82C6F591
Authentication-Results: mydomain.com; dmarc=none (p=none dis=none) header.from=dog.cat.jp
Authentication-Results: mydomain.com; spf=pass smtp.mailfrom=bou...@trump.damnspammer.org
DKIM-Filter: OpenDKIM Filter v2.11.0 www.mydomain.com 5C82C6F591
Received: from trump.damnspammer.org (ec.compute.amazonaws.com [1.2.3.4])
    by www.mydomain.com (Postfix) with ESMTP id 5C82C6F591
    for ; Tue, 17 Dec 2019 22:35:52 + (UTC)
MIME-Version: 1.0
From: "oxygen flow" to your begonia !
Subject: "oxygen flow" fruits for better garden performance
Reply-To: re...@damnspammer.org
To: m...@mydomain.com
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="UTF-8"

From /var/log/maillog:
--
Dec 17 22:35:51 mydomain postfix/smtpd[28909]: connect from ec.compute.amazonaws.com[1.2.3.4]
Dec 17 22:35:53 mydomain policyd-spf[28914]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'helo']"
Dec 17 22:35:53 mydomain policyd-spf[28914]: Pass; identity=helo; client-ip=1.2.3.4; helo=trump.damnspammer.org; envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com
Dec 17 22:35:53 mydomain policyd-spf[28914]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'mailfrom']"
Dec 17 22:35:53 mydomain policyd-spf[28914]: Pass; identity=mailfrom; client-ip=1.2.3.4; helo=trump.damnspammer.org; envelope-from=bou...@trump.damnspammer.org; receiver=m...@mydomain.com
Dec 17 22:35:53 mydomain postfix/smtpd[28909]: 5C82C6F591: client=ec.compute.amazonaws.com[1.2.3.4]
Dec 17 22:35:53 mydomain postfix/cleanup[28915]: 5C82C6F591: message-id=<>
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: ec.compute.amazonaws.com [1.2.3.4] not internal
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: not authenticated
Dec 17 22:35:53 mydomain opendkim[1272]: 5C82C6F591: no signature data
Dec 17 22:35:53 mydomain opendmarc[1262]:
Re: [External] Block email based on reply field
Kevin A. McGrail wrote on 2019-12-12 03:45:

> If you have integrated with Apache SpamAssassin, then v3.4.3 introduces the ability to do RBL lookups on the domain in Reply-to as well as the ability to do hashed lookups.

and spamassassin 3.4.3 is out before xmas :=)

Is TxRep working with non-default settings? I see most is ignored from local.cf, so it seems only what is hardcoded in TxRep.pm is what is saved to the database on postgresql.
Re: Block email based on reply field
li...@lazygranch.com wrote on 2019-12-12 03:38:

> I have a spammer who uses all sorts of "from" addresses but the same "reply" address. Any way to block this spammer in Postfix.

milter-regex, or make a clamav signature
Re: Block email based on reply field
Thanks. Not the smartest spammer. The "from" lasts a while but the "reply" is static for months. I just got tired of blocking the "from" periodically.

Original Message
From: postfix-us...@dukhovni.org
Sent: December 11, 2019 6:57 PM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: Re: Block email based on reply field

> On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
>
> I have a spammer who uses all sorts of "from" addresses but the same "reply" address. Any way to block this spammer in Postfix.

main.cf:
    pcre = pcre:${config_directory}/
    header_checks = ${pcre}header-checks.pcre
    # Set empty, or keep existing non-default value
    nested_header_checks =
    mime_header_checks =

header-checks.pcre:
    if /^Reply-To:/
    # Adjust to exactly match the observed header
    # Includes rule id in reject message
    /[:\s<]spammer@example\.net[>\s]/ REJECT 5.7.1 Access denied R0001
    /^/ DUNNO no more Reply-To rules
    endif

-- 
Viktor.
Re: Block email based on reply field
> On Dec 11, 2019, at 9:38 PM, li...@lazygranch.com wrote:
>
> I have a spammer who uses all sorts of "from" addresses but the same "reply" address. Any way to block this spammer in Postfix.

main.cf:
    pcre = pcre:${config_directory}/
    header_checks = ${pcre}header-checks.pcre
    # Set empty, or keep existing non-default value
    nested_header_checks =
    mime_header_checks =

header-checks.pcre:
    if /^Reply-To:/
    # Adjust to exactly match the observed header
    # Includes rule id in reject message
    /[:\s<]spammer@example\.net[>\s]/ REJECT 5.7.1 Access denied R0001
    /^/ DUNNO no more Reply-To rules
    endif

-- 
Viktor.
Re: Block email based on reply field
* li...@lazygranch.com:

> I have a spammer who uses all sorts of "from" addresses but the same "reply" address. Any way to block this spammer in Postfix.

You can use Postfix header checks. The following example is PCRE based:

    /^Reply-To:.+\bexample\.com\b/i REJECT

-Ralph
Re: [External] Block email based on reply field
If you have integrated with Apache SpamAssassin, then v3.4.3 introduces the ability to do RBL lookups on the domain in Reply-to as well as the ability to do hashed lookups.

Regards, KAM

On 12/11/2019 9:38 PM, li...@lazygranch.com wrote:

> I have a spammer who uses all sorts of "from" addresses but the same "reply" address. Any way to block this spammer in Postfix.
Block email based on reply field
I have a spammer who uses all sorts of "from" addresses but the same "reply" address. Any way to block this spammer in Postfix.