Re: Chinese Spam

2017-09-07 Thread pgndev
Fwiw I keep a pre-queue instance of milter-regex

   https://www.benzedrine.ch/milter-regex.html

in place, for just such 'emergencies', as well as longer-term header
match/action.

Although it's a bit long in the tooth, and not actively supported, it still
works well enough.

It's a clean, easy config & relatively lightweight.

Takes the burden off Postfix for header checking, and disposes of these
before any heavy post-queue processing (Amavis, SA, etc).


Re: Chinese Spam

2017-09-07 Thread Doug Hardie
Thanks.  I went with:

IF /^Message-id:/
/@qq\.com/ Reject
ENDIF

It's not all that pretty, but it works fine.  I have been watching the logs and 
those messages are now being rejected.  Thanks for all the help.

-- Doug

> On 7 September 2017, at 15:50, pgndev  wrote:
> 
> I missed the "message id" ... 
> 
> You should be able to match/block any valid header name.
> 
> Add it to, or replace, what's in the match -- up to you.  Personally, I've 
> never received a valid email from 'anything' @qq.com.  YMMV.
> 
> If you're shutting down a flood, more extreme, blunt instrument measures @ 
> the firewall (e.g. GeoIP blocking) can be put in place.



Re: Chinese Spam

2017-09-07 Thread pgndev
I missed the "message id" ...

You should be able to match/block any valid header name.

Add it to, or replace, what's in the match -- up to you.  Personally, I've
never received a valid email from 'anything' @qq.com.  YMMV.

If you're shutting down a flood, more extreme, blunt instrument measures @
the firewall (e.g. GeoIP blocking) can be put in place.


Re: Chinese Spam

2017-09-07 Thread Doug Hardie

> On 7 September 2017, at 15:28, pgndev  wrote:
> 
> It ain't pretty, or recommended for the long term, but something like this 
> should slow it down
> 
> /etc/postfix/main.cf
> header_checks = pcre:/etc/postfix/header_checks.pcre
> 
> /etc/postfix/header_checks.pcre
> IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /
> /@qq\.com/i   REJECT
> ENDIF
> 
> (check the syntax!)
> 

To block the message-id field shouldn't that be:

IF /(Message-id):/
/@qq\.com/i REJECT
ENDIF

The qq.com only appears in the message-id, never in any of the addresses.
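The two tables proposed in this thread (the address-header block quoted above and the Message-ID block Doug adopted) behave differently on the same message, and the safest way to see that is to run both over sample headers before touching main.cf. The script below is an added example, not code posted by anyone on the list: it is a small simulator of how Postfix walks a pcre header_checks table (IF/ENDIF blocks, first matching rule wins, a REJECT action) over constructed header lines. It reproduces the pcre_table(5) rule that matching is case-insensitive by default and that the `i` flag toggles that default off; other flags and actions are not modelled. The sample headers and the `evaluate` helper are constructed for this demonstration.

```python
import re

# Constructed tables in pcre_table(5) syntax, mirroring the two proposals in the thread.
TABLE_MESSAGE_ID = r"""
IF /^Message-id:/
/@qq\.com/ REJECT
ENDIF
"""

TABLE_ADDRESSES = r"""
IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /
/@qq\.com/i   REJECT
ENDIF
"""

# One rule per line: optional "IF", /pattern/flags, then the action.
RULE_RE = re.compile(r'^(IF\s+)?/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s*(.*)$')


def parse_table(text):
    """Parse a header_checks table into ('if'|'endif'|'rule', regex, action) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.upper() == 'ENDIF':
            rules.append(('endif', None, None))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line!r}')
        is_if, pattern, flags, action = m.groups()
        # pcre_table(5): case-insensitive by default; each 'i' flag toggles it.
        # Other flags (m, s, x, ...) are ignored by this simulator.
        re_flags = re.IGNORECASE
        for f in flags:
            if f == 'i':
                re_flags ^= re.IGNORECASE
        compiled = re.compile(pattern, re_flags)
        if is_if:
            rules.append(('if', compiled, None))
        else:
            rules.append(('rule', compiled, action.strip() or 'DUNNO'))
    return rules


def _skip_block(rules, i):
    """Return the index just past the ENDIF that closes the IF at rules[i]."""
    depth = 0
    for j in range(i, len(rules)):
        if rules[j][0] == 'if':
            depth += 1
        elif rules[j][0] == 'endif':
            depth -= 1
            if depth == 0:
                return j + 1
    raise ValueError('IF without matching ENDIF')


def check_headers(headers, rules):
    """Apply the table to each header line; the first matching rule decides.

    Returns (action, offending_header) or None when nothing matched.
    """
    for header in headers:
        i = 0
        while i < len(rules):
            kind, regex, action = rules[i]
            if kind == 'if':
                # Enter the block only if the header matches the IF pattern.
                i = i + 1 if regex.search(header) else _skip_block(rules, i)
            elif kind == 'endif':
                i += 1
            elif regex.search(header):
                return action, header
            else:
                i += 1
    return None


def evaluate(table_text, headers):
    return check_headers(headers, parse_table(table_text))


# Constructed headers: qq.com appears only in Message-ID, as Doug observed.
SPAM_HEADERS = [
    "From: Promotions <sales@example.net>",
    "To: doug@example.org",
    "Message-ID: <20170907.12345@qq.com>",
]
LEGIT_HEADERS = [
    "From: Colleague <alice@example.com>",
    "To: doug@example.org",
    "Message-ID: <abc123@mail.example.com>",
]

if __name__ == '__main__':
    print('Message-ID table on spam  :', evaluate(TABLE_MESSAGE_ID, SPAM_HEADERS))
    print('Address table on spam     :', evaluate(TABLE_ADDRESSES, SPAM_HEADERS))
    print('Message-ID table on legit :', evaluate(TABLE_MESSAGE_ID, LEGIT_HEADERS))
```

On these headers the address-header table never fires, because the Message-ID line fails its IF pattern and is skipped, while the Message-ID table rejects on the third header; the legitimate message passes both. The toggle behaviour of `i` is worth keeping in mind when copying rules between tables: a pattern written with `/i` is case-sensitive in Postfix, which is harmless for a lowercase domain but surprising elsewhere. On a real system the same check can be made against the live table with `postmap -q "Message-ID: <x@qq.com>" pcre:/etc/postfix/header_checks.pcre`.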

Re: Chinese Spam

2017-09-07 Thread pgndev
It ain't pretty, or recommended for the long term, but something like this
should slow it down

/etc/postfix/main.cf
header_checks = pcre:/etc/postfix/header_checks.pcre

/etc/postfix/header_checks.pcre
IF /^(To|From|Cc|Reply-To|Sender|Return-Path): /
/@qq\.com/i   REJECT
ENDIF

(check the syntax!)


Chinese Spam

2017-09-07 Thread Doug Hardie
My server is being hit pretty hard by spam from China.  Every email is from a 
different IP address.  The only common item is the message id ends in @qq.com.  
Is there any way to block those with that ID?

-- Doug