Re: SV: SV: SV: SV: Blocking TLDs

2016-02-20 Thread Marco
> less the country in question has special rules for SMTP traffic, which I
> find unlikely. SMTP is TCP/IP like website traffic, IRC traffic, Skype
> traffic, DNS traffic or whatever.
>
>
> -Original message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On behalf of Robert Schetterer
> Sent: 20 February 2016 13:49
> To: postfix-users@postfix.org
> Subject: Re: SV: SV: SV: Blocking TLDs
>
> On 20.02.2016 12:01, Sebastian Nielsen wrote:
>> Why are you people so negative about DISCARD, and want to use
>> REJECT
> Silently discarding mail is not allowed in many EU countries; you're the postman,
> you don't have to deliver bombs (viruses), you may react to marketing letters
> (spam) by sorting them or simply rejecting at the start when you receive it, and
> only if your customer ordered you to do so, but in general you are not
> allowed to burn other people's letters
>
>
> Best Regards
> Kind regards, Robert Schetterer
>
> --
> [*] sys4 AG
>
> http://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
>
> Registered office: München, Amtsgericht München: HRB 199263
> Management board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
>



SV: SV: SV: SV: Blocking TLDs

2016-02-20 Thread Sebastian Nielsen
I read that on Wikipedia, and read the sources, and one thing I can say
is that the source is heavily misinterpreted. They refer to physical mail
and telecommunication, where one set of rules applies to physical mail and
another set applies to telecommunication.
Of course, you are not allowed to tamper with third-party communication, but
if you run a mail server, then you are "in the loop" and are permitted to do
whatever you want. Nobody forces you to accept whatever you don't want into
your network. If you want to toss all HTML mail destined for your company
into /dev/null, it's up to you.
This is provided that you didn't insert yourself into the loop without
authorization. If an end user selects to use you as a mail service, they have
to abide by your rules, including that some mails might get tossed away. But
if you force somebody who isn't using your network to use your mail service,
for example via ARP spoofing or fake WiFi APs, then it's computer intrusion.

Also, the law does not make any difference between reject and discard: either
you are allowed to block, and then it applies to both reject and discard, or
you are not allowed to block, and then it applies to both reject and discard.
There's no difference between rejecting and discarding; it's still considered
disruption if you do it in the wrong situation.

If I receive a call from somebody asking me to forward information to person
D, even if I say "yes, I will", it's not illegal to ignore that and not
forward the phone call. It's my phone; if someone calls my phone, they have
to abide by my rules.

Note the wording "electronic communication", which also applies to website
traffic and such. The ruling is aimed more at hackers; for example,
"disrupting communications between 2 parties" is meant to target DoS, not
someone blocking certain email traffic into their network.

As I have understood it, e-mail does not get any special treatment, neither
in German law nor in Swedish law. Maybe some single EU country does pay
special attention to e-mail, but normally e-mail is the same as website
traffic, the same as for example Skype, and is just TCP/IP packets over the
internet. And with TCP/IP packets it's up to you if you want to accept,
reject, or drop packets destined for your network.

Simple as this: the mail server you run for a company, or for some user or
whatever, can be seen as your post-box outside the house. Of course, even if
you receive physical mail for other people in the same house, you are fully
permitted to regulate that mail and toss mail you don't want, even if it's
addressed to someone else at that address. Compare with for example a parent
that tosses away porn magazines addressed to their child, without telling
either the magazine company or the child.


Of course, an ISP mail server is bound by much stricter rules, and here
there might be regulation prohibiting when you are allowed to reject/discard,
but I suspect nobody on this mailing list is running an ISP mail server. (An
ISP is defined as someone who runs an access network of a specific minimum
size, wired, wireless or cellular, that people can access for a fee, where
no prior internet access is required, so VPNs don't count. A hotel WiFi
won't count; it must be something larger, and being an ISP requires a special
license from the government, like a bank, because being an ISP is a community
service and must meet some minimum quality standards.)


So to put it short, if you block mail in the wrong situation, it doesn't
matter if it's reject or discard. Either you may block, then reject=allowed,
discard=allowed, or you may not block, and then reject=prohibited,
discard=prohibited.
Unless the country in question has special rules for SMTP traffic, which I
find unlikely. SMTP is TCP/IP like website traffic, IRC traffic, Skype
traffic, DNS traffic or whatever.


-Original message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Robert Schetterer
Sent: 20 February 2016 13:49
To: postfix-users@postfix.org
Subject: Re: SV: SV: SV: Blocking TLDs

On 20.02.2016 12:01, Sebastian Nielsen wrote:
> Why are you people so negative about DISCARD, and want to use
> REJECT

Silently discarding mail is not allowed in many EU countries; you're the postman,
you don't have to deliver bombs (viruses), you may react to marketing letters
(spam) by sorting them or simply rejecting at the start when you receive it, and
only if your customer ordered you to do so, but in general you are not
allowed to burn other people's letters


Best Regards
Kind regards, Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein





Re: SV: SV: SV: Blocking TLDs

2016-02-20 Thread Robert Schetterer
On 20.02.2016 12:01, Sebastian Nielsen wrote:
> Why are you people so negative about DISCARD, and want to use REJECT

Silently discarding mail is not allowed in many EU countries; you're the
postman, you don't have to deliver bombs (viruses), you may react to
marketing letters (spam) by sorting them or simply rejecting at the start
when you receive it, and only if your customer ordered you to do so,
but in general you are not allowed to burn other people's letters


Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein


SV: SV: SV: Blocking TLDs

2016-02-20 Thread Sebastian Nielsen
What I meant with REJECT vs DISCARD is that with REJECT, the spammers just
switch to a new domain. And a new domain, and a new domain.
It's like they have some script or API that instantly purchases a new domain
once their current domain gets banned in spam filters. (And yes, they really
do have valid addresses, because they often write in the payload things like
"Reply to sign up" and so on, and the links inside the spam go to the domain
listed after @.)
That's the bad thing with registrars that allow domain purchasing via an API.

I have witnessed it in real time, when I continually added banned domains to
my ban file and the spammer, nearly instantly, the second I reloaded the
files, switched to some new domain that was similar to the banned one. And in
the log file I saw the reject, so I understood the spammer was adapting to
the spam filter. After like 5-6 domains I got fed up, changed everything
to DISCARD, and since then all the spam from that particular source has
vanished, while I can see in the log files that the spammer still thinks they
get something through when they really don't.

Either they are using some domain generation algorithm, or they are just
making up random domains using some dictionary. They also seem to know when to
change TLD, like when they got rejected on X different banned domains
without getting a single piece through.

If everyone would use DISCARD on all the static spam filters (where you are
sure you are not getting false positives), then spammers will never know if
they get their spam delivered, and will not be able to optimize when to
"instant-purchase a new domain and switch to that" to maximize the
effectiveness of a spam campaign.

But you make a valid point about the payload. The only way to completely get
rid of the payload is to use greylisting on all senders, so the spammer can't
find a "valid" domain that isn't banned, i.e. every domain will result in a
temporary reject.
But greylisting also delays legitimate mail.

Why are you people so negative about DISCARD, and want to use REJECT, if
we disregard that the payload goes through the wire? Because most spams are
pretty small so as not to trigger scans, so it's just a few kilobytes.


-Original message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Benny Pedersen
Sent: 20 February 2016 10:40
To: postfix-users@postfix.org
Subject: Re: SV: SV: Blocking TLDs

On 2016-02-20 00:52, Sebastian Nielsen wrote:
> 1: REJECT tells the spammer "Hey, your spam got stuck in the spam
> filter. Wanna try again?".

if they do, so what? It's not possible for spammers to do remote
administration on Postfix, this would be in vain anyway, and the point on
discard is accepting more payloads on received data, where reject stops the
payloads

> Better to DISCARD it so the spammer thinks they got the spam through,
> then they won't switch to a new domain.

fair, but read above

> I don't think anyone ever will receive legitimate mail from any of
> those spammy TLDs listed in the rules file I gave.

this is another problem





Re: SV: SV: Blocking TLDs

2016-02-20 Thread Benny Pedersen

On 2016-02-20 00:52, Sebastian Nielsen wrote:

> 1: REJECT tells the spammer "Hey, your spam got stuck in the spam
> filter. Wanna try again?".

if they do, so what? It's not possible for spammers to do remote
administration on Postfix, this would be in vain anyway, and the point on
discard is accepting more payloads on received data, where reject stops
the payloads

> Better to DISCARD it so the spammer thinks they got the spam through,
> then they won't switch to a new domain.

fair, but read above

> I don't think anyone ever will receive legitimate mail from any of
> those spammy TLDs listed in the rules file I gave.

this is another problem

> 2: It's just a habit; every time some process complains of not being able to
> access a file, "666" is the universal solution.

what?

are you sure the root user is not enough for you then?

> Of course, this isn't
> recommended in a web hosting setup, but if you're hosting for example
> a mail server for a company, and only you as a sysadmin have shell
> access to the server, it's no danger 666'ing files that throw
> permission errors. Then the file isn't really "world writable", since
> only you have an account on the server anyway.

read access is bad on its own

>> Chmod the banned_tlds file to 666 to ensure the postfix process can
>> read it.
>
> two annotations:
>   - I would not suggest DISCARD but REJECT
>   - mode 666 (world writable) is generally not needed. 644 is enough

or mode 640
and chgrp postfix, and still owned by root

possible spammers read world files? :=)

>> banned_tlds:
>>
>> /\.bid$/ DISCARD
>>
>> /\.top$/ DISCARD

can be a single pcre line

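Benny's remark that the table entries can be one pcre line, together with the 640-versus-666 permission argument, as an added example that is not code from the thread or from Postfix: a small Python emulation of how a pcre: access table is consulted (first match wins, case-insensitive by default) and a check that the table file cannot be written by other local accounts. The table contents, the sample addresses and the temporary file are constructed for the example.

```python
import os
import re
import tempfile

# Constructed table (an added example, not a file from the thread): the six
# per-TLD lines collapsed into one pcre line, with REJECT as Andreas advised.
BANNED_TLDS_TABLE = r"""
# first matching pattern wins, as in a Postfix pcre: table
/\.(bid|top|xyz|date|faith|download)$/ REJECT Sender TLD not accepted here
"""

def parse_pcre_table(text):
    """Parse the '/pattern/ action' subset of pcre_table(5) used in the thread."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.+?)/\s+(.+)$", line)
        if not m:
            raise ValueError("unparseable table line: " + line)
        # Postfix pcre tables are case-insensitive unless the /i flag is cleared.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, sender):
    """Emulate check_sender_access: the first rule matching the address wins."""
    for pattern, action in rules:
        if pattern.search(sender):
            return action
    return None          # no match: Postfix moves on to the next restriction

def writable_only_by_owner(path):
    """Michael's objection: mode 666 lets every local account edit the table.
    True when neither group nor others hold write permission (mask 0o022)."""
    return (os.stat(path).st_mode & 0o022) == 0

def mode_check_demo():
    """Write the table to a temp file and compare mode 666 with Benny's 640."""
    fd, path = tempfile.mkstemp(prefix="banned_tlds.")
    with os.fdopen(fd, "w") as f:
        f.write(BANNED_TLDS_TABLE)
    os.chmod(path, 0o666)
    loose_ok = writable_only_by_owner(path)    # False: group and world may write
    os.chmod(path, 0o640)
    tight_ok = writable_only_by_owner(path)    # True: root rw, group postfix r
    os.unlink(path)
    return loose_ok, tight_ok
```

`lookup(parse_pcre_table(BANNED_TLDS_TABLE), "alice@example.top")` returns the REJECT action, while `carol@bid.example.net` returns `None` because the `$` anchor only matches the TLD at the end of the address.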

Re: SV: SV: Blocking TLDs

2016-02-19 Thread Michael Orlitzky
On 02/19/2016 06:52 PM, Sebastian Nielsen wrote:
> 
> 2: It's just a habit; every time some process complains of not being able to
> access a file, "666" is the universal solution. Of course, this isn't
> recommended in a web hosting setup, but if you're hosting for example
> a mail server for a company, and only you as a sysadmin have shell
> access to the server, it's no danger 666'ing files that throw
> permission errors. Then the file isn't really "world writable", since
> only you have an account on the server anyway.
> 

There are two problems with this. First, you are never the only user in
/etc/passwd. Those other accounts belong to services potentially acting
on behalf of other people, and now they can overwrite your files.

But more importantly: when you need to add a second shell account for an
intern five years from now, did you keep track of every single file that
you changed to mode 666? Whoops, your intern has root.



SV: SV: Blocking TLDs

2016-02-19 Thread Sebastian Nielsen
1: REJECT tells the spammer "Hey, your spam got stuck in the spam filter. Wanna 
try again?".
Better to DISCARD it so the spammer thinks they got the spam through, then they 
won't switch to a new domain.

I don't think anyone ever will receive legitimate mail from any of those spammy 
TLDs listed in the rules file I gave.

2: It's just a habit; every time some process complains of not being able to access a 
file, "666" is the universal solution. Of course, this isn't recommended in a 
web hosting setup, but if you're hosting for example a mail server for a 
company, and only you as a sysadmin have shell access to the server, it's no 
danger 666'ing files that throw permission errors. Then the file isn't really 
"world writable", since only you have an account on the server anyway.

-Original message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On behalf of A. Schulze
Sent: 19 February 2016 23:52
To: postfix-users@postfix.org
Subject: Re: SV: Blocking TLDs


Sebastian Nielsen:

> Then paste all the DISCARD lines into a new file called 
> /etc/postfix/banned_tlds (and also add some of your own TLDs there; it's just 
> a matter of copy-pasting one line and then changing the TLD), and also remove lines 
> for TLDs you don't want to block.
>
> Chmod the banned_tlds file to 666 to ensure the postfix process can read it.

two annotations:
  - I would not suggest DISCARD but REJECT
  - mode 666 (world writable) is generally not needed. 644 is enough

Andreas

>
> Then do "service postfix restart"
>
> Then you should be all set.
>
> Test the permission by sending an email using a spoofed address in your 
> email software, to yourself. The mail will always be successfully sent, but:
>
> If all goes well, you should see in the logs that the "DISCARD" action was 
> triggered, which means the mail will be tossed in the dustbin without 
> delivering it to you.
>
> Remember to return your email client to its non-spoofed state after that, 
> for obvious reasons.
>
> From: Wolfe, Robert [mailto:robert.wo...@robertwolfe.org]
> Sent: 19 February 2016 23:19
> To: 'Sebastian Nielsen' ; 
> postfix-users@postfix.org
> Subject: RE: Blocking TLDs
>
> Just copy and paste the DISCARD contents into banned_tlds?
>
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Sebastian 
> Nielsen
> Sent: Friday, February 19, 2016 3:50 PM
> To: postfix-users@postfix.org 
> Subject: SV: Blocking TLDs
>
> smtpd_sender_restrictions = check_sender_access 
> pcre:/etc/postfix/banned_tlds
>
> banned_tlds:
>
> /\.bid$/ DISCARD
>
> /\.top$/ DISCARD
>
> /\.xyz$/ DISCARD
>
> /\.date$/ DISCARD
>
> /\.faith$/ DISCARD
>
> /\.download$/ DISCARD
>
> Problem solved.
>
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On behalf of Wolfe, Robert
> Sent: 19 February 2016 22:36
> To: postfix-users@postfix.org 
> Subject: Blocking TLDs
>
> Greetings all!
>
> This is actually my first posting to the mailing list, but I have 
> actually been following along on a regular basis and have learned 
> quite a bit of good things (and bad things *smiles*) about Postfix.  
> Unfortunately, I have one question that I am hoping someone here on the 
> mailing list can answer.
>
> I get a LOT of emails from domains that have *.download and *.xyz as 
> their TLDs, and I was wondering if there was a way in Postfix that I 
> could block emails that are coming in from these (and other) TLDs at 
> the connection level?