Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-14 Thread Bill Cole

On 14 Mar 2018, at 6:28 (-0400), L.P.H. van Belle wrote:


> Or why not use an SPF like this in the dns.
>
> your.domain.tld  TXT “v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp:explain.your.domain.tld”
> explain.your.domain.tld  TXT "SPF error %{i} is not one of %{d}’s designated mail servers.”
>
> Now these never reach your server, saving cpu cycles etc.

1. That only affects mail FROM your domain, which you can control 
much more directly for your own MTA in your own MTA.
2. It's redundant: '+mx -all' has the same operational meaning.
3. The syntax (trailing 'exp:' ) will pointlessly challenge SPF 
implementations, as it is rarely used and essentially useless.
4. It recommends to others that they use Zen in a manner that it is 
unfit for.
5. For many domains, "+mx -all" is unsuitable in both parts.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


RE: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-14 Thread L . P . H . van Belle
Or why not use an SPF like this in the dns.

your.domain.tld  TXT “v=spf1 -exists:%{ir}.zen.spamhaus.org +mx -all exp:explain.your.domain.tld”
explain.your.domain.tld  TXT "SPF error %{i} is not one of %{d}’s designated mail servers.”

Now these never reach your server, saving cpu cycles etc.

Greetz, 

Louis


> -Original message-
> From: postfixlists-070...@billmail.scconsult.com 
> [mailto:owner-postfix-us...@postfix.org] On behalf of Bill Cole
> Sent: Wednesday 14 March 2018 4:46
> To: Postfix users
> Subject: Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this
> 
> On 13 Mar 2018, at 23:35 (-0400), Bill Cole wrote:
> 
> > OR: if you don't get any legitimate mail from Hunan, Chongqing, or 
> > Hong Kong you can probably safely block 113.240.0.0/12 from talking at 
> > all to your SMTP port (or just the /13 to limit it to Hunan.)
> 
> OR: Use the Spamhaus ZEN DNSBL, which has the whole /12 listed via its 
> PBL component.
> 
> -- 
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Currently Seeking Steady Work: https://linkedin.com/in/billcole
> 
> 



Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread li...@lazygranch.com
On Tue, 13 Mar 2018 23:35:01 -0400
"Bill Cole" wrote:

> On 13 Mar 2018, at 22:51 (-0400), li...@lazygranch.com wrote:
> 
> > I'm getting hit every 10 minutes from this spammer. As you can see
> > I am rejecting the message. I wonder if the offending email server
> > doesn't know the message is being rejected?
> 
> It's not being rejected, it's being deferred.
> 
> > Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> > reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> > rejected: cannot find your reverse hostname, [113.247.6.67];
> > from= to= proto=ESMTP
> > helo=  
> 
> A '450' response code is explicitly telling the client to try again 
> later.
> 
> If you are using reject_unknown_reverse_client_hostname, it is mostly 
> safe to set unknown_client_reject_code to '550' instead of the
> default '450' but if you are using reject_unknown_client_hostname
> (which is unsafe for most sites) you should not.
> 
> OR: if you don't get any legitimate mail from Hunan, Chongqing, or
> Hong Kong you can probably safely block 113.240.0.0/12 from talking
> at all to your SMTP port (or just the /13 to limit it to Hunan.)
> 

I knew it had to be something stupid I was doing since the spammers
behaved when blocked by the RBLs. I am using
reject_unknown_reverse_client_hostname, 
so I set the code to 550 as you indicated and will see how that works.

It also now occurs to me that the MX Tools website can be used to see
what annoying IP or host can be blocked by a particular RBL. I've
obviously used the MX Tools blacklist checker for my own domains and IP,
but not for other servers. The offending IP is on eight blocking lists.

Thanks all.


Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread Bill Cole

On 13 Mar 2018, at 23:35 (-0400), Bill Cole wrote:

> OR: if you don't get any legitimate mail from Hunan, Chongqing, or 
> Hong Kong you can probably safely block 113.240.0.0/12 from talking at 
> all to your SMTP port (or just the /13 to limit it to Hunan.)

OR: Use the Spamhaus ZEN DNSBL, which has the whole /12 listed via its 
PBL component.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole


Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread Bill Cole

On 13 Mar 2018, at 22:51 (-0400), li...@lazygranch.com wrote:

> I'm getting hit every 10 minutes from this spammer. As you can see I am
> rejecting the message. I wonder if the offending email server doesn't
> know the message is being rejected?

It's not being rejected, it's being deferred.

> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> rejected: cannot find your reverse hostname, [113.247.6.67];
> from= to= proto=ESMTP
> helo=

A '450' response code is explicitly telling the client to try again 
later.

If you are using reject_unknown_reverse_client_hostname, it is mostly 
safe to set unknown_client_reject_code to '550' instead of the default 
'450' but if you are using reject_unknown_client_hostname (which is 
unsafe for most sites) you should not.

OR: if you don't get any legitimate mail from Hunan, Chongqing, or Hong 
Kong you can probably safely block 113.240.0.0/12 from talking at all to 
your SMTP port (or just the /13 to limit it to Hunan.)



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
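
An added example (not from any poster in this thread): a short Python script that separates 4xx deferrals from 5xx rejects in Postfix smtpd log lines, counts deferrals per client, and checks an address against the two CIDR blocks and the DNSBL zone named in the thread. The sample log is constructed from the line quoted above, the function names are illustrative, and the DNSBL helper only builds the IPv4 query name without performing a lookup.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: the thread's NOQUEUE line repeated at a 10-minute
# interval (host, PIDs and envelope addresses invented), plus one 550 line
# from a documentation address for contrast.
SAMPLE_LOG = """\
Mar 13 23:18:57 mx postfix/smtpd[22101]: NOQUEUE: reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [113.247.6.67]; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<example.net>
Mar 13 23:28:58 mx postfix/smtpd[22153]: NOQUEUE: reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [113.247.6.67]; from=<a@example.net> to=<b@example.org> proto=ESMTP helo=<example.net>
Mar 13 23:30:02 mx postfix/smtpd[22160]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<c@example.net> to=<b@example.org> proto=ESMTP helo=<example.net>
"""

# Client IP and SMTP reply code from a Postfix "NOQUEUE: reject:" line.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: \w+ from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: (?P<code>[45]\d\d) "
)

# The two blocks suggested in the thread.
THREAD_BLOCKS = ("113.240.0.0/12", "113.240.0.0/13")


def classify(code):
    """4xx = temporary failure (client is told to retry), 5xx = permanent."""
    return "defer" if code.startswith("4") else "reject"


def deferred_clients(log):
    """Count 4xx responses per client IP; each one invites another retry."""
    hits = Counter()
    for m in REJECT_RE.finditer(log):
        if classify(m["code"]) == "defer":
            hits[m["ip"]] += 1
    return dict(hits)


def covering_blocks(ip, blocks=THREAD_BLOCKS):
    """Return which of the given CIDR blocks contain the address."""
    addr = ipaddress.ip_address(ip)
    return [b for b in blocks if addr in ipaddress.ip_network(b)]


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """DNSBL query name for an IPv4 address: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    for ip, n in deferred_clients(SAMPLE_LOG).items():
        print(ip, n, covering_blocks(ip), dnsbl_name(ip))
```
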


Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread Peter
On 14/03/18 15:51, li...@lazygranch.com wrote:
> I'm getting hit every 10 minutes from this spammer. As you can see I am
> rejecting the message. I wonder if the offending email server doesn't
> know the message is being rejected? 
> 
> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> rejected: cannot find your reverse hostname, [113.247.6.67];
> from= to= proto=ESMTP
> helo=

That's not a reject, it's a defer (4xx) code which specifically means
that you're telling the remote server to try again.  Spam or not the
remote server is doing what you're telling it to do.


Peter


Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread Benny Pedersen

Kevin A. McGrail wrote on 2018-03-14 03:55:

> On 3/13/2018 10:51 PM, li...@lazygranch.com wrote:
> > I'm getting hit every 10 minutes from this spammer. As you can see I am
> > rejecting the message. I wonder if the offending email server doesn't
> > know the message is being rejected?
> >
> > Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> > reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> > rejected: cannot find your reverse hostname, [113.247.6.67];
> > from= to= proto=ESMTP
> > helo=
>
> Have you looked at something like fail2ban that can automate an iptables
> block?

+1

but 450 is not reject, it's soft rejecting, which means there is a possible 
local dns failure

please don't post postconf -n now


Re: Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread Kevin A. McGrail
On 3/13/2018 10:51 PM, li...@lazygranch.com wrote:
> I'm getting hit every 10 minutes from this spammer. As you can see I am
> rejecting the message. I wonder if the offending email server doesn't
> know the message is being rejected? 
>
> Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
> reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
> rejected: cannot find your reverse hostname, [113.247.6.67];
> from= to= proto=ESMTP
> helo=

Have you looked at something like fail2ban that can automate an iptables
block?



Spammer rejected, but resends every 10 minutes. Any way to prevent this

2018-03-13 Thread li...@lazygranch.com
I'm getting hit every 10 minutes from this spammer. As you can see I am
rejecting the message. I wonder if the offending email server doesn't
know the message is being rejected? 

Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
reject: RCPT from unknown[113.247.6.67]: 450 4.7.1 Client host
rejected: cannot find your reverse hostname, [113.247.6.67];
from= to= proto=ESMTP
helo=