throcki

Q: Help with postfix SPAM blocking

We have suddenly started receiving a ton of SPAM.  SpamAssassin is not doing too bad of a job filtering it out, but it is getting very annoying, and about 98.8% of the SPAM is coming from one group.  If you click on their unsubscribe link it takes you to a site that is xxxxxyyyy.top where xxxxx is the name of a country and yyyy is a color, so something like sudanred.top.  For these idiots unsubscribing does nothing but probably validates they are sending to someone.  Also, if you look at the mail headers they are supposedly coming from one of many .top servers.

Here are the mail headers of one of the hundreds of messages that got caught by spam assassin.  Note, I changed the username on my server to ddddd and the domain name of my server to yyyyy

Return-Path: <MAILER-DAEMON>
Delivered-To: spamchecker@yyyyy.net
Received: from localhost (localhost [127.0.0.1])
  by yyyyy.net (Postfix) with ESMTP id 0ACE51FE10D7
  for <spamchecker@yyyyy.net>; Thu, 28 Jul 2016 14:06:59 -0700 (PDT)
X-Envelope-From: <EyeGlasses@o0eiaes.timetzz.top>
X-Envelope-To: <dddddd@yyyyy.net>
X-Envelope-To-Blocked: <ddddd@yyyyy.net>
X-Quarantine-ID: <IGj9fM56Wt2I>
X-Spam-Flag: YES
X-Spam-Score: 104.092
X-Spam-Level: ****************************************************************
X-Spam-Status: Yes, score=104.092 tag=2 tag2=6 kill=6.9 tests=[BAYES_50=0.8,
  HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001,
  SPF_PASS=-0.001, URIBL_DBL_SPAM=2.5, USER_IN_BLACKLIST=100]
  autolearn=no autolearn_force=no
Received: from yyyyy.net ([127.0.0.1])
  by localhost (yyyyy.net [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id IGj9fM56Wt2I for <ddddd@yyyyy.net>;
  Thu, 28 Jul 2016 14:06:58 -0700 (PDT)
Received: from o0eiaes.timetzz.top (unknown [66.11.121.49])
  by yyyyy.net (Postfix) with ESMTP id 389E01FE10C6
  for <ddddd@yyyyy.net>; Thu, 28 Jul 2016 14:06:58 -0700 (PDT)
Date: Thu, 28 Jul 2016 14:07:34 -0700
Mime-Version: 1.0
Message-ID: <5fd00cde13b3e87275043d711187df69.Fishnet.Deodorant.ddddd@yyyyy.net>
To: <ddddd@yyyyy.net>
Accountableness: 117178895fd00cde13b3e87275043d711187df69.10075480
Subject: Find Eyeglasses For You
From: Eye Glasses <EyeGlasses@o0eiaes.timetzz.top>
Content-Type: multipart/alternative; boundary="11717889_10075480_11717889"

I have been reading up on postfix and would like postfix to just reject the connections at this point.  I have tried various tweaks to main.cf for postfix but have had no luck so far.  Here are what I believe are the pertinent parameters.


$ sudo cat main.cf | grep smtpd_ | grep _restrictions
# through Postfix.  See the smtpd_recipient_restrictions parameter
# relay mail to.  See the smtpd_recipient_restrictions description in
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject_non_fqdn_sender reject_unknown_sender_domain reject_rbl_client zen.spamhaus.org check_policy_service unix:private/policy permit
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_rbl_client zen.spamhaus.org check_client_access hash:/Library/Server/Mail/Config/postfix/sender_blacklist permit
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_sender_restrictions =
smtpd_data_restrictions =

Here is what my sender_blacklist file has:

$ sudo postmap -s sender_blacklist
postmap: warning: /etc/postfix/main.cf, line 690: overriding earlier entry: config_directory=/etc/postfix
.top reject

Any help would be greatly appreciated!  I really want to reject email from these idiots.

Mac mini, OS X El Capitan (10.11.5), OS X Server 5.1.5

Posted on Jul 28, 2016 3:28 PM
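Added example, not code from the thread and not Apple's or Postfix's own. Two things about the posted configuration are worth checking against the quoted headers. First, the sender_blacklist table is only consulted by check_client_access, which looks up the connecting client's hostname and IP address, never the envelope sender; for this message the client is "unknown [66.11.121.49]", so a ".top" entry cannot match there. The ".top" string only occurs in the HELO name (o0eiaes.timetzz.top) and the MAIL FROM address, which are what check_helo_access and check_sender_access look up. Second, with Postfix's default parent_domain_matches_subdomains (which lists smtpd_access_maps), the access(5) key that matches a domain and all of its subdomains is "top", not ".top"; the dotted form only matches when that setting has been changed. The script below emulates the lookup-key order from access(5) for the client, HELO and sender of the quoted message, against the table exactly as posted and against an assumed corrected table; the main.cf lines in the comments are the assumed change, not something the thread settled on. It runs without Postfix installed.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the lookup-key order of
# Postfix access(5) tables and run the posted table against the client,
# HELO name and sender of the quoted message. Assumes the default
# parent_domain_matches_subdomains, which lists smtpd_access_maps.
set -eu

# Keys tried for a host/domain name: the name, then its parent domains.
# mode=default: "o0eiaes.timetzz.top" "timetzz.top" "top"   (smtpd_access_maps
#               listed in parent_domain_matches_subdomains, the default)
# mode=dotted:  "o0eiaes.timetzz.top" ".timetzz.top" ".top" (not listed)
domain_keys() {
    d=$1; mode=${2:-default}
    while :; do
        printf '%s\n' "$d"
        rest=${d#.}
        case $rest in *.*) ;; *) break ;; esac
        rest=${rest#*.}
        if [ "$mode" = default ]; then d=$rest; else d=".$rest"; fi
    done
}

# Keys tried for an e-mail address (check_sender_access / check_recipient_access):
# the full address, the domain and its parents, then "user@".
address_keys() {
    addr=$1; mode=${2:-default}
    printf '%s\n' "$addr"
    domain_keys "${addr#*@}" "$mode"
    printf '%s@\n' "${addr%@*}"
}

# Keys tried for an SMTP client (check_client_access): the client hostname as
# Postfix recorded it (here the literal "unknown") and its parents, then the
# IP address and its parent networks.
client_keys() {
    host=$1; ip=$2; mode=${3:-default}
    domain_keys "$host" "$mode"
    a=$ip
    while :; do
        printf '%s\n' "$a"
        case $a in *.*) a=${a%.*} ;; *) break ;; esac
    done
}

# First key with an entry in the table wins (hash: tables are exact,
# case-insensitive matches). Prints the action, or "no-match".
access_lookup() {
    table=$1; shift
    for key in "$@"; do
        act=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$table")
        if [ -n "$act" ]; then printf '%s\n' "$act"; return 0; fi
    done
    printf 'no-match\n'
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# The table exactly as posted in the question:
printf '.top reject\n' > "$tmp/posted"
# The same intent under the default parent_domain_matches_subdomains
# (assumed replacement table, not from the thread):
printf 'top REJECT mail from .top domains is not accepted here\n' > "$tmp/fixed"

# Client, HELO and sender taken from the quoted Received: / X-Envelope-From: headers.
CLIENT_HOST=unknown; CLIENT_IP=66.11.121.49
HELO_NAME=o0eiaes.timetzz.top
SENDER=EyeGlasses@o0eiaes.timetzz.top

echo "check_client_access, posted table:  $(access_lookup "$tmp/posted" $(client_keys "$CLIENT_HOST" "$CLIENT_IP"))"
echo "check_sender_access, posted table:  $(access_lookup "$tmp/posted" $(address_keys "$SENDER"))"
echo "check_sender_access, fixed table:   $(access_lookup "$tmp/fixed" $(address_keys "$SENDER"))"
echo "check_helo_access,   fixed table:   $(access_lookup "$tmp/fixed" $(domain_keys "$HELO_NAME"))"

# Assumed main.cf change (in /Library/Server/Mail/Config/postfix, not /etc/postfix)
# so the table is consulted where the .top name actually appears:
#   smtpd_sender_restrictions = check_sender_access hash:/Library/Server/Mail/Config/postfix/sender_blacklist
#   smtpd_helo_restrictions = check_helo_access hash:/Library/Server/Mail/Config/postfix/sender_blacklist reject_non_fqdn_helo_hostname reject_invalid_helo_hostname
# then rebuild the map with the same config directory:
#   postmap -c /Library/Server/Mail/Config/postfix hash:/Library/Server/Mail/Config/postfix/sender_blacklist
```

On the server itself the real check is `postmap -c /Library/Server/Mail/Config/postfix -q top hash:/Library/Server/Mail/Config/postfix/sender_blacklist` after rebuilding the map; `postmap -q` does an exact lookup with no parent-domain walk, so query `top`, not the full hostname. The warning in the question shows postmap was reading /etc/postfix/main.cf, which is why the `-c` matters. Two caveats: the headers show SPF_PASS, so the sender domain exists in DNS and reject_unknown_sender_domain will not catch these; and with the default smtpd_delay_reject = yes a sender or HELO rule rejects at RCPT TO, before the body is transferred to amavisd/SpamAssassin, which is the "reject instead of filter" behaviour the question asks for.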


  • by Antonio Rocco, Level 6 (10,577 points), Servers Enterprise
    Jul 29, 2016 2:39 AM in response to throcki

    The good news is that 66.11.121.49 is a blacklisted IP on Spamhaus' website (as well as other RBLs), so if you're not using the RBL option in the mail service settings I would do so just to see if it makes a difference. You can add as many RBLs as you like - SpamCannibal etc. I would also enable graylisting (assuming you've disabled it), as rDNS for that IP address does not resolve.

    Graylisting may see legitimate emails being delayed, but if the sender's mail server is configured correctly it should be accepted on subsequent attempts to send email. For me graylisting is a good thing as it 'protects' your server from the many misconfigured mail servers out there. However, it can stop legitimate emails coming through completely, so how you deal with this is up to you.


    Perhaps Pterobyte (topicdesk.com) may see your post and help you with the postfix commands?

  • by pterobyte, Level 6 (11,101 points), Servers Enterprise
    Jul 29, 2016 9:55 AM in response to throcki

    Did this e-mail actually make it through to your inbox? According to the spam headers, it should have been discarded since the sender is blacklisted:

    X-Spam-Status: Yes, score=104.092 tag=2 tag2=6 kill=6.9 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_DBL_SPAM=2.5, USER_IN_BLACKLIST=100]

    That said, OS X Server reads the postfix settings from:

    /Library/Server/Mail/Config/postfix/

    so you need to make sure you modify:

    /Library/Server/Mail/Config/postfix/main.cf

    and not:

    /etc/main.cf

    So I suspect this is why your tweaks didn't work.

    Other than that, Antonio's suggestions are spot on (as always ;-)

    HTH,

    Alex

  • by throcki, Level 1 (8 points), Servers Enterprise
    Jul 29, 2016 11:08 AM in response to Antonio Rocco

    Yes, the RBL option is set in the Server Manager and you can see it in the excerpt of main.cf I posted ('reject_rbl_client zen.spamhaus.org'), but postfix is still not rejecting them.  SpamAssassin appears to be the one catching what it can of them and dumping them in the mailbox for SPAM, but a good chunk are getting through to the user.

  • by throcki, Level 1 (8 points), Servers Enterprise
    Jul 29, 2016 11:14 AM in response to throcki

    The one I posted was caught by SpamAssassin and dumped into a mailbox where I have it put the messages that it catches, but a number of messages are getting through to the user, at least for a while until SpamAssassin learns that they are junk.

    As for the locations of the postfix config files etc., I am in the correct spot (/Library/Server/Mail/Config/postfix).  I am certain because a couple of tweaks I've tried actually made it so we could not send mail, and I had to go back in and put the file back to the way it was before I changed it and then do the serveradmin stop mail, serveradmin start mail routine.

  • by throcki, Level 1 (8 points), Servers Enterprise
    Aug 10, 2016 10:07 AM in response to throcki

    Any help with this?  The amount of SPAM getting through is ridiculous.  It seems to me that postfix should be able to just reject the connection from these people instead of passing it along and having SpamAssassin catch a bunch but not all of it.  I've reviewed my main.cf settings in /Library/Server/Mail/Config a number of times (part of which is shown above) and just can't figure out what I'm missing.

  • by throcki, Level 1 (8 points), Servers Enterprise
    Aug 10, 2016 10:09 AM in response to throcki

    Oops, meant /Library/Server/Mail/Config/postfix