the_bat
2013-03-04 15:20:52 UTC
I have a postfix / amavis / dovecot / vmails via postgresdb stack for an office website.
Sending/receiving emails works fine, but
The problem: (domain name changed)
all the emails in the domain are affected by spam with a modified header.
I put the example header from the message delivered to ***@abc.com.pl, which is an alias of the real mailbox ***@abc.pl;
the other emails "used" in the header don't exist.
The question:
Which recipient_rule should I use to block spam sent like that?
Is there an easy way to detect header manipulation where From is set to my domain mailbox but Return-Path is some strange email?
# actual postfix recipient rules
smtpd_recipient_restrictions =
reject_unauth_destination,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
permit_mynetworks,
permit_sasl_authenticated,
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_sender blackhole.securitysage.com,
reject_rbl_client relays.ordb.org,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client opm.blitzed.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client multihop.dsbl.org,
permit
It has in the header:
from: ***@abc.com.pl
Return-path: ***@yahoo.nl <<--- strange, different emails there, not only from yahoo.nl
// sample email header
Return-Path: <***@yahoo.nl>
Delivered-To: ***@abc.pl
Received: from localhost (localhost [127.0.0.1])
by mail.abc.pl (Postfix) with ESMTP id F0B1BC23F5
for <***@abc.com.pl>; Mon, 4 Mar 2013 14:53:20 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mail.beta.abc.pl
Received: from mail.abc.pl ([127.0.0.1])
by localhost (mail.beta.abc.pl [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id yr5z+PA+MpgL for <***@abc.com.pl>;
Mon, 4 Mar 2013 14:53:20 +0100 (CET)
Received: from host-091-097-103-119.ewe-ip-backbone.de (host-091-097-103-119.ewe-ip-backbone.de [91.97.103.119])
by mail.abc.pl (Postfix) with ESMTP id 3D862C2038
for <***@abc.com.pl>; Mon, 4 Mar 2013 14:53:11 +0100 (CET)
Received: from [134.101.167.119] (helo=wwwxckwnpivishf.sxcmbdnlrui.va)
by host-091-097-103-119.ewe-ip-backbone.de with esmtpa (Exim 4.69)
(envelope-from )
id 1MMXB8-0615ad-UV
for ***@abc.com.pl; Mon, 4 Mar 2013 14:52:23 +0100
Date: Mon, 4 Mar 2013 14:52:23 +0100
From: <***@abc.com.pl>,
<***@abc.com.pl>,
<***@abc.com.pl>,
<***@abc.com.pl>,
<***@abc.com.pl>
X-Mailer: The Bat! (v3.0.0.15) Educational
X-Priority: 3 (Normal)
Message-ID: <***@zvaqnzhiad.qyjosnrnjw.tv>
To: <***@abc.com.pl>,
<***@abc.com.pl>,
<***@abc.com.pl>,
<***@abc.com.pl>,
<***@abc.com.pl>
Subject: New offer
MIME-Version: 1.0
Content-Type: text/html;
charset=iso-8859-2
Content-Transfer-Encoding: 7bit
X-EsetId: C4D88C2843B77F37DBDE8C7A4BE7336C
// end of sample email header
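Added example, not from the original post: a Python check for the mismatch described above. It parses a constructed header modelled on the one posted (placeholders replace the masked addresses) and flags a message when From: claims one of the site's own domains (LOCAL_DOMAINS is an assumption) while the Return-Path domain is foreign; a null Return-Path (a bounce) is skipped, and mail from authenticated users or mynetworks should be exempted before this check runs.

```python
"""Flag messages whose From: header claims a local domain while the
envelope sender (Return-Path) points elsewhere."""
import email
from email.utils import getaddresses, parseaddr

# Assumption: the domains this mail system is authoritative for.
LOCAL_DOMAINS = {"abc.pl", "abc.com.pl"}

# Constructed sample modelled on the header in the post ("***" replaced).
SAMPLE = """Return-Path: <someone@yahoo.nl>
Delivered-To: user@abc.pl
Received: from localhost (localhost [127.0.0.1])
\tby mail.abc.pl (Postfix) with ESMTP id F0B1BC23F5
\tfor <user@abc.com.pl>; Mon, 4 Mar 2013 14:53:20 +0100 (CET)
Received: from host-091-097-103-119.ewe-ip-backbone.de (host-091-097-103-119.ewe-ip-backbone.de [91.97.103.119])
\tby mail.abc.pl (Postfix) with ESMTP id 3D862C2038
\tfor <user@abc.com.pl>; Mon, 4 Mar 2013 14:53:11 +0100 (CET)
From: <user@abc.com.pl>,
\t<user2@abc.com.pl>
To: <user@abc.com.pl>
Subject: New offer

body
"""


def domain_of(addr):
    """Lower-cased domain part of an address; '' for a null sender."""
    return addr.rpartition("@")[2].lower()


def forged_local_from(raw, local_domains=LOCAL_DOMAINS):
    """Return (suspicious, reason) for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    # Folded, multi-address From: headers are handled by getaddresses().
    from_domains = {domain_of(a) for _, a in getaddresses(msg.get_all("From", [])) if a}
    rp_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    claimed = from_domains & local_domains
    if not claimed:
        return False, "From: does not claim a local domain"
    if rp_domain == "":
        return False, "null envelope sender (bounce); not evaluated"
    if rp_domain in local_domains:
        return False, "Return-Path is local as well"
    return True, "From: claims %s but Return-Path domain is %r" % (sorted(claimed), rp_domain)


if __name__ == "__main__":
    print(forged_local_from(SAMPLE))
```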