rejected emails

I have a unix/postfix environment and I am getting a bunch of emails
that are not on my rbl's,
I have spamhaus, spamcop, dynablock, dsbl, ordbl.
They pass domain, FQDN, host, MX, envelope checking checks.
They also pass spam assassin checks.

Hell, then how can I get rid of them?
Thanks

rogv24@yahoo.com wrote:
> I have a unix/postfix environment and I am getting a bunch of emails
> that are not on my rbl's,
> I have spamhaus, spamcop, dynablock, dsbl, ordbl.
> They pass domain, FQDN, host, MX, envelope checking checks.
> They also pass spam assassin checks.
>
> Hell, then how can I get rid of them?
> Thanks


It's been my experience that probably the last 5-8 percent of
the spam that gets through after all other automated means
are deployed, are the hardest to get rid of.

These spams usually have to be analyzed, and dealt with by
manual blocking tables, of which, there are many choices.

Depending on what sort of user base you have on your system,
you might even be able to block entire countries, or ISP subnets.

Just out of curiosity, have you analyzed your logfiles to see
what percentage of the total spams are being blocked, versus the
percentage of spams getting through?

--
Greg

hello Greg,

Thanks for the feedback. Of about 10 emails 3 emails get rejected. I
think its very high
considering the volume we are getting. We have an older version of
postfix 2.013
We plan on upgrading in the near future. I believe there is some thing
right now we
don't have in postfix that can capture these emails.

here is one spam that we got:

-----Original Message-----
Date: 10/26/2006 09:46 pm -0400 (Thursday)
From: "Jenny" <yqc6afa@supernet.com.bo>
To: "Administrators" <thomaslo@si.edu>
Subject: Plz. get back

Hey,

Refill is ready.
Plz. reconfirm City .

http://cf.geocities.com/Medina8_m120/

Regards,

Jenny

The mime log looks like this:
Return-path: <yqc6afa@supernet.com.bo>
Received: from si-av04.si.edu [160.111.252.25]
by simail1.si.edu; Thu, 26 Oct 2006 21:49:49 -0400
Received: from localhost (localhost [127.0.0.1])
by si-av04.si.edu (SI-Mailer) with ESMTP id 172BB2794
for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:49 -0400 (EDT)
Received: from si-av04.si.edu ([127.0.0.1])
by localhost (si-av04 [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP
id 15352-01 for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:47 -0400
(EDT)
Received: from si-ems01.si.edu (si-ems01.si.edu [160.111.252.31])
by si-av04.si.edu (SI-Mailer) with ESMTP id A0873278E
for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:47 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
by si-ems01.si.edu (SI-Mailer) with ESMTP id 39F931C4E
for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:46 -0400 (EDT)
Received: from si-ems01.si.edu ([127.0.0.1])
by localhost (si-ems01 [127.0.0.1]) (amavisd-new, port 10024) with
ESMTP
id 26254-04 for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:46 -0400
(EDT)
Received: from mail2.supernet.com.bo (mail2.supernet.com.bo
[200.58.72.21])
by si-ems01.si.edu (SI-Mailer) with ESMTP id C3F8B1C11
for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:42 -0400 (EDT)
Received: from supernet.com.bo (host-200-58-90-65.supernet.com.bo
[200.58.90.65])
by mail2.supernet.com.bo (8.13.1/8.13.1) with ESMTP id k9QHrSFn028309
for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:54:17 +0400 (GMT)
Received: from unknown (HELO mail.gimmicc.net) (Thu, 26 Oct 2006
17:35:40 -0900)
by relay.2yahoo.com with ESMTP; Thu, 26 Oct 2006 17:35:40 -0900
Received: from unknown (27.52.184.67)
by group21.345mail.com with SMTP; Thu, 26 Oct 2006 17:16:52 -0900
Received: from mtu67.syds.piswix.net [56.207.144.130] by
rsmail.alkoholic.net with LOCAL; Thu, 26 Oct 2006 17:10:34 -0900
Received: from smtp18.yenddx.com ([146.84.10.118]) by
m1.gns.snv.thisdomainl.com with SMTP; Thu, 26 Oct 2006 16:51:40 -0900
Message-ID: <B920605A.F1E29D7@supernet.com.bo>
Date: Thu, 26 Oct 2006 16:46:48 -0900
From: "Jenny" <yqc6afa@supernet.com.bo>
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Administrators" <thomaslo@si.edu>
Subject: Plz. get back
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: SI-EMS border system (SI+SA)



> rogv24@yahoo.com wrote:
> > I have a unix/postfix environment and I am getting a bunch of emails
> > that are not on my rbl's,
> > I have spamhaus, spamcop, dynablock, dsbl, ordbl.
> > They pass domain, FQDN, host, MX, envelope checking checks.
> > They also pass spam assassin checks.
> >
> > Hell, then how can I get rid of them?
> > Thanks
>
>
> It's been my experience that probably the last 5-8 percent of
> the spam that gets through after all other automated means
> are deployed, are the hardest to get rid of.
>
> These spams usually have to be analyzed, and dealt with by
> manual blocking tables, of which, there are many choices.
>
> Depending on what sort of user base you have on your system,
> you might even be able to block entire countries, or ISP subnets.
>
> Just out of curiosity, have you analyzed your logfiles to see
> what percentage of the total spams are being blocked, versus the
> percentage of spams getting through?
>
> --
> Greg

I have one more question. How can I tell if an ISP domain is safe
enough to add to postfix.

rogv24@yahoo.com wrote:
> hello Greg,
>
> Thanks for the feedback. Of about 10 emails 3 emails get rejected. I
> think its very high
> considering the volume we are getting. We have an older version of
> postfix 2.013
> We plan on upgrading in the near future. I believe there is some thing
> right now we
> don't have in postfix that can capture these emails.
>
> here is one spam that we got:
>
> -----Original Message-----
> Date: 10/26/2006 09:46 pm -0400 (Thursday)
> From: "Jenny" <yqc6afa@supernet.com.bo>
> To: "Administrators" <thomaslo@si.edu>
> Subject: Plz. get back
>
> Hey,
>
> Refill is ready.
> Plz. reconfirm City .
>
> http://cf.geocities.com/Medina8_m120/
>
> Regards,
>
> Jenny
>
> The mime log looks like this:
> Return-path: <yqc6afa@supernet.com.bo>
> Received: from si-av04.si.edu [160.111.252.25]
> by simail1.si.edu; Thu, 26 Oct 2006 21:49:49 -0400
> Received: from localhost (localhost [127.0.0.1])
> by si-av04.si.edu (SI-Mailer) with ESMTP id 172BB2794
> for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:49 -0400 (EDT)
> Received: from si-av04.si.edu ([127.0.0.1])
> by localhost (si-av04 [127.0.0.1]) (amavisd-new, port 10024) with
> ESMTP
> id 15352-01 for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:47 -0400
> (EDT)
> Received: from si-ems01.si.edu (si-ems01.si.edu [160.111.252.31])
> by si-av04.si.edu (SI-Mailer) with ESMTP id A0873278E
> for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:47 -0400 (EDT)
> Received: from localhost (localhost [127.0.0.1])
> by si-ems01.si.edu (SI-Mailer) with ESMTP id 39F931C4E
> for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:46 -0400 (EDT)
> Received: from si-ems01.si.edu ([127.0.0.1])
> by localhost (si-ems01 [127.0.0.1]) (amavisd-new, port 10024) with
> ESMTP
> id 26254-04 for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:46 -0400
> (EDT)
> Received: from mail2.supernet.com.bo (mail2.supernet.com.bo
> [200.58.72.21])
> by si-ems01.si.edu (SI-Mailer) with ESMTP id C3F8B1C11
> for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:49:42 -0400 (EDT)
> Received: from supernet.com.bo (host-200-58-90-65.supernet.com.bo
> [200.58.90.65])
> by mail2.supernet.com.bo (8.13.1/8.13.1) with ESMTP id k9QHrSFn028309
> for <thomaslo@si.edu>; Thu, 26 Oct 2006 21:54:17 +0400 (GMT)
> Received: from unknown (HELO mail.gimmicc.net) (Thu, 26 Oct 2006
> 17:35:40 -0900)
> by relay.2yahoo.com with ESMTP; Thu, 26 Oct 2006 17:35:40 -0900
> Received: from unknown (27.52.184.67)
> by group21.345mail.com with SMTP; Thu, 26 Oct 2006 17:16:52 -0900
> Received: from mtu67.syds.piswix.net [56.207.144.130] by
> rsmail.alkoholic.net with LOCAL; Thu, 26 Oct 2006 17:10:34 -0900
> Received: from smtp18.yenddx.com ([146.84.10.118]) by
> m1.gns.snv.thisdomainl.com with SMTP; Thu, 26 Oct 2006 16:51:40 -0900
> Message-ID: <B920605A.F1E29D7@supernet.com.bo>
> Date: Thu, 26 Oct 2006 16:46:48 -0900
> From: "Jenny" <yqc6afa@supernet.com.bo>
> X-Accept-Language: en-us
> MIME-Version: 1.0
> To: "Administrators" <thomaslo@si.edu>
> Subject: Plz. get back
> Content-Type: text/plain;
> charset="us-ascii"
> Content-Transfer-Encoding: 8bit
> X-Virus-Scanned: SI-EMS border system (SI+SA)
>
>
>
> > rogv24@yahoo.com wrote:
> > > I have a unix/postfix environment and I am getting a bunch of emails
> > > that are not on my rbl's,
> > > I have spamhaus, spamcop, dynablock, dsbl, ordbl.
> > > They pass domain, FQDN, host, MX, envelope checking checks.
> > > They also pass spam assassin checks.
> > >
> > > Hell, then how can I get rid of them?
> > > Thanks
> >
> >
> > It's been my experience that probably the last 5-8 percent of
> > the spam that gets through after all other automated means
> > are deployed, are the hardest to get rid of.
> >
> > These spams usually have to be analyzed, and dealt with by
> > manual blocking tables, of which, there are many choices.
> >
> > Depending on what sort of user base you have on your system,
> > you might even be able to block entire countries, or ISP subnets.
> >
> > Just out of curiosity, have you analyzed your logfiles to see
> > what percentage of the total spams are being blocked, versus the
> > percentage of spams getting through?
> >
> > --
> > Greg

The most efficient way to block spam is by IP address,
or RCPT TO or MAIL FROM information, because Postfix blocks
those before the message body data is received. That's
why RBL lists are so valuable.

Secondarily, Postfix can scan the message body for headers
such as To:, From:, Subject:, message-content strings, etc.
These content scans can be configured to run as pre-queue,
or post-queue (the latter actually accepts the email, then
scans it).


rogv24@yahoo.com wrote:

> here is one spam that we got:

Your sample spam is of the type that's difficult to block
by IP address. It arrived via a legit ISP mail relay in
Bolivia, which isn't likely to get placed onto a RBL block list.
The originating site was one of the ISP's direct customers,
whose computer was probably hacked, and used temporarily
for spewing spam.

The only received: header that you can ever trust is the one
generated by your outermost mail relay:

> Received: from mail2.supernet.com.bo (mail2.supernet.com.bo
> [200.58.72.21])
> by si-ems01.si.edu (SI-Mailer) with ESMTP id C3F8B1C11


It indicates that the ISP's mail relay is at 200.58.72.21.
You could block that IP address, or the entire subnet for the ISP,
or on the name supernet.com.bo; but I'm guessing that you probably
don't want to do that, since your's is a global oriented .edu site.

You can't really trust any other headers that follow. Although it
does appear in this case that the next header is valid (and the
remainder are forged):

> Received: from supernet.com.bo (host-200-58-90-65.supernet.com.bo
> [200.58.90.65])
> by mail2.supernet.com.bo (8.13.1/8.13.1) with ESMTP id k9QHrSFn028309

That header shows the ISP customers IP address of 200.58.90.65. Again,
it's probably not a spammers site, but one that has been hacked.

Assuming that you wouldn't want to block all of Bolivia, nor the ISP's
mail relay, and assuming that the MAIL FROM's are randomly generated,
you are left with examining the message body:

> Date: 10/26/2006 09:46 pm -0400 (Thursday)
> From: "Jenny" <yqc6afa@supernet.com.bo>
> To: "Administrators" <thomaslo@si.edu>
> Subject: Plz. get back

You could use some header_checks, such as:

/^Subject:.*Plz\. get back/ REJECT
/^To:.*\"Administrators\"/ REJECT

> Hey,
>
> Refill is ready.
> Plz. reconfirm City .

You could use some body_checks such as:
body_checks_size_limit = 24576

/Refill is ready\./ REJECT
/Plz\..*reconfirm/ REJECT


> http://cf.geocities.com/Medina8_m120/

In body_checks, you can also build up a list of
spamvertised URLs, using an efficient if/endif statement:

if /http:/
/cf.geocities.com/ REJECT
/hardpornofilms.com/ REJECT
/bestloanz.net/ REJECT
endif

Also, spamassassin has a bayesian like statistical analysis
feature that predicts probabilities of a message being
spam or not, which can be trained for your particular
site by using the "sa-learn" command.

--
Greg

You helped me out on a previous issue that I had.
How is your new job?

I am seeing this in the log:

from=<>

also in the mime file below I saw this:

Received: from [58.20.200.126] (unknown [58.20.201.76])

can we set postfix to reject these?

I never knew about san-learn so I have to look into it.

Thanks


Greg Hackney wrote:
> The most efficient way to block spam is by IP address,
> or RCPT TO or MAIL FROM information, because Postfix blocks
> those before the message body data is received. That's
> why RBL lists are so valuable.
>
> Secondarily, Postfix can scan the message body for headers
> such as To:, From:, Subject:, message-content strings, etc.
> These content scans can be configured to run as pre-queue,
> or post-queue (the latter actually accepts the email, then
> scans it).
>
>
> rogv24@yahoo.com wrote:
>
> > here is one spam that we got:
>
> Your sample spam is of the type that's difficult to block
> by IP address. It arrived via a legit ISP mail relay in
> Bolivia, which isn't likely to get placed onto a RBL block list.
> The originating site was one of the ISP's direct customers,
> whose computer was probably hacked, and used temporarily
> for spewing spam.
>
> The only received: header that you can ever trust is the one
> generated by your outermost mail relay:
>
> > Received: from mail2.supernet.com.bo (mail2.supernet.com.bo
> > [200.58.72.21])
> > by si-ems01.si.edu (SI-Mailer) with ESMTP id C3F8B1C11
>
>
> It indicates that the ISP's mail relay is at 200.58.72.21.
> You could block that IP address, or the entire subnet for the ISP,
> or on the name supernet.com.bo; but I'm guessing that you probably
> don't want to do that, since your's is a global oriented .edu site.
>
> You can't really trust any other headers that follow. Although it
> does appear in this case that the next header is valid (and the
> remainder are forged):
>
> > Received: from supernet.com.bo (host-200-58-90-65.supernet.com.bo
> > [200.58.90.65])
> > by mail2.supernet.com.bo (8.13.1/8.13.1) with ESMTP id k9QHrSFn028309
>
> That header shows the ISP customers IP address of 200.58.90.65. Again,
> it's probably not a spammers site, but one that has been hacked.
>
> Assuming that you wouldn't want to block all of Bolivia, nor the ISP's
> mail relay, and assuming that the MAIL FROM's are randomly generated,
> you are left with examining the message body:
>
> > Date: 10/26/2006 09:46 pm -0400 (Thursday)
> > From: "Jenny" <yqc6afa@supernet.com.bo>
> > To: "Administrators" <thomaslo@si.edu>
> > Subject: Plz. get back
>
> You could use some header_checks, such as:
>
> /^Subject:.*Plz\. get back/ REJECT
> /^To:.*\"Administrators\"/ REJECT
>
> > Hey,
> >
> > Refill is ready.
> > Plz. reconfirm City .
>
> You could use some body_checks such as:
> body_checks_size_limit = 24576
>
> /Refill is ready\./ REJECT
> /Plz\..*reconfirm/ REJECT
>
>
> > http://cf.geocities.com/Medina8_m120/
>
> In body_checks, you can also build up a list of
> spamvertised URLs, using an efficient if/endif statement:
>
> if /http:/
> /cf.geocities.com/ REJECT
> /hardpornofilms.com/ REJECT
> /bestloanz.net/ REJECT
> endif
>
> Also, spamassassin has a bayesian like statistical analysis
> feature that predicts probabilities of a message being
> spam or not, which can be trained for your particular
> site by using the "sa-learn" command.
>
> --
> Greg

rogv24@yahoo.com wrote:

> How is your new job?

Still unemployed.


> I am seeing this in the log:
> from=<>

<> is symbolic for mailer-daemon.

Per the Postfix author: "MAIL FROM:<>" is required
for SMTP error notifications, so that they cannot go
into an infinite loop.


> also in the mime file below I saw this:
> Received: from [58.20.200.126] (unknown [58.20.201.76])

This means that the remote site used a HELO string of
"58.20.200.126". It's IP address is 58.20.201.76,
and is not resolvable in reverse DNS to a host name,
or "unknown".


> can we set postfix to reject these?

Yes. In one of your SMTP restriction settings
(usually done in smtpd_client_restrictions)
use reject_unknown_reverse_client_hostname if you
have Postfix 2.3.3 or later.

For versions earlier than 2.3.3, there is reject_unknown_client
which does the same thing, but it is stronger in that it
insures that both the IP->Name and the Name->IP DNS resolution
works (rather than just the IP->Name like the above).

> I never knew about san-learn so I have to look into it.

sa-learn

Me too. I've always used a stand-alone bayesian mail filter
program appropriately called "bmf". But it probably
makes more sense to use the Spamassassin version, since it's
already being used for other things anyway.

--
Greg

Its sad because we have postfix version 2.0.12. So we are upgrading
next month.
I did a postconf and i didn't even see reject_unknown_client. So I
guess I have to wait.
Is it best to reinstall Postfix with the new version or upgrade?

regards
Roger

Greg Hackney wrote:
> rogv24@yahoo.com wrote:
>
> > How is your new job?
>
> Still unemployed.
>
>
> > I am seeing this in the log:
> > from=<>
>
> <> is symbolic for mailer-daemon.
>
> Per the Postfix author: "MAIL FROM:<>" is required
> for SMTP error notifications, so that they cannot go
> into an infinite loop.
>
>
> > also in the mime file below I saw this:
> > Received: from [58.20.200.126] (unknown [58.20.201.76])
>
> This means that the remote site used a HELO string of
> "58.20.200.126". It's IP address is 58.20.201.76,
> and is not resolvable in reverse DNS to a host name,
> or "unknown".
>
>
> > can we set postfix to reject these?
>
> Yes. In one of your SMTP restriction settings
> (usually done in smtpd_client_restrictions)
> use reject_unknown_reverse_client_hostname if you
> have Postfix 2.3.3 or later.
>
> For versions earlier than 2.3.3, there is reject_unknown_client
> which does the same thing, but it is stronger in that it
> insures that both the IP->Name and the Name->IP DNS resolution
> works (rather than just the IP->Name like the above).
>
> > I never knew about san-learn so I have to look into it.
>
> sa-learn
>
> Me too. I've always used a stand-alone bayesian mail filter
> program appropriately called "bmf". But it probably
> makes more sense to use the Spamassassin version, since it's
> already being used for other things anyway.
>
> --
> Greg

rogv24@yahoo.com wrote:

> I did a postconf and i didn't even see reject_unknown_client.

You'll see it in "man 5 postconf".

It won't appear in the output of "postconf" until you actually
use it in the configuration. What you will be able to see with
postconf, is the heading that it usually goes under,
smtpd_client_restrictions


> So I guess I have to wait.

No waiting, it's there. It was there in Version 1.something.


> Is it best to reinstall Postfix with the new version or upgrade?

I've since forgotten what OS you are running, but with Linux it
doesn't matter whether you upgrade from an RPM or distribution
package, or do a "make install" from the source code, it won't
blow away your configs in /etc/postfix. But it's smart to
always back up those files anyway.

--
Greg

I checked in postconf the only thing that came up was:
unknown_client_reject_code = 450

regards
Roger


Greg Hackney wrote:
> rogv24@yahoo.com wrote:
>
> > I did a postconf and i didn't even see reject_unknown_client.
>
> You'll see it in "man 5 postconf".
>
> It won't appear in the output of "postconf" until you actually
> use it in the configuration. What you will be able to see with
> postconf, is the heading that it usually goes under,
> smtpd_client_restrictions
>
>
> > So I guess I have to wait.
>
> No waiting, it's there. It was there in Version 1.something.
>
>
> > Is it best to reinstall Postfix with the new version or upgrade?
>
> I've since forgotten what OS you are running, but with Linux it
> doesn't matter whether you upgrade from an RPM or distribution
> package, or do a "make install" from the source code, it won't
> blow away your configs in /etc/postfix. But it's smart to
> always back up those files anyway.
>
> --
> Greg