Re: Blocking a domain and user

From: Noel Jones (no email)
Date: Thu Mar 05 2009 - 12:17:21 EST

  • Next message: J.P. Trosclair: "Re: Postfix tarball uninstall"

    Jim McIver wrote:
    >
    > Here's a snippet from maillog, but not sure if it's what you're looking for:

    Thanks, this is very helpful.

    > Mar 4 15:10:13 mail postfix/smtpd[56190]: warning: Illegal address
    > syntax from unknown[113.9.198.198] in MAIL command:

    The above client is listed in multiple RBLs, including
    zen.spamhaus.org, bl.spamcop.net, cbl.abuseat.org,
    b.barracudacentral.org, and dnsbl.sorbs.net.

    > Mar 4 15:10:15 mail postfix/smtpd[56172]: warning: 81.25.227.150:
    > address not listed for hostname mail.medterm.od.ua
    > Mar 4 15:10:15 mail postfix/smtpd[56172]: connect from
    > unknown[81.25.227.150]

    This client is also listed in multiple RBLs.

    > Mar 4 15:10:15 mail postfix/smtpd[56190]: NOQUEUE: reject_warning: RCPT
    > from unknown[113.9.198.198]: 450 Client
    > host rejected: cannot find your hostname, [113.9.198.198];
    > from=<> to=<>
    > proto=SMTP helo=<yahoo.co.jp>

    Clearly a forged HELO name. Grounds for rejecting any mail
    from this client.

    > Mar 4 15:10:15 mail postfix/smtpd[56190]: E35C331:
    > client=unknown[113.9.198.198]
    >
    > Mar 4 15:10:18 mail postfix/cleanup[56217]: E35C331:
    > message-id=<>
    > Mar 4 15:10:18 mail postfix/qmgr[56169]: E35C331:
    > from=<>, size=966, nrcpt=1 (queue active)
    > Mar 4 15:10:18 mail postfix/smtp[56178]: E35C331:
    > to=<>, relay=127.0.0.1[127.0.0.1], delay=3,
    > status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing
    > request - domain in BLACK LIST. (in reply to
    > MAIL FROM command))

    What?? Some idiot content_filter at 127.0.0.1 is rejecting
    the mail after you've already accepted it.

    Don't do that. Reject mail when it first comes from the
    internet. Once mail has been accepted, a content filter must
    not reject the message.

    > Mar 4 15:10:18 mail postfix/cleanup[56175]: 5ABF260:
    > message-id=<>
    > Mar 4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926,
    > nrcpt=1 (queue active)
    > Mar 4 15:10:18 mail postfix/qmgr[56169]: E35C331: removed
    > Mar 4 15:10:19 mail postfix/smtpd[56190]: disconnect from
    > unknown[113.9.198.198]
    > Mar 4 15:10:20 mail postfix/smtp[56178]: 5ABF260:
    > to=<>, relay=mx1.mail.yahoo.co.jp[124.83.171.181], delay=2,
    > status=bounced (host mx1.mail.yahoo.co.jp[124.83.171.181] said:
    > 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1)
    > (in reply to RCPT TO command))

    Yahoo didn't send this mail, and they don't want your
    backscatter bounce.

    Eventually they (and others) will blacklist you for
    backscatter, i.e. returning mail they never sent.

    You must fix your content_filter to not reject mail. Choices
    may include tag+deliver, quarantine, or discard, depending on
    what your software supports. It may offer the choice of
    reject or bounce; don't do that.

    You can also greatly reduce the load on the content filter by
    using one or two good RBLs to reject mail before it ever gets
    to the content_filter. zen.spamhaus.org is safe and very
    effective.

       -- Noel Jones
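As an added example (not part of the thread, not Postfix code), a small Python script that flags in maillog lines like those quoted above the two symptoms Noel describes: a content filter bouncing mail that smtpd had already accepted, and a remote MX refusing the resulting backscatter bounce. The sample log, the sender and recipient addresses, and the `analyze` function are constructed here; the filter address 127.0.0.1, the relay hosts and the SMTP reply codes follow the quoted excerpt.

```python
import re

# Constructed sample, modelled on the thread's maillog excerpt. Sender and
# recipient addresses are made up; the relay hosts and SMTP codes follow the
# quoted lines (the content filter at 127.0.0.1 and Yahoo's MX).
SAMPLE_LOG = """\
Mar  4 15:10:15 mail postfix/smtpd[56190]: E35C331: client=unknown[113.9.198.198]
Mar  4 15:10:18 mail postfix/qmgr[56169]: E35C331: from=<forged@yahoo.co.jp>, size=966, nrcpt=1 (queue active)
Mar  4 15:10:18 mail postfix/smtp[56178]: E35C331: to=<user@example.org>, relay=127.0.0.1[127.0.0.1], delay=3, status=bounced (host 127.0.0.1[127.0.0.1] said: 557 Invalid routing request - domain in BLACK LIST. (in reply to MAIL FROM command))
Mar  4 15:10:18 mail postfix/qmgr[56169]: 5ABF260: from=<>, size=2926, nrcpt=1 (queue active)
Mar  4 15:10:20 mail postfix/smtp[56178]: 5ABF260: to=<forged@yahoo.co.jp>, relay=mx1.mail.yahoo.co.jp[124.83.171.181], delay=2, status=bounced (host mx1.mail.yahoo.co.jp[124.83.171.181] said: 553 VS10-RT Possible forgery or deactivated due to abuse (#5.1.1) (in reply to RCPT TO command))
"""

# qmgr logs the envelope sender; an empty sender (from=<>) marks a bounce message.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
# smtp logs each delivery attempt with the relay host and the remote reply code.
SMTP_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<[^>]*>, relay=(?P<relay>[^\[,]+)\[[^\]]*\],"
    r" .*status=(?P<status>\w+) \(host \S+ said: (?P<code>\d{3})"
)


def analyze(log_text, filter_host="127.0.0.1"):
    """Return queue IDs the content filter bounced after smtpd accepted them,
    and bounce messages (null sender) that a remote MX refused as backscatter."""
    senders = {}
    findings = {"filter_rejected": [], "backscatter_refused": []}
    for line in log_text.splitlines():
        m = QMGR_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = SMTP_RE.search(line)
        if not m or m["status"] != "bounced":
            continue
        if m["relay"] == filter_host:
            # Rejected by the filter after smtpd already said 250: Postfix now
            # has to bounce to a sender address that may well be forged.
            findings["filter_rejected"].append((m["qid"], m["code"]))
        elif senders.get(m["qid"]) == "":
            # Our own bounce (null sender) was refused by the remote MX.
            findings["backscatter_refused"].append((m["qid"], m["relay"], m["code"]))
    return findings


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        for item in items:
            print(kind, *item)
```

Any hit under "filter_rejected" is the condition the reply warns about; the fix belongs in smtpd's restrictions (rejecting at MAIL/RCPT time, e.g. with an RBL such as zen.spamhaus.org), not in the filter.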

