#1
13th April 2011, 15:08
carlosinfl
Prevent Spam To Postmaster

I've noticed I've been receiving spam to my 'postmaster' email address on my Postfix mail server. The messages are being forged to show To: & From: <postmaster@iamghost.org> but when I view the headers, I can see the details:

Code:
Return-Path: <d3263n@ms2.hinet.net>
X-Original-To: postmaster@iamghost.org
Delivered-To: postmaster@iamghost.org
Received: from localhost (localhost.localdomain [127.0.0.1])
	by mail.iamghost.org (Postfix) with ESMTP id 3807E77884B
	for <postmaster@iamghost.org>; Wed, 13 Apr 2011 03:40:04 -0400 (EDT)
X-Virus-Scanned: amavisd-new at iamghost.org
X-Spam-Flag: NO
X-Spam-Score: 3.718
X-Spam-Level: ***
X-Spam-Status: No, score=3.718 tagged_above=-999 required=5
	tests=[BAYES_50=0.8, FH_HELO_ALMOST_IP=0.688, FREEMAIL_FROM=0.001,
	RCVD_IN_BRBL_LASTEXT=1.449, SPF_NEUTRAL=0.779,
	UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.iamghost.org ([127.0.0.1])
	by localhost (iamghost.org [127.0.0.1]) (amavisd-new, port 10024)
	with LMTP id j60-uZsGA79i for <postmaster@iamghost.org>;
	Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from netacc-gpn-5-87-154.pool.telenor.hu (netacc-gpn-5-87-154.pool.telenor.hu [84.225.87.154])
	by mail.iamghost.org (Postfix) with ESMTP id 60E1777882F
	for <postmaster@iamghost.org>; Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from  84.225.87.154 (account <postmaster@iamghost.org> HELO iamghost.org)
	by iamghost.org (CommuniGate Pro SMTP 5.2.3)
	with ESMTPA id 967182120 for <postmaster@iamghost.org>; Wed, 13 Apr 2011 08:38:29 +0100
From: <postmaster@iamghost.org>
To: <postmaster@iamghost.org>
Subject: Newsletter Wed, 13 Apr 2011 08:38:29 +0100
Date: Wed, 13 Apr 2011 08:38:29 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: hmjo.27
Message-ID: <4407170387.V5T77QZB365033@krnuuzfodm.axxqu.info>

Is there a way I can prevent this from happening? I'm guessing most people know that 'postmaster' is always a valid RFC account on most properly configured mail servers but I don't want people exploiting this.

How can I eliminate the spam being sent to my postmaster account?
#2
14th April 2011, 17:13
falko

Do you use SpamAssassin?

In addition to that, you can also configure Postfix as follows: http://www.howtoforge.com/block_spam..._level_postfix
#3
18th April 2011, 16:40
carlosinfl

I do use SpamAssassin / Amavisd-new on my Postfix server and it's scoring the messages but not enough to trigger anything:

Code:
X-Spam-Status: No, score=4.123 tagged_above=-999 required=5
	tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, FREEMAIL_FROM=0.001,
	HK_RANDOM_ENVFROM=0.001, RCVD_IN_BRBL_LASTEXT=1.449,
	SPF_NEUTRAL=0.779, T_TO_NO_BRKTS_FREEMAIL=0.01,
	UNPARSEABLE_RELAY=0.001] autolearn=no

Lots of those rbl spam check clients look way dated and many don't even exist anymore. Just tried to verify a few and they mostly come back dead.

The only ones that appear to still work today are:

[...]
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client rabl.nuclearelephant.com,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl.sorbs.net,
permit
[...]
#4
18th April 2011, 16:45
till
You should lower the score. I use a score of 3.501 instead of 5 on my servers and don't get any false positives.
#5
18th April 2011, 16:55
carlosinfl

Quote:
Originally Posted by till
You should lower the score. I use a score of 3.501 instead of 5 on my servers and don't get any false positives.

Questions...

My SpamAssassin is configured via Amavisd-new as so:

Code:
$sa_tag_level_deflt  = -999.0;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 8.0;
$sa_dsn_cutoff_level = 10;
$sa_quarantine_cutoff_level = 12;

So even if I lower the score, that will only alter the headers to label it spam, correct? It still won't block / prevent spam messages from being delivered.

Could I not enter the range of IP 189.70.* into a 'client_access' file under /etc/postfix as follows:

Code:
189.70.*      REJECT

Is that not possible? I know if I use the specific IP it will work but it seems like they have multiple servers that send from that network.
#6
19th April 2011, 15:26
falko
You should lower $sa_kill_level_deflt - that's the score that is responsible for blocking spam.
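The thread's distinction between the tag2 level and the kill level, as an added example (not code from any poster or from amavisd-new): it parses the two X-Spam-Status headers quoted above and reports the outcome under three threshold sets. Only the first set is from the thread; the two lowered sets and the outcome labels are assumptions, and what actually happens at the kill level is governed by amavisd-new's $final_spam_destiny setting.

```python
import re

# Constructed sample: the two X-Spam-Status values quoted in this thread.
SAMPLES = {
    "post #1": "No, score=3.718 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_50=0.8, FH_HELO_ALMOST_IP=0.688, FREEMAIL_FROM=0.001,\n"
    "\tRCVD_IN_BRBL_LASTEXT=1.449, SPF_NEUTRAL=0.779,\n"
    "\tUNPARSEABLE_RELAY=0.001] autolearn=no",
    "post #3": "No, score=4.123 tagged_above=-999 required=5\n"
    "\ttests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, FREEMAIL_FROM=0.001,\n"
    "\tHK_RANDOM_ENVFROM=0.001, RCVD_IN_BRBL_LASTEXT=1.449,\n"
    "\tSPF_NEUTRAL=0.779, T_TO_NO_BRKTS_FREEMAIL=0.01,\n"
    "\tUNPARSEABLE_RELAY=0.001] autolearn=no",
}

# (tag, tag2, kill) levels. Only "as posted" comes from the thread.
PROFILES = {
    "as posted": (-999.0, 5.0, 8.0),
    "tag2 lowered": (-999.0, 3.501, 8.0),    # hypothetical: kill untouched
    "kill lowered": (-999.0, 3.501, 3.501),  # hypothetical: kill lowered too
}

def parse_spam_status(value):
    """Return (score, {test_name: points}) from a folded X-Spam-Status value."""
    flat = re.sub(r"\s+", " ", value)  # unfold continuation lines
    score = float(re.search(r"score=(-?[\d.]+)", flat).group(1))
    tests = {}
    found = re.search(r"tests=\[([^\]]*)\]", flat)
    for item in (found.group(1).split(",") if found else []):
        name, _, points = item.strip().partition("=")
        if name and points:
            tests[name] = float(points)
    return score, tests

def amavis_outcome(score, tag, tag2, kill):
    """Map a score to the amavisd-new level it reaches (labels are this example's)."""
    if score >= kill:
        return "evasive action"             # per $final_spam_destiny
    if score >= tag2:
        return "delivered, marked as spam"  # X-Spam-Flag: YES
    if score >= tag:
        return "delivered, score headers only"
    return "delivered, no headers"

def evaluate(samples=SAMPLES, profiles=PROFILES):
    """Outcome of every sample header under every threshold profile."""
    return {label: {name: amavis_outcome(parse_spam_status(hdr)[0], *levels)
                    for name, levels in profiles.items()}
            for label, hdr in samples.items()}

if __name__ == "__main__":
    for label, row in evaluate().items():
        print(label, row)
```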