Killing the "last" spam

Discussion in 'Server Operation' started by edge, Nov 27, 2006.

  1. edge

    edge Active Member Moderator

    Anyone here who might have a solution for the last bit of spam that I'm getting at the moment?

    Spamassassin is seeing the mail, but not marking it high enough as spam :/

    The spam always starts with some_name wrote: (in this case "Lora wrote:"), and I'm getting lot's of it!

    Looking at the /var/log/mail.info , the connection is always from "unknown" and the spammer is always using other "zombie PCs" IP's.

    (note: I have changed the hostname.net and domainname.tld in the shown files)

    /var/log/mail.info

    Code:
    Nov 27 10:44:58 host postfix/smtpd[1901]: connect from unknown[58.236.9.36]
    Nov 27 10:44:59 host postfix/smtpd[1901]: 746671250005: client=unknown[58.236.9.36]
    Nov 27 10:44:59 host postfix/cleanup[1903]: 746671250005: message-id=<[email protected]>
    Nov 27 10:44:59 host postfix/qmgr[23533]: 746671250005: from=<[email protected]>, size=2171, nrcpt=1 (queue active)
    Nov 27 10:44:59 host postfix/pickup[23532]: DEF9E125001D: uid=10075 from=<web42_marcella>
    Nov 27 10:44:59 host postfix/cleanup[1903]: DEF9E125001D: message-id=<[email protected]>
    Nov 27 10:44:59 host postfix/qmgr[23533]: DEF9E125001D: from=<[email protected]>, size=402, nrcpt=1 (queue active)
    Nov 27 10:44:59 host postfix/local[1925]: DEF9E125001D: to=<[email protected]>, relay=local, delay=0, status=sent (delivered to command: /usr/bin/procmail -f-)
    Nov 27 10:44:59 host postfix/qmgr[23533]: DEF9E125001D: removed
    Nov 27 10:45:00 host postfix/smtpd[1901]: disconnect from unknown[58.236.9.36]
    
    header of email

    Code:
    
    From [email protected]  Mon Nov 27 10:44:59 2006
    Return-Path: <[email protected]>
    X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on host.hostname.net
    X-Spam-Level: **
    X-Spam-Status: No, score=2.0 required=5.0 tests=DATE_IN_FUTURE_03_06 
    	autolearn=no version=3.1.7
    X-Original-To: [email protected]
    Delivered-To: [email protected]
    Received: from your-d008eaa2b4.hananet.net (unknown [58.236.9.36])
    	by mail.hostname.net (Postfix) with ESMTP id 746671250005
    	for <[email protected]>; Mon, 27 Nov 2006 10:44:59 +0100 (CET)
    Received: from 211.147.208.57 (HELO newmail-g1.xinnetdns.com)
         by domainname.tld with esmtp (UKV:8Q8DA8 T/'Z.)
         id FR(;:;-7P7<DF-/K
         for [email protected]; Mon, 27 Nov 2006 09:47:19 -0540
    From: "Lora Kyle" <[email protected]>
    To: <[email protected]>
    Subject: Lora wrote:
    Date: Mon, 27 Nov 2006 09:47:19 -0540
    Message-ID: <[email protected]>
    MIME-Version: 1.0
    Content-Type: text/plain;
    	charset="Windows-1252"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3 (Normal)
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Office Outlook, Build 11.0.5510
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
    Thread-Index: Aca6Q8LLV9M2B-4Y:2X-8AZ78X5V02==
    X-Virus-Status: No
    X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.6/2244/Mon Nov 27 08:33:13 2006
    
    I could make a rule in "outlook" to delete any message starting with wrote:, but this is not really the way to go I think..

    In the "new 2.3" postfix there is an option 'reject_non_fqdn_hostname', but as I'm using the postfix that came with the Debian Sarge install (2.1.5) it does not have that option.

    Anyone here who might have an easy sollution of stopping this %#^@#@* spammer sending me this "crap"? (blocking IP's, blocking senders e-mail address, or shutting down my server is no option :) )

    Or... Did anyone here (Debian OS) update his postfix that is setup in combination with ISPconfig?
     
    Last edited: Nov 27, 2006
  2. falko

    falko Super Moderator ISPConfig Developer

  3. edge

    edge Active Member Moderator

    Hmm why did I not find that thread falko!


    Anyway.. I had to remove the "reject_rbl_client proxies.relays.monkeys.com" part, as "proxies.relays.monkeys.com" is dead (sinds March 15th, 2004)

    I'm also getting a warning from "rblmap.tu-berlin.de"
    Code:
    warning: 169.92.249.66.rblmap.tu-berlin.de: RBL lookup error: Host or domain name not found.
    Name service error for name-168.92.249.66.rblmap.tu-berlin.de type=A Host not found, try again
    I have added the following to /etc/postfix/main.cf
    Code:
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    smtpd_recipient_restrictions =
                reject_invalid_hostname,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination,
                reject_rbl_client multi.uribl.com,
                reject_rbl_client dsn.rfc-ignorant.org,
                reject_rbl_client dul.dnsbl.sorbs.net,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client sbl-xbl.spamhaus.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client rblmap.tu-berlin.de,
                reject_rbl_client relays.ordb.org,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client opm.blitzed.org,
                reject_rbl_client blackholes.easynet.nl,
                reject_rbl_client cbl.abuseat.org,
                reject_rbl_client ix.dnsbl.manitu.net,
                permit
    
    Question!
    How good is this? I'm now a bit worried about "normal" email and if it will still arrive!
     
  4. edge

    edge Active Member Moderator

    Wow...

    After adding the above stuff to my /etc/postfix/main.cf file, and looking at the /var/log/mail.log file a lot of spam (as far as I can see) is being rejected!

    The extra stuff that I added to the main.cf does really work!

    Thank you again falko!
     
  5. HackerJL

    HackerJL New Member

    Did this get rid of your problem emails that you were filtering out with outlook?
     
  6. edge

    edge Active Member Moderator

    Some "some_name wrote:" are still going through, but it did stop all the "connect from unknown" emails.
     
  7. edge

    edge Active Member Moderator

    falko,

    Will this work with ISPconfig and the Debian Sarge setup?

    I've done a setup on a virtual system, and one thing that for sure does not work is the "/etc/init.d/amavis restart" (My setup does have amavis).
    Am I missing something here? (a.f.a.i.k the new ISPconfig does not use amavis anymore... or does it??)
     
  8. falko

    falko Super Moderator ISPConfig Developer

    The link should just give you the idea. ISPConfig doesn't use amavisd; however, the SpamAssassin tests are located in /home/admispconfig/ispconfig/tools/spamassassin/usr/share/spamassassin, so you could just download additional tests to that directory.
     

Share This Page