Prevent Spam To Postmaster

Discussion in 'Server Operation' started by carlosinfl, Apr 13, 2011.

  1. carlosinfl

    carlosinfl New Member

    I've noticed I've been receiving spam to my 'postmaster' email address on my Postfix mail server. The messages are being forged to show To: & From: <postmaster@iamghost.org> but when I view the headers, I can see the details:

    Code:
    Return-Path: <d3263n@ms2.hinet.net>
    X-Original-To: postmaster@iamghost.org
    Delivered-To: postmaster@iamghost.org
    Received: from localhost (localhost.localdomain [127.0.0.1])
    	by mail.iamghost.org (Postfix) with ESMTP id 3807E77884B
    	for <postmaster@iamghost.org>; Wed, 13 Apr 2011 03:40:04 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at iamghost.org
    X-Spam-Flag: NO
    X-Spam-Score: 3.718
    X-Spam-Level: ***
    X-Spam-Status: No, score=3.718 tagged_above=-999 required=5
    	tests=[BAYES_50=0.8, FH_HELO_ALMOST_IP=0.688, FREEMAIL_FROM=0.001,
    	RCVD_IN_BRBL_LASTEXT=1.449, SPF_NEUTRAL=0.779,
    	UNPARSEABLE_RELAY=0.001] autolearn=no
    Received: from mail.iamghost.org ([127.0.0.1])
    	by localhost (iamghost.org [127.0.0.1]) (amavisd-new, port 10024)
    	with LMTP id j60-uZsGA79i for <postmaster@iamghost.org>;
    	Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
    Received: from netacc-gpn-5-87-154.pool.telenor.hu (netacc-gpn-5-87-154.pool.telenor.hu [84.225.87.154])
    	by mail.iamghost.org (Postfix) with ESMTP id 60E1777882F
    	for <postmaster@iamghost.org>; Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
    Received: from  84.225.87.154 (account <postmaster@iamghost.org> HELO iamghost.org)
    	by iamghost.org (CommuniGate Pro SMTP 5.2.3)
    	with ESMTPA id 967182120 for <postmaster@iamghost.org>; Wed, 13 Apr 2011 08:38:29 +0100
    From: <postmaster@iamghost.org>
    To: <postmaster@iamghost.org>
    Subject: Newsletter Wed, 13 Apr 2011 08:38:29 +0100
    Date: Wed, 13 Apr 2011 08:38:29 +0100
    MIME-Version: 1.0
    Content-Type: text/plain;
    	charset="us-ascii"
    Content-Transfer-Encoding: 7bit
    X-Mailer: hmjo.27
    Message-ID: <4407170387.V5T77QZB365033@krnuuzfodm.axxqu.info>

    Is there a way I can prevent this from happening? I'm guessing most people know that 'postmaster' is always a valid RFC account on most properly configured mail servers but I don't want people exploiting this.

    How can I eliminate the spam being sent to my postmaster account?
     
  2. falko

    falko Super Moderator

  3. carlosinfl

    carlosinfl New Member

    I do use SpamAssassin / Amavisd-new on my Postfix server and it's scoring the messages but not enough to trigger anything:

    Code:
    X-Spam-Status: No, score=4.123 tagged_above=-999 required=5
    	tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, FREEMAIL_FROM=0.001,
    	HK_RANDOM_ENVFROM=0.001, RCVD_IN_BRBL_LASTEXT=1.449,
    	SPF_NEUTRAL=0.779, T_TO_NO_BRKTS_FREEMAIL=0.01,
    	UNPARSEABLE_RELAY=0.001] autolearn=no

    Lots of those RBL spam check clients look way dated and many don't even exist anymore. Just tried to verify a few and they mostly come back dead. :(

    The only ones that appear to still work today are:

    [...]
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client rabl.nuclearelephant.com,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dnsbl.sorbs.net,
    permit
    [...]
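    As an added example (not code from the thread, and not from Postfix or any RBL operator): the headers in the first post can be walked to find the IP that actually connected to mail.iamghost.org, and that IP can be checked against the RBL zones still listed in the restrictions above by building the reversed-octet DNSBL lookup name by hand. The trusted hop name (mail.iamghost.org) and the treatment of zen.spamhaus.org return codes are assumptions based on Spamhaus' published code meanings; the other zones are treated only as listed or not listed.

```python
"""Added example: locate the connecting client in the Received chain from the
first post and build/interpret DNSBL lookups for the RBL zones in the thread."""
import ipaddress
import re
import socket

# Received chain copied from the first post's headers (constructed input)
HEADERS = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
\tby mail.iamghost.org (Postfix) with ESMTP id 3807E77884B
\tfor <postmaster@iamghost.org>; Wed, 13 Apr 2011 03:40:04 -0400 (EDT)
Received: from mail.iamghost.org ([127.0.0.1])
\tby localhost (iamghost.org [127.0.0.1]) (amavisd-new, port 10024)
\twith LMTP id j60-uZsGA79i for <postmaster@iamghost.org>;
\tWed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from netacc-gpn-5-87-154.pool.telenor.hu (netacc-gpn-5-87-154.pool.telenor.hu [84.225.87.154])
\tby mail.iamghost.org (Postfix) with ESMTP id 60E1777882F
\tfor <postmaster@iamghost.org>; Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from  84.225.87.154 (account <postmaster@iamghost.org> HELO iamghost.org)
\tby iamghost.org (CommuniGate Pro SMTP 5.2.3)
\twith ESMTPA id 967182120 for <postmaster@iamghost.org>; Wed, 13 Apr 2011 08:38:29 +0100
"""

# The zones the third post says still answer
RBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "rabl.nuclearelephant.com",
             "cbl.abuseat.org", "dnsbl.sorbs.net"]

# zen.spamhaus.org return codes (Spamhaus documentation; assumption for this example)
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
             "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

_HOP = re.compile(r"^from\s+\S+\s+\(.*?\[(\d+\.\d+\.\d+\.\d+)\]\)\s+by\s+(\S+)")


def unfold_received(headers):
    """Join RFC 5322 continuation lines and return Received: values, newest first."""
    flat = re.sub(r"\r?\n[ \t]+", " ", headers)
    return [ln[len("Received:"):].strip() for ln in flat.splitlines()
            if ln.startswith("Received:")]


def originating_client(headers, trusted_host="mail.iamghost.org"):
    """IP of the first hop that handed the message to our own MTA from a public
    address. Hops inside the localhost/amavisd loop carry loopback addresses
    and are skipped; anything the remote MTA claims about itself is ignored."""
    for hop in unfold_received(headers):
        m = _HOP.match(hop)
        if not m:
            continue
        ip, receiver = m.groups()
        if receiver == trusted_host and ipaddress.ip_address(ip).is_global:
            return ip
    return None


def dnsbl_name(ip, zone):
    """DNSBL query name: octets reversed, zone appended (RFC 5782 convention)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def interpret(zone, answer):
    """Map an A-record answer (or None) to a label. 127.255.255.x answers from
    Spamhaus signal a query problem, not a listing, and are reported as such."""
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        return "error response, not a listing (" + answer + ")"
    if zone == "zen.spamhaus.org":
        return "listed in " + ZEN_CODES.get(answer, "unknown list " + answer)
    return "listed (" + answer + ")"


def lookup(ip, zone):
    """Live DNS query; None when the name does not resolve (not listed)."""
    try:
        return socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None


def check_all(ip, resolver=lookup):
    """Result per zone. 'resolver' is injectable so this can run offline."""
    return {zone: interpret(zone, resolver(ip, zone)) for zone in RBL_ZONES}


if __name__ == "__main__":
    client = originating_client(HEADERS)
    print("connecting client:", client)
    for zone, result in check_all(client).items():
        print(f"{dnsbl_name(client, zone):45s} {result}")
```

    Running the file does live lookups; the 127.255.255.x branch matters in practice because a listing check routed through a public resolver returns an error code that a naive check would read as "listed".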
     
  4. till

    till Super Moderator

    You should lower the score. I use a score of 3.501 instead of 5 on my servers and don't get any false positives.
     
  5. carlosinfl

    carlosinfl New Member

    Questions...

    My SpamAssassin is configured via Amavisd-new as so:

    Code:
    $sa_tag_level_deflt  = -999.0;  
    $sa_tag2_level_deflt = 5.0;     
    $sa_kill_level_deflt = 8.0;     
    $sa_dsn_cutoff_level = 10;     
    $sa_quarantine_cutoff_level = 12; 
    
    So even if I lower the score, that will only alter the headers to label it spam, correct? It still won't block / prevent spam messages from being delivered.

    Could I not enter the range of IP 189.70.* into a 'client_access' file under /etc/postfix as follows:

    Code:
    189.70.*      REJECT

    Is that not possible? I know if I use the specific IP it will work but it seems like they have multiple servers that send from on that network.
     
  6. falko

    falko Super Moderator

    You should lower $sa_kill_level_deflt - that's the score that is responsible for blocking spam.
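    As an added example (not code from the thread, from amavisd-new or from Postfix): a small model of how the $sa_*_level settings quoted in the fifth post turn a SpamAssassin score into an amavisd-new action, run against the two X-Spam-Status headers posted earlier, so the difference between lowering tag2 (till's suggestion, which only flags) and lowering kill (falko's, which blocks) is visible. It also models the dotted-prefix lookup that Postfix access(5) tables use for client IP addresses, which is the form the '189.70.*' entry would need to take. Thresholds and scores are the thread's; the action model is a simplification of amavisd's documented behaviour and the lookup model covers only the IPv4 prefix rule.

```python
"""Added example: amavisd-new level thresholds applied to the thread's scores,
and Postfix access(5)-style prefix matching for a client IP range."""
import re

# amavisd-new levels exactly as posted in the fifth post
POSTED_LEVELS = {"tag": -999.0, "tag2": 5.0, "kill": 8.0,
                 "dsn_cutoff": 10.0, "quarantine_cutoff": 12.0}

# X-Spam-Status lines from the first and third posts (constructed copies)
STATUS_1 = ("X-Spam-Status: No, score=3.718 tagged_above=-999 required=5 "
            "tests=[BAYES_50=0.8, FH_HELO_ALMOST_IP=0.688, FREEMAIL_FROM=0.001, "
            "RCVD_IN_BRBL_LASTEXT=1.449, SPF_NEUTRAL=0.779, UNPARSEABLE_RELAY=0.001] "
            "autolearn=no")
STATUS_2 = ("X-Spam-Status: No, score=4.123 tagged_above=-999 required=5 "
            "tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, FREEMAIL_FROM=0.001, "
            "HK_RANDOM_ENVFROM=0.001, RCVD_IN_BRBL_LASTEXT=1.449, SPF_NEUTRAL=0.779, "
            "T_TO_NO_BRKTS_FREEMAIL=0.01, UNPARSEABLE_RELAY=0.001] autolearn=no")

_NUM = r"(-?\d+(?:\.\d+)?)"


def parse_spam_status(header):
    """Return (score, required, {rule: points}) from an X-Spam-Status line."""
    score = float(re.search(r"\bscore=" + _NUM, header).group(1))
    required = float(re.search(r"\brequired=" + _NUM, header).group(1))
    body = re.search(r"tests=\[(.*?)\]", header, re.S).group(1)
    rules = {name: float(pts) for name, pts in re.findall(r"([A-Z0-9_]+)=" + _NUM, body)}
    return score, required, rules


def amavis_action(score, levels):
    """Simplified amavisd-new decision: each level is a threshold the score must
    reach. Only 'kill' stops delivery; 'tag2' just sets X-Spam-Flag: YES, and the
    two cutoffs only suppress the sender DSN / quarantine copy above them."""
    return {
        "spam_headers": score >= levels["tag"],
        "flagged_spam": score >= levels["tag2"],
        "delivery_blocked": score >= levels["kill"],
        "sender_dsn_suppressed": score >= levels["dsn_cutoff"],
        "quarantine_suppressed": score >= levels["quarantine_cutoff"],
    }


def with_levels(**changes):
    """Copy of the posted levels with some values overridden."""
    levels = dict(POSTED_LEVELS)
    levels.update(changes)
    return levels


def postfix_access_keys(ip):
    """Keys Postfix tries, in order, for an IPv4 client in an access(5) table:
    the full address, then progressively shorter dotted prefixes."""
    parts = ip.split(".")
    return [".".join(parts[:n]) for n in range(4, 0, -1)]


def postfix_access_lookup(ip, table):
    """First matching action for 'ip' in a hash-style access table, else None."""
    for key in postfix_access_keys(ip):
        if key in table:
            return table[key]
    return None


if __name__ == "__main__":
    scenarios = {"as posted": POSTED_LEVELS,
                 "tag2 lowered to 3.501": with_levels(tag2=3.501),
                 "tag2 and kill lowered to 3.501": with_levels(tag2=3.501, kill=3.501)}
    for status in (STATUS_1, STATUS_2):
        score, required, rules = parse_spam_status(status)
        print(f"score {score} (rules sum to {sum(rules.values()):.3f}, required={required})")
        for name, levels in scenarios.items():
            act = amavis_action(score, levels)
            print(f"  {name:32s} flagged={act['flagged_spam']} blocked={act['delivery_blocked']}")
    # The range from the fifth post, written the way access(5) expects (no wildcard)
    table = {"189.70": "REJECT"}
    print("189.70.12.34 ->", postfix_access_lookup("189.70.12.34", table))
```

    The rule points in each header sum to the reported score, which is a quick sanity check when reading these lines. On the client_access question: a hash: access table matches client addresses by shortened dotted prefixes, so the entry is written `189.70 REJECT`, while a cidr: table would take `189.70.0.0/16 REJECT`; `189.70.*` is not a valid key in either.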
     