I've noticed I've been receiving spam to my 'postmaster' email address on my Postfix mail server. The messages are being forged to show To: & From: <[email protected]> but when I view the headers, I can see the details:

Code:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.iamghost.org (Postfix) with ESMTP id 3807E77884B
    for <[email protected]>; Wed, 13 Apr 2011 03:40:04 -0400 (EDT)
X-Virus-Scanned: amavisd-new at iamghost.org
X-Spam-Flag: NO
X-Spam-Score: 3.718
X-Spam-Level: ***
X-Spam-Status: No, score=3.718 tagged_above=-999 required=5
    tests=[BAYES_50=0.8, FH_HELO_ALMOST_IP=0.688, FREEMAIL_FROM=0.001,
    RCVD_IN_BRBL_LASTEXT=1.449, SPF_NEUTRAL=0.779, UNPARSEABLE_RELAY=0.001]
    autolearn=no
Received: from mail.iamghost.org ([127.0.0.1])
    by localhost (iamghost.org [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id j60-uZsGA79i for <[email protected]>;
    Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from netacc-gpn-5-87-154.pool.telenor.hu (netacc-gpn-5-87-154.pool.telenor.hu [84.225.87.154])
    by mail.iamghost.org (Postfix) with ESMTP id 60E1777882F
    for <[email protected]>; Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from 84.225.87.154 (account <[email protected]> HELO iamghost.org)
    by iamghost.org (CommuniGate Pro SMTP 5.2.3) with ESMTPA id 967182120
    for <[email protected]>; Wed, 13 Apr 2011 08:38:29 +0100
From: <[email protected]>
To: <[email protected]>
Subject: Newsletter Wed, 13 Apr 2011 08:38:29 +0100
Date: Wed, 13 Apr 2011 08:38:29 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: hmjo.27
Message-ID: <[email protected]>

Is there a way I can prevent this from happening? I'm guessing most people know that 'postmaster' is always a valid RFC account on most properly configured mail servers, but I don't want people exploiting this.
How can I eliminate the spam being sent to my postmaster account?
Do you use SpamAssassin? In addition to that, you can also configure Postfix as follows: http://www.howtoforge.com/block_spam_at_mta_level_postfix
I do use SpamAssassin / Amavisd-new on my Postfix server and it's scoring the messages, but not enough to trigger anything:

Code:
X-Spam-Status: No, score=4.123 tagged_above=-999 required=5
    tests=[BAYES_50=0.8, FH_FROMEML_NOTLD=1.082, FREEMAIL_FROM=0.001,
    HK_RANDOM_ENVFROM=0.001, RCVD_IN_BRBL_LASTEXT=1.449, SPF_NEUTRAL=0.779,
    T_TO_NO_BRKTS_FREEMAIL=0.01, UNPARSEABLE_RELAY=0.001]
    autolearn=no

Lots of those RBL spam check clients look way dated and many don't even exist anymore. Just tried to verify a few and they mostly come back dead. The only ones that appear to still work today are:

Code:
[...]
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client rabl.nuclearelephant.com,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dnsbl.sorbs.net,
permit
[...]
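The headers quoted in the opening post and the X-Spam-Status line above carry the two facts a defender actually acts on: the IP that connected to the local Postfix (the last Received header written by a trusted host, not the forged ones the sender's own relay added below it) and the SpamAssassin score. The following Python is an added example, not code from the thread or from Postfix/amavisd; it unfolds a constructed header sample (documentation addresses, modelled on the thread's headers), extracts the connecting client and the score, and then applies a Postfix-style cidr reject list and amavisd-style tag2/kill thresholds to show which of the two mechanisms would have caught the message. The trusted host names are assumptions.

```python
import re
import ipaddress

# Hosts whose Received headers we trust: our own Postfix and the amavisd
# loop on localhost (assumed names; adjust to your own server).
TRUSTED_HOSTS = {"mail.example.org", "localhost"}

# Constructed sample modelled on the headers quoted in the thread, with
# documentation addresses in place of the real ones.  Newest Received first.
SAMPLE_HEADERS = """\
Return-Path: <postmaster@example.org>
Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.example.org (Postfix) with ESMTP id 3807E77884B
    for <postmaster@example.org>; Wed, 13 Apr 2011 03:40:04 -0400 (EDT)
X-Spam-Status: No, score=3.718 tagged_above=-999 required=5
    tests=[BAYES_50=0.8, FH_HELO_ALMOST_IP=0.688, SPF_NEUTRAL=0.779]
    autolearn=no
Received: from mail.example.org ([127.0.0.1])
    by localhost (example.org [127.0.0.1]) (amavisd-new, port 10024)
    with LMTP id j60-uZsGA79i for <postmaster@example.org>;
    Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from host.pool.example.net (host.pool.example.net [198.51.100.23])
    by mail.example.org (Postfix) with ESMTP id 60E1777882F
    for <postmaster@example.org>; Wed, 13 Apr 2011 03:40:02 -0400 (EDT)
Received: from 198.51.100.23 (account <someone@example.com> HELO example.org)
    by example.org (SomeMTA SMTP) with ESMTPA id 967182120
    for <postmaster@example.org>; Wed, 13 Apr 2011 08:38:29 +0100
From: <postmaster@example.org>
To: <postmaster@example.org>
Subject: Newsletter
"""

RECEIVED_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)


def unfold_headers(raw):
    """Return [(name, value)] with RFC 5322 folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # end of the header section
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_spam_status(value):
    """Pull score, required threshold and per-test scores out of X-Spam-Status."""
    score = float(re.search(r"score=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", value).group(1))
    tests_part = value.partition("tests=")[2]
    tests = {k: float(v) for k, v in re.findall(r"([A-Z0-9_]+)=(-?[\d.]+)", tests_part)}
    return {"score": score, "required": required, "tests": tests}


def connecting_client(headers):
    """Return the IP that handed the message to our MTA, or None.

    Received headers are read top-down (newest first).  Only headers written
    'by' one of our trusted hosts are believed; the first of those whose
    'from' address is not loopback names the real client.  Everything below
    it was written by the sender's own relay and may be forged.
    """
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        _helo, ip, by = m.groups()
        if by not in TRUSTED_HOSTS:
            return None  # trust chain ended without finding a client
        addr = ipaddress.ip_address(ip)
        if not addr.is_loopback:
            return addr
    return None


def parse_cidr_map(text):
    """Parse lines in Postfix cidr_table(5) form: 'network/prefix ACTION ...'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(net, strict=False), action.split()[0]))
    return rules


def decide(raw_message, cidr_rules, tag2_level=5.0, kill_level=8.0):
    """Mimic the order of the real pipeline: client access map first, then score."""
    headers = unfold_headers(raw_message)
    client = connecting_client(headers)
    if client is not None:
        for net, action in cidr_rules:
            if client in net:
                return action  # Postfix acts on this before content scanning
    status = next((v for n, v in headers if n.lower() == "x-spam-status"), None)
    if status is None:
        return "DELIVER"
    score = parse_spam_status(status)["score"]
    if score >= kill_level:
        return "BLOCK"  # amavisd kill level: message is not delivered
    if score >= tag2_level:
        return "TAG"    # amavisd tag2 level: delivered, but marked as spam
    return "DELIVER"


if __name__ == "__main__":
    rules = parse_cidr_map("189.70.0.0/16 REJECT\n")
    print("client:", connecting_client(unfold_headers(SAMPLE_HEADERS)))
    print("default levels:", decide(SAMPLE_HEADERS, rules))
    print("kill at 3.5:", decide(SAMPLE_HEADERS, rules, kill_level=3.5))
```

The sample's client is 198.51.100.23, so the 189.70.0.0/16 rule does not fire and the message is delivered at the thread's default levels (score 3.718 is below both 5.0 and 8.0); lowering only the tag2 level marks it, lowering the kill level actually blocks it, which is the distinction the later posts turn on.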
You should lower the score. I use a score of 3.501 instead of 5 on my servers and don't get any false positives.
Questions... My SpamAssassin is configured via Amavisd-new as so:

Code:
$sa_tag_level_deflt = -999.0;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 8.0;
$sa_dsn_cutoff_level = 10;
$sa_quarantine_cutoff_level = 12;

So even if I lower the score, that will only alter the headers to label it spam, correct? It still won't block / prevent spam messages from being delivered. Could I not enter the range of IP 189.70.* into a 'client_access' file under /etc/postfix as follows:

Code:
189.70.* REJECT

Is that not possible? I know if I use the specific IP it will work, but it seems like they have multiple servers that they send from on that network.
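For the two questions in the post above, here is an added configuration example (not the poster's files and not taken from the thread) showing how the pieces fit together: a Postfix client access check placed ahead of the RBL lookups, the network block written in syntax Postfix actually accepts, and the amavisd levels with the kill level, rather than the tag2 level, lowered so that scored messages are stopped instead of merely labelled. The file paths, the RBL choice and the 189.70.0.0/16 network are taken from the thread; the D_DISCARD setting is an assumed choice.

```text
# /etc/postfix/main.cf  (added example)
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access.cidr,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    permit

# /etc/postfix/client_access.cidr  (cidr: tables are read directly; no postmap needed)
# A wildcard such as "189.70.*" is not valid access-map syntax.
# A cidr table takes network/prefix:
189.70.0.0/16   REJECT Mail from this network is not accepted

# Equivalent entry for a hash: table (run "postmap /etc/postfix/client_access"
# after editing).  Hash access maps match a dotted network prefix, so the key
# is "189.70", again not "189.70.*":
#   189.70          REJECT

# /etc/amavisd.conf  (added example)
# $sa_tag2_level_deflt only sets X-Spam-Flag: YES and tags the subject.
# $sa_kill_level_deflt is the score at which amavisd stops delivering the message,
# so that is the value to lower when the goal is to block rather than label.
$sa_tag_level_deflt  = -999.0;
$sa_tag2_level_deflt = 5.0;
$sa_kill_level_deflt = 5.0;        # thread had 8.0; equal to tag2 so tagged mail is also blocked
$final_spam_destiny  = D_DISCARD;  # assumed: discard instead of bouncing to a forged sender
```

With the cidr entry in place, a connection from anywhere in 189.70.0.0/16 is rejected at the SMTP session before amavisd or SpamAssassin run at all, so no score is involved; for senders outside the listed networks the lowered kill level is what decides, and discarding rather than bouncing avoids sending backscatter to the forged From: address.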