Anyone here who might have a solution for the last bit of spam that I'm getting at the moment? SpamAssassin is seeing the mail, but not marking it high enough as spam :/ The spam always starts with some_name wrote: (in this case "Lora wrote:"), and I'm getting lots of it! Looking at the /var/log/mail.info, the connection is always from "unknown" and the spammer is always using other "zombie PCs'" IPs. (note: I have changed the hostname.net and domainname.tld in the shown files)

/var/log/mail.info
Code:
Nov 27 10:44:58 host postfix/smtpd[1901]: connect from unknown[58.236.9.36]
Nov 27 10:44:59 host postfix/smtpd[1901]: 746671250005: client=unknown[58.236.9.36]
Nov 27 10:44:59 host postfix/cleanup[1903]: 746671250005: message-id=<01c71209$07817a00$6c822ecf@deborahperque>
Nov 27 10:44:59 host postfix/qmgr[23533]: 746671250005: from=<[email protected]>, size=2171, nrcpt=1 (queue active)
Nov 27 10:44:59 host postfix/pickup[23532]: DEF9E125001D: uid=10075 from=<web42_marcella>
Nov 27 10:44:59 host postfix/cleanup[1903]: DEF9E125001D: message-id=<[email protected]>
Nov 27 10:44:59 host postfix/qmgr[23533]: DEF9E125001D: from=<[email protected]>, size=402, nrcpt=1 (queue active)
Nov 27 10:44:59 host postfix/local[1925]: DEF9E125001D: to=<[email protected]>, relay=local, delay=0, status=sent (delivered to command: /usr/bin/procmail -f-)
Nov 27 10:44:59 host postfix/qmgr[23533]: DEF9E125001D: removed
Nov 27 10:45:00 host postfix/smtpd[1901]: disconnect from unknown[58.236.9.36]

header of email
Code:
From [email protected] Mon Nov 27 10:44:59 2006
Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on host.hostname.net
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=5.0 tests=DATE_IN_FUTURE_03_06 autolearn=no version=3.1.7
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from your-d008eaa2b4.hananet.net (unknown [58.236.9.36]) by mail.hostname.net (Postfix) with ESMTP id 746671250005 for <[email protected]>; Mon, 27 Nov 2006 10:44:59 +0100 (CET)
Received: from 211.147.208.57 (HELO newmail-g1.xinnetdns.com) by domainname.tld with esmtp (UKV:8Q8DA8 T/'Z.) id FR(;:;-7P7<DF-/K for [email protected]; Mon, 27 Nov 2006 09:47:19 -0540
From: "Lora Kyle" <[email protected]>
To: <[email protected]>
Subject: Lora wrote:
Date: Mon, 27 Nov 2006 09:47:19 -0540
Message-ID: <01c71209$07817a00$6c822ecf@deborahperque>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1158
Thread-Index: Aca6Q8LLV9M2B-4Y:2X-8AZ78X5V02==
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.3 with clamscan / ClamAV 0.88.6/2244/Mon Nov 27 08:33:13 2006

I could make a rule in "outlook" to delete any message starting with wrote:, but this is not really the way to go I think.. In the "new 2.3" postfix there is an option 'reject_non_fqdn_hostname', but as I'm using the postfix that came with the Debian Sarge install (2.1.5) it does not have that option. Anyone here who might have an easy solution of stopping this %#^@#@* spammer sending me this "crap"? (blocking IPs, blocking senders' e-mail addresses, or shutting down my server is no option) Or... Did anyone here (Debian OS) update his postfix that is set up in combination with ISPconfig?
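The headers pasted above already show why SpamAssassin stopped at 2.0: the only test that fired was DATE_IN_FUTURE_03_06, yet the message also carries a client with no reverse DNS, a bare "Name wrote:" subject and a -0540 zone offset that no real time zone uses. The script below is an added example, not code from the thread or from SpamAssassin; it parses the headers as shown (addresses as obfuscated by the forum export, plus a constructed clean control message) and re-scores them with local rules whose names and weights are my own.

```python
# Added example, not code from the thread: re-score the pasted headers with a few
# cheap local checks to see what the "Lora wrote:" message gives away. The rule
# names and scores below are my own, not SpamAssassin's.
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers as shown in the post (addresses were obfuscated by the forum export).
SPAM_HEADERS = """\
X-Spam-Status: No, score=2.0 required=5.0 tests=DATE_IN_FUTURE_03_06 autolearn=no version=3.1.7
Received: from your-d008eaa2b4.hananet.net (unknown [58.236.9.36]) by mail.hostname.net (Postfix) with ESMTP id 746671250005 for <[email protected]>; Mon, 27 Nov 2006 10:44:59 +0100 (CET)
Received: from 211.147.208.57 (HELO newmail-g1.xinnetdns.com) by domainname.tld with esmtp (UKV:8Q8DA8 T/'Z.) id FR(;:;-7P7<DF-/K for [email protected]; Mon, 27 Nov 2006 09:47:19 -0540
From: "Lora Kyle" <[email protected]>
Subject: Lora wrote:
Date: Mon, 27 Nov 2006 09:47:19 -0540
Message-ID: <01c71209$07817a00$6c822ecf@deborahperque>

"""

# Constructed control message: ordinary mail with working rDNS and a sane Date.
HAM_HEADERS = """\
X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00 autolearn=ham version=3.1.7
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mail.hostname.net (Postfix) with ESMTP id 0123456789 for <[email protected]>; Mon, 27 Nov 2006 10:50:00 +0100 (CET)
From: Colleague <[email protected]>
Subject: Re: meeting notes
Date: Mon, 27 Nov 2006 10:49:30 +0100

"""

# Subject consisting of nothing but "<one word> wrote:".
SUBJECT_ONLY_WROTE = re.compile(r"^\s*\S+ wrote:\s*$", re.IGNORECASE)


def spamassassin_score(msg):
    """(score, required) as recorded by SpamAssassin in X-Spam-Status."""
    m = re.search(r"score=(-?[\d.]+) required=([\d.]+)", msg.get("X-Spam-Status", ""))
    return (float(m.group(1)), float(m.group(2))) if m else (0.0, 5.0)


def date_skew_hours(msg):
    """Hours the Date: header lies ahead of the time our own MTA stamped in the
    top-most Received: line (positive means the claimed send time is in the future).
    This is the comparison behind SpamAssassin's DATE_IN_FUTURE_* tests."""
    stamped = parsedate_to_datetime(msg.get_all("Received")[0].rsplit(";", 1)[1].strip())
    claimed = parsedate_to_datetime(msg["Date"])
    return (claimed - stamped).total_seconds() / 3600


def tz_offset_minutes(date_header):
    """Numeric zone offset from a Date: header; real zones are whole quarter hours."""
    m = re.search(r"([+-])(\d{2})(\d{2})\s*$", date_header)
    if not m:
        return 0
    sign = -1 if m.group(1) == "-" else 1
    return sign * (int(m.group(2)) * 60 + int(m.group(3)))


def local_checks(msg):
    """Add-on signals taken from what the pasted headers show. Weights are guesses."""
    hits = {}
    if SUBJECT_ONLY_WROTE.match(msg.get("Subject", "")):
        hits["LOCAL_SUBJ_ONLY_WROTE"] = 2.5
    if "(unknown [" in msg.get_all("Received")[0]:  # Postfix: no PTR for the client
        hits["LOCAL_CLIENT_NO_RDNS"] = 1.0
    if tz_offset_minutes(msg.get("Date", "")) % 15 != 0:  # -0540 is not a real zone
        hits["LOCAL_BOGUS_TZ_OFFSET"] = 1.5
    return hits


def verdict(raw_headers):
    """Combine SpamAssassin's own score with the local hits and apply its threshold."""
    msg = message_from_string(raw_headers)
    sa_score, required = spamassassin_score(msg)
    hits = local_checks(msg)
    total = sa_score + sum(hits.values())
    return {"sa_score": sa_score, "local_hits": hits, "total": total,
            "skew_hours": round(date_skew_hours(msg), 2), "spam": total >= required}


if __name__ == "__main__":
    for label, raw in (("spam", SPAM_HEADERS), ("ham", HAM_HEADERS)):
        print(label, verdict(raw))
```

The Date: in the spam is about 5.7 hours ahead of the local Received: stamp, which is exactly the 3-to-6 hour window DATE_IN_FUTURE_03_06 covers; the three local hits push the total past the 5.0 threshold while the control message stays clean. The subject check as a real SpamAssassin rule would be a `header` line in local.cf, for instance `header LOCAL_SUBJ_ONLY_WROTE Subject =~ /^\S+ wrote:$/i` together with a `score LOCAL_SUBJ_ONLY_WROTE 2.5` line (standard rule syntax, but a rule of my own).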
You could download additional SpamAssassin rulesets (see http://www.howtoforge.com/virtual_postfix_mysql_quota_courier_p4 ). You could also reject a lot of spam before even entering your system: http://www.howtoforge.com/forums/showthread.php?t=7802&highlight=smtpd_recipient_restrictions
Hmm why did I not find that thread falko! Anyway.. I had to remove the "reject_rbl_client proxies.relays.monkeys.com" part, as "proxies.relays.monkeys.com" is dead (since March 15th, 2004). I'm also getting a warning from "rblmap.tu-berlin.de"

Code:
warning: 169.92.249.66.rblmap.tu-berlin.de: RBL lookup error: Host or domain name not found. Name service error for name-168.92.249.66.rblmap.tu-berlin.de type=A Host not found, try again

I have added the following to /etc/postfix/main.cf

Code:
smtpd_helo_required = yes
disable_vrfy_command = yes
invalid_hostname_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_sender_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client multi.uribl.com,
    reject_rbl_client dsn.rfc-ignorant.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client rblmap.tu-berlin.de,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client blackholes.easynet.nl,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    permit

Question! How good is this? I'm now a bit worried about "normal" email and if it will still arrive!
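Two of the zones in that list were already dead when the post was written (proxies.relays.monkeys.com had to be removed by hand, and rblmap.tu-berlin.de produces the RBL lookup error shown), and a long list of reject_rbl_client entries is only as good as the zones behind it. The script below is an added example, not code from the thread or from Postfix: it pulls the zones out of a smtpd_recipient_restrictions value and checks each one using the long-standing DNSBL convention (later written down in RFC 5782) that a working list answers for the test address 127.0.0.2 and returns nothing for 127.0.0.1. The resolver is a parameter, so the run here uses constructed canned answers rather than live DNS; `rblmap.tu-berlin.de` being "dead" and `lapsed.example` wildcarding are part of that constructed data.

```python
# Added example, not code from the thread: audit the DNSBL zones named in a Postfix
# smtpd_recipient_restrictions value. A zone is "ok" when it lists the 127.0.0.2 test
# address and not 127.0.0.1, "dead" when even the test entry does not resolve, and
# "lists-everything" when 127.0.0.1 resolves too (a lapsed zone that now wildcards
# every name and would reject all inbound mail).
import re
import socket


def rbl_query_name(client_ip, zone):
    """Name Postfix looks up for reject_rbl_client: client octets reversed, zone
    appended. This is the form seen in the warning quoted in the post."""
    return ".".join(reversed(client_ip.split("."))) + "." + zone


def rbl_zones(restrictions):
    """Zone names from a smtpd_recipient_restrictions value, in list order."""
    return re.findall(r"reject_rbl_client\s+([A-Za-z0-9.-]+)", restrictions)


def check_zone(zone, resolve=socket.gethostbyname):
    """Classify one zone using the 127.0.0.2 / 127.0.0.1 test addresses."""
    try:
        resolve(rbl_query_name("127.0.0.2", zone))
    except OSError:  # socket.gaierror is an OSError: NXDOMAIN/SERVFAIL
        return "dead"
    try:
        resolve(rbl_query_name("127.0.0.1", zone))
    except OSError:
        return "ok"
    return "lists-everything"


def audit_restrictions(restrictions, resolve=socket.gethostbyname):
    """Map every zone in the restriction list to its state."""
    return {zone: check_zone(zone, resolve) for zone in rbl_zones(restrictions)}


# Constructed canned DNS answers standing in for the network; these are not real
# lookups and say nothing about the current state of the zones named.
CANNED_DNS = {
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",   # healthy list: test entry present
    "2.0.0.127.lapsed.example": "127.0.0.2",         # wildcarded zone: everything
    "1.0.0.127.lapsed.example": "127.0.0.2",         # resolves, including 127.0.0.1
}


def canned_resolve(name):
    """Resolver stub with the same contract as socket.gethostbyname."""
    try:
        return CANNED_DNS[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


# Constructed restriction list in the same shape as the one in the post.
SAMPLE_RESTRICTIONS = (
    "reject_invalid_hostname, permit_mynetworks, permit_sasl_authenticated, "
    "reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org, "
    "reject_rbl_client rblmap.tu-berlin.de, reject_rbl_client lapsed.example, permit"
)


if __name__ == "__main__":
    for zone, state in audit_restrictions(SAMPLE_RESTRICTIONS, canned_resolve).items():
        print(f"{zone:28} {state}")
```

Run with the default resolver it performs real queries, so it can be pointed at the actual main.cf value (for example the output of `postconf -h smtpd_recipient_restrictions`) to find zones that should be dropped before they cause lookup errors on every connection or, worse, start matching everyone. On the "normal mail" worry in the post: because the reject_rbl_client entries sit after permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination, they only ever apply to outside hosts delivering to the server's own domains; the list most likely to touch legitimate mail is a dynamic-address list such as dul.dnsbl.sorbs.net, which rejects mail sent straight from residential connections rather than through an ISP relay.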
Wow... After adding the above stuff to my /etc/postfix/main.cf file, and looking at the /var/log/mail.log file, a lot of spam (as far as I can see) is being rejected! The extra stuff that I added to the main.cf does really work! Thank you again falko!
Some "some_name wrote:" are still going through, but it did stop all the "connect from unknown" emails.
falko, will this work with ISPconfig and the Debian Sarge setup? I've done a setup on a virtual system, and one thing that for sure does not work is the "/etc/init.d/amavis restart" (my setup does have amavis). Am I missing something here? (a.f.a.i.k the new ISPconfig does not use amavis anymore... or does it??)
The link should just give you the idea. ISPConfig doesn't use amavisd; however, the SpamAssassin tests are located in /home/admispconfig/ispconfig/tools/spamassassin/usr/share/spamassassin, so you could just download additional tests to that directory.