I've been playing around with my SPAM Policy parameters, and I've started getting a LOT of emails that look like the following:

Code:
Transcript of session follows.

 Out: 220 pluto.domain.tld ESMTP Postfix (Ubuntu)
 In:  EHLO localhost
 Out: 250-pluto.domain.tld
 Out: 250-PIPELINING
 Out: 250-SIZE
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-STARTTLS
 Out: 250-AUTH PLAIN LOGIN
 Out: 250-AUTH=PLAIN LOGIN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM:<[email protected]> BODY=8BITMIME
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<[email protected]> ORCPT=rfc822;[email protected]
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
 Out: 250 2.0.0 Ok: queued as DD9402425EA
 In:  MAIL FROM:<[email protected]> BODY=8BITMIME
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<[email protected]> ORCPT=rfc822;[email protected]
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
 Out: 250 2.0.0 Ok: queued as 3BB362425EB
 In:  MAIL FROM:<[email protected]> BODY=8BITMIME
 Out: 250 2.1.0 Ok
 In:  RCPT TO:<[email protected]> ORCPT=rfc822;[email protected]
 Out: 250 2.1.5 Ok
 In:  DATA
 Out: 354 End data with <CR><LF>.<CR><LF>
 Out: 451 4.3.0 Error: queue file write error

Session aborted, reason: lost connection

For other details, see the local mail logfile

I'm not quite sure what to make of them, but it looks like [email protected] is sending a lot of spam to many users. Anyone have any advice or comments? Cheers, Nap
sjau, thnx. Your rank 'Local Meanie' suits you!! Please tell more about the filter. My mail & syslogs are huge as a result. But I'm wondering if I'm blocking the sender and they know I'm blocking them (because the connection is cut off). I'm prepared to bear the pain if in the end these clowns go away. I added a Postfix Blacklist entry for that email address, and even after restarting Postfix, I'm still queuing messages for this clown. Cheers, Nap
If you login as admin to ISPC, then go to Email; at the bottom you have Blacklist and Content Filter. So you could add a new content filter rule like this:

Filter: Header Filter Regexp
Pattern: /^(To|From|Cc|Reply-To|Subject|Received):.*.HMRC\.gov\.uk/
Data: ---> just add a notice that appears in the logs... and also the sending server receives this... usually I put in: Spam not tolerated here - hmrc.gov.uk
In case I get a false positive, I know what has triggered it.
Action: REJECT

From the Regexp Pattern you could of course remove some of the checks or add others.... e.g. if you don't mind sending email to that domain, then you'd remove the "To" part.....

Here's one I use:
THANKS sjau. Can I ask a question about the regex statement? Why are the two periods, before and after the *, not escaped but the ones after the domain name are? (My understanding is that periods match any single character.) Also, I only need to block one address '[email protected]', so would I make that part of the regex: :.Aplicant\@HMRC\.gov\.uk Cheers, Nap
A period in a regex is a special character. However, if you want to match a literal "." then you have to escape it in regex. Hence it's \.gov\.au. The @ doesn't need to be escaped as it has no special meaning in regex. This ":.*.xxxxxx" means the following: Header entries have a name like "To", and once that header name is finished it is followed with a colon ":". So that part means that after a header name entry, match any character for any length until you hit "xxxxxx". If there is "xxxxxx" it's a match.
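To make the escaping rules above concrete, here is an added Python example (not code from the thread or from ISPConfig/Postfix) that runs the thread's header-filter pattern, and a narrower single-address variant like the one Nap asked about, over a handful of constructed header lines. Python's re module is used as a stand-in for the Postfix regexp table that ISPConfig's "Header Filter Regexp" writes; the case-insensitive flag mirrors the Postfix regexp table default, and the sample headers, the SINGLE_ADDRESS_PATTERN and the function names are assumptions made for this demonstration.

```python
import re

# The pattern from the thread, without the surrounding slashes ISPConfig/Postfix
# use as delimiters. The unescaped '.' after ':' and '*' match any one character;
# the escaped '\.' in 'HMRC\.gov\.uk' match literal dots only.
THREAD_PATTERN = r"^(To|From|Cc|Reply-To|Subject|Received):.*.HMRC\.gov\.uk"

# Hypothetical narrower rule for a single sender address (an assumption, not a
# rule from the thread). '@' has no special meaning in a regex, so it is left as is.
SINGLE_ADDRESS_PATTERN = r"^(To|From|Cc|Reply-To|Subject|Received):.*Aplicant@HMRC\.gov\.uk"

# Constructed sample header lines, not taken from the poster's logs.
SAMPLE_HEADERS = [
    "From: Aplicant@HMRC.gov.uk",
    "Reply-To: refunds@hmrc.gov.uk",
    "Subject: Your HMRC.gov.uk tax refund",
    "To: someone@example.org",
    "From: news@HMRCXgovXuk.example",  # only an UNescaped 'HMRC.gov.uk' would hit this
    "X-Mailer: HMRC.gov.uk",           # header name is not in the alternation -> no match
]


def header_matches(pattern: str, header_line: str) -> bool:
    """True if the header line would trigger the rule.

    Postfix regexp tables match case-insensitively by default, so the same flag
    is used here; that is why 'hmrc.gov.uk' is caught as well as 'HMRC.gov.uk'.
    """
    return re.search(pattern, header_line, re.IGNORECASE) is not None


def evaluate(pattern: str, headers=SAMPLE_HEADERS) -> dict:
    """Map each header line to the action the rule would take: 'REJECT' or 'pass'."""
    return {h: ("REJECT" if header_matches(pattern, h) else "pass") for h in headers}


def rejected_lines(pattern: str, headers=SAMPLE_HEADERS) -> list:
    """The subset of header lines the rule would reject, in input order."""
    return [h for h in headers if header_matches(pattern, h)]


def dot_escaping_demo() -> dict:
    """Show why the dots in the domain must be escaped: an unescaped 'HMRC.gov.uk'
    also matches 'HMRCXgovXuk', because '.' matches any single character."""
    line = "From: news@HMRCXgovXuk.example"
    return {
        "unescaped_matches": header_matches(r"HMRC.gov.uk", line),
        "escaped_matches": header_matches(r"HMRC\.gov\.uk", line),
    }


if __name__ == "__main__":
    for pattern in (THREAD_PATTERN, SINGLE_ADDRESS_PATTERN):
        print(pattern)
        for header, action in evaluate(pattern).items():
            print(f"  {action:6s} {header}")
    print(dot_escaping_demo())
```

Running the block prints, for each pattern, which of the constructed headers would be rejected. The thread's pattern rejects the From, Reply-To and Subject lines that mention the domain (in either case), ignores the X-Mailer line because that header name is not in the alternation, and does not touch "HMRCXgovXuk" because the dots in the domain are escaped; the single-address pattern rejects only the one sender.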
Thanks sjau!!! It's worked! I was getting around a hundred emails every 10 seconds. My queue was filled up when I started addressing the problem.