Re: Howto get Postfix ... (really, how to block compromised-webserver spam)
From: Adam Jacob Muller (lists-postfix@adam.gs)
Date: Thu Dec 14 2006 - 23:37:51 CST
I had rules such as this in place, until mails from my bank stopped
coming in.
They were using nobody@wwwXX.bank.com as the envelope sender.
Point being, not only stupid web forms use nobody@, sometimes
otherwise clueful programmers/companies don't understand why this is
a Bad Thing(TM).
-Adam
On Dec 14, 2006, at 6:29 PM, Sheldon T. Hall wrote:
> Harvey Smith says ...
>> On Thu, Dec 14, 2006 at 10:00:55AM -0800, Sheldon T. Hall wrote:
>>>
>>> smtpd_recipient_restrictions = permit_mynetworks
>>> ...
>>> check_sender_access regexp:/etc/postfix/tables/sender_checks
>>>
>>> Then in /etc/postfix/tables/sender_checks, have stuff like ...
>>>
>>> #
>>> # Addresses no one should use
>>> #
>>> /^nobody@/ REJECT Use your real name
>>> /^anonymous@/ REJECT Use your real name
>>> /^apache@/ REJECT Use your real name
>>> /^httpd.*@/ REJECT Use your real name
>>> /^proxy@/ REJECT Use your real name
>>> /^webmail@/ REJECT Use your real name
>>> /^wwwrun@/ REJECT Use your real name
>>> /^www-data@/ REJECT Use your real name
>>>
>>
>> Well sure, except now your users won't get the information they're
>> expecting from non-compromised web-forms. Better just to subject
>> these
>> to extra scrutiny. If everyone blocked these, webmasters would simply
>> change the names.
>
> You may well be correct. I should have mentioned that you might
> have to
> whitelist some exceptions to those rules. However, I've had most
> of those
> rules in place for 2 years without any other drama, and they block
> a lot of
> spam.
>
> Another thing I should have mentioned is that using WARN or DEFER
> rather
> than REJECT is a prudent course of action on new rules with the
> potential
> for undesired side-effects. Ditto for a thorough analysis of one's
> logs, to
> see, given the example above, whether "nobody@" is a legit source
> of mail
> for any of your users. Ideally, one would analyse the logs,
> implement the
> rule with a WARN or DEFER action, wait a while, and analyse the
> logs again
> to see if the rules have the intended effect.
>
> Thanks for the nudge.
>
> -Shel
>
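The two points raised in this thread, that a catch-all `/^nobody@/ REJECT` needs exceptions placed ahead of it (Postfix regexp tables stop at the first matching line) and that the rules should be dry-run against the logs before switching from WARN/DEFER to REJECT, can be checked offline. The script below is an added example and is not code from Adam, Shel or the Postfix project: it parses a sender_checks table in the simple `/pattern/ action` form (no `!/pattern/` negation or IF/ENDIF), applies Postfix's first-match, case-insensitive semantics to an envelope sender, and counts which senders in a set of constructed qmgr log lines would now be rejected. The `bank.example` exception, the hosts and the log lines are all made up for the example.

```python
import re
from collections import Counter

# Constructed sender_checks table in Postfix regexp: format, built from the
# rules quoted in the thread. The first rule is a hypothetical exception for
# the kind of legitimate "nobody@" sender Adam describes; it has to sit above
# the catch-all reject because regexp tables return the first match.
SENDER_CHECKS = r"""
#
# Exceptions first: the first matching pattern wins
#
/^nobody@www[0-9]+\.bank\.example$/  OK
#
# Addresses no one should use
#
/^nobody@/    REJECT Use your real name
/^anonymous@/ REJECT Use your real name
/^apache@/    REJECT Use your real name
/^httpd.*@/   REJECT Use your real name
/^proxy@/     REJECT Use your real name
/^webmail@/   REJECT Use your real name
/^wwwrun@/    REJECT Use your real name
/^www-data@/  REJECT Use your real name
"""

# "/pattern/flags action [text]" only; !/pattern/ and IF/ENDIF are not handled.
RULE_RE = re.compile(
    r'^/(?P<pat>.*?)/(?P<flags>[ix]*)\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$')


def parse_table(text):
    """Return [(compiled_regex, ACTION, reply_text)] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {raw!r}")
        # Postfix matches case-insensitively by default; the 'i' flag toggles
        # that off (regexp_table(5)). 'x' (extended syntax) is accepted and ignored.
        flags = 0 if 'i' in m['flags'] else re.IGNORECASE
        rules.append((re.compile(m['pat'], flags), m['action'].upper(), m['text'] or ''))
    return rules


RULES = parse_table(SENDER_CHECKS)


def lookup(rules, sender):
    """First-match lookup of the full envelope sender; DUNNO means no rule hit."""
    for rx, action, text in rules:
        if rx.search(sender):      # Postfix searches, it does not anchor for you
            return action, text
    return 'DUNNO', ''


# Constructed qmgr lines; from=<...> is the envelope sender the rules act on.
SAMPLE_LOG = """\
Dec 14 18:01:02 mx postfix/qmgr[2201]: 7A1B2C3D4E: from=<nobody@www12.bank.example>, size=2310, nrcpt=1 (queue active)
Dec 14 18:02:15 mx postfix/qmgr[2201]: 8B2C3D4E5F: from=<apache@vps-3.hosting.example>, size=1870, nrcpt=40 (queue active)
Dec 14 18:02:16 mx postfix/qmgr[2201]: 9C3D4E5F60: from=<WWW-DATA@shop.example>, size=1902, nrcpt=35 (queue active)
Dec 14 18:05:40 mx postfix/qmgr[2201]: A0D4E5F617: from=<alice@example.org>, size=4120, nrcpt=1 (queue active)
Dec 14 18:06:01 mx postfix/qmgr[2201]: B1E5F61728: from=<apache@vps-3.hosting.example>, size=1871, nrcpt=38 (queue active)
"""

FROM_RE = re.compile(r'from=<(?P<sender>[^>]*)>')


def audit_log(rules, log_text):
    """Dry run: count senders in the log that the table would REJECT.

    This is the offline equivalent of running the rules with WARN and then
    reading the logs, as Shel suggests, before turning on REJECT.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if not m:
            continue
        action, _ = lookup(rules, m['sender'])
        if action == 'REJECT':
            hits[m['sender']] += 1
    return hits


if __name__ == '__main__':
    for sender in ('nobody@www12.bank.example', 'nobody@www.example.com',
                   'WWW-DATA@shop.example', 'alice@example.org'):
        print(f'{sender:32} -> {lookup(RULES, sender)}')
    for sender, n in audit_log(RULES, SAMPLE_LOG).most_common():
        print(f'would reject {n:3d} x {sender}')
```

Any sender that shows up in the audit with a meaningful volume and a plausible origin (a bank's web server, an application host your users rely on) is a candidate for an `OK` line above the catch-all rather than a reason to drop the rule; senders that only appear in bursts with large `nrcpt` counts are the compromised-form traffic the original rules are aimed at.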