Re:

From: mouss (moussnetoyen.net)
Date: Thu Apr 24 2008 - 10:19:34 CDT


Johnson, S wrote:
> After months of doing a great job, I started to get spam back into my
> system again.
>
>
>
> Apr 23 16:26:06 mail sqlgrey: grey: new: 82.67.64.191(82.67.64.191),
> fetamemoryplus.org -> sjohnsonmydomain.com
>
> Apr 23 16:26:06 mail postfix/smtpd[23130]: NOQUEUE: reject: RCPT from
> mut38-1-82-67-64-191.fbx.proxad.net[82.67.64.191]: 450 4.7.1
> <fetamemoryplus.org>: Sender address rejected: Greylisted for 5
> minutes; from=<fetamemoryplus.org> to=<sjohnsonmydomain.com>
> proto=SMTP helo=<wzbkw.proxad.net>
>
>
>
> (waited exactly 5 minutes to retry connection)
>
>
>
> Apr 23 16:31:10 mail sqlgrey: grey: reconnect ok:
> 82.67.64.191(82.67.64.191), fetamemoryplus.org -> sjohnsonmydomain.com
> (00:05:04)
>
> Apr 23 16:31:10 mail sqlgrey: grey: from awl: 82.67.64.191,
> fetamemoryplus.org added
>
> Apr 23 16:31:11 mail postfix/cleanup[22561]: 9A56FC3804F: hold: header
> Received: from wzbkw.proxad.net (mut38-1-82-67-64-191.fbx.proxad.net
> [82.67.64.191])??by mydomain.com (Postfix) with SMTP id 9A56FC3804F??for
> <sjohnsonmydomain.com>; Wed, 23 Apr 2008 16:31:10 - from
> mut38-1-82-67-64-191.fbx.proxad.net[82.67.64.191];
> from=<fetamemoryplus.org> to=<sjohnsonmydomain.com> proto=SMTP
> helo=<wzbkw.proxad.net>
>
> Apr 23 16:31:15 mail amavis[22991]: (22991-13) ESMTP::10024
> /var/spool/amavisd/tmp/amavis-20080423T162212-22991:
> <fetamemoryplus.org> -> <sjohnsonmydomain.com> SIZE=3295 Received:
> from mydomain.com ([127.0.0.1]) by localhost (mail.mydomain.com
> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for
> <sjohnsonmydomain.com>; Wed, 23 Apr 2008 16:31:15 -0500 (CDT)
>
> Apr 23 16:31:15 mail amavis[22991]: (22991-13) Checking: 71NV2CxrKvcf
> [82.67.64.191] <fetamemoryplus.org> -> sjohnsonmydomain.com
> <mailto:sjohnsonedina.k12.mn.us>
>
> Apr 23 16:31:16 mail amavis[22991]: (22991-13) FWD via SMTP:
> <fetamemoryplus.org> -> <sjohnsonmydomain.com>, BODY=8BITMIME 250
> 2.6.0 Ok, id=22991-13, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued
> as 61909C3804A
>
> Apr 23 16:31:16 mail amavis[22991]: (22991-13) Passed
> CLEAN, [82.67.64.191] [82.67.64.191] <fetamemoryplus.org> ->
> <sjohnsonmydomain.com>, Message-ID:
> <9149664024.20080423221319rutasnc.it>, mail_id: 71NV2CxrKvcf, Hits:
> 2.701, queued_as: 61909C3804A, 1312 ms
>
>
>
> It sucks that they are now starting to re-queue their stupid spam; why
> don't they GET A CLUE that we don't want their crp.
>
>
>
> Anyone have an idea on how I can help shore this up?
>

You could use check_client_access with a pcre:

/\d+([-\.]\d+){3}/ 554 5.7.1 Generic hostname. Please use your ISP relay or fix your rDNS

>
>
> In my main.cf I've got:
>
>
>
> reject_invalid_hostname,
>
> reject_non_fqdn_sender,
>
> reject_non_fqdn_recipient,
>
> reject_unknown_recipient_domain,
>
> reject_unauth_pipelining,
>
> permit_mynetworks,
>
> reject_unauth_destination,
>
> reject_rbl_client combined.njabl.org,
>
> reject_rbl_client list.dsbl.org,
>
> reject_rbl_client bl.spamcop.net,
>
> reject_rbl_client sbl-xbl.spamhaus.org,
>

Use zen.spamhaus.org instead of just sbl-xbl. Please read their policy
and decide for yourself.
> reject_rbl_client list.dsbl.org,
>
> reject_rbl_client all.rbl.jp,
>
> reject_rbl_client rbl-plus.mail-abuse.org,
>
> check_policy_service inet:127.0.0.1:2501,
>
> permit
>
>
>
> Shouldn't that prohibit the postfix from allowing a connection with a
> server using: "wzbkw.proxad.net (mut38-1-82-67-64-191.fbx.proxad.net
> [82.67.64.191])" as a hostname?
>

The helo hostname is wzbkw.proxad.net (the part between parens is the
rDNS and the IP). The helo name doesn't exist, but
reject_unknown_hostname will reject legitimate mail, so it is not recommended.

I personally block .fbx.proxad.net.
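As an added illustration (this is not code from mouss's reply or from Postfix itself), the Python script below models how a pcre: table used with check_client_access would classify client hostnames. Postfix evaluates a pcre table top to bottom and the first matching line wins, so the script keeps the same ordering semantics; the rejection rule is the one from the reply above, while the whitelist entry, the domain names it uses and the sample client names are constructed for this example.

```python
import re

# Added example: a model of a Postfix "pcre:" access table for check_client_access.
# Each tuple mirrors one "/pattern/ action" line; as in Postfix, the first pattern
# that matches decides, so an OK entry placed before the generic-hostname rule
# protects a known-good sender whose rDNS still looks generic.
CLIENT_ACCESS_PCRE = [
    # Constructed whitelist entry: a partner on a static line whose ISP never
    # gave it a proper rDNS name (assumed domain, not from the thread).
    (r"^static-10-20-30-40\.isp\.example$", "OK"),
    # The rule suggested in the reply: four digit groups separated by "-" or "."
    # anywhere in the client name (a dotted or dashed IP embedded in the rDNS).
    (r"\d+([-\.]\d+){3}",
     "554 5.7.1 Generic hostname. Please use your ISP relay or fix your rDNS"),
]

# Postfix pcre tables match case-insensitively by default; mirror that here.
COMPILED = [(re.compile(pattern, re.IGNORECASE), action)
            for pattern, action in CLIENT_ACCESS_PCRE]


def lookup(client_name: str):
    """Return the action of the first matching line, or None when no line
    matches (Postfix then continues with the next restriction, i.e. DUNNO)."""
    for regex, action in COMPILED:
        if regex.search(client_name):
            return action
    return None


def classify(client_names):
    """Apply the table to every client hostname; returns {name: action or None}."""
    return {name: lookup(name) for name in client_names}


# Constructed sample client names, i.e. what Postfix presents as the client
# hostname after the rDNS lookup. The first entry is the rDNS from the log
# quoted in the thread; the rest are made up for the example.
SAMPLES = [
    "mut38-1-82-67-64-191.fbx.proxad.net",  # IP written with dashes inside the rDNS
    "82.67.64.191",                          # bare address literal
    "unknown",                               # Postfix uses this when rDNS fails entirely
    "mail.example.com",                      # ordinary mail host, no digit groups
    "static-10-20-30-40.isp.example",        # would match, but is whitelisted first
]

if __name__ == "__main__":
    for name, action in classify(SAMPLES).items():
        print(f"{name:40s} -> {action if action else 'DUNNO (no match)'}")
```

Two points worth noting when reading the output: the rule only sees the client hostname (the rDNS), not the HELO name, which is why wzbkw.proxad.net is irrelevant to it; and a client with no rDNS at all shows up as "unknown", which contains no digits and therefore passes this rule untouched (that case is what reject_unknown_client_hostname is for).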