Use Postfix to block sender with certain text

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Use Postfix to block sender with certain text

Post by AITCS » 05 May 2018 01:46

Hi all,

I have an interesting issue... someone out there really enjoys sending mail to our server from numerous compromised servers, IPs are all over the place, but they are targeting one specific user in our system. The only common thing I can find in all of the mail is that there is a certain string which never changes in the "From" field (not the one in the headers section of Mailscanner).
I've added these to custom_rule.cf which bumps the score so high the user never gets the email, but I'd really love to do a REJECT at the Postfix stage.
Does anyone know how I might achieve this?

Here are some example "From" addresses all arriving in the space of 20 minutes:

meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl@pnddmc.meganslostside.win
onxfmcsoh-cvzxysifne-o8264h-tfdgcvkvypuirlcztj.tfd.rl@irumop.keiraswideright.win
dhbeyvf-cvzxysifne-d8477f-tfdgcvkvypuirlcztj.tfd.rl@ovihip.meganslostside.win
utelbzvefc-cvzxysifne-u9544c-tfdgcvkvypuirlcztj.tfd.rl@sarlgm.eviesfreshfather.win
wcpaudexece-cvzxysifne-w1906e-tfdgcvkvypuirlcztj.tfd.rl@jjhzua.jocelynssecretperson.win

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker » 05 May 2018 07:36

Interesting question!

Since this is a postfix problem, we do a quick search for rejecting mail based on content in postfix and we find this link describing how to do it. It looks simple enough.

First, I check my /etc/postfix/main.cf for header_checks to see if it's already configured

[root@efa postfix]# grep ^header_checks /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks

and yes, we are.

Next we add our string to /etc/postfix/header_checks; specifically I append this to the file:

/blockthisstring/ REJECT mail blocking testing

and restart postfix

service postfix restart

Next, I send a message from an email address that contains my "blockthisstring" and watch the Postfix maillog (/etc/mail/maillog), where I get the following:

May 5 15:21:02 efa postfix/cleanup[8329]: reject: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: 5.7.1 mail blocking testing
Great! It works, so let's make a change. Should we notify the spammer that we are blocking him? Nah, otherwise he'll change things and we'll end up playing whack-a-spammer. Let's change our action to pretend to accept the mail, but just silently drop it instead. So I'll change the action from REJECT to DISCARD in the header_checks file, restart postfix and send a new message:

May 5 15:33:28 efa postfix/cleanup[11819]: F057F180C2D: discard: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: mail blocking testing

And we're done. Postfix will reject the mail based on that incoming string and EFA will never have to spam-check the message, saving us CPU time, disk space, electron depletion and our peace of mind. Wonderful!

Give it a try and let us know how you get along.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 05 May 2018 07:44

Very detailed answer, thank you very much for your efforts.
I'll give it a try in the morning as it's approaching close of business on this side of the world.
Will report back after we've implemented and tested.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 05 May 2018 08:46

Curiosity got the better of me...

Unfortunately no luck with your solution. It still lets the emails straight through to MailScanner.
Do we need to postmap the header_checks file for it to work or not?
There is a header_checks.db file in /etc/postfix. I have renamed it temporarily as I think we've attempted this in the past but never got it working back then either.

What other information can I provide to try to diagnose this?

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker » 05 May 2018 15:56

You can post the actual string you put in the file.

As long as your postfix main.cf matches mine, then adding the expression and restarting postfix is all you need to do. No postmap necessary.

It worked for me first time.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 06 May 2018 00:01

Deleted post. Useless content.
Last edited by AITCS on 06 May 2018 01:15, edited 1 time in total.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 06 May 2018 01:15

Okay, I realise where the problem is occurring...

The spammy from address is only sent during the "mail from:" part of the SMTP conversation, which is not tested by header_checks.
I did manage to resolve the issue, and will post here for future reference.

Let's make a new sender restriction based on regular expressions:

nano /etc/postfix/sender_access_regexp

and add a new entry with the correct regex

/cvzxysifne/ DISCARD

Now we need to get Postfix to parse this new file. Modify the following entry in /etc/postfix/main.cf. Keep the current sender restrictions and just add the new one to the end of the same line.

smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/sender_access_regexp

Restart Postfix and now everything works!

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker » 07 May 2018 07:40

magic! :dance:

BruceLeeRoy
Posts: 44
Joined: 01 May 2015 13:27

Re: Use Postfix to block sender with certain text

Post by BruceLeeRoy » 20 Jan 2020 17:00

Sorry to revive an old thread but I'm working on a similar issue. I'm trying to use header_checks to block specific messages.

Here's the situation: Some scammer creates generic Gmail/Yahoo accounts using our CEO's real name, then emails the entire company with "I need you to discretely do a task for me. please respond ASAP". The end user sees an email from "CEO Realname" and responds, ignoring the actual from address. Yes I know, I've re-educated them several times but someone keeps falling for it.

So I was able to block incoming messages using

/^From:.*CEO Realname  / PREPEND From: [LIKELY SCAMMER]

But then realized EFA is scanning incoming AND outgoing messages so I need to allow messages out from our CEO. Additionally I should allow messages from his Gmail account.
I've tried variations of the below entries with no luck

/^From:.*CEO Realname" +(ceo@realdomain.com) / PASS
/^From:.*CEO Realname +(realaltaccount@gmail.com / PASS
/^From:.*CEO Realname +(.*@) / PREPEND From: [LIKELY SCAMMER]

I've seen PASS and OK listed on several man pages but the man pages in my installation do not show those "actions". Postfix reports it is version 3.1.3.

pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker » 03 Feb 2020 04:03

Nothing wrong with opening up old threads if they are still relevant.

I've not looked in detail at your problem, but if your header_check rules are not working, then I would check your regex and make sure that it is working correctly first.

Whenever I've had an issue with the checks not working as expected, it's always come down to an incorrect regex.

For example - your regex specifies that you need a space at the end of the From line. Is that what you want? Look closely at the first line. I've marked the space you've left in for you in the second line.

/^From:.*CEO Realname" +(ceo@realdomain.com) / PASS
/^From:.*CEO Realname" +(ceo@realdomain.com)<SPACE HERE>/ PASS

Maybe you can give me a real header to work from (or slightly modified to keep it confidential) and then we can compare it against the regex you are using.

Here is another tip: I like the PREPEND function as I can use it for testing without disrupting mail flow. For example, I might use this rule:

/^From:.*CEO Realname" +(ceo@realdomain.com)/ PREPEND X-RuleTest: Rule 1
/^From:.*CEO Realname +(realaltaccount@gmail.com/ PREPEND X-RuleTest: Rule 2

And then I will check the mail headers to see which rule was hit (if any) by looking at the X-RuleTest header from EFA.

Let me know how you get on.
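Editor's worked example (added here; not code from the thread, from EFA or from Postfix). Two things in this thread come down to where Postfix applies a regexp table: AITCS's header_checks rule never fired because the bot's fixed token lives only in the SMTP envelope MAIL FROM, which check_sender_access sees and header_checks does not; and BruceLeeRoy's allow-list needs DUNNO (documented in header_checks(5) and regexp_table(5), which also documents if/endif and the '!' negation), since OK and PASS are not header_checks actions. The block below models those lookup semantics in Python with a small evaluator for regexp: tables (first match wins, case-insensitive by default, '!' negation, if/endif, DUNNO) and runs both tables against constructed input. It is a simplification: Python's re stands in for Postfix's regex engine, and the m/x flags and $1 substitutions are not modelled. The envelope address is copied from the first post; the headers, the example.* domains and the X-Warning header name are made up.

```python
"""Where Postfix applies the two rule tables from this thread (constructed model).

check_sender_access regexp:... -> the SMTP envelope MAIL FROM address only
header_checks = regexp:...     -> each message header line, one at a time
"""
import re

# One table line: [!]/pattern/[flags] action   ('/' inside the pattern must be escaped)
_RULE = re.compile(r'^(!?)/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s+(\S.*)$')
_IF = re.compile(r'^if\s+(!?)/((?:[^/\\]|\\.)*)/([A-Za-z]*)\s*$')

def _compile(pattern, flags):
    # Postfix regexp tables match case-insensitively; the 'i' flag toggles that off.
    return re.compile(pattern, 0 if 'i' in flags else re.IGNORECASE)

def parse_table(text):
    """Parse a regexp: table into [(guards, negate, regex, action)]; guards = enclosing if/endif conditions."""
    rules, guards = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == 'endif':
            guards.pop()
            continue
        m = _IF.match(line)
        if m:
            guards.append((m.group(1) == '!', _compile(m.group(2), m.group(3))))
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError('unparseable table line: %r' % raw)
        rules.append((list(guards), m.group(1) == '!',
                      _compile(m.group(2), m.group(3)), m.group(4)))
    if guards:
        raise ValueError('if without endif')
    return rules

def lookup(rules, key):
    """Action of the first rule matching key, or None; DUNNO ends the search with None."""
    for guards, negate, regex, action in rules:
        if not all((g.search(key) is not None) != gneg for gneg, g in guards):
            continue
        if (regex.search(key) is not None) != negate:
            return None if action.upper() == 'DUNNO' else action
    return None

class Message:
    def __init__(self, envelope_from, headers):
        self.envelope_from = envelope_from  # address given in MAIL FROM
        self.headers = headers              # "Name: value" lines sent in DATA

def smtpd_sender_restrictions(sender_table, msg):
    """check_sender_access regexp:... looks up the envelope sender only."""
    return lookup(sender_table, msg.envelope_from)

def header_checks(header_table, msg):
    """Run each header line through the table; REJECT/DISCARD stop the scan. Returns [(line, action)]."""
    hits = []
    for line in msg.headers:
        action = lookup(header_table, line)
        if action is not None:
            hits.append((line, action))
            if action.split()[0].upper() in ('REJECT', 'DISCARD'):
                break
    return hits

# Constructed sample data: the envelope address is copied from the first post,
# everything else (headers, example.* domains, the X-Warning name) is made up.
ENVELOPE_SPAM = Message(
    envelope_from='meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl'
                  '@pnddmc.meganslostside.win',
    headers=['From: "Account Team" <noreply@example.net>',
             'To: victim@example.com',
             'Subject: Your account'])

TOKEN_TABLE = '/cvzxysifne/ DISCARD\n'   # the thread's rule, fed to both lookups

# Display-name impersonation of the CEO: the two DUNNO lines end the search for
# the CEO's own addresses, so only other From: lines showing the name get tagged.
CEO_TABLE = r"""
if /^From:.*CEO Realname/
/<ceo@realdomain\.com>/ DUNNO
/<realaltaccount@gmail\.com>/ DUNNO
/^From:/ PREPEND X-Warning: display-name impersonation of CEO Realname
endif
"""

if __name__ == '__main__':
    token = parse_table(TOKEN_TABLE)
    print('check_sender_access ->', smtpd_sender_restrictions(token, ENVELOPE_SPAM))
    print('header_checks       ->', header_checks(token, ENVELOPE_SPAM))
    for hdr in ('From: "CEO Realname" <ceo.realname@gmail.com>',
                'From: "CEO Realname" <ceo@realdomain.com>'):
        print(hdr, '->', lookup(parse_table(CEO_TABLE), hdr))
```

Running it shows the token rule returning DISCARD for the envelope address and nothing at all for the headers, which is exactly the failure AITCS saw, and the CEO table tagging the free-mail impersonation while leaving the two real addresses alone. On a real box the same two checks are `postmap -q 'From: "CEO Realname" <ceo.realname@gmail.com>' regexp:/etc/postfix/header_checks` and `postmap -q 'meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl@pnddmc.meganslostside.win' regexp:/etc/postfix/sender_access_regexp`, followed by `postfix reload`; no postmap build step is needed for regexp: tables. One caveat on the DISCARD choice: Postfix still accepts and reads the whole message before dropping it, whereas REJECT refuses it during the SMTP dialogue, so DISCARD hides the block from the sender at the cost of bandwidth and a cleanup pass.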
