Use Postfix to block sender with certain text

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Use Postfix to block sender with certain text

Post by AITCS » 05 May 2018 01:46

Hi all,

I have an interesting issue... someone out there really enjoys sending mail to our server from numerous compromised servers; the IPs are all over the place, but they are targeting one specific user in our system. The only common thing I can find in all of the mail is that there is a certain string which never changes in the "From" field (not the one in the headers section of MailScanner).
I've added these to custom_rule.cf which bumps the score so high the user never gets the email, but I'd really love to do a REJECT at the Postfix stage.
Does anyone know how I might achieve this?

Here are some example "From" addresses all arriving in the space of 20 minutes:

meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl@pnddmc.meganslostside.win
onxfmcsoh-cvzxysifne-o8264h-tfdgcvkvypuirlcztj.tfd.rl@irumop.keiraswideright.win
dhbeyvf-cvzxysifne-d8477f-tfdgcvkvypuirlcztj.tfd.rl@ovihip.meganslostside.win
utelbzvefc-cvzxysifne-u9544c-tfdgcvkvypuirlcztj.tfd.rl@sarlgm.eviesfreshfather.win
wcpaudexece-cvzxysifne-w1906e-tfdgcvkvypuirlcztj.tfd.rl@jjhzua.jocelynssecretperson.win

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker » 05 May 2018 07:36

Interesting question!

Since this is a postfix problem, we do a quick search for rejecting mail based on content in postfix and we find this link describing how to do it. It looks simple enough.

First, I check my /etc/postfix/main.cf for header_checks to see if it's already configured:

    [root@efa postfix]# grep ^header_checks /etc/postfix/main.cf
    header_checks = regexp:/etc/postfix/header_checks

and yes, we are.

Next we add our string to /etc/postfix/header_checks; specifically I append this to the file:

    /blockthisstring/ REJECT mail blocking testing

and restart postfix:

    service postfix restart

Next, I send a message from an email address that contains my "blockthisstring" and watch the postfix /etc/mail/maillog, where I get the following:

    May 5 15:21:02 efa postfix/cleanup[8329]: DB35C180BA5: reject: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: 5.7.1 mail blocking testing

Great! It works, so let's make a change. Should we notify the spammer that we are blocking him? Nah, otherwise he'll change things and we'll end up playing whack-a-spammer. Let's change our action to pretend to accept the mail, but just silently drop it instead. So I'll change the action from REJECT to DISCARD in the header_checks file, restart postfix and send a new message:

    May 5 15:33:28 efa postfix/cleanup[11819]: F057F180C2D: discard: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: mail blocking testing

And we're done. Postfix will reject the mail based on that incoming string and EFA will never have to spamcheck the message, saving us CPU time, disk space, electron depletion and our peace of mind. Wonderful!

Give it a try and let us know how you get along.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 05 May 2018 07:44

Very detailed answer, thank you very much for your efforts.
I'll give it a try in the morning as it's approaching close of business on this side of the world.
Will report back after we've implemented and tested.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 05 May 2018 08:46

Curiosity got the better of me...

Unfortunately no luck with your solution. It still lets the emails straight through to MailScanner.
Do we need to postmap the header_checks file for it to work or not?
There is a header_checks.db file in /etc/postfix. I have renamed it temporarily as I think we've attempted this in the past but never got it working back then either.

What other information can I provide to try to diagnose this?

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker » 05 May 2018 15:56

You can post the actual string you put in the file.

As long as your postfix main.cf matches mine, then adding the expression and restarting postfix is all you need to do. No postmap necessary.

It worked for me first time.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 06 May 2018 00:01

Deleted post. Useless content.
Last edited by AITCS on 06 May 2018 01:15, edited 1 time in total.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS » 06 May 2018 01:15

Okay, I realise where the problem is occurring...

The spammy from address is only sent during the "mail from:" part of the SMTP conversation, which is not tested by header_checks.
I did manage to resolve the issue, and will post here for future reference.

Let's make a new sender restriction based on regular expressions:

    nano /etc/postfix/sender_access_regexp

and add a new entry with the correct regex:

    /cvzxysifne/ DISCARD

Now we need to get Postfix to parse this new file. Modify the following entry in /etc/postfix/main.cf to include the following. Keep the current sender restrictions and just add the new one to the end of the same line.

    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/sender_access_regexp

Restart Postfix and now everything works!
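An added example (not code from this thread or from the Postfix project) that models, in Python, why pdwalker's header_checks attempt let the campaign through while the check_sender_access rule above stops it: a small parser for the regexp table syntax used in both posts, a check_sender_access lookup keyed on the envelope MAIL FROM, and a header_checks lookup keyed on header lines. The sample message, header lines and table are constructed; only the full-address lookup is modelled, not Postfix's additional domain and localpart lookups or negated patterns.

```python
import re

# Constructed table in the syntax of the thread's /etc/postfix/sender_access_regexp:
# '/pattern/flags action' per line, '#' comments and blank lines ignored.
SENDER_ACCESS_REGEXP = """
# fixed token present in every envelope sender of the campaign
/cvzxysifne/    DISCARD
"""

def parse_regexp_table(text):
    """Return [(compiled_regex, action)] in file order; first match wins.
    Postfix regexp tables match case-insensitively unless the 'i' flag toggles
    that off. Negated '!/pattern/' rules are not modelled here."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*?)/([imx]*)\s+(\S.*)$", line)
        if not m:
            raise ValueError("unparsable regexp table line: " + line)
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules

def lookup(rules, key):
    """Action of the first rule matching key, or None (Postfix: 'not found')."""
    return next((action for regex, action in rules if regex.search(key)), None)

def check_sender_access(rules, envelope_sender):
    """check_sender_access: the lookup key is the envelope MAIL FROM address
    (Postfix's extra domain/localpart lookups are not modelled)."""
    return lookup(rules, envelope_sender)

def header_checks(rules, headers):
    """header_checks: every 'Name: value' header line is a lookup key. The
    envelope sender is only among them if an upstream relay already wrote it
    into a Return-Path: header, as in pdwalker's relayed test message."""
    return next((a for a in (lookup(rules, h) for h in headers) if a), None)

# Constructed message: the first envelope sender quoted in the question, but a
# harmless-looking From: header, which is the situation described in the thread.
ENVELOPE = "meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl@pnddmc.meganslostside.win"
HEADERS = ["From: Megan <megan@example.org>", "To: user@example.com", "Subject: hi"]
RULES = parse_regexp_table(SENDER_ACCESS_REGEXP)

if __name__ == "__main__":
    print("header_checks       ->", header_checks(RULES, HEADERS))          # None
    print("check_sender_access ->", check_sender_access(RULES, ENVELOPE))   # DISCARD
```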

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker » 07 May 2018 07:40

magic! :dance:
