Use Postfix to block sender with certain text
Hi all,
I have an interesting issue... someone out there really enjoys sending mail to our server from numerous compromised servers, IPs are all over the place, but they are targeting one specific user in our system. The only common thing I can find in all of the mail is that there is a certain string which never changes in the "From" field (not the one in the headers section of Mailscanner).
I've added these to custom_rule.cf which bumps the score so high the user never gets the email, but I'd really love to do a REJECT at the Postfix stage.
Does anyone know how I might achieve this?
Here are some example "From" addresses all arriving in the space of 20 minutes:
meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl@pnddmc.meganslostside.win
onxfmcsoh-cvzxysifne-o8264h-tfdgcvkvypuirlcztj.tfd.rl@irumop.keiraswideright.win
dhbeyvf-cvzxysifne-d8477f-tfdgcvkvypuirlcztj.tfd.rl@ovihip.meganslostside.win
utelbzvefc-cvzxysifne-u9544c-tfdgcvkvypuirlcztj.tfd.rl@sarlgm.eviesfreshfather.win
wcpaudexece-cvzxysifne-w1906e-tfdgcvkvypuirlcztj.tfd.rl@jjhzua.jocelynssecretperson.win
Re: Use Postfix to block sender with certain text
Interesting question!
Since this is a postfix problem, we do a quick search for rejecting mail based on content in postfix and we find this link describing how to do it. It looks simple enough.
First, I check my /etc/postfix/main.cf for header_checks to see if it's already configured
[root@efa postfix]# grep ^header_checks /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks
and yes, we are.
Next we add our string to /etc/postfix/header_checks; specifically I append this to the file:
/blockthisstring/ REJECT mail blocking testing
and restart postfix
service postfix restart
Next, I send a message from an email address that contains my "blockthisstring" and watch the postfix /etc/mail/maillog when I get the following:
May 5 15:21:02 efa postfix/cleanup[8329]: DB35C180BA5: reject: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: 5.7.1 mail blocking testing
Great! It works, so let's make a change. Should we notify the spammer that we are blocking him? Nah, otherwise he'll change things and we'll end up playing whack-a-spammer. Let's change our action to pretend to accept the mail, but just silently drop it instead. So I'll change the action from REJECT to DISCARD in the header_checks file, restart postfix and send a new message:
May 5 15:33:28 efa postfix/cleanup[11819]: F057F180C2D: discard: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: mail blocking testing
And we're done. Postfix will reject the mail based on that incoming string and EFA will never have to spamcheck the message, saving us CPU time, disk space, electron depletion and our peace of mind. Wonderful!
Give it a try and let us know how you get along.
Re: Use Postfix to block sender with certain text
Very detailed answer, thank you very much for your efforts.
I'll give it a try in the morning as it's approaching close of business on this side of the world.
Will report back after we've implemented and tested.
Re: Use Postfix to block sender with certain text
Curiosity got the better of me...
Unfortunately no luck with your solution. It still lets the emails straight through to MailScanner.
Do we need to postmap the header_checks file for it to work or not?
There is a header_checks.db file in /etc/postfix. I have renamed it temporarily as I think we've attempted this in the past but never got it working back then either.
What other information can I provide to try to diagnose this?
Re: Use Postfix to block sender with certain text
You can post the actual string you put in the file.
As long as your postfix main.cf matches mine, then adding the expression and restarting postfix is all you need to do. No postmap necessary.
It worked for me first time.
Re: Use Postfix to block sender with certain text
Deleted post. Useless content.
Last edited by AITCS on 06 May 2018 01:15, edited 1 time in total.
Re: Use Postfix to block sender with certain text
Okay, I realise where the problem is occurring...
The spammy from address is only sent during the "mail from:" part of the SMTP conversation, which is not tested by header_checks.
I did manage to resolve the issue, and will post here for future reference.
Let's make a new sender restriction based on regular expressions:
nano /etc/postfix/sender_access_regexp
and add a new entry with the correct regex
/cvzxysifne/ DISCARD
Now we need to get Postfix to parse this new file. Modify the following entry in /etc/postfix/main.cf to include the following. Keep the current sender restrictions and just add the new one to the end of the same line.
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/sender_access_regexp
Restart Postfix and now everything works!
- BruceLeeRoy
Re: Use Postfix to block sender with certain text
Sorry to revive an old thread but I'm working on a similar issue. I'm trying to use header_checks to block specific messages.
Here's the situation: Some scammer creates generic Gmail/yahoo accounts using our CEO's real name, then emails the entire company with "I need you to discretely do a task for me. please respond ASAP". The end user sees an email from "CEO Realname" and responds, ignoring the actual from address. Yes I know, I've re-educated them several times but someone keeps falling for it.
So I was able to block incoming messages using
/^From:.*CEO Realname / PREPEND From: [LIKELY SCAMMER]
But then realized EFA is scanning incoming AND outgoing messages so I need to allow messages out from our CEO. Additionally I should allow messages from his Gmail account.
I've tried variations of the below entries with no luck
/^From:.*CEO Realname" +(ceo@realdomain.com) / PASS
/^From:.*CEO Realname +(realaltaccount@gmail.com / PASS
/^From:.*CEO Realname +(.*@) / PREPEND From: [LIKELY SCAMMER]
I've seen PASS and OK listed on several man pages but the man pages in my installation do not show those "actions". Postfix reports it is ver 3.1.3
Re: Use Postfix to block sender with certain text
Nothing wrong with opening up old threads if they are still relevant.
I've not looked in detail at your problem, but if your header_check rules are not working, then I would check your regex and make sure that it is working correctly first.
Whenever I've had an issue with the checks not working as expected, it's always come down to an incorrect regex.
For example - your regex specifies that you need a space at the end of the From line. Is that what you want? Look closely at the first line. I've marked the space you've left in for you in the second line.
/^From:.*CEO Realname" +(ceo@realdomain.com) / PASS
/^From:.*CEO Realname" +(ceo@realdomain.com)<SPACE HERE>/ PASS
Maybe you can give me a real header to work from (or slightly modified to keep it confidential) and then we can compare it against the regex you are using.
Here is another tip: I like the PREPEND function as I can use it for testing without disrupting mail flow. For example, I might use this rule:
/^From:.*CEO Realname" +(ceo@realdomain.com)/ PREPEND X-RuleTest: Rule 1
/^From:.*CEO Realname +(realaltaccount@gmail.com/ PREPEND X-RuleTest: Rule 2
And then I will check the mail headers to see which rule was hit (if any) by looking at the X-RuleTest header from EFA.
Let me know how you get on.
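As an added example (not code from this thread or from the EFA project), here is a small Python model of the two Postfix lookup stages the thread runs into: a first-match regexp table applied by check_sender_access to the envelope MAIL FROM address and by header_checks to each header line. The rule tables, sample headers and function names are constructed for the example; it reproduces the earlier case where the marker string only exists in the envelope sender, the whitelist-then-blacklist ordering, and the trailing-space mistake discussed just above.

```python
import re

# Constructed tables (not from any real server), in Postfix regexp_table(5) syntax:
# "/pattern/flags action"; first match wins; case-insensitive unless flag "i" is set.
HEADER_CHECKS = """
# whitelist first: a match on a genuine address ends the search with DUNNO
/^From:.*CEO Realname.*<ceo@realdomain\\.com>/        DUNNO
/^From:.*CEO Realname.*<realaltaccount@gmail\\.com>/  DUNNO
/^From:.*CEO Realname/                                PREPEND X-RuleTest: Rule 1
"""
SENDER_ACCESS_REGEXP = "/cvzxysifne/  DISCARD\n"
RULE_RE = re.compile(r'^/(.*)/([a-zA-Z]*)\s+(.+)$')  # Python re stands in for Postfix's engine; "!" negation not modelled

def parse_table(text):
    """Return [(compiled_regex, action)] in file order, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m: raise ValueError('unparseable rule: %r' % line)
        pattern, flags, action = m.groups()
        rules.append((re.compile(pattern, 0 if 'i' in flags else re.I), action))
    return rules

def lookup(rules, key):
    """First matching rule decides, as in Postfix; None means nothing matched."""
    for rx, action in rules:
        if rx.search(key):
            return action
    return None

def check_message(envelope_sender, headers):
    """check_sender_access sees only MAIL FROM; header_checks sees header lines (DUNNO = no match, next line)."""
    sender_action = lookup(parse_table(SENDER_ACCESS_REGEXP), envelope_sender)
    per_header = [lookup(parse_table(HEADER_CHECKS), h) for h in headers]
    return sender_action, next((a for a in per_header if a and a != 'DUNNO'), None)

def spam_run_demo():
    """The thread's case: the marker string appears only in the envelope sender."""
    envelope = 'meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl@pnddmc.meganslostside.win'
    return check_message(envelope, ['From: "Megan" <noreply@example.invalid>'])

def trailing_space_demo():
    """Stray space before the closing slash (the bug spotted above) vs the fixed rule."""
    header = 'From: "CEO Realname" <ceo@realdomain.com>'
    broken = parse_table('/^From:.*CEO Realname.*<ceo@realdomain\\.com> / DUNNO')
    fixed = parse_table('/^From:.*CEO Realname.*<ceo@realdomain\\.com>/ DUNNO')
    return lookup(broken, header), lookup(fixed, header)
```

On the real server the equivalent check is `postmap -q 'From: CEO Realname <x@example.invalid>' regexp:/etc/postfix/header_checks`, which prints the action of the first rule that matches the given key.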
- BruceLeeRoy
Re: Use Postfix to block sender with certain text
Thanks for your suggestions, you're right, I did not intend for there to be a space, so I tried modifying it while removing the space, still did not work. I am not all that good with writing Regex. That being said, I can't find the log entries I am trying to match because neither maillog nor messages shows the real name in an entry. Are the headers logged somewhere else? I know that it is matching the real name somewhere because I've been testing entries in /etc/postfix/header_checks
with an entry
/^From:.*CEO Name/ PREPEND From: [SCAMMER]
And when I send a message with the CEO Name I receive it with the from field showing:
"[SCAMMER]"@mydomain.com
Here is the corresponding log entry from maillog:
Mar 11 14:16:44 efa postfix/cleanup[542]: 9EA362007E: hold: header Received: from mail-ed1-f46.google.com (mail-ed1-f46.google.com [209.85.208.46])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by efa.mydom from mail-ed1-f46.google.com[209.85.208.46]; from=<testaccount@gmail.com> to=<myaccount@mydomain.com> proto=ESMTP helo=<mail-ed1-f46.google.com>
Mar 11 14:16:44 efa postfix/cleanup[542]: 9EA362007E: prepend: header From: CEO Name <testaccount@gmail.com> from mail-ed1-f46.google.com[209.85.208.46]; from=<testaccount@gmail.com> to=<myaccount@mydomain.com> proto=ESMTP helo=<mail-ed1-f46.google.com>: From: [SCAMMER]
The only place it shows "CEO Name" is in the prepended From field after it has identified a match.
Re: Use Postfix to block sender with certain text
You're trying to achieve something different - you are trying to rewrite an existing header, rather than add a new header.
For that, you'll have to do something different.
1/ This: https://serverfault.com/questions/15690 ... il-subject
or 2/, configure and use the MCP portion of EFA to look for this pattern and edit your subject, or block it entirely.
In fact, why don't you use this header check to drop the message entirely? If it's a scammer, why does anyone have to see it?
If you want to keep it, set up a custom spamassassin rule to score this as +100 and then you can find these messages in the message interface.
- BruceLeeRoy
Re: Use Postfix to block sender with certain text
Actually I was able to get it working with header_checks by just whitelisting the valid email addresses first, then blacklisting the CEO's real name. Prepending the From line prevents it from actually getting to the user because now EFA sees a malformed header and marks it as spam.