Getting spam from domains without DNS records

General eFa discussion
booola
Posts: 12
Joined: 12 Oct 2017 13:52

Getting spam from domains without DNS records

Post by booola » 10 Oct 2019 08:59

Dear Sirs,
I would like to ask why some emails from "automatically generated" email addresses are not filtered (for example zojaaxzhfdxsebesta@helpmmo.com, bohumilrmegazf@pythoanywhere.co, etc. - both domains do not exist)?


I set up Postfix with:

Restrictions on senders in HELO commands:
check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_unknown_hostname, reject_invalid_hostname

Restrictions on sender addresses:
permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_hostname

Restrictions on recipient addresses:
check_client_access hash:/etc/postfix/rbl_override, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_client_hostname, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient


Is there something missing in /etc/postfix/main.cf?
Thank you, I appreciate your work.

pdwalker
Posts: 1185
Joined: 18 Mar 2015 09:16

Re: Getting spam from domains without DNS records

Post by pdwalker » 21 Oct 2019 03:12

Is there anything helpful in your /var/log/maillog?

For example, I see the following entries that tell me it is working as expected:
Oct 20 04:20:45 efa postfix/smtpd[12399]: NOQUEUE: reject: RCPT from unknown[193.32.160.154]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [193.32.160.154]; from=<q3i5jrwg4mdcd@zazadorali.cl> to=<info@example.com> proto=ESMTP helo=<[193.32.160.146]>
and
Oct 20 05:17:08 efa postfix/smtpd[26596]: NOQUEUE: reject: RCPT from mail6.bemta24.messagelabs.com[67.219.250.152]: 450 4.1.8 <zqn@judywppkb.com>: Sender address rejected: Domain not found; from=<zqn@judywppkb.com> to=<aef@example.com> proto=ESMTP helo=<mail6.bemta24.messagelabs.com>

booola
Posts: 12
Joined: 12 Oct 2017 13:52

Re: Getting spam from domains without DNS records

Post by booola » 21 Oct 2019 06:16

Thank you, pdwalker, for the response. It looks like it doesn't filter domains/addresses at all:
Oct 21 06:06:59 km postfix/cleanup[25729]: 0ECD61013A3: hold: header Received: from unstrung.tsharbach.co (unstrung.swingthelamp.com [69.94.158.71])??by our.email.com (Postfix) with ESMTP id 0ECD61013A3??for <our@email>; Mon, 21 Oct 2019 06:06:58 +0200 (CE from unstrung.swingthelamp.com[69.94.158.71]; from=<vladimirwhscdte@tsharbach.co> to=<our@email> proto=ESMTP helo=<unstrung.tsharbach.co>
Oct 21 06:07:04 km MailScanner[24386]: <A> tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:04 km MailScanner[24386]: HTML Img tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:05 km postfix/qmgr[1137]: 389CE101B08: from=<vladimirwhscdte@tsharbach.co>, size=4122, nrcpt=1 (queue active)
Oct 21 06:06:59 km postfix/smtpd[21211]: 0ECD61013A3: client=unstrung.swingthelamp.com[69.94.158.71]
Oct 21 06:06:59 km postfix/cleanup[25729]: 0ECD61013A3: hold: header Received: from unstrung.tsharbach.co (unstrung.swingthelamp.com [69.94.158.71])??by our.email.com (Postfix) with ESMTP id 0ECD61013A3??for <our@email>; Mon, 21 Oct 2019 06:06:58 +0200 (CE from unstrung.swingthelamp.com[69.94.158.71]; from=<vladimirwhscdte@tsharbach.co> to=<our.email.com> proto=ESMTP helo=<unstrung.tsharbach.co>
Oct 21 06:06:59 km postfix/cleanup[25729]: 0ECD61013A3: message-id=<yxmxsrriju4th-emrd1wc@r.tsharbach.co>
Oct 21 06:07:04 km MailScanner[24386]: <A> tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:04 km MailScanner[24386]: HTML Img tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:05 km MailScanner[24386]: Requeue: 0ECD61013A3.A1781 to 389CE101B08
Oct 21 06:07:05 km MailScanner[24386]: MailWatch: Logging message 0ECD61013A3.A1781 to SQL
Oct 21 06:07:05 km MailScanner[24390]: MailWatch: 0ECD61013A3.A1781: Logged to MailWatch SQL

pdwalker
Posts: 1185
Joined: 18 Mar 2015 09:16

Re: Getting spam from domains without DNS records

Post by pdwalker » 21 Oct 2019 07:29

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_helo_hostname

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501
What are the current values of these three postfix variables in your /etc/postfix/main.cf file?

booola
Posts: 12
Joined: 12 Oct 2017 13:52

Re: Getting spam from domains without DNS records

Post by booola » 21 Oct 2019 16:23

Here it is; I added some rules:
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_hostname, reject_invalid_hostname

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_unknown_hostname

smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/rbl_override, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_client_hostname, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient
Thank you.

pdwalker
Posts: 1185
Joined: 18 Mar 2015 09:16

Re: Getting spam from domains without DNS records

Post by pdwalker » 23 Oct 2019 04:30

So your configuration seems correct and it should work.

The only thing I can think of is that it is a problem with your DNS. Is Postfix able to successfully do the DNS lookups necessary for the checks? Maybe you'll have to run Postfix in debug mode to check what happens when one of these connections comes in.

What are the contents of your /etc/resolv.conf?

booola
Posts: 12
Joined: 12 Oct 2017 13:52

Re: Getting spam from domains without DNS records

Post by booola » 23 Oct 2019 13:48

resolv.conf should be good. There is just the IP address of the local name server (based on SBS 2011), nothing else.
If I do nslookup for mail domains like @sdfhsu.co, @binaloodagri.co, etc., almost all of this crap is translated to 80.249.161.171. I've tested it also in some online tools and it is the same translation.

pdwalker
Posts: 1185
Joined: 18 Mar 2015 09:16

Re: Getting spam from domains without DNS records

Post by pdwalker » 26 Oct 2019 05:09

What happens when you try to resolve the address of the non-existent domains using that domain server?

booola
Posts: 12
Joined: 12 Oct 2017 13:52

Re: Getting spam from domains without DNS records

Post by booola » 29 Oct 2019 14:51

The same result everywhere (at work and also at home - different DNS servers):

nslookup bulurx.com

Server: server.net.local
Address: 10.0.0.253

Non-authoritative answer:
Name: bulurx.com
Address: 80.249.161.171

pdwalker
Posts: 1185
Joined: 18 Mar 2015 09:16

Re: Getting spam from domains without DNS records

Post by pdwalker » 31 Oct 2019 11:05

huh?

That domain exists, so therefore it will pass the initial Postfix checks.

This is what you should be seeing:


[pdwalker@pdwmac:~/Documents/VirtualMachines] {517}
$ nslookup thisdoesnotexistasadomain.com
Server:		10.10.1.1
Address:	10.10.1.1#53

** server can't find thisdoesnotexistasadomain.com: NXDOMAIN
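The point of the exchange above is that reject_unknown_sender_domain only rejects a sender whose domain does not resolve at all (NXDOMAIN, as in pdwalker's nslookup); a throwaway domain that has been parked on a single A record, like the ones booola looked up, passes that check. The script below is an added example, not part of this thread or of eFa or Postfix, that replays that decision over sender domains pulled from maillog lines and additionally reports any address that several accepted sender domains share, which is the pattern booola observed. The log excerpt, the FAKE_DNS table and the helper names are constructed for the example; the live_resolver function uses the standard library's socket.getaddrinfo and is a simplification of Postfix's lookup, which also accepts a bare MX record.

```python
"""Replay Postfix's reject_unknown_sender_domain decision over sender domains
found in maillog lines, and flag addresses shared by many sender domains."""
import re
import socket
from collections import defaultdict

# Matches the sender domain in Postfix's "from=<user@domain>" field.
FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")

# Constructed log excerpt shaped like the lines in this thread; queue ids,
# local parts and client addresses are made up for the example.
SAMPLE_LOG = """\
Oct 21 06:06:59 km postfix/smtpd[21211]: 0ECD61013A3: client=unstrung.swingthelamp.com[69.94.158.71]
Oct 21 06:06:59 km postfix/cleanup[25729]: 0ECD61013A3: hold: header Received: ... from=<vladimirwhscdte@tsharbach.co> to=<our@email> proto=ESMTP helo=<unstrung.tsharbach.co>
Oct 21 06:08:31 km postfix/cleanup[25729]: 2F3E4D5C6B7: hold: header Received: ... from=<zojaaxzhfdxsebesta@bulurx.com> to=<our@email> proto=ESMTP helo=<host.example.invalid>
Oct 21 06:10:12 km postfix/smtpd[21211]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <zqn@judywppkb.com>: Sender address rejected: Domain not found; from=<zqn@judywppkb.com> to=<aef@example.com> proto=ESMTP helo=<mail.example.invalid>
Oct 21 06:12:40 km postfix/cleanup[25729]: 1A2B3C4D5E6: hold: header Received: ... from=<alice@example.org> to=<our@email> proto=ESMTP helo=<mx.example.org>
"""

# Constructed stand-in for DNS: a list of addresses, or None for NXDOMAIN.
# The two parked names share one address, mirroring booola's nslookup result.
FAKE_DNS = {
    "tsharbach.co": ["80.249.161.171"],
    "bulurx.com": ["80.249.161.171"],
    "example.org": ["203.0.113.9"],
    "judywppkb.com": None,
}


def constructed_resolver(domain):
    """Offline resolver used by the example and its checks."""
    return FAKE_DNS.get(domain)


def live_resolver(domain):
    """Real A/AAAA lookup via the standard library. Simplification: Postfix
    also accepts a domain that only has an MX record, which this would miss."""
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def sender_domains(log_text):
    """Distinct, lower-cased sender domains seen in from=<...> fields."""
    return sorted({m.group(1).lower() for m in FROM_RE.finditer(log_text)})


def sender_domain_verdict(domain, resolver=constructed_resolver):
    """Mirror reject_unknown_sender_domain: reject only when the name does not
    resolve at all. A parked name with an A record is accepted, as in the thread."""
    addrs = resolver(domain)
    if not addrs:
        return "reject: Domain not found"
    return "accept"


def audit(log_text, resolver=constructed_resolver, threshold=2):
    """Return (verdict per domain, addresses hosting >= threshold sender domains).
    Many accepted sender domains on one address is the sign that the names are
    throwaway domains parked on a single host rather than real mail senders."""
    verdicts = {}
    by_addr = defaultdict(set)
    for dom in sender_domains(log_text):
        verdicts[dom] = sender_domain_verdict(dom, resolver)
        for addr in resolver(dom) or []:
            by_addr[addr].add(dom)
    shared = {addr: sorted(doms) for addr, doms in by_addr.items()
              if len(doms) >= threshold}
    return verdicts, shared


if __name__ == "__main__":
    verdicts, shared = audit(SAMPLE_LOG)
    for dom, verdict in verdicts.items():
        print(f"{dom:20} {verdict}")
    for addr, doms in shared.items():
        print(f"{addr} serves {len(doms)} accepted sender domains: {', '.join(doms)}")
```

Run it against a real /var/log/maillog with resolver=live_resolver to see which accepted senders cluster on one address; the parked names are candidates for a check_sender_access entry or a domain-based blocklist, since the plain DNS existence check will keep letting them through.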

booola
Posts: 12
Joined: 12 Oct 2017 13:52

Re: Getting spam from domains without DNS records

Post by booola » 31 Oct 2019 19:35

Thank you so much for your support!
