Getting spam from domains without DNS records

Posted: 10 Oct 2019 08:59
by booola
Dear Sirs,
I would like to ask you why some of the emails from "automatically generated" email addresses are not filtered (for example zojaaxzhfdxsebesta@helpmmo.com, bohumilrmegazf@pythoanywhere.co, etc.; neither domain exists)?


I set up postfix

Restrictions on senders in HELO commands:
check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_unknown_hostname, reject_invalid_hostname

Restrictions on sender addresses:
permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_hostname

Restrictions on recipient addresses:
check_client_access hash:/etc/postfix/rbl_override, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_client_hostname, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient


Is there something missing in /etc/postfix/main.cf?
Thank you, I appreciate your work.

Re: Getting spam from domains without DNS records

Posted: 21 Oct 2019 03:12
by pdwalker
Is there anything helpful in your /var/log/maillog?

For example, I see the following entries that tells me it is working as expected:
Oct 20 04:20:45 efa postfix/smtpd[12399]: NOQUEUE: reject: RCPT from unknown[193.32.160.154]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [193.32.160.154]; from=<q3i5jrwg4mdcd@zazadorali.cl> to=<info@example.com> proto=ESMTP helo=<[193.32.160.146]>
and
Oct 20 05:17:08 efa postfix/smtpd[26596]: NOQUEUE: reject: RCPT from mail6.bemta24.messagelabs.com[67.219.250.152]: 450 4.1.8 <zqn@judywppkb.com>: Sender address rejected: Domain not found; from=<zqn@judywppkb.com> to=<aef@example.com> proto=ESMTP helo=<mail6.bemta24.messagelabs.com>
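As an added example (not code from the thread), here is a small parser that pulls the useful fields out of "NOQUEUE: reject:" lines like the two above, so you can see at a glance which restriction fired and which sender domains it caught. The sample input is the two log lines quoted in this post plus one accepted-connection line from later in the thread; the "check" label and the regex field names are my own.

```python
import re
from collections import Counter

# Sample input: the two "NOQUEUE: reject:" lines quoted in the post above plus one
# accepted-connection line from later in the thread, embedded so the script runs offline.
SAMPLE_LOG = """\
Oct 20 04:20:45 efa postfix/smtpd[12399]: NOQUEUE: reject: RCPT from unknown[193.32.160.154]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [193.32.160.154]; from=<q3i5jrwg4mdcd@zazadorali.cl> to=<info@example.com> proto=ESMTP helo=<[193.32.160.146]>
Oct 20 05:17:08 efa postfix/smtpd[26596]: NOQUEUE: reject: RCPT from mail6.bemta24.messagelabs.com[67.219.250.152]: 450 4.1.8 <zqn@judywppkb.com>: Sender address rejected: Domain not found; from=<zqn@judywppkb.com> to=<aef@example.com> proto=ESMTP helo=<mail6.bemta24.messagelabs.com>
Oct 21 06:06:59 km postfix/smtpd[21211]: 0ECD61013A3: client=unstrung.swingthelamp.com[69.94.158.71]
"""

# One smtpd reject line: stage (RCPT/MAIL/...), client name[ip], SMTP code, enhanced
# status code, free-text reason, then the envelope and session attributes.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<client_name>[^\[\s]+)\[(?P<client_ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)


def parse_reject(line):
    """Return a dict for a NOQUEUE reject line, or None for any other smtpd line."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Postfix echoes the offending address before some reasons ("<x@y>: Sender address
    # rejected: ..."); drop it, and the trailing ", [ip]", to get a stable check name.
    reason = re.sub(r"^<[^>]*>: ", "", rec["reason"])
    rec["check"] = re.sub(r",? \[[^\]]+\]$", "", reason)
    rec["sender_domain"] = rec["sender"].rpartition("@")[2].lower()
    rec["permanent"] = rec["code"].startswith("5")  # 4xx tells the client to retry later
    return rec


def summarize(log_text):
    """Counts of which restriction fired, and which sender domains each one caught."""
    records = [r for r in map(parse_reject, log_text.splitlines()) if r]
    by_check = Counter(r["check"] for r in records)
    domains_by_check = {}
    for r in records:
        domains_by_check.setdefault(r["check"], set()).add(r["sender_domain"])
    return records, by_check, domains_by_check


if __name__ == "__main__":
    records, by_check, domains = summarize(SAMPLE_LOG)
    for check, n in by_check.most_common():
        print(f"{n:4d}  {check}  domains={sorted(domains[check])}")
```

Both rejects above carry a 450 rather than a 550 because Postfix's unknown_client_reject_code and unknown_address_reject_code default to 450, so a legitimate sender whose DNS is temporarily broken gets to retry; a spam bot usually does not bother.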

Re: Getting spam from domains without DNS records

Posted: 21 Oct 2019 06:16
by booola
Thank you, pdwalker, for the response; it looks like it doesn't filter domains/addresses at all:
Oct 21 06:06:59 km postfix/cleanup[25729]: 0ECD61013A3: hold: header Received: from unstrung.tsharbach.co (unstrung.swingthelamp.com [69.94.158.71])??by our.email.com (Postfix) with ESMTP id 0ECD61013A3??for <our@email>; Mon, 21 Oct 2019 06:06:58 +0200 (CE from unstrung.swingthelamp.com[69.94.158.71]; from=<vladimirwhscdte@tsharbach.co> to=<our@email> proto=ESMTP helo=<unstrung.tsharbach.co>
Oct 21 06:07:04 km MailScanner[24386]: <A> tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:04 km MailScanner[24386]: HTML Img tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:05 km postfix/qmgr[1137]: 389CE101B08: from=<vladimirwhscdte@tsharbach.co>, size=4122, nrcpt=1 (queue active)
Oct 21 06:06:59 km postfix/smtpd[21211]: 0ECD61013A3: client=unstrung.swingthelamp.com[69.94.158.71]
Oct 21 06:06:59 km postfix/cleanup[25729]: 0ECD61013A3: hold: header Received: from unstrung.tsharbach.co (unstrung.swingthelamp.com [69.94.158.71])??by our.email.com (Postfix) with ESMTP id 0ECD61013A3??for <our@email>; Mon, 21 Oct 2019 06:06:58 +0200 (CE from unstrung.swingthelamp.com[69.94.158.71]; from=<vladimirwhscdte@tsharbach.co> to=<our.email.com> proto=ESMTP helo=<unstrung.tsharbach.co>
Oct 21 06:06:59 km postfix/cleanup[25729]: 0ECD61013A3: message-id=<yxmxsrriju4th-emrd1wc@r.tsharbach.co>
Oct 21 06:07:04 km MailScanner[24386]: <A> tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:04 km MailScanner[24386]: HTML Img tag found in message 0ECD61013A3.A1781 from vladimirwhscdte@tsharbach.co
Oct 21 06:07:05 km MailScanner[24386]: Requeue: 0ECD61013A3.A1781 to 389CE101B08
Oct 21 06:07:05 km MailScanner[24386]: MailWatch: Logging message 0ECD61013A3.A1781 to SQL
Oct 21 06:07:05 km MailScanner[24390]: MailWatch: 0ECD61013A3.A1781: Logged to MailWatch SQL

Re: Getting spam from domains without DNS records

Posted: 21 Oct 2019 07:29
by pdwalker
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_helo_hostname

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501
What are the current values of these three postfix variables in your /etc/postfix/main.cf file?

Re: Getting spam from domains without DNS records

Posted: 21 Oct 2019 16:23
by booola
Here it is; I added some rules:
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_reverse_client_hostname, reject_unknown_hostname, reject_invalid_hostname

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname, reject_unknown_hostname

smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/rbl_override, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unknown_client_hostname, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_invalid_hostname, reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_recipient
Thank you.

Re: Getting spam from domains without DNS records

Posted: 23 Oct 2019 04:30
by pdwalker
So your configuration seems correct and it should work.

The only thing I can think of is whether it is a problem with your DNS. Is postfix able to successfully do the DNS lookups necessary for the checks? Maybe you'll have to run postfix in debug mode to check what happens when one of these connections comes in.

What are the contents of your /etc/resolv.conf?

Re: Getting spam from domains without DNS records

Posted: 23 Oct 2019 13:48
by booola
resolv.conf should be good. There is just the IP address of the local name server (based on SBS 2011), nothing else.
If I do an nslookup for mail domains like @sdfhsu.co, @binaloodagri.co, etc., almost all of this crap is translated to 80.249.161.171. I've tested it also in some online tools and it is the same translation.

Re: Getting spam from domains without DNS records

Posted: 26 Oct 2019 05:09
by pdwalker
What happens when you try to resolve the address of the non existent domains using that domain server?

Re: Getting spam from domains without DNS records

Posted: 29 Oct 2019 14:51
by booola
The same result everywhere (work domain and also at home, with different DNS servers):

nslookup bulurx.com

Server: server.net.local
Address: 10.0.0.253

Non-authoritative answer:
Name: bulurx.com
Address: 80.249.161.171

Re: Getting spam from domains without DNS records

Posted: 31 Oct 2019 11:05
by pdwalker
huh?

That domain exists, so therefore it will pass the initial postfix checks.

This is what you should be seeing:

[pdwalker@pdwmac:~/Documents/VirtualMachines] {517}
$ nslookup thisdoesnotexistasadomain.com
Server:		10.10.1.1
Address:	10.10.1.1#53

** server can't find thisdoesnotexistasadomain.com: NXDOMAIN
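To make the distinction concrete, here is an added example (mine, not the thread's or Postfix's own code) that mimics the decision reject_unknown_sender_domain makes from a DNS answer, and then shows the complementary step a practitioner can take for domains that do resolve but only to a parking address: generating check_sender_access entries out of band. The DNS answers are constructed stand-ins (the NXDOMAIN name is pdwalker's example, the .co/.com names resolve to 80.249.161.171 as booola reported, example.com and flaky.example are made up); treating 80.249.161.171 as a parking address is an assumption drawn from this thread.

```python
import ipaddress

# Constructed stand-in for resolver answers (no network needed): a domain maps either to
# an rcode string or to a dict of record type -> values. Names taken from the thread;
# example.com and flaky.example are invented for contrast.
CONSTRUCTED_DNS = {
    "thisdoesnotexistasadomain.com": "NXDOMAIN",
    "bulurx.com": {"A": ["80.249.161.171"]},
    "sdfhsu.co": {"A": ["80.249.161.171"]},
    "example.com": {"MX": ["mail.example.com"], "A": ["203.0.113.10"]},
    "flaky.example": "SERVFAIL",
}

# Assumption: the one address every spam domain in the thread resolves to is treated as
# a parking/sinkhole address. Extend this set from your own observations.
PARKING_IPS = {ipaddress.ip_address("80.249.161.171")}


def lookup(domain, resolver=CONSTRUCTED_DNS):
    return resolver.get(domain.lower().rstrip("."), "NXDOMAIN")


def reject_unknown_sender_domain(domain, resolver=CONSTRUCTED_DNS):
    """Mimic Postfix reject_unknown_sender_domain: it matches only when the MAIL FROM
    domain has neither MX nor A/AAAA records. Returns (action, smtp_code)."""
    ans = lookup(domain, resolver)
    if ans == "NXDOMAIN":
        return "REJECT", 450           # unknown_address_reject_code defaults to 450
    if ans == "SERVFAIL":
        return "DEFER_IF_PERMIT", 450  # unknown_address_tempfail_action default
    if any(ans.get(rtype) for rtype in ("MX", "A", "AAAA")):
        return "DUNNO", None           # restriction does not match; evaluation continues
    return "REJECT", 450               # name exists but has no mail-relevant records


def sender_access_entries(domains, resolver=CONSTRUCTED_DNS, parking=PARKING_IPS):
    """Complementary out-of-band check: emit check_sender_access table lines for sender
    domains that resolve, but only to a known parking address and with no MX record."""
    entries = []
    for domain in sorted(set(d.lower() for d in domains)):
        ans = lookup(domain, resolver)
        if not isinstance(ans, dict) or ans.get("MX"):
            continue
        addrs = {ipaddress.ip_address(a) for a in ans.get("A", []) + ans.get("AAAA", [])}
        if addrs and addrs <= parking:
            entries.append(f"{domain}\tREJECT parked sender domain")
    return entries


if __name__ == "__main__":
    for name in CONSTRUCTED_DNS:
        print(f"{name:32s} -> {reject_unknown_sender_domain(name)}")
    print("\n".join(sender_access_entries(CONSTRUCTED_DNS)))
```

The point of the first function is the "DUNNO" for bulurx.com: a single A record, even one pointing at a parking host, is enough for Postfix to consider the sender domain known, which is exactly why booola's rules never fire. The generated lines can be appended to /etc/postfix/sender_access (already consulted by check_sender_access in the sender restrictions posted earlier) followed by `postmap hash:/etc/postfix/sender_access`. Postfix also provides check_sender_mx_access with a cidr: table, which matches on the addresses of the sender domain's mail hosts; check its behaviour for MX-less domains in the postconf manual before relying on it instead of a pre-computed map.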

Re: Getting spam from domains without DNS records

Posted: 31 Oct 2019 19:35
by booola
Thank you so much for your support!