Use Postfix to block sender with certain text

AITCS
Posts: 45
Joined: 13 Mar 2017 11:12

Use Postfix to block sender with certain text

Post by AITCS »

Hi all,

I have an interesting issue... someone out there really enjoys sending mail to our server from numerous compromised servers, IPs are all over the place, but they are targeting one specific user in our system. The only common thing I can find in all of the mail is that there is a certain string which never changes in the "From" field (not the one in the headers section of Mailscanner).
I've added these to custom_rule.cf which bumps the score so high the user never gets the email, but I'd really love to do a REJECT at the Postfix stage.
Does anyone know how I might achieve this?

Here are some example "From" addresses all arriving in the space of 20 minutes:

meaxdsro-cvzxysifne-m6556o-tfdgcvkvypuirlcztj.tfd.rl@pnddmc.meganslostside.win
onxfmcsoh-cvzxysifne-o8264h-tfdgcvkvypuirlcztj.tfd.rl@irumop.keiraswideright.win
dhbeyvf-cvzxysifne-d8477f-tfdgcvkvypuirlcztj.tfd.rl@ovihip.meganslostside.win
utelbzvefc-cvzxysifne-u9544c-tfdgcvkvypuirlcztj.tfd.rl@sarlgm.eviesfreshfather.win
wcpaudexece-cvzxysifne-w1906e-tfdgcvkvypuirlcztj.tfd.rl@jjhzua.jocelynssecretperson.win
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker »

Interesting question!

Since this is a postfix problem, we do a quick search for rejecting mail based on content in postfix and we find this link describing how to do it. It looks simple enough.

First, I check my /etc/postfix/main.cf for header_checks to see if it's already configured

[root@efa postfix]# grep ^header_checks /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks

and yes, we are.

Next we add our string to /etc/postfix/header_checks; specifically I append this to the file:

/blockthisstring/ REJECT mail blocking testing

and restart postfix:

service postfix restart

Next, I send a message from an email address that contains my "blockthisstring" and watch the postfix /etc/mail/maillog when I get the following:

May 5 15:21:02 efa postfix/cleanup[8329]: DB35C180BA5: reject: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: 5.7.1 mail blocking testing

Great! It works, so let's make a change. Should we notify the spammer that we are blocking him? Nah, otherwise he'll change things and we'll end up playing whack-a-spammer. Let's change our action to pretend to accept the mail, but just silently drop it instead. So I'll change the action from REJECT to DISCARD in the header_checks file, restart postfix and send a new message:

May 5 15:33:28 efa postfix/cleanup[11819]: F057F180C2D: discard: header Return-Path: <user@blockthisstring.com> from mail6.bemta12.messagelabs.com[216.82.250.247]; from=<user@blockthisstring.com> to=<user@myefadomain.com> proto=ESMTP helo=<mail6.bemta12.messagelabs.com>: mail blocking testing

And we're done. Postfix will reject the mail based on that incoming string and EFA will never have to spamcheck the message, saving us CPU time, disk space, electron depletion and our peace of mind. Wonderful!

Give it a try and let us know how you get along.
AITCS
Posts: 45
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS »

Very detailed answer, thank you very much for your efforts.
I'll give it a try in the morning as it's approaching close of business on this side of the world.
Will report back after we've implemented and tested.
AITCS
Posts: 45
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS »

Curiosity got the better of me...

Unfortunately no luck with your solution. It still lets the emails straight through to MailScanner.
Do we need to postmap the header_checks file for it to work or not?
There is a header_checks.db file in /etc/postfix. I have renamed it temporarily as I think we've attempted this in the past but never got it working back then either.

What other information can I provide to try to diagnose this?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker »

You can post the actual string you put in the file.

As long as your postfix main.cf matches mine, then adding the expression and restarting postfix is all you need to do. No postmap necessary.

It worked for me first time.
AITCS
Posts: 45
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS »

Deleted post. Useless content.
Last edited by AITCS on 06 May 2018 01:15, edited 1 time in total.
AITCS
Posts: 45
Joined: 13 Mar 2017 11:12

Re: Use Postfix to block sender with certain text

Post by AITCS »

Okay, I realise where the problem is occurring...

The spammy from address is only sent during the "mail from:" part of the SMTP conversation, which is not tested by header_checks.
I did manage to resolve the issue, and will post here for future reference.

Let's make a new sender restriction based on regular expressions:

nano /etc/postfix/sender_access_regexp

and add a new entry with the correct regex:

/cvzxysifne/ DISCARD

Now we need to get Postfix to parse this new file. Modify the following entry in /etc/postfix/main.cf to include the following. Keep the current sender restrictions and just add the new one to the end of the same line.

smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/sender_access_regexp

Restart Postfix and now everything works!
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker »

magic! :dance:
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Use Postfix to block sender with certain text

Post by BruceLeeRoy »

Sorry to revive an old thread but I'm working on a similar issue. I'm trying to use header_checks to block specific messages.

Here's the situation: Some scammer creates generic Gmail/Yahoo accounts using our CEO's real name, then emails the entire company with "I need you to discreetly do a task for me. please respond ASAP". The end user sees an email from "CEO Realname" and responds, ignoring the actual from address. Yes I know, I've re-educated them several times but someone keeps falling for it.

So I was able to block incoming messages using

/^From:.*CEO Realname  / PREPEND From: [LIKELY SCAMMER]

But then realized EFA is scanning incoming AND outgoing messages so I need to allow messages out from our CEO. Additionally I should allow messages from his Gmail account.
I've tried variations of the below entries with no luck

/^From:.*CEO Realname" +(ceo@realdomain.com) / PASS
/^From:.*CEO Realname +(realaltaccount@gmail.com / PASS
/^From:.*CEO Realname +(.*@) / PREPEND From: [LIKELY SCAMMER]

I've seen PASS and OK listed on several man pages but the man pages in my installation do not show those "actions". Postfix reports it is ver 3.1.3
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker »

Nothing wrong with opening up old threads if they are still relevant.

I've not looked in detail at your problem, but if your header_check rules are not working, then I would check your regex and make sure that it is working correctly first.

Whenever I've had an issue with the checks not working as expected, it's always come down to an incorrect regex.

For example - your regex specifies that you need a space at the end of the From line. Is that what you want? Look closely at the first line. I've marked the space you've left in for you in the second line.

/^From:.*CEO Realname" +(ceo@realdomain.com) / PASS
/^From:.*CEO Realname" +(ceo@realdomain.com)<SPACE HERE>/ PASS

Maybe you can give me a real header to work from (or slightly modified to keep it confidential) and then we can compare it against the regex you are using.

Here is another tip: I like the PREPEND function as I can use it for testing without disrupting mail flow. For example, I might use this rule:

/^From:.*CEO Realname" +(ceo@realdomain.com)/ PREPEND X-RuleTest: Rule 1
/^From:.*CEO Realname +(realaltaccount@gmail.com)/ PREPEND X-RuleTest: Rule 2

And then I will check the mail headers to see which rule was hit (if any) by looking at the X-RuleTest header from EFA.

Let me know how you get on.
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Use Postfix to block sender with certain text

Post by BruceLeeRoy »

Thanks for your suggestions, you're right, I did not intend for there to be a space, so I tried modifying it while removing the space, still did not work. I am not all that good with writing Regex. That being said, I can't find the log entries I am trying to match because neither maillog nor messages shows the real name in an entry. Are the headers logged somewhere else? I know that it is matching the real name somewhere because I've been testing entries in /etc/postfix/header_checks
with an entry

/^From:.*CEO Name/ PREPEND From: [SCAMMER]

And when I send a message with the CEO Name I receive it with the from field showing:

"[SCAMMER]"@mydomain.com

Here is the corresponding log entry from maillog:

Mar 11 14:16:44 efa postfix/cleanup[542]: 9EA362007E: hold: header Received: from mail-ed1-f46.google.com (mail-ed1-f46.google.com [209.85.208.46])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))??(No client certificate requested)??by efa.mydom from mail-ed1-f46.google.com[209.85.208.46]; from=<testaccount@gmail.com> to=<myaccount@mydomain.com> proto=ESMTP helo=<mail-ed1-f46.google.com>
Mar 11 14:16:44 efa postfix/cleanup[542]: 9EA362007E: prepend: header From: CEO Name <testaccount@gmail.com> from mail-ed1-f46.google.com[209.85.208.46]; from=<testaccount@gmail.com> to=<myaccount@mydomain.com> proto=ESMTP helo=<mail-ed1-f46.google.com>: From: [SCAMMER]

The only place it shows "CEO Name" is in the prepended From field after it has identified a match.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Use Postfix to block sender with certain text

Post by pdwalker »

You're trying to achieve something different - you are trying to rewrite an existing header, rather than add a new header.

For that, you'll have to do something different.

1/ This: https://serverfault.com/questions/15690 ... il-subject

or 2/, configure and use the MCP portion of EFA to look for this pattern and edit your subject, or block it entirely.

In fact, why don't you use this header check to drop the message entirely? If it's a scammer, why does anyone have to see it?

If you want to keep it, set up a custom spamassassin rule to score this as +100 and then you can find these messages in the message interface.
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Use Postfix to block sender with certain text

Post by BruceLeeRoy »

Actually I was able to get it working with header_checks by just whitelisting the valid email addresses first, then blacklisting the CEO's real name. Prepending the From line prevents it from actually getting to the user because now EFA sees a malformed header and marks it as spam.
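As an added example (not code from this thread, EFA or Postfix), the following Python evaluator mimics the first-match-wins semantics of Postfix regexp tables and shows both points made in this thread: the whitelist-before-blacklist ordering of header_checks from the reply above (using DUNNO as the "pass" action), and, from AITCS's resolution earlier, why a string that only appears in the envelope MAIL FROM is caught by check_sender_access but never by header_checks. Table entries, addresses and messages are constructed, and the access lookup is simplified to matching the full address.

```python
import re
# Added example, not Postfix/EFA code: evaluates Postfix regexp: tables
# ('/pattern/ action', top to bottom, first match wins, case-insensitive).
def load_table(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # leading '!' negates the pattern; a malformed line raises AttributeError
        negate, pattern, action = re.match(r"^(!?)/(.+)/\s+(\S.*)$", line).groups()
        rules.append((negate == "!", re.compile(pattern, re.I), action))
    return rules

def lookup(rules, key):
    for negate, rx, action in rules:  # first matching rule decides
        if bool(rx.search(key)) != negate:
            return action
    return None

def check_headers(rules, headers):
    # header_checks looks up each header line on its own; DUNNO ends the search
    # for that line and counts as no match, so whitelist rules must come first
    hits = []
    for line in headers:
        action = lookup(rules, line)
        if action and action.upper() != "DUNNO":
            hits.append((line.split(":", 1)[0], action))
    return hits

HEADER_CHECKS = load_table(r"""
/^From:.*CEO Realname.*<ceo@realdomain\.com>/         DUNNO
/^From:.*CEO Realname.*<realaltaccount@gmail\.com>/   DUNNO
/^From:.*CEO Realname/   PREPEND X-RuleTest: display-name impersonation
/cvzxysifne/             DISCARD
""")
# check_sender_access keys on the SMTP MAIL FROM address, which header_checks
# never sees (simplified here to a full-address lookup)
SENDER_ACCESS = load_table("/cvzxysifne/ DISCARD")

def demo():  # constructed messages; the .win spam had its marker only in MAIL FROM
    scam = ["From: CEO Realname <testaccount@gmail.com>", "Subject: urgent task"]
    ceo = ["From: CEO Realname <ceo@realdomain.com>", "Subject: board pack"]
    spam_env = "abcde-cvzxysifne-a1234b@xyzabc.example"
    spam_hdr = ["From: Megan <megan@xyzabc.example>", "Subject: hi"]
    return {"scam": check_headers(HEADER_CHECKS, scam),
            "ceo": check_headers(HEADER_CHECKS, ceo),
            "spam_header_checks": check_headers(HEADER_CHECKS, spam_hdr),
            "spam_sender_access": lookup(SENDER_ACCESS, spam_env)}
```

Swap the two DUNNO lines below the PREPEND line and the CEO's own mail gets tagged too, which is the ordering problem the reply above describes.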