HapplessUser
  1. I've already got it set to reject domains that don't exist, but apparently not validating rDNS. I will look into both. Thanks!
  2. I was looking through my mail logs this morning and got the not so bright idea to maybe start blocking connections from servers that are logging a lot of "user unknown" connections. I quickly realized that this was probably going to be a waste of time because most of the connections were unique with only a few repeat offenders. I also noticed a bunch of connections with helo=lloydstsb.co.uk, but all the connections were from different IP addresses. Any idea what the story might be there? I could just block that domain, but what if one of our users actually communicates with that company? Here are the lines from our log file:

     Feb 9 02:50:02 from eaton6404.pndsl.co.uk[84.92.52.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 02:50:46 from 24-178-98-254.static.stbr.ga.charter.com[24.178.98.254]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.u>
     Feb 9 02:56:41 from 173-162-111-25-miami.hfc.comcastbusiness.net[173.162.111.25]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=lloydstsb.co.uk>
     Feb 9 02:57:06 from unknown[86.188.155.194]: 554 5.7.1 Service unavailable; Client host [86.188.155.194] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=86.188.155.194; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:03:14 from pa.sa.net.ua[194.6.231.209]: 554 5.7.1 Service unavailable; Client host [194.6.231.209] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=194.6.231.209; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:04:48 from host198-232-static.15-188-b.business.telecomitalia.it[188.15.232.198]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:04:57 from unknown[116.12.202.73]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:05:01 from unknown[112.196.41.58]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:06:07 from mail.dauvister.com[213.177.69.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:08:47 from unknown[195.171.105.130]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:08:55 from unknown[212.156.146.22]: 554 5.7.1 Service unavailable; Client host [212.156.146.22] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.156.146.22; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:10:12 from unknown[187.210.33.90]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:10:15 from 2.182.0.109.rev.sfr.net[109.0.182.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:11:10 from unknown[96.88.1.69]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:11:41 from unknown[118.102.226.227]: 554 5.7.1 Service unavailable; Client host [118.102.226.227] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=118.102.226.227; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:13:38 from unknown[151.237.217.130]: 554 5.7.1 Service unavailable; Client host [151.237.217.130] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=151.237.217.130; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:13:39 from unknown[74.5.197.214]: 554 5.7.1 Service unavailable; Client host [74.5.197.214] blocked using hostkarma.junkemailfilter.com; Black listed at hostkarma http://ipadmin.junkemailfilter.com/remove.php?ip=74.5.197.214; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:14:11 from unknown[64.18.65.2]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:15:01 from unknown[2.122.127.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:19:01 from 7.81.114.89.rev.vodafone.pt[89.114.81.7]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 03:20:11 from 149-96-241-84.static.cable.fcom.ch[84.241.96.149]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
     Feb 9 04:34:12 from mail.degem.com[212.143.222.99]: 554 5.7.1 Service unavailable; Client host [212.143.222.99] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=212.143.222.99; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>
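The pattern in the post above (one HELO name arriving from many unrelated client IPs, most with no or unrelated reverse DNS) can be pulled out of the log mechanically instead of by eye. The script below is an added example, not code from the poster or from Postfix: it parses reject lines in exactly the shape quoted in the post (syslog host and process prefix already stripped, as they are there), groups them by HELO name, counts distinct client IPs, and checks whether any client's reverse DNS name actually lies inside the HELO domain, which is the rDNS consistency the first reply points at. The sample input mixes a few lines copied from the post with one constructed legitimate line (mx1.example.net, 192.0.2.10) so that the "clean" case is visible too.

```python
"""Summarise Postfix reject lines by HELO name and client IP (added example)."""
import re
from collections import defaultdict

# Regex for the lines as quoted in the post. Assumption: the syslog prefix
# ("host postfix/smtpd[pid]: NOQUEUE: reject: RCPT") was already stripped.
# helo=<?...>? tolerates the malformed "helo=lloydstsb.co.uk>" line too.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) from (?P<rdns>\S+?)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3} \d\.\d\.\d) (?P<reason>.*?); from=<(?P<sender>[^>]*)> "
    r"helo=<?(?P<helo>[^>]*)>?\s*$"
)

# Sample input: lines 1-4 copied from the post, line 5 constructed as a
# legitimate-looking reject whose rDNS name matches its HELO.
SAMPLE_LINES = [
    "Feb 9 02:50:02 from eaton6404.pndsl.co.uk[84.92.52.114]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>",
    "Feb 9 02:56:41 from 173-162-111-25-miami.hfc.comcastbusiness.net[173.162.111.25]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=lloydstsb.co.uk>",
    "Feb 9 02:57:06 from unknown[86.188.155.194]: 554 5.7.1 Service unavailable; Client host [86.188.155.194] blocked using psbl.surriel.com; Listed in PSBL, see http://psbl.org/listing?ip=86.188.155.194; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>",
    "Feb 9 03:04:57 from unknown[116.12.202.73]: 550 5.1.1 <some-user[at]mydomain.com>: Recipient address rejected: User unknown; from=<some-user[at]mydomain.com> helo=<lloydstsb.co.uk>",
    "Feb 9 03:30:00 from mx1.example.net[192.0.2.10]: 550 5.1.1 <nobody[at]mydomain.com>: Recipient address rejected: User unknown; from=<bob[at]example.net> helo=<mx1.example.net>",
]


def parse_line(line):
    """Return a dict of fields for one reject line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if "User unknown" in rec["reason"]:
        rec["kind"] = "user_unknown"      # bad recipient (dictionary/backscatter style)
    elif "blocked using" in rec["reason"]:
        rec["kind"] = "dnsbl"             # client already listed on an RBL
    else:
        rec["kind"] = "other"
    return rec


def helo_matches_rdns(helo, rdns):
    """True when the client's reverse DNS name is the HELO name or lies under it."""
    helo = helo.lower().rstrip(".")
    rdns = rdns.lower().rstrip(".")
    return rdns == helo or rdns.endswith("." + helo)


def summarise(lines):
    """Group parsed lines by HELO name: distinct IPs, rDNS agreement, reject kinds."""
    by_helo = defaultdict(lambda: {
        "ips": set(), "rdns_match": 0, "no_rdns": 0, "user_unknown": 0, "dnsbl": 0,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = by_helo[rec["helo"]]
        stats["ips"].add(rec["ip"])
        if rec["rdns"] == "unknown":      # Postfix logs "unknown" when rDNS fails
            stats["no_rdns"] += 1
        elif helo_matches_rdns(rec["helo"], rec["rdns"]):
            stats["rdns_match"] += 1
        if rec["kind"] in ("user_unknown", "dnsbl"):
            stats[rec["kind"]] += 1
    return by_helo


def suspicious_helos(summary, min_ips=3):
    """HELO names used by >= min_ips distinct clients, none of which has rDNS in that domain."""
    return sorted(
        helo for helo, s in summary.items()
        if len(s["ips"]) >= min_ips and s["rdns_match"] == 0
    )


if __name__ == "__main__":
    summary = summarise(SAMPLE_LINES)
    for helo, s in sorted(summary.items()):
        print(f"{helo:20s} ips={len(s['ips'])} rdns_match={s['rdns_match']} "
              f"no_rdns={s['no_rdns']} user_unknown={s['user_unknown']} dnsbl={s['dnsbl']}")
    print("suspicious HELO names:", suspicious_helos(summary))
```

Run it against a real log by replacing SAMPLE_LINES with the stripped reject lines; the useful signal is a HELO name with a high distinct-IP count and zero rDNS matches, which says the name is being asserted by unrelated clients rather than by that organisation's own mail servers, so a block keyed on the client reputation (the RBL hits in the same log) is the more durable lever than a block on the HELO string itself.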
  3. HapplessUser

    Small time sysadmin could use some help blocking spam

    Actually never mind the last question. Apparently regardless of whether a header_checks or body_checks rule is matched "[BODY]" seems to show up in the failure message.
  4. I'm using Ubuntu 12.04 LTS with postfix and amavis and have had so much spam over the past year that I've taken to blocking many many ip addresses manually. I've got several RBLs in play as well, but my smtpd_client_restrictions / check_client_access file is currently ~4500 lines and growing. Whenever I get snowshoe spam from the same hosting co a few times, I end up blocking their whole range of ip addresses. I'm also using header_checks and body_checks to feed my ip address list before certain spam gets through. What I'm wondering is...am I the only one who feels like this is becoming a part time job? We've got fewer than 20 users and I easily spend an hour or more every day dealing with reporting spam that gets through the rbls and my ip blacklist. Is there a tutorial anywhere for tuning amavis, spamassassin and postfix to do a better job in a more automated way? Also, a postfix question: When one of my header_checks or body_checks rules is matched, the mail is rejected, but upon testing I've discovered that the sender receives a clue as to what triggered the rejection: After the text following the "REJECT" is displayed in the bounce, on a new line, "[BODY]" is displayed if the rule matched was a body_check or "[HEADER]" if the rule was a header_check. Anyone know if there's a way to turn that off? I don't want to give the spammers any info about how we're blocking their never ending flood.