Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Hi, I am successfully using web-cyradm+postfix+cyrus-imap+SASL+Mysql on a variety of Linux boxes, mostly running Ubuntu 6.06 LTS. This system works well for me and I have not upgraded past web-cyradm version 0.54 yet. I generally have ten or more virtual domains receiving mail on a server. I also posted more or less this same question to the web-cyradm list, but I have not got the info that I think I want.
Recently I have started to be mail-bombed in this way: some fool out there is sending spam with return addresses in this form
triyant*******@mydomain.com
The emails bounce to my server, which rejects them. However, the volume is large and I would prefer to simply /dev/null all email with a recipient that begins with the letters 'triyant'.
Postfix 2.2.10 allows you to use regexp in the alias table, but I don't know how to do it. I tried creating an alias 'triyant^' (without the quotes) but that does not work. If I alias a specific address, like 'triyantooopl', to /dev/null, it works fine, but since there are billions of variants (all beginning with 'triyant') a regexp is obviously the way to go.
I would really be grateful for any help. What I want is probably really simple.
(maybe instead of 'triyant^' I should say 'regexp:triyant^' ?)
Thanks in advance.
Note: I use Webmin 1.3.0 to administer this server. Webmin's Postfix page has a list of predefined aliases that redirect to different destinations; for instance 'marketing' goes to 'postmaster', etc. When I say that I have aliased a specific 'triyant****' address, what I mean is that I have added that specific address to the /etc/postfix/aliases file using the Webmin tool.
I would recommend using spamassassin. It allows you to easily create a blacklist of email addresses that you don't want to accept messages from, and then it drops the message. Another thing you can do is specify not to accept email from the server that is sending these messages through /etc/hosts.deny.
I don't want to run another piece of software for this problem - and the incoming mail is coming from hundreds of different servers (remember, it is caused because someone is forging fake usernames in a real domain, and the actual spam victims are receiving the spam from him, and replying to me.)
The simplest thing is exactly what I asked for above - how can I alias everything beginning with 'triyant' and direct it with no further processing to /dev/null ?
Anybody? This can't be that hard to do, but I can't figure out the syntax in the alias file.
I do not recommend that you have postfix do the mail filtering, especially if you have a busy server. If postfix does the body checks it will slow down a lot, especially when it is busy. It is better to have postfix accept all mail and then have spamassassin process it in the background. Afterward you should monitor the number of messages coming from that spammer so you can reject the connection altogether using hosts.deny.
If you still want to use SMTP body checks through postfix then here's what you do:
Create the file /etc/postfix/body_checks as follows:
/^From: *triyant[^@]*@mydomain\.com/ REJECT
Run 'postmap /etc/postfix/body_checks' then make sure it has the correct file permissions.
Add the following to /etc/postfix/main.cf:
body_checks = regexp:/etc/postfix/body_checks
Reload postfix with command:
/etc/init.d/postfix reload
You may want to create a test mail account with a free service such as yahoo or hotmail and then try testing with it first in case of interruptions. Drop me an Email if you need more help. Good Luck.
Thanks. I will probably email you - I am wondering why body_checks needs to be involved instead of /etc/postfix/aliases - I do not want to read the emails, all the information is available in the 'to:' field, and as I say, I am successfully /dev/null-ing (is that a word?) specific aliases - all of which are located only in the aliases file, and not in body_checks!
It sounds like if I could use exactly your syntax except in the aliases file and not in body_checks, that is what I am looking for.
If I want to do that in the aliases databases, and the present entry for 'Alias databases used by the local delivery agent' is 'hash:/etc/postfix/aliases', and a specific entry in that table looks like this:
triyantaoizen: /dev/null
then how would a regexp: equivalent be constructed?
--------
Again, just so you understand - there is not a single source of these emails - I am not receiving mail from a specific 'spammer', and of course I am already using spamhaus, etc - all the usual RBL lists. I am receiving mail from thousands of victims of the original spammer, who has used 'triyant^@mydomain.com' as his return address. I can't fix this by blocking a single IP or sender - this is a different sort of problem.
I just realized that it is header_checks instead of body_checks. Use the following instead. This will check the header of every message and if it finds triyant@mydomain.com in the header then it will reject the message:
In main.cf:
header_checks = hash:/etc/postfix/header_checks
/etc/postfix/header_checks:
/^from: *triyant@mydomain\.com$/ REJECT
Run 'postmap /etc/postfix/header_checks && /etc/init.d/postfix reload'.
I have header_checks set to the proper file. When I try this
/^from: triyant*************@mydomain\.com/
Postfix (via Webmin 1.330 interface) responds
Error while saving a mapping : Invalid regular expression - must be like /something/
I want to reject all mail with a from address beginning with the seven characters 'triyant'. At this point (since I have no users with that name) I don't care if I reject them from one or all of the domains I serve.
Very close, not quite. At this point it is my ignorance of regexp that is doing the damage.
My last post will work. Go through it thoroughly and try it. Also, you should not use a regex (regular expression) table; use a hash table instead. It is processed much faster by postfix, especially if the table is long.
This is mainly for ramram, but thanks to all for your assistance on the regexp question.
ramram's last post seems incorrect. I don't want to /dev/null the literal string 'triyant@mydomain.com' - that would be too easy. I want to get rid of everything *beginning* 'triyant' - for example,
etc. - Note that the string before the '@' sign could be just the seven characters 'triyant', or anything, even thirty characters long, but with the first seven characters always 'triyant'.
Doesn't what you suggest in the fragment below
----
In main.cf:
header_checks = hash:/etc/postfix/header_checks
/etc/postfix/header_checks:
/^from: *triyant@mydomain\.com$/ REJECT
----
just match the literal string 'triyant@mydomain.com'?
That should reject anything starting with triyant. You may want to review the postfix UCE rules, to see what is the best solution for wildcards using header_checks; it should work. I've had it work for me a while ago.
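Added illustration, not part of the thread: a small Python parser for the `/pattern/flags ACTION` lines of a header_checks table, run over constructed header lines, which shows why the `$`-anchored rule from the thread only hits the literal address while a begins-with pattern catches every 'triyant...' variant, and why a `triyant*******` wildcard is a regex syntax error. It assumes Python's `re` stands in for Postfix's regex library and implements only the comment, default-case-insensitive and `i`-flag parts of regexp_table(5).

```python
import re
# Constructed sample table in header_checks(5) syntax (/pattern/flags ACTION). Rule 1 is the
# thread's suggestion; rule 2 is what the OP asked for: any local part beginning "triyant".
TABLE_TEXT = r"""
# the trailing $ pins this rule to the literal address triyant@mydomain.com
/^from: *triyant@mydomain\.com$/ REJECT literal-only
# begins-with match: [^@>]* spans the rest of the local part, \b keeps "notriyant" out
/^(From|To):.*\btriyant[^@>]*@mydomain\.com/ REJECT backscatter-triyant
"""

_RULE = re.compile(r'^/(.*)/([a-z]*)\s+(\S.*)$')   # /pattern/flags action

def load_table(text):
    """Parse a regexp table; '#' comments and blank lines are skipped (a subset of regexp_table(5))."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError('Invalid regular expression - must be like /something/: ' + line)
        pattern, flags, action = m.groups()
        # regexp_table(5): matching is case-insensitive by default; the i flag toggles that off
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        try:
            rules.append((re.compile(pattern, re_flags), action))
        except re.error as exc:   # e.g. "triyant*******": * is a quantifier, not a shell wildcard
            raise ValueError('%s in %s' % (exc, line))
    return rules

def check_header(rules, header):
    """Action of the first matching rule (what `postmap -q` would print); None if nothing matches."""
    for regex, action in rules:
        if regex.search(header):
            return action
    return None

def demo():
    rules = load_table(TABLE_TEXT)
    headers = [
        'From: triyant@mydomain.com',              # the literal address: rule 1 fires
        'From: triyantooopl@mydomain.com',         # variant rule 1 misses, rule 2 catches
        'From: Joe <TRIYANTaoizen@mydomain.com>',  # display name and upper case
        'To: triyantzzz@mydomain.com',             # bounce addressed to the forged sender
        'From: notriyant@mydomain.com',            # does not begin with triyant: delivered
        'From: alice@mydomain.com',                # legitimate mail: delivered
    ]
    return {h: check_header(rules, h) for h in headers}
```

Postfix applies header_checks patterns to the whole header line including its name, which is why the patterns start with `^from:` or `^(From|To):` rather than with the address.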