LinuxQuestions.org

Postfix - blocking spammer domains (https://www.linuxquestions.org/questions/linux-server-73/postfix-blocking-spammer-domains-4175625843/)

linpi 03-19-2018 05:08 AM

Postfix - blocking spammer domains
 
hello,
on a small server, I use Postfix version 2.11 (debian) and want to reject some spam domains which, for example, dbl[dot]spamhaus[dot]org doesn't seem to recognize.
here is a part of my configuration:
Code:

smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_sender_domain,
  reject_non_fqdn_sender,
  check_sender_access pcre:/etc/postfix/spam_sender_addr_pcre,
  permit

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_invalid_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  check_client_access hash:/etc/postfix/rbl_whitelist,
  reject_rbl_client  ...
  reject_rhsbl_client dbl.spamhaus.org,
  check_recipient_access pcre:/etc/postfix/spam_rec_addr_pcre,
  check_policy_service inet:127.0.0.1:10031,
  permit

When I try one of the spam domains that I have received lately, "...@es2[dot]trmaildat[dot]com":

Code:

postmap -q es2.trmaildat.com pcre:/etc/postfix/spam_sender_addr_pcre
I get the expected REJECT

here is the one line of spam_sender_addr_pcre:
Code:

# dots escaped so they match a literal "." rather than any character
/.*es2\.trmaildat\.com/i REJECT
but still I receive emails from ...@es2[dot]trmaildat[dot]com.

what is wrong with this configuration?
before using pcre, I tried a hash file, but it didn't work either.
thank you for some hints!

smallpond 03-20-2018 06:46 AM

Are you sure that address is the envelope sender?

Please post the portion of /var/log/maillog which shows the reception.

linpi 03-20-2018 09:49 AM

here
Quote:

Mar 19 17:03:55 miranda postfix/cleanup[1407]: 912172F911F: message-id=<20180319160132.8425A2461BC@es2.trmaildat.com>
Mar 19 17:03:55 miranda postfix/qmgr[12306]: 912172F911F: from=<052454857a4-8-314@globe-yellow-pages.com>, size=56112, nrcpt=1 (queue active)
Mar 19 17:03:55 miranda postfix/smtpd[1414]: disconnect from localhost[127.0.0.1]
Mar 19 17:03:55 miranda amavis[955]: (00955-15) Passed SPAM {RelayedTaggedInbound,Quarantined}, [127.0.0.1] [185.111.183.36] <052454857a4-8-314@globe-yellow-pages.com> -> <xyz@gottsdorf.de>, quarantine: U/spam-UN6HU2RREwdg.gz, Message-ID: <20180319160132.8425A2461BC@es2.trmaildat.com>, mail_id: UN6HU2RREwdg, Hits: 6.589, size: 55011, queued_as: 912172F911F, 6771 ms
Mar 19 17:03:55 miranda postfix/smtp[1408]: 8793F2F80BD: to=<xyz@gottsdorf.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=33, delays=26/0/0/6.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 912172F911F)
Mar 19 17:03:55 miranda postfix/qmgr[12306]: 8793F2F80BD: removed
ok, it seems the sender address is globe-yellow-pages.com... right?

smallpond 03-22-2018 09:49 AM

from=<052454857a4-8-314@globe-yellow-pages.com>,

Code:

host globe-yellow-pages.com
globe-yellow-pages.com has address 192.64.119.78
globe-yellow-pages.com mail is handled by 10 mail.globe-yellow-pages.com.
host mail.globe-yellow-pages.com
mail.globe-yellow-pages.com has address 80.211.229.185

but this is from 185.111.183.36 so it seems to be lying.

Code:

jwhois 185.111.183.36
netname: Biz-catalogs

Says network 185.111.183.0 - 185.111.183.255 is a good candidate for the block list.

scasey 03-22-2018 03:06 PM

Quote:

Originally Posted by smallpond (Post 5834040)
Says network 185.111.183.0 - 185.111.183.255 is a good candidate for the block list.

Agreed. At least none of my customers need to receive email from Lithuania.

I don't know how to do it in postfix, but spam blocking by domain name is pretty hit-and-miss, because of forgeries; but an MTA always knows the IP of the server delivering the email, so blocking by IP address/range is very effective.

[PS: Note that "by IP" is how SORBS, spamcop, and SBL-XBL do their RBL (Real-time Block List) blocking, not by domain name]
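As an added example, not posted by anyone in this thread: a small Python script that takes the amavis log line quoted above, pulls out the envelope sender, the Message-ID domain and the original client IP, and runs them through the two lookups discussed here the way smtpd would (a pcre: sender table and a cidr: client table). It shows why the postmap -q test succeeded while the mail still got through: the pattern matches the Message-ID domain, but check_sender_access only ever sees the envelope sender. The table contents and the regex for the amavis line are assumptions.

```python
import re
import ipaddress

# Constructed sample: the amavis line from the thread's log excerpt, cut down to the
# fields that matter (client IP, envelope sender, recipient, Message-ID).
MAILLOG = [
    "Mar 19 17:03:55 miranda amavis[955]: (00955-15) Passed SPAM {RelayedTaggedInbound,Quarantined}, "
    "[127.0.0.1] [185.111.183.36] <052454857a4-8-314@globe-yellow-pages.com> -> <xyz@gottsdorf.de>, "
    "Message-ID: <20180319160132.8425A2461BC@es2.trmaildat.com>, mail_id: UN6HU2RREwdg, Hits: 6.589",
]
# Hypothetical table contents: the poster's pcre sender entry (dots escaped) and a
# cidr: client entry for the network smallpond identified.
SENDER_PCRE = [(re.compile(r".*es2\.trmaildat\.com", re.I), "REJECT")]
CLIENT_CIDR = [(ipaddress.ip_network("185.111.183.0/24"), "REJECT")]
AMAVIS_RE = re.compile(
    r"\[(?P<relay>[\d.]+)\] \[(?P<client>[\d.]+)\] <(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
    r".*?Message-ID: <(?P<msgid>[^>]*)>"
)

def parse_amavis(line):
    """Return client IP, envelope sender, recipient and Message-ID, or None if not an amavis line."""
    m = AMAVIS_RE.search(line)
    return m.groupdict() if m else None

def check_sender_access(key, table):
    """Mimic check_sender_access with a pcre: table: unanchored search, first match wins."""
    for pattern, action in table:
        if pattern.search(key):
            return action
    return "DUNNO"  # no entry: Postfix moves on to the next restriction

def check_client_access(client_ip, table):
    """Mimic check_client_access with a cidr: table: first network containing the IP wins."""
    ip = ipaddress.ip_address(client_ip)
    return next((action for net, action in table if ip in net), "DUNNO")

def evaluate(line):
    """Which lookups would have fired for the logged message?"""
    rec = parse_amavis(line)
    if rec is None:
        return None
    msgid_domain = rec["msgid"].rsplit("@", 1)[-1]
    return {
        # what smtpd really looks up: the envelope sender from MAIL FROM
        "sender_table": check_sender_access(rec["sender"], SENDER_PCRE),
        # what the poster tested with postmap -q: the Message-ID domain, which smtpd never sees
        "msgid_domain_table": check_sender_access(msgid_domain, SENDER_PCRE),
        "client_table": check_client_access(rec["client"], CLIENT_CIDR),
    }
```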
