Topic: Postfix, SpamAssassin, or something else


Postfix, SpamAssassin, or something else
« on: June 24, 2025, 10:29:17 AM »
Hi.

CentOS Web Panel is installed on AlmaLinux release 8.10; everything is green and running (Apache, nginx, MySQL, etc.), and even the email server is working properly (sending and receiving emails).

I have a strange problem with the email server: in some mailboxes I'm receiving spam emails, and the destination of that spam email is not even an email address on my server.
I configured Postfix to reject emails, but I don't understand why I still get these emails.

I'll post the headers of one such email; I replaced the actual email address with EMAIL@MYDOMAIN and the server hostname with SERVERHOSTNAME.

Quote
Return-Path: <yrjalmr@topuk.in.rs>
Delivered-To: EMAIL@MYDOMAIN
Received: from SERVERHOSTNAME
    by SERVERHOSTNAME with LMTP
    id s9yHLwDCWWgD3xkAl/FcBg
    (envelope-from <yrjalmr@topuk.in.rs>)
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 00:07:12 +0300
Received: by SERVERHOSTNAME (Postfix, from userid 65534)
    id BB672400009E; Tue, 24 Jun 2025 00:07:12 +0300 (EEST)
Received: from mail.twoking.or.mg (mail.toceda.pro [86.104.194.44])
    by SERVERHOSTNAME (Postfix) with ESMTP id 98D0F4011421
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 00:07:04 +0300 (EEST)
Received: from mail.twoking.or.mg (t81.tugara.bond [62.76.188.81])
    by mail.twoking.or.mg (Postfix) with ESMTPA id 2F2C17D5F;
    Mon, 23 Jun 2025 18:34:54 +0300 (EEST)
Message-ID: <245740155528033167732388743203865821521082333551@topuk.in.rs>
From: Keto Diet <yrjalmr@topuk.in.rs>
To: <birou@centrulminerva.ro>

I'll post my Postfix config file:

Quote
smtpd_client_restrictions = reject_unknown_client
smtpd_helo_restrictions =
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_whitelist, check_sender_access hash:/etc/postfix/sender_blacklist
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unknown_sender_domain,
    reject_rhsbl_helo dbl.spamhaus.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net

Any idea why Postfix is not rejecting these emails, or what should I do so this type of email won't get into my mailbox?
« Last Edit: June 24, 2025, 10:36:10 AM by Thorth »
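What the headers above actually show, as an added example that is not code from the thread, from CWP or from Postfix: Postfix accepts or rejects a message on the basis of the SMTP envelope, and `reject_unauth_destination` in particular looks at the envelope recipient (the RCPT TO address, recorded in the `for <...>` clause of the Received header that your own server wrote), never at the `To:` header inside the message. In this sample the envelope recipient is a local mailbox and only the `To:` header names a foreign domain, which is why the message looks like ordinary inbound mail to the recipient restrictions. The script re-parses the poster's redacted header sample (embedded as a constructed string, with the SERVERHOSTNAME and EMAIL@MYDOMAIN placeholders kept) and extracts the envelope addresses, the border hop (the one Received line written by your server, and therefore the only one whose client IP you can trust) and two cheap mismatch signals: `To:` header versus envelope recipient, and HELO name versus reverse DNS of the connecting client. The function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the redacted headers shown in the original post, with
# EMAIL@MYDOMAIN and SERVERHOSTNAME standing in for the poster's real values.
SAMPLE_HEADERS = """\
Return-Path: <yrjalmr@topuk.in.rs>
Delivered-To: EMAIL@MYDOMAIN
Received: from SERVERHOSTNAME
    by SERVERHOSTNAME with LMTP
    id s9yHLwDCWWgD3xkAl/FcBg
    (envelope-from <yrjalmr@topuk.in.rs>)
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 00:07:12 +0300
Received: by SERVERHOSTNAME (Postfix, from userid 65534)
    id BB672400009E; Tue, 24 Jun 2025 00:07:12 +0300 (EEST)
Received: from mail.twoking.or.mg (mail.toceda.pro [86.104.194.44])
    by SERVERHOSTNAME (Postfix) with ESMTP id 98D0F4011421
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 00:07:04 +0300 (EEST)
Received: from mail.twoking.or.mg (t81.tugara.bond [62.76.188.81])
    by mail.twoking.or.mg (Postfix) with ESMTPA id 2F2C17D5F;
    Mon, 23 Jun 2025 18:34:54 +0300 (EEST)
Message-ID: <245740155528033167732388743203865821521082333551@topuk.in.rs>
From: Keto Diet <yrjalmr@topuk.in.rs>
To: <birou@centrulminerva.ro>

"""

# Clauses of a Postfix-style Received header: "from HELO (RDNS [IP]) by HOST with PROTO ... for <RCPT>"
FROM_RE = re.compile(r"^from (\S+) \((\S+) \[([^\]]+)\]\)")
BY_RE = re.compile(r"(?:^|\s)by (\S+)")
FOR_RE = re.compile(r" for <([^>]+)>")
WITH_RE = re.compile(r" with (\S+)")


def parse_received(value):
    """Split one Received header (folded or not) into its clauses."""
    text = " ".join(value.split())  # collapse folding whitespace into single spaces
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "for": None, "with": None}
    m = FROM_RE.match(text)
    if m:
        hop["helo"], hop["rdns"], hop["ip"] = m.groups()
    for key, rx in (("by", BY_RE), ("for", FOR_RE), ("with", WITH_RE)):
        m = rx.search(text)
        if m:
            hop[key] = m.group(1)
    return hop


def triage(raw, our_host="SERVERHOSTNAME"):
    """Compare the SMTP envelope with the message headers and report mismatches."""
    msg = message_from_string(raw)
    # Received headers are prepended on each hop, so the list runs newest to oldest.
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    # The envelope recipient is the "for <...>" clause our own server wrote.
    envelope_rcpt = next((h["for"] for h in hops if h["by"] == our_host and h["for"]), None)
    # The border hop is the newest Received our server wrote for a client it saw
    # over the network (it carries an IP literal); every older hop is text the
    # sender controls and may have forged.
    border = next((h for h in hops if h["by"] == our_host and h["ip"]), None)
    header_to = parseaddr(msg.get("To", ""))[1]
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    findings = []
    if envelope_rcpt and header_to and header_to.lower() != envelope_rcpt.lower():
        findings.append("to-header-mismatch")  # To: header is not the mailbox that got the mail
    if border and border["helo"] and border["rdns"] and border["helo"].lower() != border["rdns"].lower():
        findings.append("helo-rdns-mismatch")  # client introduced itself under another name
    return {
        "envelope_from": envelope_from,
        "envelope_rcpt": envelope_rcpt,
        "header_to": header_to,
        "border": border,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run it as a script to print the triage for the sample; for a real message, pass the raw headers from the mailbox file to `triage()` together with your actual hostname as `our_host`. The two findings it raises here are exactly the signals a content filter such as SpamAssassin scores, which is why the thread's title is the right question: the recipient restrictions in main.cf cannot see them.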

Re: Postfix, SpamAssassin, or something else
« Reply #1 on: June 24, 2025, 10:55:36 AM »
Do you need to support mail from Serbia? Do you need to support Romanian e-mail traffic? Madagascar? You can block any/all of these at the CSF level, or by an RBL within Postfix's config:
Code:
reject_rbl_client rs.country.spameatingmonkey.net,
reject_rbl_client mg.country.spameatingmonkey.net,
You can also block full TLDs if you so choose (/etc/postfix/reject_domains):
Code:
# Rejecting whole TLDs
/\.pro$/    REJECT
/\.cam$/    REJECT
/\.top$/    REJECT
/\.work$/   REJECT
/\.click$/  REJECT
/\.link$/   REJECT
/\.diet$/   REJECT
/\.party$/  REJECT
/\.zip$/    REJECT
/\.date$/   REJECT
/\.club$/   REJECT
/\.rest$/   REJECT
/\.casa$/   REJECT
/\.bar$/    REJECT
/\.sbs$/    REJECT
/\.xyz$/    REJECT
/\.bio$/    REJECT
/\.best$/   REJECT
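How a map like this is applied, as an added example (not code from the reply, from CWP or from Postfix; the function names and the inline copy of the map are mine): Postfix treats /etc/postfix/reject_domains as a pcre table only when the restriction references it as `pcre:/etc/postfix/reject_domains`, and pcre_table(5) applies each pattern to the entire lookup key, in file order, first match wins, with no separate domain or parent-domain lookups. The same map therefore behaves differently under `check_sender_access` (the key is the full envelope sender address) and `check_client_access` (the keys are the client hostname and then its IP). The simulation below models those semantics, honouring the `!` negation prefix and the `i` flag (which in Postfix turns the default case-insensitive matching off), and runs the sample senders and connecting clients from this thread through the map.

```python
import re

# Constructed copy of the TLD map from the reply above, in pcre_table(5)
# syntax: "/pattern/[flags]  ACTION", one rule per line, '#' for comments.
REJECT_DOMAINS_PCRE = r"""
# Rejecting whole TLDs
/\.pro$/    REJECT
/\.cam$/    REJECT
/\.top$/    REJECT
/\.work$/   REJECT
/\.click$/  REJECT
/\.link$/   REJECT
/\.diet$/   REJECT
/\.party$/  REJECT
/\.zip$/    REJECT
/\.date$/   REJECT
/\.club$/   REJECT
/\.rest$/   REJECT
/\.casa$/   REJECT
/\.bar$/    REJECT
/\.sbs$/    REJECT
/\.xyz$/    REJECT
/\.bio$/    REJECT
/\.best$/   REJECT
"""

# optional '!', /pattern/ (with escaped chars allowed), optional flag letters, action
RULE_RE = re.compile(r"^(!?)/((?:\\.|[^/\\])*)/([A-Za-z]*)\s+(\S.*?)\s*$")


def load_pcre_map(text):
    """Parse pcre_table(5) rules into (negate, compiled_regex, action) tuples.

    Only the core syntax is modelled: '!' negation, the 'i' flag (which toggles
    case-insensitivity OFF, because Postfix matches case-insensitively by
    default) and a plain action word. $1-style substitutions in the action and
    IF/ENDIF blocks are not modelled.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        negate, pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((negate == "!", re.compile(pattern, re_flags), action))
    return rules


def lookup(rules, key):
    """First matching rule wins; each pattern is applied to the whole key."""
    for negate, regex, action in rules:
        matched = regex.search(key) is not None
        if matched != negate:
            return action
    return None  # no rule matched: Postfix moves on to the next restriction


def check_sender_access(rules, sender):
    # With a regexp/pcre table Postfix does not try the domain or parent
    # domains separately: the key is the complete envelope sender address.
    return lookup(rules, sender)


def check_client_access(rules, client_name, client_addr):
    # check_client_access looks up the client hostname first, then its IP
    # address; each lookup again uses the complete string as the key.
    return lookup(rules, client_name) or lookup(rules, client_addr)


if __name__ == "__main__":
    table = load_pcre_map(REJECT_DOMAINS_PCRE)
    # Envelope senders and border clients taken from the headers posted in this thread.
    for sender in ("yrjalmr@topuk.in.rs", "yvcaztn@firengerme.de",
                   "ofnulzn@wolkingers.mielec.pl", "oqvuqzq@ivelonse.my"):
        print(f"check_sender_access {sender}: {check_sender_access(table, sender)}")
    for name, addr in (("mail.toceda.pro", "86.104.194.44"),
                       ("xn--80aua.xn--80ag7c.xn--p1acf", "37.48.78.112")):
        print(f"check_client_access {name} [{addr}]: {check_client_access(table, name, addr)}")
```

Because the key differs per restriction, decide first which string you want the TLD patterns to see (the sender address, or the reverse-DNS name of the connecting host) and reference the map from that restriction; `postmap -q 'key' pcre:/etc/postfix/reject_domains` on the server gives the authoritative answer for any single key.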

Re: Postfix, SpamAssassin, or something else
« Reply #2 on: June 24, 2025, 11:14:52 AM »
Had a similar issue. Emails were bouncing and sitting in the Postfix queue (in the 100s).

On checking the arrival info of one of these emails, I could see that the sender was a user on my system.

I changed the password and informed that user.

Problem stopped.

Re: Postfix, SpamAssassin, or something else
« Reply #3 on: June 24, 2025, 12:12:06 PM »
Quote
Do you need to support mail from Serbia? Do you need to support Romanian e-mail traffic? Madagascar? You can block any/all of these at the CSF level, or by an RBL within Postfix's config:
Code:
reject_rbl_client rs.country.spameatingmonkey.net,
reject_rbl_client mg.country.spameatingmonkey.net,
You can also block full TLDs if you so choose (/etc/postfix/reject_domains):
Code:
# Rejecting whole TLDs
/\.pro$/    REJECT
/\.cam$/    REJECT
/\.top$/    REJECT
/\.work$/   REJECT
/\.click$/  REJECT
/\.link$/   REJECT
/\.diet$/   REJECT
/\.party$/  REJECT
/\.zip$/    REJECT
/\.date$/   REJECT
/\.club$/   REJECT
/\.rest$/   REJECT
/\.casa$/   REJECT
/\.bar$/    REJECT
/\.sbs$/    REJECT
/\.xyz$/    REJECT
/\.bio$/    REJECT
/\.best$/   REJECT


Thanks for the idea; I already made the change in Postfix. I will see tomorrow; hopefully tomorrow I will not see this type of email. I'll be back tomorrow with some details.

Re: Postfix, SpamAssassin, or something else
« Reply #4 on: June 24, 2025, 04:07:45 PM »
OK, I just checked some mailboxes now and I still get this type of email...

Quote
Return-Path: <yvcaztn@firengerme.de>
Delivered-To: EMAIL@MYDOMAIN
Received: from SERVERHOSTNAME
    by SERVERHOSTNAME with LMTP
    id P95LExbJWmhsTB0Al/FcBg
    (envelope-from <yvcaztn@firengerme.de>)
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 18:49:42 +0300
Received: by SERVERHOSTNAME (Postfix, from userid 65534)
    id 48272400009F; Tue, 24 Jun 2025 18:49:42 +0300 (EEST)
Received: from xn--80aua.xn--80ag7c.xn--p1acf (xn--80aua.xn--80ag7c.xn--p1acf [37.48.78.112])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by SERVERHOSTNAME (Postfix) with ESMTPS id 2754A400009B
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 18:48:42 +0300 (EEST)
Message-ID: <751441785208504837733045162177506451115316284233@firengerme.de>
From: "KetoProbiotix" <yvcaztn@firengerme.de>
To: <proiecte@centrade.ro>
Subject: =?utf-8?B?U2NhcMSDIGRlIGdyxINzaW1lYSBkZSBwZSBhYmRvbWVuIMiZaSDImW9sZHVyaSBmxINyxIMgaW50ZXJ2ZW7Im2llIGNoaXJ1cmdpY2FsxIMgw65uIDIxIGRlIHppbGUh?=
Date: Tue, 24 Jun 2025 17:51:04 +0300

Return-Path: <ofnulzn@wolkingers.mielec.pl>
Delivered-To: EMAIL@MYDOMAIN
Received: from SERVERHOSTNAME
    by SERVERHOSTNAME with LMTP
    id lI76DQ7IWmi+Sh0Al/FcBg
    (envelope-from <ofnulzn@wolkingers.mielec.pl>)
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 18:45:18 +0300
Received: by SERVERHOSTNAME (Postfix, from userid 65534)
    id 3340C400009F; Tue, 24 Jun 2025 18:45:18 +0300 (EEST)
Received: from 561.028.xn--p1acf (561.028.xn--p1acf [178.162.131.126])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by SERVERHOSTNAME (Postfix) with ESMTPS id 3CEED400009B
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 18:45:05 +0300 (EEST)
Message-ID: <14722032L62414078X20446240M74502862O@idofnulzn>
From: "Best Pillow" <ofnulzn@wolkingers.mielec.pl>
To: <comenzi@centromodaitalia.ro>
Subject: =?utf-8?B?UGVybmEgRGVyaWxhICMxIMOubiBSb23Dom5pYQ==?=
Date: Tue, 24 Jun 2025 17:54:34 +0300

Return-Path: <oqvuqzq@ivelonse.my>
Delivered-To: EMAIL@MYDOMAIN
Received: from SERVERHOSTNAME
    by SERVERHOSTNAME with LMTP
    id BvOUJyfFWmiFRR0Al/FcBg
    (envelope-from <oqvuqzq@ivelonse.my>)
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 18:32:55 +0300
Received: by SERVERHOSTNAME (Postfix, from userid 65534)
    id 9B5DF400009F; Tue, 24 Jun 2025 18:32:55 +0300 (EEST)
Received: from s7.xn--80aicbs3aneck.xn--j1aef.xn--p1acf (s7.xn--80aicbs3aneck.xn--j1aef.xn--p1acf [83.149.99.122])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    (No client certificate requested)
    by SERVERHOSTNAME (Postfix) with ESMTPS id 3C969400009B
    for <EMAIL@MYDOMAIN>; Tue, 24 Jun 2025 18:31:57 +0300 (EEST)
Message-ID: <052438376325105471635151361047512226616053884874@ivelonse.my>
From: "Alkotox" <oqvuqzq@ivelonse.my>
To: <international@ceccaro.ro>
Subject: =?utf-8?B?QWxrb3RveCAtIHNwdW5lIMKrbnXCuyBkZXBlbmRlbsibZWkgZGUgYWxjb29sIQ==?=
Date: Tue, 24 Jun 2025 17:49:09 +0300

Re: Postfix, SpamAssassin, or something else
« Reply #5 on: June 24, 2025, 05:25:07 PM »
All 3 from LeaseWeb in the Netherlands. Consider reporting to their abuse@ address with the full headers. Also block those offending IPs, but it's 3 for 3 different messages, so likely there is a larger pool of source addresses used in this campaign.

Re: Postfix, SpamAssassin, or something else
« Reply #6 on: Today at 05:31:55 AM »
Quote
All 3 from LeaseWeb in the Netherlands. Consider reporting to their abuse@ address with the full headers. Also block those offending IPs, but it's 3 for 3 different messages, so likely there is a larger pool of source addresses used in this campaign.

Both the From and the To don't belong to this server.

Quote
From: "KetoProbiotix" <yvcaztn@firengerme.de>
To: <proiecte@centrade.ro>

Why is this email landing on this server?

Re: Postfix, SpamAssassin, or something else
« Reply #7 on: Today at 01:16:15 PM »
Forgeries. You should lock down Postfix more to prevent this kind of backscatter. And block Malaysia if you have no need for traffic from there.
https://www.awsmonster.com/how-to-secure-postfixdovecot-on-cwp

If you wanted to block ALL of LeaseWeb, you could add their netblocks to your blocklists, but you might block legitimate traffic:
https://ipinfo.io/AS7203