From: Alex on 18 Apr 2010 12:28

Hi,

I'm wondering about some messages with Received headers such as this:

    Received: from zaphod.chipchaps.com (unknown [65.182.186.13])

It says 'unknown', but 65.182.186.13 does resolve, to chipchaps.com (a
spam site), which resolves back to 65.182.186.12. Is this where the
problem is?

I'm not sure if I'm having a DNS problem with my resolver not being
able to find the answer in time (or at all), or I'm possibly not
understanding how to do this properly. I'd like to determine if I can
add additional restrictions in Postfix to limit connections from hosts
that don't resolve properly, but before I can do that I need to make
sure my DNS is working properly. Maybe I'm able to resolve it now but
wasn't able to when the email arrived? Maybe the DNS info has changed
since the email was received?

What are the risks or implications of denying messages of this type?

Thanks,
Alex
From: Wietse Venema on 18 Apr 2010 12:44

Alex:
> Hi,
>
> I'm wondering about some messages with Received headers such as this:
>
>     Received: from zaphod.chipchaps.com (unknown [65.182.186.13])
>
> It says 'unknown', but 65.182.186.13 does resolve, to chipchaps.com (a
> spam site), which resolves back to 65.182.186.12. Is this where the
> problem is?

The definition of an "unknown" client hostname is given in

    http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname

which, as the name suggests, rejects mail from a client with a hostname
that Postfix considers "unknown".

	Wietse

> I'm not sure if I'm having a DNS problem with my resolver not being
> able to find the answer in time (or at all), or I'm possibly not
> understanding how to do this properly. I'd like to determine if I can
> add additional restrictions in Postfix to limit connections from hosts
> that don't resolve properly, but before I can do that I need to make
> sure my DNS is working properly. Maybe I'm able to resolve it now but
> wasn't able to when the email arrived? Maybe the DNS info has changed
> since the email was received?
>
> What are the risks or implications of denying messages of this type?
>
> Thanks,
> Alex
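The three "unknown" cases behind the postconf entry Wietse points to, as an added example that is not part of the thread and not Postfix code: a forward-confirmed reverse DNS check that labels a client the way the Received: header in the question shows it. The DNS tables are constructed to mirror the situation described (the PTR for 65.182.186.13 names chipchaps.com, which resolves to .12, not .13); the 192.0.2.x entries are documentation addresses invented for the example, and the "always 450 on a temporary lookup failure" rule is the one stated in postconf(5) for reject_unknown_client_hostname. Given an address on the command line it runs against the live resolver instead.

```python
"""Forward-confirmed reverse DNS check, modelled on the test Postfix runs
before it fills in the parenthesised client name of a Received: header.
Added example for this thread: not Postfix code and not the poster's.
A client is "unknown" in the three ways listed under
reject_unknown_client_hostname: no PTR, a reverse name with no address
record, or a reverse name whose addresses do not include the client
address. Temporary DNS failures are kept apart, because Postfix answers
those with 450 whatever unknown_client_reject_code says.
"""
import ipaddress
import socket
import sys

NO_PTR = "no PTR record for client address"
NO_FORWARD = "reverse name has no address record"
MISMATCH = "reverse name does not resolve to client address"
TEMPFAIL = "temporary DNS failure"
OK = "verified"
TRY_AGAIN = 2  # h_errno value for TRY_AGAIN in <netdb.h>


class TempFail(LookupError):
    """The resolver said 'try again' (SERVFAIL/timeout), not 'does not exist'."""


def fcrdns(client_ip, ptr_lookup, addr_lookup):
    """Return (client_name, reason); client_name is 'unknown' unless verified.
    ptr_lookup(ip) -> name and addr_lookup(name) -> iterable of address
    strings; both raise LookupError for NXDOMAIN and TempFail for SERVFAIL.
    """
    try:
        name = ptr_lookup(client_ip)
    except TempFail:
        return "unknown", TEMPFAIL
    except LookupError:
        return "unknown", NO_PTR
    try:
        addrs = [ipaddress.ip_address(a) for a in addr_lookup(name)]
    except TempFail:
        return "unknown", TEMPFAIL
    except LookupError:
        return "unknown", NO_FORWARD
    if ipaddress.ip_address(client_ip) in addrs:
        return name, OK
    return "unknown", MISMATCH


def received_client(helo_name, client_ip, ptr_lookup, addr_lookup):
    """Render the 'from HELO (name [ip])' part of a Postfix Received: line."""
    name, _ = fcrdns(client_ip, ptr_lookup, addr_lookup)
    return f"from {helo_name} ({name} [{client_ip}])"


def smtp_reply(reason, reject_code=450):
    """Code reject_unknown_client_hostname would reply with; None = accept.
    reject_code models unknown_client_reject_code (default 450)."""
    if reason == OK:
        return None
    return 450 if reason == TEMPFAIL else reject_code


# Live resolver, for checking a real client address from the command line.
def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror as e:
        raise (TempFail if e.errno == TRY_AGAIN else LookupError)(str(e))


def live_addrs(name):
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror as e:
        again = e.errno == getattr(socket, "EAI_AGAIN", -3)
        raise (TempFail if again else LookupError)(str(e))


# Constructed DNS data reproducing the situation in the question: the PTR for
# 65.182.186.13 names chipchaps.com, which resolves to .12. The 192.0.2.x
# entries are RFC 5737 documentation addresses invented for this example.
FAKE_PTR = {
    "65.182.186.13": "chipchaps.com",
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "orphan.example.net",  # PTR exists, but no A record
    "192.0.2.30": "slow.example.net",    # forward lookup times out
}
FAKE_A = {
    "chipchaps.com": ["65.182.186.12"],
    "mail.example.org": ["192.0.2.10", "2001:db8::10"],
}


def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise LookupError("NXDOMAIN")
    return FAKE_PTR[ip]


def fake_addrs(name):
    if name == "slow.example.net":
        raise TempFail("SERVFAIL")
    if name not in FAKE_A:
        raise LookupError("NXDOMAIN")
    return FAKE_A[name]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python fcrdns.py 65.182.186.13  (live DNS)
        print(fcrdns(sys.argv[1], live_ptr, live_addrs))
    else:
        for ip in list(FAKE_PTR) + ["192.0.2.40"]:
            name, reason = fcrdns(ip, fake_ptr, fake_addrs)
            print(f"{ip:15} {name:18} {reason}; reply {smtp_reply(reason)}")
```

The temporary-failure branch is the one that matters for the "could I resolve it now but not then" question: a resolver timeout at connection time makes the client "unknown" for that session only, and a rejection based on it is a 450, so a legitimate sender retries; the name->address mismatch in the question is permanent as long as the DNS data stays as described.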
From: Alex on 18 Apr 2010 14:19

Hi,

>>     Received: from zaphod.chipchaps.com (unknown [65.182.186.13])
>>
>> It says 'unknown', but 65.182.186.13 does resolve, to chipchaps.com (a
>> spam site), which resolves back to 65.182.186.12. Is this where the
>> problem is?
>
> The definition of an "unknown" client hostname is given in
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> which, as the name suggests, rejects mail from a client with a hostname
> that Postfix considers "unknown".

Is it common practice to have that restriction in a production environment?

It appears to be the third case here, that the name->address mapping
does not match the client IP address. Could this be from a legitimate
cause, or typically intentionally to be evasive?

Could it be found in a legitimate dynamic environment, such as at an ISP?

Is there a way to log these specific failures so I can get a better
idea of under what circumstances they occur in my environment?

I'm currently rejecting the following, in this order:

    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_maps_rbl,

Thanks,
Alex
From: Wietse Venema on 18 Apr 2010 15:11

Alex:
> Hi,
>
> >>     Received: from zaphod.chipchaps.com (unknown [65.182.186.13])
> >>
> >> It says 'unknown', but 65.182.186.13 does resolve, to chipchaps.com (a
> >> spam site), which resolves back to 65.182.186.12. Is this where the
> >> problem is?
> >
> > The definition of an "unknown" client hostname is given in
> > http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> > which, as the name suggests, rejects mail from a client with a hostname
> > that Postfix considers "unknown".
>
> Is it common practice to have that restriction in a production environment?

Yes, if the tolerance for spam is worse than the tolerance for mail not
received.

[speculation deleted]

> Is there a way to log these specific failures so I can get a better
> idea of under what circumstances they occur in my environment?

Postfix logs a warning when the reverse name does not resolve, or when
the reverse name resolves to the wrong address:

    warning: 1.2.3.4: hostname example.com verification failed: Host not found, try again
    warning: 1.2.3.4: address not listed for hostname example.com

When you report a problem, it is a good idea to look at the warning
messages in the Postfix logfile.

	Wietse
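The two warnings quoted above are what to grep for before turning a reject on. As an added example that is not part of the thread and not Postfix code, here is a small parser that classifies those lines per client address, so the log shows which failure mode dominates and which clients only ever failed transiently. It also accepts the later Postfix wording "hostname NAME does not resolve to address IP[: error]", which is an assumption about releases newer than this thread. The sample log lines are constructed (RFC 5737 documentation addresses plus the address from the question).

```python
"""Classify Postfix client-name warnings from a mail log by client address.
Added example for this thread (not Postfix code, not the poster's). It reads
the two warning formats quoted in the thread and, as an assumption about
later Postfix releases, the wording
"hostname NAME does not resolve to address IP[: error]".
The sample log lines below are constructed.
"""
import re
import sys
from collections import Counter, defaultdict

FORWARD_FAILED = "forward lookup of reverse name failed"
MISMATCH = "reverse name does not resolve to client address"
TEMPFAIL = "temporary DNS failure (try again)"

_IP = r"[0-9a-fA-F.:]+"
_PATTERNS = [
    # warning: 1.2.3.4: hostname example.com verification failed: <error>
    re.compile(rf"warning: (?P<ip>{_IP}): hostname (?P<name>\S+) "
               r"verification failed: (?P<err>.+)$"),
    # warning: 1.2.3.4: address not listed for hostname example.com
    re.compile(rf"warning: (?P<ip>{_IP}): address not listed for "
               r"hostname (?P<name>\S+)$"),
    # assumed later wording:
    # warning: hostname example.com does not resolve to address 1.2.3.4[: <error>]
    re.compile(rf"warning: hostname (?P<name>\S+) does not resolve to address "
               rf"(?P<ip>{_IP})(?:: (?P<err>.+))?$"),
]


def classify(line):
    """Return (ip, name, reason) for a client-name warning, else None."""
    for pat in _PATTERNS:
        m = pat.search(line)
        if not m:
            continue
        err = m.groupdict().get("err")
        if err is None:                    # name resolved, but not to this IP
            reason = MISMATCH
        elif "try again" in err.lower():   # resolver timeout / SERVFAIL
            reason = TEMPFAIL
        else:                              # NXDOMAIN and similar hard errors
            reason = FORWARD_FAILED
        return m.group("ip"), m.group("name"), reason
    return None


def summarize(lines):
    """Map client IP -> Counter of reasons, and client IP -> reverse names seen."""
    by_ip = defaultdict(Counter)
    names = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            ip, name, reason = hit
            by_ip[ip][reason] += 1
            names[ip].add(name)
    return dict(by_ip), dict(names)


def transient_only(lines):
    """IPs whose only failures were temporary: re-check them before blocking."""
    by_ip, _ = summarize(lines)
    return sorted(ip for ip, c in by_ip.items() if set(c) == {TEMPFAIL})


# Constructed sample: the address from the question plus RFC 5737 addresses.
SAMPLE_LOG = """\
Apr 18 12:01:03 mx postfix/smtpd[2211]: connect from unknown[65.182.186.13]
Apr 18 12:01:03 mx postfix/smtpd[2211]: warning: 65.182.186.13: address not listed for hostname chipchaps.com
Apr 18 12:02:17 mx postfix/smtpd[2214]: warning: 192.0.2.30: hostname slow.example.net verification failed: Host not found, try again
Apr 18 12:05:40 mx postfix/smtpd[2219]: warning: 192.0.2.20: hostname orphan.example.net verification failed: Name or service not known
Apr 18 12:06:02 mx postfix/smtpd[2220]: warning: hostname chipchaps.com does not resolve to address 65.182.186.13
Apr 18 12:07:55 mx postfix/smtpd[2222]: connect from mail.example.org[192.0.2.10]
""".splitlines()


if __name__ == "__main__":
    # python unknown_clients.py /var/log/mail.log   (no argument: sample log)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    by_ip, names = summarize(lines)
    for ip, counts in sorted(by_ip.items()):
        print(ip, sorted(names[ip]), dict(counts))
    print("transient only:", transient_only(lines))
```

Run it over a week of mail.log before enabling reject_unknown_client_hostname: addresses that only ever show the "try again" form point at resolver problems on your side rather than at the client, and are the ones to re-check by hand.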
From: mouss on 18 Apr 2010 16:13

Alex wrote:
> Hi,
>
>>>     Received: from zaphod.chipchaps.com (unknown [65.182.186.13])
>>>
>>> It says 'unknown', but 65.182.186.13 does resolve, to chipchaps.com (a
>>> spam site), which resolves back to 65.182.186.12. Is this where the
>>> problem is?
>> The definition of an "unknown" client hostname is given in
>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>> which, as the name suggests, rejects mail from a client with a hostname
>> that Postfix considers "unknown".
>
> Is it common practice to have that restriction in a production environment?
>
> It appears to be the third case here, that the name->address mapping
> does not match the client IP address. Could this be from a legitimate
> cause, or typically intentionally to be evasive?
>

since they put their domain name in their HELO (zaphod.chipchaps.com),
they're not trying to evade anything.

you could try

    check_client_access hash:/etc/postfix/access_unknown

    smtpd_restriction_classes = ... policy_strong
    policy_strong = reject_rbl_client bb.barracudacentral.org ...

    == access_unknown
    unknown    policy_strong

as usual, use at your own risk! you can try it with warn_if_reject for
some time if that makes you feel more confident (and no, I don't use such
a check).

> Could it be found in a legitimate dynamic environment, such as at an ISP?

no, these are spammers (illegal "work from home"). the domain probably
belongs to "Global Innovative Marketing" as you can find by visiting their
web page (www.chipchaps...) then clicking on the link at the bottom, which
leads you to a privacy page, and if you scroll down, you get
brian(a)myvemmaoffice.com. whois of the latter gives "Global Innovative
Marketing" (both chipchaps and bvconsulting.org have hidden whois).

anyway,
- www.chipchaps... is enough to convince you they are spammers.
- they have two IPs (.12 and .13) inside a range of IPs with generic names
  belonging to pugmarks.com, who provide hosting...

Also look at Senderbase:
http://www.senderbase.org/senderbase_queries/detailip?search_string=65.182.186.0%2F24

you can probably block the whole range...

>
> Is there a way to log these specific failures so I can get a better
> idea of under what circumstances they occur in my environment?
>
> I'm currently rejecting the following, in this order:
>
> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_pipelining,
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_unauth_destination,
> reject_maps_rbl,
>
> Thanks,
> Alex
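mouss's restriction class written out in context, as an added example and not the poster's own configuration: the class name, the map name and the RBL come from the post above, the restriction order is the list Alex gave, and permit_mynetworks in front is an assumption so that internal hosts without reverse DNS never reach the check. warn_if_reject on reject_unknown_client_hostname is the "try it for some time" suggestion: Postfix then logs "reject_warning:" for the clients it would have refused while only the access-map route actually rejects.

```text
# /etc/postfix/main.cf fragment (added example, not the poster's config).
# Clients whose name Postfix could not verify are logged as "unknown";
# the class below applies a stricter check to those clients only.
smtpd_restriction_classes = policy_strong
policy_strong = reject_rbl_client bb.barracudacentral.org

# warn_if_reject logs "reject_warning: ..." instead of rejecting; drop the
# prefix once the log shows no legitimate senders among the hits.
# Postfix main.cf does not allow comments inside a continued value, so the
# list is kept free of them.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    warn_if_reject reject_unknown_client_hostname,
    check_client_access hash:/etc/postfix/access_unknown,
    reject_maps_rbl

# /etc/postfix/access_unknown (then run: postmap /etc/postfix/access_unknown)
# "unknown" is the literal client name Postfix substitutes when reverse DNS
# verification fails, so it is the key check_client_access looks up.
unknown    policy_strong
```

Because check_client_access sits after reject_unauth_destination, relay attempts are still refused first, and the stricter RBL check only runs for clients that are already "unknown"; a client with a valid reverse name is never looked up in bb.barracudacentral.org by this rule.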