From: donovan jeffrey j on 8 Aug 2010 13:48

greetings

this weekend I have been hit with a ton of forged spam messages. here is a sample header

From: realuser(a)beth.k12.pa.us
Subject: realuser(a)beth.k12.pa.us 62% OFF on Pfizer!
Date: August 8, 2010 9:41:57 AM EDT
To: realuser(a)beth.k12.pa.us
Return-Path: <realuser(a)beth.k12.pa.us>
Received: from murder ([unix socket]) by bragg.beth.k12.pa.us (Cyrus v2.2.12-OS X 10.4.8) with LMTPA; Sun, 08 Aug 2010 09:43:46 -0400
Received: from smtp3.beth.k12.pa.us (smtp3.beth.k12.pa.us [10.135.1.13]) by bragg.beth.k12.pa.us (Postfix) with ESMTP id A327A3D8EE95 for <basdarchive(a)beth.k12.pa.us>; Sun, 8 Aug 2010 09:43:46 -0400 (EDT)
Received: from localhost (mx2.beth.k12.pa.us [10.135.1.23]) by smtp3.beth.k12.pa.us (Postfix) with ESMTP id 2D14229B0822 for <realuser(a)beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:49 -0400 (EDT)
Received: from mx2.beth.k12.pa.us ([127.0.0.1]) by localhost (mx2.beth.k12.pa.us [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3Z44V0jwgqW for <realuser(a)beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:48 -0400 (EDT)
Received: from mail2.beth.k12.pa.us (mail2.beth.k12.pa.us [192.227.0.10]) by mx2.beth.k12.pa.us (Postfix) with ESMTP id AB7AD1F60ED for <realuser(a)beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:48 -0400 (EDT)
Received: from 21-182-134-95.pool.ukrtel.net (21-182-134-95.pool.ukrtel.net [95.134.182.21]) by mail2.beth.k12.pa.us (Postfix) with ESMTP id BFDF110E19A4 for <realuser(a)beth.k12.pa.us>; Sun, 8 Aug 2010 09:41:57 -0400 (EDT)
X-Sieve: CMU Sieve 2.2
X-Virus-Scanned: amavisd-new at beth.k12.pa.us
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <20100808134157.BFDF110E19A4(a)mail2.beth.k12.pa.us>

it seems that each of my users has received one of these. I have so many restrictions in place that I'm not sure where to look at this point.

here are my restrictions on my mx;

smtpd_client_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/access, hash:/etc/postfix/smtpdreject
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client cbl.abuseat.org
    reject_rbl_client bl.spamcop.net
    permit
smtpd_data_restrictions = check_sender_access hash:/etc/postfix/backscatter
smtpd_delay_reject = yes
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_hostname,
    reject_invalid_hostname
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access
    check_sender_mx_access cidr:/etc/postfix/reject_private_mx.cidr
    warn_if_reject reject_unknown_client,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unlisted_sender,
    permit_mynetworks,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unknown_recipient_domain,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_unauth_pipelining,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client zen.spamhaus.org,
    permit
smtpd_restriction_classes = reject_ndn
smtpd_sasl_auth_enable = yes
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain,
    check_recipient_access hash:/etc/postfix/backscatter_recipient

I do have header checks that should thwart this I thought;

# HEADER_CHECKS(5)
/^Received:.*by beth.k12.pa.us/ REJECT Forged hostname in Received header
if /^Received:/
/^Received: +from +(beth\.k12\.pa\.us) +/ reject forged client name in Received: header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)/ reject forged client name in Received: header: $1
/^Received:.* +by +(beth\.k12\.pa\.us)[[:>:]]/ reject forged mail server name in Received: header: $1
endif

did I miss something?
-j
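Added illustration (not code from the thread): the Received: chain from the sample header is walked outward from the delivery side to find the first hop that is not the poster's own infrastructure, and the poster's header_checks patterns are run over the same chain to show why none of them fire. The internal networks and the set of authorized relay addresses are constructed assumptions drawn from the sample, not facts from the post.

```python
import ipaddress
import re

# Constructed from the sample header in the post: Received: hops, most recent first.
RECEIVED = [
    "from murder ([unix socket]) by bragg.beth.k12.pa.us (Cyrus v2.2.12) with LMTPA",
    "from smtp3.beth.k12.pa.us (smtp3.beth.k12.pa.us [10.135.1.13]) by bragg.beth.k12.pa.us (Postfix)",
    "from localhost (mx2.beth.k12.pa.us [10.135.1.23]) by smtp3.beth.k12.pa.us (Postfix)",
    "from mx2.beth.k12.pa.us ([127.0.0.1]) by localhost (mx2.beth.k12.pa.us [127.0.0.1]) (amavisd-new)",
    "from mail2.beth.k12.pa.us (mail2.beth.k12.pa.us [192.227.0.10]) by mx2.beth.k12.pa.us (Postfix)",
    "from 21-182-134-95.pool.ukrtel.net (21-182-134-95.pool.ukrtel.net [95.134.182.21]) by mail2.beth.k12.pa.us (Postfix)",
]

# The poster's header_checks, transcribed to Python re ([[:>:]] written as \b).
HEADER_CHECKS = [
    r"^Received:.*by beth.k12.pa.us",
    r"^Received: +from +(beth\.k12\.pa\.us) +",
    r"^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo +)(beth\.k12\.pa\.us)\)",
    r"^Received:.* +by +(beth\.k12\.pa\.us)\b",
]

# Assumed: address ranges of the poster's own hops, inferred from the sample.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "192.227.0.0/24")]
IP_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def header_checks_hits(received):
    """Return the poster's patterns that match any hop; empty means no check fires,
    because the real hosts are mail2.beth..., mx2.beth..., never a bare beth.k12.pa.us."""
    return [p for p in HEADER_CHECKS if any(re.search(p, "Received: " + h) for h in received)]


def originating_client(received, internal=INTERNAL):
    """Walk outward from delivery; return the first hop IP not on our own network."""
    for hop in received:
        m = IP_RE.search(hop)
        if not m:
            continue  # the Cyrus LMTP unix-socket hop carries no IP
        ip = ipaddress.ip_address(m.group(1))
        if not any(ip in net for net in internal):
            return str(ip)
    return None


def looks_forged(from_addr, received, local_domain, authorized_relays):
    """Local From: domain, but the message entered from a host that is not one of
    the relays allowed to originate mail for that domain (the SPF idea, done locally)."""
    origin = originating_client(received)
    return (from_addr.lower().endswith("@" + local_domain)
            and origin is not None and origin not in authorized_relays)
```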
From: JunkYardMail1 on 8 Aug 2010 14:16

http://www.openspf.org/

--------------------------------------------------
From: "donovan jeffrey j" <donovan(a)beth.k12.pa.us>
Sent: Sunday, August 08, 2010 10:48 AM
To: "Postfix users" <postfix-users(a)postfix.org>
Subject: need help with forged To and From

> [the original message, quoted in full]
From: LuKreme on 8 Aug 2010 14:20

On 8-Aug-2010, at 12:16, <JunkYardMail1(a)Verizon.net> wrote:
> http://www.openspf.org/

Please learn to quote and reply properly.

--
Badges? We ain't got no badges. We don't need no badges. I don't have to show you any stinking badges.
From: donovan jeffrey j on 8 Aug 2010 16:00

On Aug 8, 2010, at 2:16 PM, <JunkYardMail1(a)Verizon.net> wrote:
> http://www.openspf.org/

thanks for the reply,
since this is not postfix related, I have to go off list. but before I go

I get a little confused when reading the SPF docs. It seems too easy.
from what I understand I can add a TXT line in my DNS config,

@ IN TXT "v=spf1 a:example.com -all"

or

example.com. 10800 IN TXT "v=spf1 a:host.example.com -all"

do I apply this for the whole domain or just for the hosts I authorize to send mail?
Do I need to apply a record for my MX server?

The only systems that should be sending mail with my domain are two SMTP relays: smtp1 and smtp2 respectively.
-j
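Added example, not from the thread or from openspf.org: a small SPF evaluator run against a constructed DNS table for the situation described above (example.com stands in for the real domain, as in the post). The record is published once, at the domain that appears in the sender address, and its a: mechanisms name the two relays; the inbound MX is deliberately not listed, so a message claiming that domain from any other host, the MX included, evaluates to fail. Only the a, mx, ip4 and all mechanisms are implemented here.

```python
import ipaddress

# Constructed DNS data: one record on the domain, two outbound relays, one inbound MX.
DNS = {
    ("example.com", "TXT"): ["v=spf1 a:smtp1.example.com a:smtp2.example.com -all"],
    ("example.com", "MX"): ["mx.example.com"],
    ("example.com", "A"): ["192.0.2.80"],
    ("smtp1.example.com", "A"): ["192.0.2.10"],
    ("smtp2.example.com", "A"): ["192.0.2.11"],
    ("mx.example.com", "A"): ["192.0.2.25"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get((name.rstrip("."), rtype), [])


def check_spf(domain, client_ip):
    """Evaluate the v=spf1 record of `domain` for the connecting client address.
    Mechanisms are tried left to right; the first match decides the result."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if not records:
        return "none"          # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"     # RFC 7208: more than one record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "a":      # a or a:host -> client is one of that name's A records
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(arg or domain, "A"))
        elif name == "mx":     # mx or mx:domain -> client is an A record of an MX host
            matched = any(ip == ipaddress.ip_address(a)
                          for h in lookup(arg or domain, "MX") for a in lookup(h, "A"))
        elif name == "ip4":    # ip4:addr or ip4:cidr
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # include/exists/ptr/ip6 not implemented in this example
        if matched:
            return QUALIFIERS[qual]
    return "neutral"           # no mechanism matched and no explicit all
```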
From: Scott Kitterman on 8 Aug 2010 16:19

"donovan jeffrey j" <donovan(a)beth.k12.pa.us> wrote:
> [donovan's previous message, quoted in full]

See http://www.openspf.org/Forums for information on how to subscribe to the spf-help mailing list. The question is on topic there.

Scott K