[Postfix-br] Problems with received spam

Claudio Junior csjunior at gmail.com
Tue Apr 29 22:30:02 BRT 2014


Hello everyone

After some time studying Postfix to improve the problems I am having with
spam, I implemented the following solution related to
restrictions:

smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    reject_rbl_client bl.spamcop.net
    reject_rbl_client zen.spamhaus.org
    reject_rbl_client dnsbl.sorbs.net
    check_sender_access mysql:/etc/postfix/mysql_virtual_mysenders_maps.cf
    check_sender_access cidr:/etc/postfix/cidr_koreia_china_nets
    check_policy_service inet:127.0.0.1:60000
    check_policy_service unix:private/policy-spf
smtpd_sender_restrictions =


The query in mysql_virtual_mysenders_maps returns my domains served
by MySQL with the reject option. The idea is to block the sending of emails
from my domain by unauthenticated users. The rest you can see for
yourselves. I am also using some RBLs.

What do you think of this?

Can you give further suggestions to improve it?

Regards.


--
Claudio da Silva Junior
csjunior at gmail.com


On April 8, 2014 at 17:58, Carlos <carlos at greco.com.br> wrote:

> I have the same problem, but I noticed that in both emails we have
> Received-SPF: None (no SPF record); could I reject the email?
> I use Zimbra
>
> Greco
>
> ------------------------------
> *From: *"Marcelo Padovan" <marcelinho04 at gmail.com>
> *To: *"Lista de administradores de servidores Postfix do Brasil" <
> postfix-br at listas.softwarelivre.org>
> *Sent: *Tuesday, April 8, 2014 16:47:56
> *Subject: *Re: [Postfix-br] Problems with received spam
>
>
> Hello everyone,
>
> I also suffer a bit from spoofing, but from the debugging I was able to do, the
> problem is not with the FROM but with the Return Path.
> All the "spoofed" messages with my domain had a return path
> pointing to the domain the message originated from.
>
> I am not deeply familiar with RFC4408; does anyone know whether the return path takes
> precedence over the FROM in the SPF check?
>
> I found something on Google about this; if you have any success, please
> comment.
>
> Links:
>
>
> http://www.zimbra.com/forums/administrators/37498-spamassassin-check-return-path-against-address.html
>
>
> http://www.zimbra.com/forums/administrators/37072-spam-sourced-virtual-domain-user-same-user.html
>
>
> Regards
>
>
> Sincerely.
>
> Marcelo Padovan
> (16) 99703-4939
>
> Skype: marpadovan / marpadovan at hotmail.com
> Gtalk: marcelinho04 at gmail.com
>
>
>
> On Wed, Apr 2, 2014 at 6:53 PM, Claudio Junior <csjunior at gmail.com> wrote:
>
>> I already have SPF active. I don't know whether the blocking level is OK,
>> but that is not the problem.
>>
>>
>> --
>> Claudio da Silva Junior
>> csjunior at gmail.com
>>
>>
>> 2014-04-02 18:07 GMT-03:00 Guilherme Rezende <postfix at guilherme.eti.br>:
>>
>> I have not been able to solve this problem to this day....
>>>
>>>
>>> On 02/04/2014 16:23, vic wrote:
>>>
>>>  On 2014-04-01 12:20, Claudio Junior wrote:
>>>>
>>>>> Hello everyone
>>>>>
>>>>> I am having problems with received spam in which the user's client
>>>>> shows the source email as the user's own email,
>>>>> that is, the source email is the same as the destination email.
>>>>>
>>>>> Today I have the following rules in main.conf in my Postfix:
>>>>>
>>>>> smtpd_client_restrictions =
>>>>> smtpd_helo_restrictions =
>>>>>
>>>>> smtpd_sender_restrictions =
>>>>>         permit_mynetworks,
>>>>>         permit_sasl_authenticated,
>>>>>         check_sender_access hash:/etc/postfix/access,
>>>>>         check_sender_access cidr:/etc/postfix/cidr_koreia_china_nets
>>>>>         reject_non_fqdn_sender,
>>>>>         reject_unknown_sender_domain,
>>>>> #       warn_if_reject reject_unverified_sender,
>>>>>         permit
>>>>>
>>>>> smtpd_recipient_restrictions =
>>>>>    permit_mynetworks
>>>>> #   permit_sasl_authenticated
>>>>>    reject_unauth_destination
>>>>>    check_policy_service inet:127.0.0.1:60000
>>>>>    check_policy_service unix:private/policy-spf
>>>>>    reject_non_fqdn_sender
>>>>>    reject_non_fqdn_recipient
>>>>>    reject_unknown_recipient_domain
>>>>>    reject_rbl_client bl.spamcop.net
>>>>>    reject_rbl_client zen.spamhaus.org
>>>>>    reject_rbl_client dnsbl.sorbs.net
>>>>>
>>>>> In the file /etc/postfix/access I have two lines with a REJECT for
>>>>> my domain (or domains).
>>>>>
>>>>> The header of the email I am receiving is:
>>>>>
>>>>> Return-Path: <"www-data at mmnishida"@ig.com.br>
>>>>> Delivered-To: wellington at xxxxxxxx.coop.br
>>>>> Received: from localhost (localhost [127.0.0.1])
>>>>>     by srv03xxxxxxxx.xxxxxxxx.com (Postfix) with ESMTP id F256C7FCA6
>>>>>     for <wellington at xxxxxxxx.com>; Mon, 31 Mar 2014 01:50:10 -0300 (BRT)
>>>>> X-Virus-Scanned: Debian amavisd-new at srv03xxxxxxxx.xxxxxxxx.coop.br
>>>>> X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char F3 hex):
>>>>>      Subject: (URGENTE) Comprovante de Dep363sito (66703)
>>>>> Received: from mail.xxxxxxxx.coop.br ([127.0.0.1])
>>>>>     by localhost (srv03xxxxxxxx.xxxxxxxx.coop.br [127.0.0.1])
>>>>>     (amavisd-new, port 10024)
>>>>>     with ESMTP id y6R8q59HOfXP for <wellington at xxxxxxxx.com>;
>>>>>     Mon, 31 Mar 2014 01:50:05 -0300 (BRT)
>>>>> X-Greylist: delayed 596 seconds by postgrey-1.32 at srv03xxxxxxxx;
>>>>>     Mon, 31 Mar 2014 01:50:02 BRT
>>>>> Received-SPF: None (no SPF record) identity=mailfrom;
>>>>>     client-ip=138.91.20.116; helo=npx11.npx11.m5.internal.cloudapp.net;
>>>>>     envelope-from=www-data at mmnishida@ig.com.br;
>>>>>     receiver=wellington at xxxxxxxx.com
>>>>> Received: from npx11.npx11.m5.internal.cloudapp.net (unknown [138.91.20.116])
>>>>>     by srv03xxxxxxxx.xxxxxxxx.com (Postfix) with ESMTP id 813A97FCA4
>>>>>     for <wellington at xxxxxxxx.com>; Mon, 31 Mar 2014 01:50:02 -0300 (BRT)
>>>>> Received: by npx11.npx11.m5.internal.cloudapp.net (Postfix, from userid 33)
>>>>>     id C990B21B38; Mon, 31 Mar 2014 04:38:28 +0000 (UTC)
>>>>> To: wellington at xxxxxxxx.com
>>>>> Subject: (URGENTE) Comprovante de Depsito (66703)
>>>>> X-PHP-Originating-Script: 0:wwew.php
>>>>> MIME-Version: 1.0
>>>>> Content-type: text/html; charset=iso-8859-1
>>>>> X-Mailer: Microsoft Office Outlook, Build 17.551210
>>>>> Content-Transfer-encoding: 8bit
>>>>> From: wellington at xxxxxxxx.com
>>>>> Reply-To: wellington at xxxxxxxx.com
>>>>> X-Mailer: iGMail [www.ig.com.br]
>>>>> X-Originating-Email: wellington at xxxxxxxx.com
>>>>> X-Sender: wellington at xxxxxxxx.com
>>>>> X-iGspam-global: Unsure, spamicity=0.570081 - pe=5.74e-01 -
>>>>>     pf=0.574081 - pg=0.574081
>>>>> Message-Id: <20140331043828.C990B21B38 at npx11.npx11.m5.internal.cloudapp.net>
>>>>> Date: Mon, 31 Mar 2014 04:38:28 +0000 (UTC)
>>>>>
>>>>> Does anyone know what this could be? Since it is a production environment, it is
>>>>> difficult to keep running tests. I need to implement a configuration
>>>>> that blocks this type of email.
>>>>>
>>>>> --
>>>>> Claudio da Silva Junior
>>>>> csjunior at gmail.com
>>>>>
>>>>>
>>>> Configure SPF on your domain(s).
>>>>
>>>>
>>> _______________________________________________
>>> Postfix-br mailing list
>>> Postfix-br at listas.softwarelivre.org
>>> http://listas.softwarelivre.org/cgi-bin/mailman/listinfo/postfix-br
>>>
>
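
Added example, not part of the thread: the headers quoted above show Received-SPF evaluated with identity=mailfrom on the envelope-from, while the From header carried the recipient's own address, and Postfix's check_sender_access likewise looks up the MAIL FROM address. This sketch separates messages whose envelope sender claims a local domain from messages where only the header From does. The function names, the sample messages and the domains mydomain.example and sender.example are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAINS = {"mydomain.example"}  # assumption: domains hosted on this server

# Constructed sample modelled on the header pattern quoted in the thread:
# foreign envelope sender, local address in the visible From.
HEADER_SPOOF = """\
Return-Path: <www-data@sender.example>
Received-SPF: None (no SPF record) identity=mailfrom; envelope-from=www-data@sender.example
From: user@mydomain.example
To: user@mydomain.example
Subject: constructed sample

body
"""

# Constructed sample where the envelope sender itself claims the local domain.
ENVELOPE_SPOOF = """\
Return-Path: <user@mydomain.example>
Received-SPF: Fail (not permitted) identity=mailfrom; envelope-from=user@mydomain.example
From: user@mydomain.example
To: user@mydomain.example
Subject: constructed sample

body
"""

def domain(value):
    """Lower-cased domain of the first address in a header value, '' if none."""
    _, sep, dom = parseaddr(value or "")[1].rpartition("@")
    return dom.lower() if sep else ""

def classify(raw_message, local_domains):
    """Return (verdict, envelope_domain, spf_result) for one delivered message."""
    msg = message_from_string(raw_message)
    envelope = domain(msg["Return-Path"])   # MAIL FROM as recorded at delivery
    header_from = domain(msg["From"])       # what the mail client displays
    spf = (msg.get("Received-SPF", "none").split() or ["none"])[0].lower()
    if envelope in local_domains:
        # check_sender_access and the local domain's SPF record both apply here.
        return "envelope-sender-local", envelope, spf
    if header_from in local_domains:
        # SPF judged the foreign envelope domain; sender access never saw From.
        return "header-from-local-only", envelope, spf
    return "external", envelope, spf
```
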