
nuke
Resolved
0 votes
Hi all.
Over the past few weeks the number of spam messages has been growing and I've been trying to block the offending IP ranges.
I've been adding the IP ranges into the /etc/clearos/firewall.d/local but it doesn't appear to work.
Example: I put in
$IPTABLES -I INPUT -s 216.99.148.0/24 -j DROP # Psychz network spam 2

But then I still get many spam messages from 216.99.148.167; 216.99.148.169; 216.99.148.175 etc. etc.
When I do the command
iptables -nvL | grep DROP
I can see that 216.99.148.0/24 is included in the INPUT with DROP command.

Since it didn't seem to be working properly, I have now blocked the individual IP addresses. That appears to work; however, it is somewhat time-consuming adding each IP address manually. The subnet notation would be so much more efficient.

Have I done something wrong in the subnet statement in the local file that it doesn't work?
Saturday, December 11 2021, 07:35 PM

Accepted Answer

Monday, December 13 2021, 04:16 PM
Can you post the e-mail headers of the two IPs that were in the list?

Are you by any chance using the Clearcenter MX backup? If so, that can completely defeat firewall blocks. The reason for that is that when your firewall is blocked the sender falls back to sending it to your MX Backup server (some naughty systems even try to start with the backup server). Then the backup server sees you are available and forwards it on to you, so really the spam is coming from the MX Backup server and not directly from the IPs you quote. The only way round that is to run your own backup server and apply the same firewall rules to both.
Responses (11)
  • Saturday, December 11 2021, 09:28 PM
    Assuming the mail server is running on ClearOS, then the subnet rule should be fine and I see no reason why the firewall isn't dropping traffic unless it is already connected. Personally I use an ipset set as it is more efficient for a lot of subnets or IPs.
  • nuke, Sunday, December 12 2021, 07:22 PM
    Thank you Nick.
    I am running ClearOS mail server.
    I am assuming the IPs aren't connected, as the spam is intermittent. So when the reconnect happens it should block, but it doesn't.
    Is there a way that I can check?

    I'll look into the ipset. I'm always looking for ways to be more efficient. Thanks again for your help.
  • Sunday, December 12 2021, 09:18 PM
    nuke wrote:
    I am running ClearOS mail server.
    As long as the firewall and the mail server are on the same machine this is fine. I don't know how you'd check, but I'd be interested in the mail server log for anything managing to get through. Also, what do you get from:
    iptables -nvL INPUT
    with the blocks in place?
  • nuke, Monday, December 13 2021, 03:36 PM
    Hi Nick,

    Thanks in advance for having a look.

    I had 107.160.17.0/24 originally in the firewall local but then I removed that since it didn't appear to work. So I put individual lines. Those appear to work. But I'd rather just block the IP range. I do have IP ranges in the list from before, and I assume those work but I can't tell at the moment.

    This morning I got a bunch of spam from:
    107.160.17.92 > in list
    107.160.17.104 > in list
    107.160.17.108 > new
    107.160.17.112 > new
    107.160.17.116 > new
    107.160.17.118 > new
    107.160.17.124 > new

    I'm going to add the new in a moment but first here is the list of INPUT DROPs.

    # iptables -nvL INPUT
  • nuke, Tuesday, December 14 2021, 12:03 AM
    That is very interesting and might be what's going on. Yes, I've been using Clear mail MX as backup.

    I read about this over the weekend, about changing some settings in either Spamassassin or Postfix, but I can't remember which. It flew over my head as I didn't even think about the Clear MX. It was along the lines of making sure that email only came in via the lower MX records. But that screws up if the server goes down for a while. Then all the email goes into the black hole.

    I'll collect the maillog info this evening and post.

    Thanks again.
  • nuke, Tuesday, December 14 2021, 01:11 AM
    Here are the maillog lines.

    It does look like they pushed the spam to the backup. The first few lines show the clearsdn.com server delivering the spam message. Since each spam message comes from a different domain, it will come through with an OK from the clearsdn.com IP address. :-(

    I never would have checked this despite seeing the clearsdn.com in the maillog.

    Unbelievable. So probably the firewall was working OK.

    Now to figure out how to stop this.

    Dec 12 12:33:27 mydomain postfix/smtpd[4026]: connect from mail1-newark.clearsdn.com[173.255.233.57]
    Dec 12 12:33:27 mydomain postgrey[864]: action=pass, reason=client AWL, client_name=mail1-newark.clearsdn.com, client_address=173.255.233.57, sender=meredith-provide-insurance-myemail=mydomain.com@startclassic.com, recipient=myemail@mydomain.com
    Dec 12 12:33:27 mydomain postfix/smtpd[4026]: BF91B404DB7A4: client=mail1-newark.clearsdn.com[173.255.233.57]
    Dec 12 12:33:27 mydomain postfix/cleanup[4031]: BF91B404DB7A4: message-id=<0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>
    Dec 12 12:33:27 mydomain postfix/qmgr[30038]: BF91B404DB7A4: from=<meredith-provide-insurance-myemail=mydomain.com@startclassic.com>, size=27399, nrcpt=1 (queue active)
    Dec 12 12:33:27 mydomain postfix/smtpd[4026]: disconnect from mail1-newark.clearsdn.com[173.255.233.57]
    Dec 12 12:33:27 mydomain mailfilter: starting up (sender=meredith-provide-insurance-myemail=mydomain.com@startclassic.com, recipients=myemail@mydomain.com, client_address=173.255.233.57)
    Dec 12 12:33:27 mydomain postfix/smtpd[4035]: connect from localhost[127.0.0.1]
    Dec 12 12:33:27 mydomain postfix/smtpd[4035]: E805B404DB7A5: client=localhost[127.0.0.1]
    Dec 12 12:33:27 mydomain postfix/cleanup[4031]: E805B404DB7A5: message-id=<0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>
    Dec 12 12:33:28 mydomain postfix/qmgr[30038]: E805B404DB7A5: from=<meredith-provide-insurance-myemail=mydomain.com@startclassic.com>, size=27571, nrcpt=1 (queue active)
    Dec 12 12:33:28 mydomain postfix/smtpd[4035]: disconnect from localhost[127.0.0.1]
    Dec 12 12:33:28 mydomain mailfilter: successfully completed (sender=meredith-provide-insurance-myemail=mydomain.com@startclassic.com, recipients=myemail@mydomain.com, client_address=173.255.233.57, id=<0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>;)
    Dec 12 12:33:28 mydomain postfix/pipe[4032]: BF91B404DB7A4: to=<myemail@mydomain.com>, orig_to=<myemail@mydomain.com>, relay=mailprefilter, delay=0.4, delays=0.23/0.01/0/0.15, dsn=2.0.0, status=sent (delivered via mailprefilter service)
    Dec 12 12:33:28 mydomain postfix/qmgr[30038]: BF91B404DB7A4: removed
    Dec 12 12:33:28 mydomain amavis[10542]: (10542-10) ESMTP :10024 /var/lib/amavis/tmp/amavis-20211212T055718-10542-KCJe2dBj: <meredith-provide-insurance-myemail=mydomain.com@startclassic.com> -> <myemail@mydomain.com> SIZE=27571 Received: from mail.mydomain.ca ([127.0.0.1]) by localhost (mydomain.ca [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <myemail@mydomain.com>; Sun, 12 Dec 2021 12:33:28 -0500 (EST)
    Dec 12 12:33:28 mydomain amavis[10542]: (10542-10) dkim: VALID Author+Sender+MailFrom signature by d=startclassic.com, From: <meredith-provide-insurance@startclassic.com>, a=rsa-sha1, c=relaxed/relaxed, s=dkim, i=meredith-provide-insurance@startclassic.com, ORIG [127.0.0.1]:37710, m.list(ml:http://www.startclassic.com/b6f5B2V395Cp8I911O1wg1x6a67I28SrI4gsitftvsYbxDrDh8xbGwEGsi8jRcoKooe5sG10Y6yzMi3h/treating-rankle)
    Dec 12 12:33:28 mydomain amavis[10542]: (10542-10) dkim: VALID Author+Sender+MailFrom signature by d=startclassic.com, From: <meredith-provide-insurance@startclassic.com>, a=rsa-sha1, c=nofws, s=dkim, i=meredith-provide-insurance@startclassic.com, ORIG [127.0.0.1]:37710, m.list(ml:http://www.startclassic.com/b6f5B2V395Cp8I911O1wg1x6a67I28SrI4gsitftvsYbxDrDh8xbGwEGsi8jRcoKooe5sG10Y6yzMi3h/treating-rankle)
    Dec 12 12:33:28 mydomain amavis[10542]: (10542-10) Checking: FOBg0prF-Mbk [127.0.0.1] <meredith-provide-insurance-myemail=mydomain.com@startclassic.com> -> <myemail@mydomain.com>
    Dec 12 12:33:28 mydomain amavis[10542]: (10542-10) p003 1 Content-Type: multipart/alternative
    Dec 12 12:33:28 mydomain amavis[10542]: (10542-10) p001 1/1 Content-Type: text/plain, size: 324 B, name:
    Dec 12 12:33:28 mydomain amavis[10542]: (10542-10) p002 1/2 Content-Type: text/html, size: 24387 B, name:
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) spam-tag, <meredith-provide-insurance-myemail=mydomain.com@startclassic.com> -> <myemail@mydomain.com>, No, score=4.062 tagged_above=-99 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43, RAZOR2_CHECK=1.729, SPF_HELO_NONE=0.001] autolearn=no autolearn_force=no
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) dkim: candidate originators: From:<meredith-provide-insurance@startclassic.com>, mail_from:<meredith-provide-insurance-myemail=mydomain.com@startclassic.com>
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) dkim: not signing, empty signing domain, From: <meredith-provide-insurance@startclassic.com>
    Dec 12 12:33:29 mydomain postfix/smtpd[4039]: connect from localhost[127.0.0.1]
    Dec 12 12:33:29 mydomain postfix/smtpd[4039]: C9EEA404DB7DC: client=localhost[127.0.0.1]
    Dec 12 12:33:29 mydomain postfix/cleanup[4031]: C9EEA404DB7DC: message-id=<0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>
    Dec 12 12:33:29 mydomain postfix/smtpd[4039]: disconnect from localhost[127.0.0.1]
    Dec 12 12:33:29 mydomain postfix/qmgr[30038]: C9EEA404DB7DC: from=<meredith-provide-insurance-myemail=mydomain.com@startclassic.com>, size=28549, nrcpt=1 (queue active)
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) FOBg0prF-Mbk FWD from <meredith-provide-insurance-myemail=mydomain.com@startclassic.com> -> <myemail@mydomain.com>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok: queued as C9EEA404DB7DC
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1]:37710 [107.160.17.104] <meredith-provide-insurance-myemail=mydomain.com@startclassic.com> -> <myemail@mydomain.com>, Queue-ID: E805B404DB7A5, Message-ID: <0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>, mail_id: FOBg0prF-Mbk, Hits: 4.062, size: 27537, queued_as: C9EEA404DB7DC, dkim_sd=dkim:startclassic.com, 1821 ms
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) TIMING-SA total 1538 ms - parse: 2.5 (0.2%), extract_message_metadata: 28 (1.8%), get_uri_detail_list: 1.62 (0.1%), tests_pri_-1000: 5 (0.3%), tests_pri_-950: 0.78 (0.1%), tests_pri_-900: 5 (0.3%), tests_pri_-90: 0.62 (0.0%), tests_pri_0: 202 (13.1%), check_spf: 98 (6.3%), poll_dns_idle: 1123 (73.0%), tests_pri_20: 231 (15.0%), check_razor2: 228 (14.8%), tests_pri_30: 1.29 (0.1%), check_pyzor: 0.19 (0.0%), tests_pri_500: 1046 (68.1%), get_report: 0.70 (0.0%)
    Dec 12 12:33:29 mydomain postfix/smtp[4036]: E805B404DB7A5: to=<myemail@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.9, delays=0.07/0.02/0/1.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok: queued as C9EEA404DB7DC)
    Dec 12 12:33:29 mydomain postfix/qmgr[30038]: E805B404DB7A5: removed
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) size: 27537, TIMING [total 1825 ms] - SMTP greeting: 1.2 (0%)0, SMTP EHLO: 0.5 (0%)0, SMTP pre-MAIL: 0.5 (0%)0, SMTP pre-DATA-flush: 1.5 (0%)0, SMTP DATA: 39 (2%)2, check_init: 0.3 (0%)2, digest_hdr: 2.6 (0%)2, digest_body_dkim: 25 (1%)4, collect_info: 3.2 (0%)4, mime_decode: 9 (0%)5, get-file-type2: 59 (3%)8, parts_decode: 0.2 (0%)8, check_header: 0.5 (0%)8, AV-scan-1: 57 (3%)11, spam-wb-list: 0.4 (0%)11, SA msg read: 0.5 (0%)11, SA parse: 2.9 (0%)11, SA check: 1532 (84%)95, decide_mail_destiny: 5 (0%)95, notif-quar: 0.4 (0%)95, fwd-connect: 47 (3%)98, fwd-mail-pip: 2.9 (0%)98, fwd-rcpt-pip: 0.2 (0%)98, fwd-data-chkpnt: 0.0 (0%)98, write-header: 0.6 (0%)98, fwd-data-contents: 0.5 (0%)98, fwd-end-chkpnt: 23 (1%)99, prepare-dsn: 0.5 (0%)100, report: 1.2 (0%)100, main_log_entry: 4.3 (0%)100, update_snmp: 1.8 (0%)100, SMTP pre-response: 0.2 (0%)100, SMTP response: 0.2 (0%)100, unlink-3-files: 0.3 (0%)100, rundown: 0.6 (0%)100
    Dec 12 12:33:29 mydomain mailfilter: starting up (sender=meredith-provide-insurance-myemail=mydomain.com@startclassic.com, recipients=myemail@mydomain.com, client_address=127.0.0.1)
    Dec 12 12:33:30 mydomain lmtp[4044]: Delivered: <0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com> to mailbox: user.myemail
    Dec 12 12:33:30 mydomain lmtp[4044]: USAGE myemail user: 0.006206 sys: 0.002068
    Dec 12 12:33:30 mydomain mailfilter: filter successfully completed.
    Dec 12 12:33:30 mydomain mailfilter: successfully completed (sender=meredith-provide-insurance-myemail=mydomain.com@startclassic.com, recipients=myemail@mydomain.com, client_address=127.0.0.1, id=<0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>;)
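    As an added example (not from this thread and not ClearOS code), the script below correlates the Postfix smtpd and cleanup lines with the amavis verdict line to show why a subnet DROP rule can look broken: the originating IP sits inside a blocked /24, but the host that actually connected to smtpd was the backup MX, so the firewall never saw the origin. The sample log is constructed from the lines above plus one directly delivered message; it assumes the second bracketed address in the amavis "Passed" line is the originating IP amavis recovered from the Received: headers, and relies on the queue-id to Message-ID chaining visible in the log.

```python
"""Correlate Postfix and amavis maillog lines to tell whether a message that
originated in a firewalled subnet was in fact handed to us by a relay."""
import ipaddress
import re

# Constructed sample, modelled on the maillog excerpt in this thread: one
# message relayed by the backup MX, one delivered directly by its origin.
SAMPLE_LOG = """\
Dec 12 12:33:27 mydomain postfix/smtpd[4026]: connect from mail1-newark.clearsdn.com[173.255.233.57]
Dec 12 12:33:27 mydomain postfix/smtpd[4026]: BF91B404DB7A4: client=mail1-newark.clearsdn.com[173.255.233.57]
Dec 12 12:33:27 mydomain postfix/cleanup[4031]: BF91B404DB7A4: message-id=<0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>
Dec 12 12:33:27 mydomain postfix/smtpd[4035]: E805B404DB7A5: client=localhost[127.0.0.1]
Dec 12 12:33:27 mydomain postfix/cleanup[4031]: E805B404DB7A5: message-id=<0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>
Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1]:37710 [107.160.17.104] <meredith-provide-insurance-myemail=mydomain.com@startclassic.com> -> <myemail@mydomain.com>, Queue-ID: E805B404DB7A5, Message-ID: <0.0.0.1B.1D7EF7B516F32FA.5D4C46@mail.startclassic.com>, mail_id: FOBg0prF-Mbk, Hits: 4.062
Dec 12 13:05:02 mydomain postfix/smtpd[4100]: connect from unknown[198.51.100.7]
Dec 12 13:05:02 mydomain postfix/smtpd[4100]: 1A2B3C4D5E6F7: client=unknown[198.51.100.7]
Dec 12 13:05:02 mydomain postfix/cleanup[4031]: 1A2B3C4D5E6F7: message-id=<direct-1@example.org>
Dec 12 13:05:04 mydomain amavis[10542]: (10542-11) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1]:37800 [198.51.100.7] <news@example.org> -> <myemail@mydomain.com>, Queue-ID: 9F8E7D6C5B4A3, Message-ID: <direct-1@example.org>, mail_id: AbCdEfGh1234, Hits: 0.5
"""

# Subnets as they would appear in "$IPTABLES -I INPUT -s X/24 -j DROP" rules.
BLOCKED_RULES = ["216.99.148.0/24", "107.160.17.0/24"]

# smtpd: queue id -> the host that connected to us (what the firewall saw)
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^\[\s]+)\[([\d.]+)\]")
# cleanup: queue id -> Message-ID (the key that survives amavis re-injection)
MSGID_RE = re.compile(r"postfix/cleanup\[\d+\]: (\w+): message-id=<([^>]+)>")
# amavis: "LOCAL [client]:port [originating] <sender> -> <rcpt> ... Message-ID".
# Assumption: the second bracketed address is the originating IP amavis
# recovered from the Received: chain, i.e. the real source of the message.
AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \([\d-]+\) Passed \S+ .*?\[([\d.]+)\]:\d+ \[([\d.]+)\] "
    r"<([^>]*)> -> <([^>]*)>.*?Message-ID: <([^>]+)>"
)


def parse_blocked(rules):
    return [ipaddress.ip_network(r, strict=False) for r in rules]


def is_blocked(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def correlate(log_text, blocked_rules):
    """Return one record per amavis verdict: origin IP, whether the firewall
    rules cover it, and which host actually delivered it to our smtpd."""
    nets = parse_blocked(blocked_rules)
    client_by_qid, msgid_by_qid = {}, {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m and m.group(3) != "127.0.0.1":   # skip the amavis re-injection hop
            client_by_qid[m.group(1)] = (m.group(2), m.group(3))
        m = MSGID_RE.search(line)
        if m:
            msgid_by_qid[m.group(1)] = m.group(2)
    # Message-ID -> the external host that handed the message to smtpd
    client_by_msgid = {}
    for qid, msgid in msgid_by_qid.items():
        if qid in client_by_qid and msgid not in client_by_msgid:
            client_by_msgid[msgid] = client_by_qid[qid]
    records = []
    for line in log_text.splitlines():
        m = AMAVIS_RE.search(line)
        if not m:
            continue
        _local, origin, sender, rcpt, msgid = m.groups()
        host, client_ip = client_by_msgid.get(msgid, ("?", "?"))
        records.append({
            "msgid": msgid, "sender": sender, "rcpt": rcpt,
            "origin": origin, "origin_blocked": is_blocked(origin, nets),
            "smtp_client": client_ip, "smtp_client_host": host,
            # True when the firewall never saw the origin, only a relay.
            "relayed": client_ip != origin,
        })
    return records


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG, BLOCKED_RULES):
        verdict = "RELAYED by" if r["relayed"] else "direct from"
        print(f"{r['origin']:>16} blocked={r['origin_blocked']!s:5} "
              f"{verdict} {r['smtp_client_host']}[{r['smtp_client']}]  {r['sender']}")
```

    A message flagged both origin_blocked and relayed is exactly the case described in this thread: the DROP rule is correct, but the only connection it could have stopped was made by the backup MX, not by the spam source.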
  • Tuesday, December 14 2021, 09:33 AM
    It is very hard to stop this as the ClearSDN servers are configured OK. If your network goes down for a short while, a well-behaved sending server should retry later, but not all do. I think the ClearOS postfix is configured to keep trying for up to 5 days before it gives up, but I can't remember exactly. If your server refuses anything because of postfix or spamassassin checks, the ClearSDN servers will keep trying to deliver the messages for a week. You may just have to accept this level of spam if you want to use an MX backup service you don't control.
  • nuke, Tuesday, December 14 2021, 09:04 PM
    Thanks Nick.

    Out of curiosity, is there a way to run email from the MX backup through spamassassin before putting it into the mailbox? Or perhaps have postfix check MX email coming in through those same checks? I already have postfix checking RBL lists and in spamassassin it is checking URIBL.

    Thanks again for your help.
  • Tuesday, December 14 2021, 09:26 PM
    AFAIK it does go through spamassassin, but none of the RBL lists will work as they all look up the ClearSDN server IPs. The other tests will work. See the line in your logs:
    Dec 12 12:33:29 mydomain amavis[10542]: (10542-10) spam-tag, <meredith-provide-insurance-myemail=mydomain.com@startclassic.com> -> <myemail@mydomain.com>, No, score=4.062 tagged_above=-99 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RAZOR2_CF_RANGE_51_100=2.43, RAZOR2_CHECK=1.729, SPF_HELO_NONE=0.001] autolearn=no autolearn_force=no
    This message scored 4.062 and you can see the breakdown of the different elements.
  • nuke, Saturday, December 18 2021, 08:47 PM
    Nick Howitt wrote:

    AFAIK it does go through spamassassin, but none of the RBL lists will work as they all look up the ClearSDN server IPs.


    Nick, I figured out something that might help others. (Perhaps this is also a stupid rule, as other valid senders might use this, but I haven't found any using this form in the past month's logs.)

    I put the following in the Spamassassin blacklist and now I'm spam-free from those people stuffing the MX backup. I noticed that they always have the same form in the logs:
    form of email address:
    <meredith-provide-insurance-myemail=mydomain.com@startclassic.com>

    Following put in the Spamassassin blacklist:
    *myemail=mydomain.com@*


    So far in the past 3 days, it's caught and gotten rid of 1200+ spam messages. It's a shame for the wasted processing and bandwidth, but my email client is clean for the first time in weeks.

    Maybe this should be cross posted to the forum dealing with Spamassassin?
  • Saturday, December 18 2021, 08:53 PM
    If the spam is as simple to identify as that, have a look at /etc/postfix/header_checks.

    [edit]
    .... but if you use it, don't REJECT it, DISCARD it, or it goes back to the MX backup which will only try again.
    [/edit]