1

I'm currently running a centOS server with directadmin and custombuild. I keep getting spoofed phishing mails with spoofed from addresses that have SPF setup properly.

Spamassassin gives it a score 1.8, probably because the mail seem legit and other tests compounded result in a negative score. So negative score + SPF test score = 1.8

In directadmin you have ways to block mail, but this is looking at the from address, not the mailserver that is spoofing.

All mails have these same sending mailserver headers: Received: from cm17.websitewelcome.com (cm17.websitewelcome.com [100.42.49.20]) by gateway34.websitewelcome.com (Postfix)

IP addresses change and subdomains change. But if I can somewhere block all mail from *.websitewelcome.com my problem is solved for a while.

Can I block this somewhere in Postfix or Exim? Increasing SPF test score value is also an approach, but this can mark a lot of legit mails as well

user3411864
  • 131
  • 3

2 Answers2

1

In Postfix you can block it directly on smtpd(8).

According to http://www.postfix.org/SMTPD_ACCESS_README.html you can use

smtpd_client_restrictions - Reject all client commands

With it you can (http://www.postfix.org/postconf.5.html#smtpd_client_restrictions)

check_client_access type:table

Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details.

http://www.postfix.org/access.5.html contains example:

  /etc/postfix/main.cf:
           smtpd_client_restrictions =
               check_client_access hash:/etc/postfix/access

and

/etc/postfix/access:
.websitewelcome.com REJECT
100.42.48.0/20 REJECT

(use whois to find network number and mask)

don't forget to call postmap(1)

Or you can block the whole IP network on your firewall, like

sudo iptables -I INPUT --src=100.42.48.0/20 -m tcp -p tcp --dport=25 -j DROP
user996142
  • 211
  • 1
  • 5
  • If I whois websitewelcome.com I get an IP in USA and not in Rusland. So the subdomains get new IP ranges. So blocking IP is only effective for a short period – user3411864 Feb 05 '22 at 12:00
  • What about `smtpd_sender_restrictions` or `smtpd_helo_restrictions`? You can block on this level also – user996142 Feb 05 '22 at 16:18
0

Firewall block:

iptables -t raw -A PREROUTING -s ${BAD_IP} -j DROP

Block by header:

In /etc/postfix/main.cf

header_checks = /etc/postfix/header_checks

In /etc/postfix/header_checks

/From:\ .*baddomain\.tld/ DISCARD BAD AND STINKY DOMAIN

Run these commands

postmap /etc/postfix/header_checks
systemctl restart postfix
Cameron
  • 176
  • 3