
I am trying to stop spam from one sender. They use a different mail server each time. Here are the headers from the original email (I replaced my email and host with my-email@my-domain.com, and the sender email and host with sender-email@sender-website.com; everything else is unchanged):

From - Mon Jan 27 14:17:08 2014
X-Account-Key: account7
X-UIDL: 1201266183.11294
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:                                                                                 
Return-Path: <4a590193769-1-589@delivery-gate.com>
Received: from my-domain.com ([unix socket])
     by localhost (Cyrus v2.2.13-Debian-2.2.13-10) with LMTPA;
     Mon, 27 Jan 2014 14:15:18 +0200
X-Sieve: CMU Sieve 2.2
X-Greylist: delayed 460 seconds by postgrey-1.27 at mnl-bck; Mon, 27 Jan 2014 14:15:05 EET
Received: from gw13.delivery-gate.com (gw13.delivery-gate.com [72.29.83.9])
    by my-domain.com (ESMTP daemon) with ESMTP id 999EA15F505
    for <my-email@my-domain.com>; Mon, 27 Jan 2014 14:15:05 +0200 (EET)
MIME-Version: 1.0
From: Blah blah blah <sender-email@sender-website.com>
To: my-email@my-domain.com
X-Original-To: my-email@my-domain.com
Reply-To: Blah blah blah <sender-email@sender-website.com>
Subject: {(***Disarmed***)} =?UTF-8?B?VmFsZW50xKtuYSBkaWVuYSBuxIFrIQ==?=
Date: Mon, 27 Jan 2014 12:07:07 +0000
DKIM-Signature: v=1; a=rsa-sha1; q=dns/txt; l=6092; s=default;
    t=1390824427; c=relaxed/simple;
    h=From:To:Subject;
    d=delivery-gate.com;
    z=From:=20Blah blah blah=20<sender-email@sender-website.com>
    |To:=20my-email@my-domain.com
    |Subject:=20=3D?UTF-8?B?VmFsZW50xKtuYSBkaWVuYSBuxIFrIQ=3D=3D?=3D;
    bh=fOfN6GO2cjh0ZljdK73x8C71zUg=;
    b=BGlxwArEBjFsawRUIO7e9DyOBaUvFs0xgUCPKVkOXVoF0ND5BKxQzCuDqpV3ek1kOGo/gn0UaCH0j405y/XXEfhTE83NN6C/V7zY2pcxf6iBeMAxxqy93CNL1UsAjRLhZOBhg2m1c47WPpHzZdn9dOxXM190YD6x+xqHo8Ydu+c=
Content-Type: multipart/alternative;
    boundary="=_6ec15ca19a7f51e90ef52ebaa3d3dfc1"
Message-Id: <20140127120707.1874C2C0E5614@gw13.delivery-gate.com>
X-my-domain.com-MailScanner: Found to be clean
X-my-domain.com-MailScanner-SpamScore:  2.77
X-my-domain.com-MailScanner-From: 4a590193769-1-589@delivery-gate.com
X-MailScanner-Envelope-To: my-email@my-domain.com


--=_6ec15ca19a7f51e90ef52ebaa3d3dfc1
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"

I edited /etc/postfix/sender_access to reject email from sender-website.com. But that does not work, because Postfix sees the email as coming from a different sender/server. From the Postfix log file:

Jan 27 14:15:05 myMailServer postfix/smtpd[12822]: connect from gw13.delivery-gate.com[72.29.83.9]
Jan 27 14:15:05 myMailServer postgrey[4304]: delayed 460 seconds: client=gw13.delivery-gate.com, from=4a590193769-#-#@delivery-gate.com, to=my-email@my-domain.com
Jan 27 14:15:05 myMailServer postfix/policy-spf[12827]: : testing: stripped sender=4a590193769@delivery-gate.com, stripped rcpt=my-email@my-domain.com
Jan 27 14:15:05 myMailServer postfix/policy-spf[12827]: : SPF pass: smtp_comment=Please see http://www.openspf.org/why.html?sender=4a590193769-1-589%40delivery-gate.com&ip=72.29.83.9&receiver=myMailServer: 72.29.83.0/24 contains 72.29.83.9, header_comment=myMailServer: domain of 4a590193769-1-589@delivery-gate.comdesignates 72.29.83.9 as permitted sender
Jan 27 14:15:05 myMailServer postfix/policy-spf[12827]: decided action=DUNNO
Jan 27 14:15:05 myMailServer postfix/smtpd[12822]: 999EA15F505: client=gw13.delivery-gate.com[72.29.83.9]
Jan 27 14:15:05 myMailServer postfix/cleanup[12829]: 999EA15F505: hold: header Received: from gw13.delivery-gate.com (gw13.delivery-gate.com [72.29.83.9])??by my-domain.com (ESMTP daemon) with ESMTP id 999EA15F505??for <my-email@my-domain.com>; Mon, 27 Jan 2014 14:15:05 +0200 (EET) from gw13.delivery-gate.com[72.29.83.9]; from=<4a590193769-1-589@delivery-gate.com> to=<my-email@my-domain.com> proto=ESMTP helo=<gw13.delivery-gate.com>
Jan 27 14:15:05 myMailServer postfix/cleanup[12829]: 999EA15F505: message-id=<20140127120707.1874C2C0E5614@gw13.delivery-gate.com>
Jan 27 14:15:05 myMailServer postfix/smtpd[12822]: disconnect from gw13.delivery-gate.com[72.29.83.9]

So, when I look at the message source in Thunderbird, I see the header: From: Blah blah blah <sender-email@sender-website.com>. How can I block email from that sender (sender-website.com)? There is no point in blocking the IP, because next time it will be different. I have also set up MailScanner, but it does not see the proper From header either. I have already blacklisted that domain in MailScanner too.

Guntis

1 Answer


So you have added `sender-email@sender-website.com REJECT` to your sender_access file; have you added `hash:/etc/postfix/sender_access` to your `smtpd_recipient_restrictions =` as the first option?

You may also have more luck using the smtp_nested_header_checks option as well, as it allows you to examine any Non-MIME header for identifiers.

NickW
  • Yes, yes and yes. For other rules it works. Postfix just does not see the correct `sender from`. `smtpd_recipient_restrictions = hash:/etc/postfix/access, check_sender_access hash:/etc/postfix/sender_access, permit_sasl_authenticated,...` – Guntis Jan 27 '14 at 13:02
  • Can you show the lines in `/var/log/maillog` where this email is arriving? It should show the `From` email that postfix is seeing.. – NickW Jan 27 '14 at 13:07
  • see my question – Guntis Jan 27 '14 at 13:22
  • maybe you could just add that email to your spamassassin blacklist, give it 10 points off the bat.. – NickW Jan 27 '14 at 13:24
  • While in theory multiple From: headers are not permitted, it looks like this mailer does something similar to a FWD: to avoid his email showing up as the From: address to the MTA, that `From -` is an awfully odd artifact to have at the top of your headers. – NickW Jan 27 '14 at 13:38
  • I added sender-domain.com to the SpamAssassin blacklist_from. Now I'll see if it works :) – Guntis Jan 27 '14 at 13:45
  • I was looking, you might be able to catch this guy with `smtp_nested_header_checks` as well, it's worth looking into at the very least.. – NickW Jan 27 '14 at 13:48
  • I also added a rule to the header_checks file. I hope that helps :) Thanks @NickW – Guntis Jan 27 '14 at 14:12
  • Well, this may take a little while to see if it's functional, let us know here if it does or doesn't work.. – NickW Jan 27 '14 at 14:14
  • Make sure you remember to run `postmap /etc/postfix/sender_access` after changes are made; they won't take effect until that happens. Plus you might need to restart postfix too – Matthew Lock Aug 13 '14 at 07:55
  • @NickW `smtp_nested_header_checks` did the trick. Can you write it as an answer? – Guntis Dec 19 '14 at 09:18
  • @Guntis done :) – NickW Dec 22 '14 at 09:57
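The whole thread hinges on the difference between the envelope sender (MAIL FROM, recorded as Return-Path and in the `from=<...>` log field) that `check_sender_access` evaluates, and the header `From:` the asker sees in Thunderbird, which only a header-checks style rule can match. The following is an added example, not code from the question or the answer: it models the access(5) lookup order that Postfix uses for `check_sender_access` and one assumed `header_checks`-style PCRE rule, and runs both over headers constructed from the question.

```python
"""Envelope sender vs. header From: why the asker's sender_access entry never fires.

Added example, not from the question or answer. Models the access(5) lookup order
for check_sender_access (user@domain, the domain and each parent domain as with
parent_domain_matches_subdomains = smtpd_access_maps, then user@) and a
header_checks-style regexp rule, run against headers constructed from the question.
"""
import re
from typing import Optional

# Constructed from the question: the envelope sender and the header From: differ.
SAMPLE_HEADERS = """\
Return-Path: <4a590193769-1-589@delivery-gate.com>
From: Blah blah blah <sender-email@sender-website.com>
To: my-email@my-domain.com
Subject: {(***Disarmed***)} =?UTF-8?B?VmFsZW50xKtuYSBkaWVuYSBuxIFrIQ==?=
"""

# The asker's /etc/postfix/sender_access entry (hash: table, keys lower-cased).
SENDER_ACCESS = {"sender-website.com": "REJECT"}

# Assumed header_checks-style pcre: rule (pattern, action); not the asker's own rule.
HEADER_CHECKS = [(re.compile(r"^From:.*@sender-website\.com>?\s*$", re.I),
                  "REJECT Spam sender")]


def lookup_sender_access(address: str, table: dict) -> Optional[str]:
    """Return the action for an envelope sender, following access(5) lookup order."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    labels = domain.split(".")
    candidates = [address]                                 # user@domain
    candidates += [".".join(labels[i:]) for i in range(len(labels))]  # domain, parents
    candidates.append(local + "@")                         # user@
    for key in candidates:
        if key in table:
            return table[key]
    return None


def check_mail(raw_headers: str) -> dict:
    """Apply both checks to one message and report what each one sees."""
    fields = {}
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    envelope = fields["return-path"].strip("<>")           # stands in for MAIL FROM
    header_action = None
    for line in raw_headers.splitlines():
        for pattern, action in HEADER_CHECKS:
            if pattern.search(line):
                header_action = action
    return {"envelope_sender": envelope,
            "sender_access": lookup_sender_access(envelope, SENDER_ACCESS),
            "header_checks": header_action}
```

Running `check_mail(SAMPLE_HEADERS)` shows `sender_access` returning no action, because every lookup key is derived from delivery-gate.com, while the header rule rejects on the `From:` line that names sender-website.com.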