[Postfixbuch-users] policyd bypassed with empty From
Jan P. Kessler
postfix at jpkessler.info
Wed Feb 18 23:53:03 CET 2009

Stolzenberg, Marcus wrote:
> Hello list.
>
> For a few days now I have had the problem that spammers are apparently
> using an empty From to bypass policyd.
> To make matters worse, these mails then also arrive twice and pass
> the greylisting.
>
> The whole thing then looks like this, for example:
>
> postfix/policyd-weight[15368]: decided action=DUNNO NULL (<>) Sender;
> <client=88.226.113.204> <helo=dsl88-226-29132.ttnet.net.tr> <from=>
> <to=foo.bar.com>; delay: 0
>
> Does anyone have a tip on how I can get rid of this spam?

Conservative:
- Leave that to a content filter.

Bold:
- Add a few rock-hard blacklists to the configuration. A selection of
them is at the end of this mail.

Somewhere in between:
- Write yourself a restriction class with various RBLs and
"harder" checks, and run only the sender "<>" against these checks via
check_sender_access.
- Build your own ruleset with a policy daemon (e.g.
www.postfwd.org)

It depends a bit on your environment, your level of knowledge and your
motivation.

jpk at mail:~ $ rblcheck2.pl 88.226.113.204
===============================================================================
QUERY: 88.226.113.204 NAME: dsl88-226-29132.ttnet.net.tr ADDR:
88.226.113.204
---------------------------------------------------------------------------
listed on RBL:bl.spamcop.net, result: 127.0.0.2, time: 1s
"Blocked - see http://www.spamcop.net/bl.shtml?88.226.113.204"
---------------------------------------------------------------------------
listed on RBL:blackholes.five-ten-sg.com, result: 127.0.0.2, time: 1s
"miscellaneous address blocks that have sent spam here"
---------------------------------------------------------------------------
listed on RBL:cblless.anti-spam.org.cn, result: 127.0.8.5, time: 2s
"Mail from 88.226.113.204 refused, see
http://anti-spam.org.cn/Rbl/Query/Result?IP=88.226.113.204"
---------------------------------------------------------------------------
listed on RBL:cblplus.anti-spam.org.cn, result: 127.0.8.6, time: 2s
"Mail from 88.226.113.204 refused, see
http://anti-spam.org.cn/Rbl/Query/Result?IP=88.226.113.204"
---------------------------------------------------------------------------
listed on RBL:dnsbl-2.uceprotect.net, result: 127.0.0.2, time: 1s
"Net 88.226.0.0/17 is UCEPROTECT-Level2 listed because of 683 abusers.
Your ISP TTNET TTnet Autonomous System/AS9121 has to fix this. See:
http://www.uceprotect.net/rblcheck.php?ipr=88.226.113.204"
---------------------------------------------------------------------------
listed on RBL:dnsbl-3.uceprotect.net, result: 127.0.0.2, time: 1s
"Your ISP TTNET TTnet Autonomous System/AS9121 is UCEPROTECT-Level3
listed because he is responsible for a total of 78711 abusers on the
net. See: http://www.uceprotect.net/rblcheck.php?ipr=88.226.113.204"
---------------------------------------------------------------------------
listed on RBL:hostkarma.junkemailfilter.com, result: 127.0.1.1, time: 1s
"Quit listed 88.226.113.204 See
http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists"
---------------------------------------------------------------------------
listed on RBL:ips.backscatterer.org, result: 127.0.0.2, time: 1s
"Sorry 88.226.113.204 is blacklisted at
http://www.backscatterer.org/?ip=88.226.113.204"
---------------------------------------------------------------------------
listed on RBL:zen.spamhaus.org, result: 127.0.0.4, time: 1s
"http://www.spamhaus.org/query/bl?ip=88.226.113.204"
---------------------------------------------------------------------------
listed on RBL:zz.countries.nerd.dk, result: 127.0.3.24, time: 1s
"tr"
---------------------------------------------------------------------------
listed on RHSBL:abuse.rfc-ignorant.org, result: 127.0.0.4, time: 2s
"Not supporting abuse at domain"
---------------------------------------------------------------------------
listed on RHSBL:hostkarma.junkemailfilter.com, result: 127.0.2.3, time: 1s
"Familiar Domains"
---------------------------------------------------------------------------
listed on RHSBL:rddn.dnsbl.net.au, result: 127.0.0.2, time: 1s
"ttnet.net.tr see http://dnsbl.net.au/rddn/"
---------------------------------------------------------------------------
listed on RHSBL:whois.rfc-ignorant.org, result: 127.0.0.5, time: 2s
"Inaccurate or missing WHOIS data"
---------------------------------------------------------------------------
10 of 29 RBLs, 4 of 13 RHSBLs, Finished after 2 seconds
===============================================================================
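
The "own ruleset with a policy daemon" option from the reply above, as an added example that is not part of the original mail and is not postfwd's code: the decision step of a Postfix policy service that runs DNSBL lookups only when the sender is the null sender. The zone list (picked from the rblcheck output above), the function names and the injectable `lookup` parameter are assumptions made for this example.

```python
import socket

# Assumption: zones picked from the rblcheck output above; choose your own.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "ips.backscatterer.org")

def parse_request(text):
    """Parse one Postfix policy delegation request (name=value lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # an empty line terminates the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_lookup(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def decide(attrs, lookup=dns_lookup, zones=DNSBL_ZONES):
    """Apply the DNSBL checks to the null sender only; defer on everything else."""
    if attrs.get("sender", "") != "":
        return "DUNNO"  # normal sender: leave it to the other restrictions
    ip = attrs.get("client_address", "")
    if ip.count(".") != 3:
        return "DUNNO"  # this example handles IPv4 clients only
    for zone in zones:
        answer = lookup(dnsbl_name(ip, zone))
        # A 127.x.x.x answer means "listed". Spamhaus uses 127.255.255.x for
        # query errors (e.g. blocked resolver), which must not cause a reject.
        if answer and answer.startswith("127.") \
                and not answer.startswith("127.255.255."):
            return "REJECT null sender from %s listed in %s" % (ip, zone)
    return "DUNNO"

def reply(action):
    """Frame the decision the way Postfix expects it: action line, empty line."""
    return "action=%s\n\n" % action
```

Postfix passes the null sender to a policy service as an empty `sender=` attribute, which is what `decide()` keys on; legitimate bounces also use the null sender, so the zones chosen here decide how many of those are lost.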