Stan Hoeppner | 1 Apr 01:25 2011

Re: SMTP client host name spoofing

mouss put forth on 3/31/2011 4:38 PM:
> Le 31/03/2011 17:52, Stan Hoeppner a écrit :
>>
>> Received: from mail-iw0-f176.google.com (biz88.inmotionhosting.com
>> [66.117.14.32])
>> 	by greer.hardwarefreak.com (Postfix) with ESMTP id F297D6C12E
>> 	for <stan <at> hardwarefreak.com>; Thu, 31 Mar 2011 06:29:19 -0500
>>
>>
>> biz88.inmotionhosting.com is the reverse name and
>> mail-iw0-f176.google.com is the forward name, correct?  How is this VPS
>> hosted snowshoe spammer spoofing a forward host name of google.com?
>>
> 
> they are spoofing HELO. 

Which is the answer to my question.

> if you feel motivated, contact InMotion.
> otherwise [snip]

You should know me well enough by now mouss to realize that I'd already
blocked the parent /20, and Corporate-Colocation's other 19 netblocks,
after some investigation, before I sent my question to the list. ;)

-- 
Stan
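The header quoted above is the whole clue: Postfix writes the name the client announced in HELO/EHLO first and the name it got from reverse DNS in parentheses, so a snowshoe sender with a google.com HELO and an inmotionhosting.com PTR stands out the moment the two are compared. The following is an added example, not code from the thread or from Postfix: a small parser that unfolds a Received header, pulls out the HELO name, reverse name and client IP, and flags HELO/rDNS organizational-domain mismatches. The sample headers are constructed; only the first reproduces the shape of the one quoted above.

```python
import re

# Constructed sample headers in the layout Postfix writes for the client line:
#   Received: from <HELO name> (<reverse DNS name or "unknown"> [<client IP>])
# "snowshoe" reproduces the shape of the header quoted in the thread; the others are made up.
SAMPLE_HEADERS = {
    "snowshoe": (
        "Received: from mail-iw0-f176.google.com (biz88.inmotionhosting.com\n"
        "\t[66.117.14.32])\n"
        "\tby greer.hardwarefreak.com (Postfix) with ESMTP id F297D6C12E"
    ),
    "consistent": (
        "Received: from mx-out.example.net (mx-out.example.net [192.0.2.10])\n"
        "\tby mx.example.com (Postfix) with ESMTP id 0A1B2C3D4E"
    ),
    "no_rdns": (
        "Received: from localhost (unknown [198.51.100.7])\n"
        "\tby mx.example.com (Postfix) with ESMTP id 1F2E3D4C5B"
    ),
    "literal": (
        "Received: from [192.0.2.55] (host55.example.org [192.0.2.55])\n"
        "\tby mx.example.com (Postfix) with ESMTP id 6A7B8C9D0E"
    ),
}

# HELO name, then "(rdns [ip])". Postfix writes "unknown" when the PTR lookup fails.
_CLIENT_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE,
)


def unfold(header):
    """RFC 5322 unfolding: a line break followed by whitespace continues the field."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def registrable_domain(hostname):
    """Crude organisational domain: the last two labels. Enough to tell google.com
    from inmotionhosting.com; it does not know public suffixes such as co.uk."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_client(header):
    m = _CLIENT_RE.match(unfold(header))
    return m.groupdict() if m else None


def classify(header):
    """Return (verdict, fields). The verdict compares the name the client announced
    in HELO/EHLO with the name Postfix obtained from the client's reverse DNS."""
    info = parse_client(header)
    if info is None:
        return "unparsed", None
    helo, rdns, ip = info["helo"], info["rdns"], info["ip"]
    if helo.startswith("[") and helo.endswith("]"):
        # Address-literal HELO: only meaningful if it names the connecting IP.
        return ("literal-ok" if helo[1:-1] == ip else "literal-mismatch"), info
    if rdns.lower() == "unknown":
        return "no-rdns", info
    if registrable_domain(helo) != registrable_domain(rdns):
        return "helo-mismatch", info
    return "consistent", info


def scan(headers):
    """Map each sample name to its verdict."""
    return {name: classify(h)[0] for name, h in headers.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_HEADERS).items():
        print(f"{name:10s} {verdict}")
```

A mismatch is a signal, not proof: legitimate relays often announce a different host than their PTR while staying in the same organisational domain, which is why the comparison is done on the last two labels. What this check cannot do is the thing the thread is really about: a forged HELO that happens to resolve (google.com names do) passes every DNS-based HELO test, so the rDNS comparison, or the reputation of the IP itself, is what catches it.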

Wietse Venema | 1 Apr 02:23 2011

Re: Postscreen + Logwatch = A bunch of unmatched entries

Sahil Tandon:
> On Thu, 2011-03-31 at 12:50:30 -0700, Steve Jenkins wrote:
> 
> > On Thu, Mar 31, 2011 at 12:29 PM, Steve Jenkins <stevejenkins <at> gmail.com> wrote:
> > > Anyone know if LogWatch 7.4.0 recognizes them
> > 
> > Well, I can answer my first question myself. I just installed it and
> > can confirm that Logwatch 7.4.0 (released earlier this month) does NOT
> > recognize Postscreen entries:
> 
> [ .. ]
> 
> > Anyone had any luck getting Postscreen and Logwatch to play nice together?
> 
> Have you tried asking the creators of the log parsing software?

I suppose it is a script with a config file with patterns for "known"
logfile messages. If someone can share a copy, then I could try to
write some rules for normal postscreen, dnsblog and tlsproxy logging.

	Wietse
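Wietse's guess is right about the shape of the problem: Logwatch only knows a message if someone has written a pattern for it, and postscreen, dnsblog and tlsproxy were new at the time. The following is an added example, not Logwatch code and not from Postfix: a pattern table for the common postscreen and dnsblog messages and a summariser that counts them, extracts DNSBL hits and rejected clients, and reports whatever it could not match, which is exactly the "unmatched entries" Logwatch complains about. The sample log is constructed to approximate the Postfix 2.8 syslog layout and is not a real log.

```python
import re
from collections import Counter

# Constructed sample lines approximating the Postfix 2.8 postscreen/dnsblog syslog
# layout: five connections, one DNSBL-listed client, and one smtpd line that these
# patterns deliberately do not know. Not a real log.
SAMPLE_LOG = """\
Apr  1 02:20:01 mx postfix/postscreen[1201]: CONNECT from [192.0.2.10]:48311 to [203.0.113.5]:25
Apr  1 02:20:01 mx postfix/postscreen[1201]: WHITELISTED [192.0.2.10]:48311
Apr  1 02:20:05 mx postfix/postscreen[1201]: CONNECT from [198.51.100.7]:2204 to [203.0.113.5]:25
Apr  1 02:20:05 mx postfix/postscreen[1201]: PREGREET 19 after 0.08 from [198.51.100.7]:2204: EHLO spam.invalid\\r\\n
Apr  1 02:20:05 mx postfix/dnsblog[1202]: addr 198.51.100.7 listed by domain zen.spamhaus.org as 127.0.0.4
Apr  1 02:20:06 mx postfix/postscreen[1201]: DNSBL rank 3 for [198.51.100.7]:2204
Apr  1 02:20:06 mx postfix/postscreen[1201]: NOQUEUE: reject: RCPT from [198.51.100.7]:2204: 550 5.7.1 Service unavailable; client [198.51.100.7] blocked using zen.spamhaus.org; from=<a@spam.invalid>, to=<stan@example.com>, proto=ESMTP, helo=<spam.invalid>
Apr  1 02:20:06 mx postfix/postscreen[1201]: DISCONNECT [198.51.100.7]:2204
Apr  1 02:21:10 mx postfix/postscreen[1201]: CONNECT from [192.0.2.77]:51000 to [203.0.113.5]:25
Apr  1 02:21:16 mx postfix/postscreen[1201]: PASS NEW [192.0.2.77]:51000
Apr  1 02:21:17 mx postfix/postscreen[1201]: DISCONNECT [192.0.2.77]:51000
Apr  1 02:22:00 mx postfix/postscreen[1201]: CONNECT from [192.0.2.77]:51002 to [203.0.113.5]:25
Apr  1 02:22:00 mx postfix/postscreen[1201]: PASS OLD [192.0.2.77]:51002
Apr  1 02:22:02 mx postfix/smtpd[1300]: connect from unknown[192.0.2.77]
Apr  1 02:23:30 mx postfix/postscreen[1201]: CONNECT from [203.0.113.200]:4040 to [203.0.113.5]:25
Apr  1 02:23:31 mx postfix/postscreen[1201]: HANGUP after 0.9 from [203.0.113.200]:4040 in tests before SMTP handshake
Apr  1 02:23:31 mx postfix/postscreen[1201]: DISCONNECT [203.0.113.200]:4040
"""

# One pattern per message type; the keys double as the summary bucket names.
_PS = r"postfix/postscreen\[\d+\]: "
PATTERNS = {
    "CONNECT":     re.compile(_PS + r"CONNECT from \[(?P<ip>[^\]]+)\]:\d+ to \["),
    "WHITELISTED": re.compile(_PS + r"WHITELISTED \[(?P<ip>[^\]]+)\]"),
    "BLACKLISTED": re.compile(_PS + r"BLACKLISTED \[(?P<ip>[^\]]+)\]"),
    "PREGREET":    re.compile(_PS + r"PREGREET \d+ after [\d.]+ from \[(?P<ip>[^\]]+)\]"),
    "HANGUP":      re.compile(_PS + r"HANGUP after [\d.]+ from \[(?P<ip>[^\]]+)\]"),
    "DNSBL":       re.compile(_PS + r"DNSBL rank (?P<rank>\d+) for \[(?P<ip>[^\]]+)\]"),
    "REJECT":      re.compile(_PS + r"NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: "
                              r"(?P<code>\d{3}) [^;]*; client \[[^\]]+\] blocked using (?P<dnsbl>[^;]+);"),
    "PASS NEW":    re.compile(_PS + r"PASS NEW \[(?P<ip>[^\]]+)\]"),
    "PASS OLD":    re.compile(_PS + r"PASS OLD \[(?P<ip>[^\]]+)\]"),
    "DISCONNECT":  re.compile(_PS + r"DISCONNECT \[(?P<ip>[^\]]+)\]"),
    "DNSBLOG":     re.compile(r"postfix/dnsblog\[\d+\]: addr (?P<ip>\S+) listed by domain "
                              r"(?P<dnsbl>\S+) as (?P<reply>\S+)"),
}


def parse_line(line):
    """Return (event name, captured fields) or (None, None) for an unknown line."""
    for event, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            return event, m.groupdict()
    return None, None


def summarize(text):
    events, dnsbl, rejected, unmatched = Counter(), Counter(), [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        event, fields = parse_line(line)
        if event is None:
            unmatched.append(line)      # what Logwatch would list as "unmatched entries"
            continue
        events[event] += 1
        if event == "DNSBLOG":
            dnsbl[fields["dnsbl"]] += 1
        elif event == "REJECT":
            rejected.append((fields["ip"], fields["dnsbl"]))
    return {"events": events, "dnsbl": dnsbl, "rejected": rejected, "unmatched": unmatched}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ev, n in sorted(s["events"].items()):
        print(f"{n:5d}  {ev}")
    print("DNSBL listings:", dict(s["dnsbl"]))
    print("rejected:", s["rejected"])
    print("unmatched:", len(s["unmatched"]))
```

The unmatched bucket is the useful part for the Logwatch problem: run a day's mail log through it, and every line it prints is a message type that still needs a pattern, which is the list Wietse is asking for.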

Victor Duchovni | 1 Apr 03:22 2011

Re: Adjust smtp to limitations of a host

On Thu, Mar 31, 2011 at 10:18:52PM +0100, Mark Alan wrote:

> On Thu, 31 Mar 2011 14:53:11 -0400, Victor Duchovni
> <Victor.Duchovni <at> morganstanley.com> wrote:
> > Why would this be a response to "too many recipient commands", a
> > single message with many recipients is sent over a single connection,
> > unless you have set an ill-advised destination recipient limit.
> 
> All _recipient_limit parameters are all at their defaults. With the
> exception of things related to ciphers and TLS, we try hard to keep the
> default Postfix settings.
> 
> > > /etc/postfix/main.cf
> > > slow_destination_concurrency_failed_cohort_limit = 3 # we give up
> > > after getting three 421
> > > slow_destination_recipient_limit = 20 # keep it below 25
> > 
> > This increases the number of connections, which is unlikely what you
> > want, provided of course you have messages with a large recipient
> > count.
> 
> It was not obvious to us. The idea was simply to put a limit on each
> burst of messages sent to the slow transport MTA's.

The actual effect is to drive up the number of messages, this parameter
limits the number of recipients per message delivery, thus a 100-recipient
message now gets sent 5 times instead of the default 2.

> > > /etc/postfix/master.cf
> > > slow      unix  -       -       -       -       -       smtp

Ultrabug | 1 Apr 09:20 2011

Re: Adjust smtp to limitations of a host

On 31/03/2011 18:39, Victor Duchovni wrote:
> On Thu, Mar 31, 2011 at 10:15:55AM +0200, Ultrabug wrote:
> 
>> Dear list,
>>
>> I'm facing a problem where I have to adapt and optimize my smtp servers
>> to a host's constraints which are as follow :
>>
>> - maximum 3 connections to each MX of the host (he has 10 MX so
>> potentially I should be able to make 30 connections)
> 
> What happens if you happen to exceed the limit on particular host
> among the 10? If it just quickly returns a 4XX code, and does not
> penalize future connections, ignore this limit and let Postfix do
> what it does by default.
> 

The result is pretty much that they deny any further email with 4XX
codes AND penalize further connections. It just stops accepting any new
mail.

>> - maximum 1000 connections per MX per hour
> 
> Connection caching should help if volume is high enough to worry about
> this. Note this is just less than one connection every 3 seconds, but
> Postfix caches idle connections for 2 seconds, so if your output rate
> is 1200 messages spaced perfectly 3 seconds apart, you lose, but this
> is fairly unlikely.
> 


Vincent Lefevre | 1 Apr 09:47 2011

Re: SMTP client host name spoofing

On 2011-03-31 21:16:16 +0200, Jeroen Geilman wrote:
> HELO checks are the primary defense against backscatter of this sort; I use
> a simple subset of the available options:
> 
> smtpd_helo_restrictions = reject_invalid_helo_hostname,
> reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname,
> check_helo_access hash:/etc/postfix/helo_access, permit
> 
> Where helo_access contains my own IPs and hostnames.
> 
> This setup will reject an AMAZING amount of spam.
> Fair warning: it may also yield the occasional false positive due to a
> misconfigured client mail system!
> The usual warn_if_reject will help out with that.

I really think it is a bad idea to use reject_unknown_helo_hostname.
Some machines sending mail are on a local network, so that resolving
their hostname doesn't make sense outside this network. The main
goal of the EHLO hostname being for logging purpose (to identify
the machine), the easiest solution may be to give the hostname (the
alternate solution of giving the local IP address isn't a good idea
if the address is dynamical).

-- 
Vincent Lefèvre <vincent <at> vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
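The disagreement between Jeroen's config (quoted above) and Vincent is really about what each restriction tests and in which order smtpd evaluates them: the list is walked top to bottom and the first restriction that decides wins, so a host listed in helo_access is never reached if reject_unknown_helo_hostname rejects it first. The following is an added example, not Postfix code and not from either poster: a small simulator of that evaluation order with an offline stand-in for DNS and a hypothetical helo_access table, showing the quoted order beside the same restrictions with check_helo_access moved first. The resolvable names and the access entries are assumptions made for the demo.

```python
import re

# Hypothetical offline "DNS": names treated as having an A or MX record (demo assumption).
RESOLVABLE = {"mx.example.net", "mail-iw0-f176.google.com"}

# Hypothetical helo_access table. Postfix looks up the full name first and then parent
# domains written as ".domain" (the HELO map is not in parent_domain_matches_subdomains
# by default, so a bare "corp.example" would not match pc1.corp.example).
HELO_ACCESS = {"laptop.lan": "OK", ".corp.example": "OK"}

# The restriction list exactly as quoted in the thread.
QUOTED_ORDER = [
    "reject_invalid_helo_hostname",
    "reject_unknown_helo_hostname",
    "reject_non_fqdn_helo_hostname",
    "check_helo_access hash:/etc/postfix/helo_access",
    "permit",
]
# Same restrictions, access map consulted first so listed hosts skip the DNS test.
ACCESS_FIRST = [QUOTED_ORDER[3]] + QUOTED_ORDER[:3] + ["permit"]

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_IPV4_LITERAL = re.compile(r"^\[(?:\d{1,3}\.){3}\d{1,3}\]$")


def is_address_literal(helo):
    return bool(_IPV4_LITERAL.match(helo)) or helo.lower().startswith("[ipv6:")


def is_valid_hostname(helo):
    """reject_invalid_helo_hostname: syntactically valid DNS name (letters, digits, hyphens)."""
    name = helo.rstrip(".")
    return 0 < len(name) <= 253 and all(_LABEL.match(label) for label in name.split("."))


def is_fqdn(helo):
    """reject_non_fqdn_helo_hostname: at least two labels and a non-numeric top label."""
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and not labels[-1].isdigit()


def lookup_access(helo, table):
    """Full name first, then ".parent" entries, mirroring the Postfix lookup order."""
    name = helo.lower().rstrip(".")
    if name in table:
        return table[name]
    parts = name.split(".")
    for i in range(1, len(parts)):
        parent = "." + ".".join(parts[i:])
        if parent in table:
            return table[parent]
    return None


def evaluate(helo, restrictions, resolvable=RESOLVABLE, access=HELO_ACCESS):
    """Walk the list like smtpd does: the first restriction that decides wins.
    Returns (verdict, restriction that decided)."""
    name = helo.lower().rstrip(".")
    literal = is_address_literal(helo)
    for r in restrictions:
        if r == "reject_invalid_helo_hostname":
            if not literal and not is_valid_hostname(helo):
                return ("reject", r)
        elif r == "reject_non_fqdn_helo_hostname":
            if not literal and not is_fqdn(helo):
                return ("reject", r)
        elif r == "reject_unknown_helo_hostname":
            # Address literals are not looked up in this simulation.
            if not literal and name not in resolvable:
                return ("reject", r)
        elif r.startswith("check_helo_access"):
            action = lookup_access(helo, access)
            if action == "OK":
                return ("permit", r)
            if action and action.startswith("REJECT"):
                return ("reject", r)
        elif r == "permit":
            return ("permit", r)
    return ("permit", "end-of-list")


if __name__ == "__main__":
    for helo in ["mx.example.net", "laptop.lan", "pc1.corp.example",
                 "mail-iw0-f176.google.com", "mailserver", "bad_host", "[192.0.2.10]"]:
        print(f"{helo:26s} quoted: {evaluate(helo, QUOTED_ORDER)[0]:6s} "
              f"access-first: {evaluate(helo, ACCESS_FIRST)[0]}")
```

Two things fall out of running it. Vincent's unresolvable LAN host is rejected by reject_unknown_helo_hostname in the quoted order even if it is in helo_access, so a whitelist of "my own hostnames" only does its job when check_helo_access precedes the DNS test. And a spoofed HELO that resolves (the google.com name from the earlier post) passes every one of these tests, which is why HELO checks cut spam volume but are not a defence against a sender who picks a real name. A `warn_if_reject` prefix, as Jeroen suggests for finding false positives, simply turns the reject branches above into log lines without ending the walk.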

Murray S. Kucherawy | 1 Apr 10:01 2011

RE: SMTP client host name spoofing

> -----Original Message-----
> From: owner-postfix-users <at> postfix.org [mailto:owner-postfix-users <at> postfix.org] On Behalf Of Vincent Lefevre
> Sent: Friday, April 01, 2011 12:47 AM
> To: postfix-users <at> postfix.org
> Subject: Re: SMTP client host name spoofing
> 
> I really think it is a bad idea to use reject_unknown_helo_hostname.
> Some machines sending mail are on a local network, so that resolving
> their hostname doesn't make sense outside this network.

Those machines should be talking to a public-facing MTA that tolerates unqualified names; they shouldn't
be talking to the public Internet with an unqualified name.

But even then, sending a hostname without a domain name violates the SMTP RFC.  In the face of such widespread
abuse, I'm a fan of being as strict as possible.

The RFCs also make specific admonitions against making filtering decisions based on HELO/EHLO, but a lot
of people do it anyway (and for good reason).

Reindl Harald | 1 Apr 10:03 2011

Re: SMTP client host name spoofing

Am 01.04.2011 09:47, schrieb Vincent Lefevre:
>> Where helo_access contains my own IPs and hostnames.
>>
>> This setup will reject an AMAZING amount of spam.
>> Fair warning: it may also yield the occasional false positive due to a
>> misconfigured client mail system!
>> The usual warn_if_reject will help out with that.
> 
> I really think it is a bad idea to use reject_unknown_helo_hostname.
> Some machines sending mail are on a local network, so that resolving
> their hostname doesn't make sense outside this network. The main
> goal of the EHLO hostname being for logging purpose (to identify
> the machine), the easiest solution may be to give the hostname (the
> alternate solution of giving the local IP address isn't a good idea
> if the address is dynamical)

your users have to use SASL and are not affected as long as your machine
is usably configured; every other host out there dealing directly
as an MTA has to have a PTR, an A record and a correct HELO (EHLO)

Vincent Lefevre | 1 Apr 11:15 2011

Re: SMTP client host name spoofing

On 2011-04-01 01:01:34 -0700, Murray S. Kucherawy wrote:
> Those machines should be talking to a public-facing MTA that
> tolerates unqualified names; they shouldn't be talking to the public
> Internet with an unqualified name.

The main smarthost of my ISP gets blacklisted by some lists each time
someone sends spam (this is a small ISP, so that it gets blacklisted
much easier than large ISP's, which are probably whitelisted). There's
also a smarthost that checks incoming messages with an antispam
software, but false positives would be dropped without notice, which
is unacceptable.

> But even then, sending a hostname without a domain name

Actually mine has a resolvable domain name after the first dot (only
the full hostname isn't resolvable).

> violates the SMTP RFC. In the face of such widespread abuse, I'm a
> fan of being as strict as possible.

Well, it violates only a SHOULD (because I should send an IP address
while I don't). In practice, not so many people reject messages with
unresolvable hostnames. So, currently, that's better than using one
of my ISP's smarthost.

I could now use SASL (this wasn't possible in the past because I didn't
have my own server), but there would still be problems to solve: how
can I use a fallback (on the client side) to the direct method when for
some reason, the server is not reachable?


Reindl Harald | 1 Apr 11:31 2011

Re: SMTP client host name spoofing


Am 01.04.2011 11:15, schrieb Vincent Lefevre:

> I could now use SASL (this wasn't possible in the past because I didn't
> have my own server), but there would still be problems to solve: how
> can I use a fallback (on the client side) to the direct method when for
> some reason, the server is not reachable?

if your MTA is not reachable you cannot send mail at this moment,
as simple as that; in the days of SPF/DKIM there is really no
reason for any workaround in the MUA

if your internet connection is broken the MUA holds back the mail,
and if your server is down you should get it up; you will not die
if you cannot send a message right now. how often does this really happen?

Selcuk Yazar | 1 Apr 12:17 2011

mail sending rule

Hi,


Is it possible to create a rule or script in Postfix so that one user can't send more than 100 emails in total? Except when sending to a group?

We have the destination_recipts setting at 50, but every time a user sends 50 mails. I want to restrict the total mail of a user, or some script to control these 50 recipient mails.


thanks in advance

--
Selçuk YAZAR
http://www.selcukyazar.blogspot.com
