MY TURN WITH ALEKSANDER

In 2021 Sean Connor posted about getting pestered with repeated
spam messages from various email addresses, always with the same
subject, name, and text in Russian:
gopher://gopher.conman.org/0Phlog:2021/07/20.2

He ended up simply deleting the email accounts that were receiving
the messages, but also later posted a less drastic solution
suggested by someone else for filtering them out with Postfix based
on the general form of the constantly changing email addresses that
Aleksandr (or Mayboroda) uses:
gopher://gopher.conman.org/0Phlog:2021/08/28.1
gopher://gopher.conman.org/0Phlog:2022/01/16.1
gopher://gopher.conman.org/0Phlog:2022/01/17.1

So starting sometime before early February (when I last purged my
backup store of emails), I've been getting my own dose of
Aleksandr. It seems quite pointless to me, as it did for Connor,
because I don't read Russian. But except for a ten-day break in
February I've been getting a few every day, from ever-changing
email accounts. Odds are that they got the email address from
scraping my website, as it's the main address for my online store.

I don't get that much other spam so I don't bother with automatic
spam filtering, but waiting for all these useless identical emails
to download on the days when my internet connection is scratchy,
just to bulk-select and delete them, eventually tipped me over the
line into doing something.

The solution that one of Connor's readers supplied was to configure
Postfix to block all emails with part of the sender's addresses
matching the regular expression "s[0-9]{1,2}.[a-z]*.ru" or
"info@.[a-z]*.ru". I'm also using Postfix, and running grep through
almost a decade of emails in my archive (not including deleted
emails such as spam) showed that I hadn't previously received any
legitimate email from addresses matching those expressions. Still,
they do seem like really broad filters, almost as if I might be
doing what the spammer wants if this is some politically-motivated
attack to ruin the reputation of all Russian email addresses.

Looking closer at the emails I noticed a couple of unusual headers:
X-Vjhy-Campaign-Uid: [random-looking alphanumeric string]
X-Vjhy-Subscriber-Uid: [random-looking alphanumeric string]

The string after "X-Vjhy-Campaign-Uid" keeps changing, but the
"X-Vjhy-Subscriber-Uid" value is always the same (in over 100
"Aleksandr" emails from lots of different addresses). At a guess
I'd say that this is probably something inserted by a bulk email
service or software that the spammer is using. I'm guessing that
"Vjhy" is something random that they typed in to fill in a
configuration field. Searching through my email history again,
nothing there had one of these headers or even anything like them,
so this seemed like a narrower way to block the spam.

My, possibly lazy, solution to this in the Postfix configuration
was to create a "/etc/postfix/header_checks" file containing:
# Block "Aleksandr" spam which comes from various domains and IPs
# but always has this header which no other email seems to use:
/^X-Vjhy-Subscriber-Uid: .*/    DISCARD Aleksandr spam

EDIT: "Aleksandr" eventually changed the "Vjhy" bit of the headers
     to something else, so, at slightly more risk of
     false-positives, I'm now using:
      /^X-.*-Subscriber-Uid: .*/    DISCARD Aleksandr spam
     This probably blocks everything from the bulk mail platform
     that they're using though.

Then add this line in /etc/postfix/main.cf:
header_checks = regexp:/etc/postfix/header_checks
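To see what the narrow rule and the broader EDIT rule each catch
before putting them on a live server, here is a small dry-run
matcher I've added (not part of the original post or of Postfix):
it parses a header_checks table in regexp_table(5) syntax and runs
constructed sample headers through it the way cleanup(8) does, first
match wins. The sample messages and domains are made up, and flags
after the closing slash are parsed but ignored.

```python
import re
from email import message_from_string

# Constructed header_checks table in Postfix regexp_table(5) syntax:
# "/pattern/ ACTION [text]" plus "#" comments. Flags after the closing
# slash are accepted but ignored; matching is case-insensitive (the default).
NARROW_TABLE = r"""
# Block "Aleksandr" spam which comes from various domains and IPs
# but always has this header which no other email seems to use:
/^X-Vjhy-Subscriber-Uid: .*/    DISCARD Aleksandr spam
"""
BROAD_TABLE = NARROW_TABLE + "/^X-.*-Subscriber-Uid: .*/    DISCARD Aleksandr spam\n"
RULE_RE = re.compile(r"^/(.+)/[a-zA-Z]*\s+(\S+)\s*(.*)$")

def load_table(text):
    """Parse a regexp_table-style file into (compiled regex, ACTION, text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        pattern, action, text = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action.upper(), text))
    return rules

def check_message(raw, rules):
    """Run each header line through the rules; first match wins, as cleanup(8) does."""
    msg = message_from_string(raw)
    for name, value in msg.items():
        for pattern, action, text in rules:
            if pattern.search(f"{name}: {value}"):
                return action, text
    return "OK", ""

# Constructed sample messages (headers only, not real spam).
SPAM_VJHY = ("From: sender@bulk.example\nSubject: test\n"
             "X-Vjhy-Campaign-Uid: a1b2c3\nX-Vjhy-Subscriber-Uid: zz99\n\nbody\n")
SPAM_RENAMED = ("From: other@bulk.example\n"
                "X-Qwer-Campaign-Uid: d4e5f6\nX-Qwer-Subscriber-Uid: zz99\n\nbody\n")
LEGIT = "From: customer@shop.example\nSubject: Order question\n\nthanks\n"

def dry_run(table_text):
    """Map each sample message to the action the table would take on it."""
    rules = load_table(table_text)
    samples = (("vjhy", SPAM_VJHY), ("renamed", SPAM_RENAMED), ("legit", LEGIT))
    return {label: check_message(raw, rules)[0] for label, raw in samples}
```

On the real server the same kind of check can be done against the
live table with postmap, e.g. postmap -q "X-Vjhy-Subscriber-Uid: x"
regexp:/etc/postfix/header_checks, which prints the action if the
line matches.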

Now the Postfix documentation makes the point that this is the
wrong way to filter spam because new mail processing is delayed
while it checks all the header lines from each email through the
regular expression(s) in "/etc/postfix/header_checks". Setting up
proper filters allows checking to be done further down the line in
a non-blocking way. Still in this case it's just one rule (well OK,
it always _starts_ with one) and I don't get nearly enough mail or
server load for this to be a meaningful problem. I also like that
it gets rid of the spam right at the start of processing and
doesn't waste any more time on it, given that it's often been the
bulk of my day's external email to that (or any) address.
Interestingly they still show spam filtering rules in the example
at the end of the regexp_table(5) man page.

Also "pcre" instead of "regexp" is supposed to be faster, but
"postconf -m" didn't list it as available in my Postfix build. Run
"postfix reload" to make it load the new configuration.

Before long the Postfix log showed a number of correct matches for
"Aleksandr spam", and after a couple of days none has made it
through, so it looks like I might have won my personal battle
against Aleksandr.

I also turned up yet another victim of Aleksandr online (I seem to
be late to Aleksandr's party), who blocked the spam simply based on
the curiously-unchanging subject line (the postmap step isn't
necessary, and as already noted you can use regexp if pcre isn't
available):
https://iliasa.eu/postfix-discard-mail-based-on-header/

Related Postfix documentation links:
http://www.postfix.org/BUILTIN_FILTER_README.html
http://www.postfix.org/cleanup.8.html
http://www.postfix.org/header_checks.5.html
http://www.postfix.org/regexp_table.5.html  - Examples at bottom
http://www.postfix.org/SMTPD_ACCESS_README.html

- The Free Thinker.