* * * * *

                       A most persistent spam, part VII

I received a follow-up message from Roberto [1] about the “Aleksandr” [2]
Russian spam emails:

> From: Robysampler <XXXXXXXXXXXXXXXXXXXXX>
> To: Sean Conner <[email protected]>
> Subject: Re: About "Mayboroda_aleks" on your personal blog
> Date: Mon, 17 Jan 2022 17:33:35 +0100
>
> Hi Sean.
>
> Thanks very much for your fast reply.
>
> I have some good news about "Mayboroda".
>
> Here are some lines of my postfix log showing "Mayboroda" has tried again,
> sending me some spam today:
>
> -----[ data ]-----
> Jan 17 11:48:47 mydomain postfix/smtpd[23894]: warning: hostname tefalongo.ru does not resolve to address 185.186.3.10
> Jan 17 11:48:47 mydomain postfix/smtpd[23894]: NOQUEUE: reject: RCPT from unknown[185.186.3.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [185.186.3.10]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<s7.kroshem.ru>
> Jan 17 12:18:49 mydomain postfix/smtpd[24258]: warning: hostname tefalongo.ru does not resolve to address 185.186.3.10
> Jan 17 12:18:49 mydomain postfix/smtpd[24258]: NOQUEUE: reject: RCPT from unknown[185.186.3.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [185.186.3.10]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<s7.kroshem.ru>
> Jan 17 12:18:49 mydomain postfix/smtpd[24258]: NOQUEUE: reject: RCPT from unknown[185.186.3.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [185.186.3.10]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<s7.kroshem.ru>
> Jan 17 12:48:49 mydomain postfix/smtpd[24629]: connect from s7.kroshem.ru[185.186.3.10]
> Jan 17 12:48:49 mydomain postfix/smtpd[24629]: NOQUEUE: reject: RCPT from s7.kroshem.ru[185.186.3.10]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<s7.kroshem.ru>
> -----[ END OF LINE ]-----
>
> In particular, the last line shows that the regular expression has found a
> match on "[email protected]" and replied "Sender address rejected: Access
> denied" and REJECTED the incoming email.
>
> There are some other tweaks you can implement in your "main.cf" postfix
> configuration file that will help you avoid junk emails.
>
> The following is a partial extract from my postfix "main.cf" configuration:
>
> -----[ data ]-----
> # Comments are on their own lines: Postfix only treats a "#" at the start of a
> # line as a comment; text after a value is read as part of that value.
> smtpd_recipient_restrictions = permit_mynetworks,
>       permit_sasl_authenticated,
>       # match the sender address against a regular-expression table
>       check_sender_access regexp:/etc/postfix/rejected.senders,
>       check_policy_service unix:private/policyd-spf,
>       # reject if the HELO name, the client's reverse name or the sender domain
>       # is listed in the Spamhaus DBL, or the client IP is listed in Spamhaus ZEN
>       reject_rhsbl_helo dbl.spamhaus.org,
>       reject_rhsbl_reverse_client dbl.spamhaus.org,
>       reject_rhsbl_sender dbl.spamhaus.org,
>       reject_rbl_client zen.spamhaus.org
>
> smtpd_sender_restrictions =  permit_mynetworks,
>       permit_sasl_authenticated,
>       # reject when the client IP address has no address->name mapping
>       reject_unknown_reverse_client_hostname,
>       # reject when 1) the client IP address->name mapping fails, or
>       # 2) the name->address mapping fails, or
>       # 3) the name->address mapping does not match the client IP address
>       reject_unknown_client_hostname,
>       # reject when Postfix is not the final destination for the sender address
>       # and the sender domain has no DNS MX and no DNS A record
>       reject_unknown_sender_domain
> -----[ END OF LINE ]-----
>
> Many of these tweaks I've implemented were taken from the document at the
> following webpage:
>
> http://www.armellin.com/friends/postfix/postconf.5.html [3]
>
> Feel free to publish our conversation in your blog as you wish.
>
> It's nice to help other people to get rid of the plague of "Mayboroda" :D
>
> Thanks Sean
>
> Best Regards
>
> Roberto
>

Thank you again, Roberto.
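Added example, not part of this post or of Roberto's message: a small Python script that parses smtpd "NOQUEUE: reject:" lines like the ones Roberto quoted, attributes each reject to the Postfix restriction that produced it (by Postfix's default reply text), and separates temporary 4xx rejects, which the client keeps retrying, from the final 5xx that the sender regexp table returns. The sample lines are the ones from the message above with the addresses kept as redacted there; the reply-text table is an assumption covering only the Postfix defaults for some of the restrictions in Roberto's extract.

```python
import re
from collections import Counter

# Constructed sample: smtpd lines quoted in Roberto's message (addresses kept as redacted there).
SAMPLE_LOG = """\
Jan 17 11:48:47 mydomain postfix/smtpd[23894]: warning: hostname tefalongo.ru does not resolve to address 185.186.3.10
Jan 17 11:48:47 mydomain postfix/smtpd[23894]: NOQUEUE: reject: RCPT from unknown[185.186.3.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [185.186.3.10]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<s7.kroshem.ru>
Jan 17 12:18:49 mydomain postfix/smtpd[24258]: NOQUEUE: reject: RCPT from unknown[185.186.3.10]: 450 4.7.25 Client host rejected: cannot find your hostname, [185.186.3.10]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<s7.kroshem.ru>
Jan 17 12:48:49 mydomain postfix/smtpd[24629]: connect from s7.kroshem.ru[185.186.3.10]
Jan 17 12:48:49 mydomain postfix/smtpd[24629]: NOQUEUE: reject: RCPT from s7.kroshem.ru[185.186.3.10]: 554 5.7.1 <[email protected]>: Sender address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<s7.kroshem.ru>
"""

# An smtpd "NOQUEUE: reject:" line: stage, client name/IP, SMTP code, enhanced code, reply text, envelope.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: (?P<stage>\w+) from "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

# Default Postfix reply texts -> the restriction that produced them (a subset of the extract above).
REASON_TO_RESTRICTION = [
    ("cannot find your reverse hostname", "reject_unknown_reverse_client_hostname"),
    ("cannot find your hostname", "reject_unknown_client_hostname"),
    ("Sender address rejected: Access denied", "check_sender_access (REJECT entry)"),
    ("blocked using", "reject_rbl_client / reject_rhsbl_*"),
]

def classify(reason):
    """Name the restriction behind a reply text, or 'other' if unrecognised."""
    for needle, restriction in REASON_TO_RESTRICTION:
        if needle in reason:
            return restriction
    return "other"

def parse_rejects(log_text):
    """One dict per reject line; warnings and 'connect from' lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["restriction"] = classify(rec["reason"])
            # 4xx asks the client to retry (the 450s above recur every 30 min); 5xx is final.
            rec["final"] = rec["code"].startswith("5")
            records.append(rec)
    return records

def summarize(records):
    return Counter((r["ip"], r["restriction"], r["final"]) for r in records)
```

Running `summarize(parse_rejects(SAMPLE_LOG))` on the sample shows two retried temporary rejects from the hostname check and one final reject from the sender regexp, the same picture Roberto reads off the last log line.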

[1] gopher://gopher.conman.org/0Phlog:2021/01/16.1
[2] gopher://gopher.conman.org/0Phlog:2021/07/20.2
[3] http://www.armellin.com/friends/postfix/postconf.5.html

Email author at [email protected]