One of my e-mail addresses seemed to be targeted by a phishing / spam campaign. They tried to make me believe I needed to sign some important documents.
As I got up to 30 messages a day, it got a little bit annoying. Luckily for me, they use the same e-mail address / domain as the “From” sender every time to look legit. So that’s something I can use to filter them out “at the front door” using Postfix.
With Postfix you can define restriction classes to control how Postfix decides what to do with an incoming message / client. So what I’m going to do is introduce a restriction based on the sender (MAIL FROM) address, as they use one that’s always more or less the same.
So let’s define a restriction class of our own. The class consists of a check on the sender address and makes use of a hash map to decide what to do.
Let’s add the following line to main.cf:
reject_spam_messages = check_sender_access hash:/etc/postfix/known_spam_senders, permit
This will define a restriction class called “reject_spam_messages” which uses a file “known_spam_senders” to check the sender address (From) against.
The file /etc/postfix/known_spam_senders consists of the domains / e-mail addresses we want to filter out:
spammydomain.com REJECT 550
emailaddress@spammydomain.com REJECT 550
anotherspammydomain.com REJECT 550
Postfix will try to match the sender address against the first column of the file. The next column contains what to do, in this case reject the message. The third column contains the SMTP code used (see RFC 5321, the SMTP protocol).
We need to convert this plaintext file into a hash lookup file which Postfix will use. We can do this with the postmap command; it will generate a known_spam_senders.db file:
postmap hash:known_spam_senders
Ok, so now we have a file containing the addresses / domains we want to reject. The next step is to create a file which contains the e-mail addresses we want to protect, “protected_destinations”.
This file looks something like the following:
address1@mydomain.com reject_spam_messages
address2@mydomain.com reject_spam_messages
The file instructs Postfix to apply the reject_spam_messages class whenever the recipient is one of the e-mail addresses in the first column.
This file also needs to be converted into a hash lookup file, again using the postmap command:
postmap hash:protected_destinations
So, we have now created a restriction class and two files: one containing the e-mail addresses we want to “protect” and one containing the sender addresses we want to reject for those. Let’s tie them together.
We do this by adding “protected_destinations” to the smtpd_recipient_restrictions. To do so, we edit that parameter in the main.cf configuration file:
smtpd_recipient_restrictions = reject_unauth_destination, ..., check_recipient_access hash:/etc/postfix/protected_destinations
The value “check_recipient_access hash:/etc/postfix/protected_destinations” has been added at the end of the smtpd_recipient_restrictions parameter.
Let’s check if everything we did works out the way it should.
We can check this in a number of ways. First, let’s check what happens when Postfix encounters the protected recipient:
root@iraj:/etc/postfix# postmap -q address1@mydomain.com protected_destinations
reject_spam_messages
root@iraj:/etc/postfix#
Postfix will get “reject_spam_messages” as the restriction class to check, so it will do that. Let’s see what the hash map returns for the spammer’s address:
root@iraj:/etc/postfix# postmap -q hi@spammydomain.com known_spam_senders
REJECT 550
root@iraj:/etc/postfix#
The check instructs Postfix to reject the message with a 550 code.
Ok, so our files seem to be OK.
Have postfix reload itself and the “protection” should be alive.
To be sure, let’s check a real SMTP session:
root@iraj:/etc/postfix# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 my.emailserver.com ESMTP Postfix (Solaris)
helo localhost
250 my.emailserver.com
mail from:<hi@spammydomain.com>
250 2.1.0 Ok
rcpt to:<address1@mydomain.com>
554 5.7.1 <hi@spammydomain.com>: Sender address rejected: 550
quit
root@iraj:/etc/postfix#
As we can see Postfix is indeed rejecting the message the spammer tried to deliver using his spammydomain.com address.
All good... until they use a different sender address.
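To see exactly why the session above ends in a 554, and why a sender from an unlisted domain walks straight past the class, here is a small model of the lookup order Postfix uses for hash: access tables and of the restriction-class flow from this post. It is an added example, not Postfix code: the tables are constructed copies of the two files above, and it assumes Postfix defaults (smtpd_access_maps listed in parent_domain_matches_subdomains, reject_code = 554) plus the smtpd_restriction_classes declaration that Postfix requires before a class name can be used in an access map.

```python
KNOWN_SPAM_SENDERS = {             # constructed copy of /etc/postfix/known_spam_senders
    "spammydomain.com": "REJECT 550",
    "emailaddress@spammydomain.com": "REJECT 550",
    "anotherspammydomain.com": "REJECT 550",
}
PROTECTED_DESTINATIONS = {         # constructed copy of /etc/postfix/protected_destinations
    "address1@mydomain.com": "reject_spam_messages",
    "address2@mydomain.com": "reject_spam_messages",
}
# main.cf: smtpd_restriction_classes = reject_spam_messages   (declaration Postfix requires)
#          reject_spam_messages = check_sender_access hash:/etc/postfix/known_spam_senders, permit
RESTRICTION_CLASSES = {
    "reject_spam_messages": [("check_sender_access", KNOWN_SPAM_SENDERS), ("permit", None)],
}
REJECT_CODE = 554                  # Postfix reject_code default, the 554 in the post's session

def access_lookup(table, address):
    """Key order access(5) uses for a hash: table: user@domain, the domain and each parent
    domain (smtpd_access_maps matches subdomains by default), then user@.
    Null senders and address extensions (user+foo@domain) are not modelled."""
    address = address.lower()      # hash: lookups are case-folded
    user, _, domain = address.rpartition("@")
    labels = domain.split(".")
    keys = [address] + [".".join(labels[i:]) for i in range(len(labels))] + [user + "@"]
    for key in keys:
        if key in table:
            return table[key]
    return None

def rcpt_check(sender, recipient):
    """The check_recipient_access step of smtpd_recipient_restrictions: the SMTP reply to
    RCPT TO, or "DUNNO" when this step has no opinion and later restrictions decide."""
    class_name = access_lookup(PROTECTED_DESTINATIONS, recipient)
    if class_name is None:
        return "DUNNO"             # recipient is not protected
    if class_name not in RESTRICTION_CLASSES:
        raise ValueError(f"{class_name}: not declared in smtpd_restriction_classes")
    for restriction, table in RESTRICTION_CLASSES[class_name]:
        if restriction == "permit":
            return "250 2.1.5 Ok"  # a sender from any domain not in the table gets through
        action = access_lookup(table, sender)          # check_sender_access
        if action is None:
            continue                                   # no match: next restriction in the class
        verb, _, text = action.partition(" ")
        if verb == "REJECT":       # "REJECT 550": the 550 is only reply text; the code is reject_code
            return f"{REJECT_CODE} 5.7.1 <{sender}>: Sender address rejected: {text or 'Access denied'}"
        if verb.isdigit():         # "550 text" form: the number becomes the real reply code
            return f"{verb} 5.7.1 <{sender}>: Sender address rejected: {text}"
    return "DUNNO"
```

Run rcpt_check("hi@spammydomain.com", "address1@mydomain.com") to reproduce the reply line from the telnet session; a sender from a domain that is not in the table reaches the trailing permit, which is the gap the last sentence of the post points at.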