Score:1

How to block spoofed mail from *.host.com

cn flag

I'm currently running a centOS server with directadmin and custombuild. I keep getting spoofed phishing mails with spoofed from addresses that have SPF setup properly.

Spamassassin gives it a score 1.8, probably because the mail seem legit and other tests compounded result in a negative score. So negative score + SPF test score = 1.8

In directadmin you have ways to block mail, but this is looking at the from address, not the mailserver that is spoofing.

All mails have these same sending mailserver headers: Received: from cm17.websitewelcome.com (cm17.websitewelcome.com [100.42.49.20]) by gateway34.websitewelcome.com (Postfix)

IP addresses change and subdomains change. But if I can somewhere block all mail from *.websitewelcome.com my problem is solved for a while.

Can I block this somewhere in Postfix or Exim? Increasing SPF test score value is also an approach, but this can mark a lot of legit mails as well

Score:1
de flag

In Postfix you can block it directly on smtpd(8).

According to http://www.postfix.org/SMTPD_ACCESS_README.html you can use

smtpd_client_restrictions - Reject all client commands

With it you can (http://www.postfix.org/postconf.5.html#smtpd_client_restrictions)

check_client_access type:table

Search the specified access database for the client hostname, parent domains, client IP address, or networks obtained by stripping least significant octets. See the access(5) manual page for details.

http://www.postfix.org/access.5.html contains example:

  /etc/postfix/main.cf:
           smtpd_client_restrictions =
               check_client_access hash:/etc/postfix/access

and

/etc/postfix/access:
.websitewelcome.com REJECT
100.42.48.0/20 REJECT

(use whois to find network number and mask)

don't forget to call postmap(1)

Or you can block the whole IP network on your firewall, like

sudo iptables -I INPUT --src=100.42.48.0/20 -m tcp -p tcp --dport=25 -j DROP
user3411864 avatar
cn flag
If I whois websitewelcome.com I get an IP in USA and not in Rusland. So the subdomains get new IP ranges. So blocking IP is only effective for a short period
de flag
What about `smtpd_sender_restrictions` or `smtpd_helo_restrictions`? You can block on this level also
Score:0
fr flag

Firewall block:

iptables -t raw -A PREROUTING -s ${BAD_IP} -j DROP

Block by header:

In /etc/postfix/main.cf

header_checks = /etc/postfix/header_checks

In /etc/postfix/header_checks

/From:\ .*baddomain\.tld/ DISCARD BAD AND STINKY DOMAIN

Run these commands

postmap /etc/postfix/header_checks
systemctl restart postfix
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.