Score:-1

Which IP do I need to ban scammer email

cn flag

I got scam email from zcsend.net. This time the sender address is fake one. And I need to use fail2ban to ban it. However, they are many addresses here in the source which one should I ban?

Scam email

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.elcolie.com
    by mail.elcolie.com with LMTP
    id CQu1FWy08mQ8UwEA83h3bQ
    (envelope-from <[email protected]>)
    for <[email protected]>; Sat, 02 Sep 2023 04:05:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.elcolie.com (Postfix) with ESMTP id 4F41E835F9
    for <[email protected]>; Sat,  2 Sep 2023 04:05:00 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=135.84.81.239; helo=sender-239.fsu3.zcsend.net; envelope-from=bounce_826278108+a.1ffd60557f594e44_gm1@mail18.psnd.zcsend.net; receiver=<UNKNOWN> 
Authentication-Results: mail.elcolie.com; dmarc=none (p=none dis=none) header.from=ahrdigital.com.br
Authentication-Results: mail.elcolie.com;
    dkim=pass (1024-bit key; unprotected) header.d=mail18.psnd.zcsend.net [email protected] header.a=rsa-sha256 header.s=k1 header.b=mfuyyvvw;
    dkim-atps=neutral
Received: from sender-239.fsu3.zcsend.net (sender-239.fsu3.zcsend.net [135.84.81.239])
    by mail.elcolie.com (Postfix) with ESMTPS id 4A931833FE
    for <[email protected]>; Sat,  2 Sep 2023 04:04:59 +0000 (UTC)
Received: from 172.30.236.109 by sender-239.fsu3.zcsend.net
    with SMTP id 169362748867145850; Fri, 01 Sep 2023 21:04:48 -0700
DKIM-Signature: a=rsa-sha256; b=mfuyyvvwcocf77Gr4eWhg010x1Vak0knteAbKgX+PiHKD2TdnhfbGOZHCItAcuEJSjZN2UGRM/dQMzI9WfytdauyhtACpvDVf+uIn6qRmlNkOn140NbFVuYPDUABu1IBCr6wEwXR2pLevy7Zz1vFWUEuRck+70wzVwMjrj7+yvE=; c=simple/simple; s=k1; d=mail18.psnd.zcsend.net; v=1; bh=LMN9EQQS8smfom6q8kw8Y3zjTellj/Oo1rnIjeRT56c=; h=date:from:to:message-id:subject:mime-version:content-type:list-unsubscribe:list-unsubscribe-post:x-csa-complaints;
Date: Fri, 1 Sep 2023 21:04:48 -0700 (PDT)
From: "Parcel Team" <[email protected]>
To: [email protected]
Message-ID: <zcb.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.1ffd60557f594e44.1693627488661@mail18.psnd.zcsend.net>
Subject: =?UTF-8?B?Tm90aWZpY2F0aW9uOsKgIENhc2UgTnVtYmVyICMzMzYxNzI=?=
MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_8830362_773276248.1693627488657"
List-Unsubscribe: <https://vldxa-cmpzourl.maillist-manage.com/ua/optout?od=3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d&rd=1ffd60557f594e44&sd=1ffd60557f57b0ef&n=11699e4c32dbb4c>,<mailto:[email protected]>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-CSA-Complaints: [email protected]
Reply-To: [email protected]
X-JID: 3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.1ffd60557f3f24e4
X-campaignid: zohocampaigns.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.zcb.1ffd60557f594e44.11699e4c32dbb4c
X-Zoho-RID: zohocampaigns.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.zcb.1ffd60557f594e44.11699e4c32dbb4c
X-Report-Abuse: <Please send a copy of this message along with header to abuse+3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d_zcb_1ffd60557f594e44@zohocampaigns.com>, <https://vldxa-cmpzourl.maillist-manage.com/campaigns/ReportAbuse.zc?od=3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d&rd=1ffd60557f594e44&sd=1ffd60557f57b0ef&n=11699e4c32dbb4c>

------=_Part_8830362_773276248.1693627488657
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I replace my real email address with [email protected]

Since my email server is using https://github.com/docker-mailserver/docker-mailserver I simply run docker exec 2834fea5aa2e setup fail2ban ban 135.84.81.239

Questions:

  1. Am I correct?
  2. Am I missing any concern?
anx avatar
fr flag
anx
But.. that actually is Zoho-managed IP space? If you want to make adjustments for that sender, you would not need to worry about individual addresses, they are all properly named. But you probably do not, they seem to process complaints just fine.
Score:1
ru flag

Blacklisting a single Zoho server won't really do much. They've got a few more.

If you want to ban their servers in total, do it by host domain zcsend.net or by envelope FROM @(.*).psnd.zcsend.net>.

If you don't want to ban them entirely, all you've got left is a complaint.

Of course, you could also try filtering by header FROM but that is just too easily spoofed.

Score:0
jp flag

Fail2Ban is not designed for this

Why would you need to use Fail2Ban? Fail2Ban(1) is not for blocking spam, but...

a set of server and client programs to limit brute force authentication attempts.

DNS Real-time blackhole lists (RBL)

The IP address in the example, 135.84.81.239, is currently blacklisted in real-time blackhole lists (RBL):

Instead of blocking individual IP addresses every time a spam gets through, you could utilize some external services that are already doing that in scale. In addition, most of them will remove the listing when the problem has been resolved.

There are many RBL providers having different kind of listings. You should analyse which of these lists are suitable for your needs. E.g.,

Configuring RBLs in Postfix

Your headers show you are using Postfix. You can configure, e.g., SpamCop in your main.cf by adding a reject_rbl_client in smtpd_recipient_restrictions where it will be evaluated after full HELO, MAIL FROM & RCPT TO.

smtpd_recipient_restrictions =
    . . .
    reject_rbl_client bl.spamcop.net,
    . . .
    permit
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.