ispCP - Board - Support
[HowTo] Block bogus sender mx in postfix... - Printable Version




[HowTo] Block bogus sender mx in postfix... - rbtux - 11-13-2007 06:47 AM

Some spam servers use MX records pointing to IANA reserved address ranges or wildcard addresses.

These servers can be blocked by Postfix with the following steps:

1. Create /etc/postfix/bogus_mx.cidr with the following content:
Quote:
# Reserved Ranges
0.0.0.0/8 REJECT IP address of MX is IANA reserved range
10.0.0.0/8 REJECT IP address of MX is a RFC1918 address
127.0.0.0/8 REJECT IP address of MX is IANA reserved range
169.254.0.0/16 REJECT IP address of MX is a APIPA address
172.16.0.0/12 REJECT IP address of MX is a RFC1918 address
192.0.2.0/24 REJECT IP address of MX is IANA reserved range
192.168.0.0/16 REJECT IP address of MX is a RFC1918 address
198.18.0.0/15 REJECT IP address of MX is IANA reserved range
224.0.0.0/3 REJECT IP address of MX is IANA reserved range
240.0.0.0/12 REJECT IP address of MX is IANA reserved range


# WILDCARDS
62.4.64.119 REJECT IP address of MX host is a wild-card NU.
64.18.138.88 REJECT IP address of MX host is a wild-card CG.&RW.
64.70.19.33 REJECT IP address of MX host is a wild-card WS.
69.25.75.72 REJECT IP address of MX host is a wild-card NU.
72.51.27.58 REJECT IP address of MX host is a wild-card CM.
75.101.130.205 REJECT IP address of MX host is a wild-card MP.
193.33.61.2 REJECT IP address of MX host is a wild-card TK.
195.178.186.40 REJECT IP address of MX host is a wild-card ST.
195.20.32.103 REJECT IP address of MX host is a wild-card TK.
203.119.4.28 REJECT IP address of MX host is a wild-card PH.
208.87.149.250 REJECT IP address of MX host is a wild-card pjn.qsrch.net.
209.172.59.196 REJECT IP address of MX host is a wild-card TK.
212.181.91.6 REJECT IP address of MX host is a wild-card NU.
217.119.57.22 REJECT IP address of MX host is a wild-card TK.
222.231.8.226 REJECT IP address of MX host is a wild-card KR.


2. Configure Postfix:
Add the following before permit_mynetworks to smtpd_sender_restrictions of your /etc/postfix/main.cf:
Quote:
check_sender_mx_access cidr:/etc/postfix/bogus_mx.cidr

3. Reload Postfix:
Quote:
postfix reload

4. Keep your wildcard section up to date (I do it once a week)
This can be done with the following script (it takes a while to run...):
Thx to Uwe Driessen, Jan P. Kessler, Ralph Hildebrandt and Andreas Winkelmann from the German Postfixbuch-Mailinglist for creating this script... I hope I did not miss somebody!
Quote:
#!/bin/bash

# Fetch the root zone and build one "_.<tld>" probe name per delegated TLD
# (the NS match accepts space- or tab-separated zone file fields)
curl -s ftp://ftp.internic.net/domain/root.zone.gz |
gunzip -c |
awk ' /[ \t]NS[ \t]/ {if (length($1) > 1) print "_."$1}' |
sort -u |
# Resolve every probe name; only wildcard TLDs return an address
dig -f - +noall +answer |
awk ' $5 ~ /[0-9]+\.[0-9]+\./ {
    gsub("_.","",$1);
    print $5" REJECT IP address of MX host is a wild-card "$1
}' |
# About the sort: "sort -b -t. -k1,1n -k2,2n -k3,3n -k4,4n"
# sorts IPv4 addresses numerically by the 1st, 2nd, 3rd and 4th number
sort -g |
# Merge lines that share an IP address, joining their TLDs with "&"
awk ' BEGIN{
    oline=""; }
{
    if (NR>1) {
        if( length(oline) > 0) {
            split(oline,arr);
            if ($1==arr[1]) {
                oline=oline"&"$11;
            }
            else {
                print oline;
                oline=$0;
            }
        }
        else {
            oline=$0;
        }
    }
    else {
        oline=$0;
    }
}
END{ print oline;}'
Noticed? This was a oneliner :-)

5. That's it
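
An added example, not part of rbtux's post or the mailing-list script: a small offline check of a table in the bogus_mx.cidr format before reloading Postfix. It applies entries in file order with the first match winning, as Postfix does for cidr tables, and reports entries that can never match because an earlier, broader entry covers them. The function names are hypothetical and the sample table is constructed from a few of the entries above.

```python
import ipaddress

# Constructed sample: a few entries in the bogus_mx.cidr format shown above.
SAMPLE_TABLE = """\
# Reserved Ranges
10.0.0.0/8 REJECT IP address of MX is a RFC1918 address
127.0.0.0/8 REJECT IP address of MX is IANA reserved range
224.0.0.0/3 REJECT IP address of MX is IANA reserved range
240.0.0.0/12 REJECT IP address of MX is IANA reserved range

# WILDCARDS
193.33.61.2 REJECT IP address of MX host is a wild-card TK.
"""

def parse_table(text):
    """Return [(network, action)] in file order; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        # A bare address becomes a single-host network (/32). Strict parsing
        # raises ValueError if a prefix has host bits set (e.g. 10.1.0.0/8).
        rules.append((ipaddress.ip_network(pattern), action.strip()))
    return rules

def lookup(rules, address):
    """First matching entry wins; None means this table does not reject."""
    ip = ipaddress.ip_address(address)
    for network, action in rules:
        if ip in network:
            return action
    return None

def shadowed(rules):
    """Entries that can never match because an earlier entry covers them."""
    hidden = []
    for i, (network, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if network.subnet_of(earlier):
                hidden.append((str(network), str(earlier)))
                break
    return hidden

if __name__ == "__main__":
    rules = parse_table(SAMPLE_TABLE)
    for mx_ip in ("127.0.0.1", "193.33.61.2", "198.51.100.25"):
        print(mx_ip, "->", lookup(rules, mx_ip) or "no match")
    print("shadowed:", shadowed(rules))
```

On the sample, the 240.0.0.0/12 entry is reported as shadowed by 224.0.0.0/3, so addresses in that range are already rejected by the earlier line.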


RE: [HowTo] Block bogus sender mx in postfix... - BeNe - 11-13-2007 06:50 AM

Cool!

Thanks a lot....very useful!

Greez BeNe


RE: [HowTo] Block bogus sender mx in postfix... - pgentoo - 12-02-2007 09:28 AM

You have a small typo.

In one point you call the file bogus_mx.cider, and the other spot you call it bogus_mx.cidr.

Not a big issue, just figured I'd let you know.

-
Jesse


RE: [HowTo] Block bogus sender mx in postfix... - rbtux - 12-02-2007 09:32 AM

thanks jesse

fixed it...


RE: [HowTo] Block bogus sender mx in postfix... - rbtux - 12-02-2007 09:48 AM

updated bogus wildcard mx list...


RE: [HowTo] Block bogus sender mx in postfix... - raphael - 12-05-2007 10:44 AM

better turn anti spoofing protection (see /etc/sysctl.conf), and use linblock with a list from bluetack. See:
http://nas-central.org/index.php/Peer_Guardian-based_blocklist_(Linblock) (etch has all the cpan modules, no need to download from cpan.org).


RE: [HowTo] Block bogus sender mx in postfix... - rbtux - 12-05-2007 05:07 PM

Well, the two methods do not serve the same purpose...

The sender-MX method blocks addresses that must not be used as MX hosts, or addresses that are wildcards and therefore could be used by every domain...

The method you mentioned depends on third party listings which at least I would not use unscored... This purpose is well done by policyd-weight...

But every admin should know himself how to stay spam-free (or at least nearly spam-free)


RE: [HowTo] Block bogus sender mx in postfix... - rbtux - 12-19-2007 08:03 PM

updated list...


RE: [HowTo] Block bogus sender mx in postfix... - rbtux - 01-16-2009 06:44 AM

updated bogus list...

you may do so too ;-)