
I have Postfix configured to block email from a persistent spammer that has found a "bulletproof" spam service provider (known as Amazon SES), but of course the block fails because the MAIL FROM (aka "Return-Path") is a string such as 01000165f9022c82-37fa3cc3-d63c-4548-be3d-125d50e43aaf-000000@amazonses.com while the From header passed in the DATA command is ThePartyFixxCompany@gmail.com.

Is there a way to block the address/domain in the From header during the SMTP transaction, rather than filtering it to /dev/null with some after-the-fact process like Sieve, Amavis, Spamassassin, etc.?

This answer suggests it's not possible, but then goes on to emphasise a different point that is not relevant to my question, so it's not clear to me that it is absolutely not possible.

I don't think my postconf output is relevant to this question, as Postfix is running as it should be (I'm running 2.10.1). I'm looking for a configuration tweak. Thanks.

CraigH
    Remember to forward such spam to `abuse@amazonaws.com`. They're pretty good about killing such spammers. If you actually tell them it's happening. – Michael Hampton Sep 26 '18 at 17:10
  • @MichaelHampton Thanks for the suggestion. I've sent them dozens of complaints and they've all been ignored, hence my giving up and going to this extreme. It blows me away that these guys, using the same domain and two Gmail accounts, have been getting away with this for almost a year now. – CraigH Sep 26 '18 at 22:29
  • I wound up here with exactly the same problem. As of today, Amazon says, " Hello, Thank you for submitting your report to AWS Abuse. In reviewing your report, we can see that it concerns the AWS SES service. This can be seen in the header you provided as it contains a URL ending in amazonses.com. We have forwarded your report to that team for further investigation. For faster resolution we recommended sending all cases containing amazonses.com in the header to email-abuse@amazon.com. All other reports should continue to be sent to ec2-abuse@amazon.com. Thank you, AWS Abuse Team" – Bill McGonigle Jan 18 '19 at 00:53
  • @BillMcGonigle I've recv different replies from them depending on offender. Yesterday got one that says: *We've determined that an Amazon EC2 instance was running at the IP address you provided in your abuse report. We have reached out to our customer to determine the nature and cause of this activity or content in your report.* They were sending faked AWS emails. @amazon.com on From: and a url like `hxxp://aws.amazon.com.signin.redirect.uri.new.session.(some domain+hash)`. I'm filtering for them now when return path doesn't match 'bounces.amazon.com' since it passed regular spam filters. – B. Shea Oct 08 '19 at 20:28

1 Answer

Just to show that the suggestion feature when you enter a subject works, when I entered the subject for this question the first result was a link to Route mail in postfix to different relays based on subject. It's not what I was looking for, but it led me to look more closely at header_checks despite what is stated in the answer at the link in my question. A web search led me to How to filter mail with postfix header_checks, which was the answer I was looking for.

In my case this worked in /etc/postfix/header_checks:

/^From:.*partyfixx/ REJECT

I actually put a very rude message after "REJECT", but that's not appropriate to include here.

Here is the log entry for their most recent attempt:

Sep 25 01:41:54 mymailserver postfix/cleanup[19112]: F2A6428C3FD: reject: header From: The Party Fixx Company <ThePartyFixxCompany@gmail.com> from a9-98.smtp-out.amazonses.com[54.240.9.98]; from=<010001660e63cb43-c865ad08-e534-4fbd-acbe-ba6fed55ed25-000000@amazonses.com> to=<me@example.com> proto=ESMTP helo=<a9-98.smtp-out.amazonses.com>: 5.7.1 Rude message redacted!!!

The regex is case insensitive.

Other answers I found useful:

CraigH
  • You can also do this with Sieve/Pigeonhole - https://serverfault.com/a/967654/92023 - I show a `default.sieve` file that checks the 'From:' in the examples. – B. Shea May 24 '19 at 15:23
  • Thanks, but as I said in the OP, I was looking for a solution to create a hard bounce, not use Sieve to filter email. – CraigH Oct 07 '19 at 08:47
  • @CraigH Sorry - my fault, read/understood incorrectly. Yeah, regex header check is best. But you can do a 'hard' bounce under Sieve was my point: `If header :matches "from" "*partyfixx*" { Reject "Sorry, this is a known spam source."; Stop; } ` (Good luck..!) – B. Shea Oct 07 '19 at 17:16
  • @bshea OK, it wasn't immediately obvious to me that the script rejected the message. But doesn't Postfix need to accept the message first in order for Sieve to process it? If that happens, you've lost the opportunity to reject the message during the SMTP transaction, and (especially since we're dealing with spammers here) you then risk backscatter. – CraigH Oct 07 '19 at 22:33
  • Yes, exactly. Why it's better to catch it with `header_check` as you posted before handing off to the MDA/LDA - such as Dovecot. And yep on backscatter. But, anytime you outbound a bounce (soft or hard) you can cause that, though, depending.. – B. Shea Oct 08 '19 at 19:34