Archive for the Filters Category

Bot Connection Attempts to Postfix

Many different kinds of bots systematically search the Internet for vulnerabilities, and at times you will see their connection attempts to your Postfix mail server in the logs. Here is an example of what that may look like.

As you examine the logs (/var/log/maillog on CentOS) you see that the smtpd daemon receives a connection from a machine at 91.121.140.186. The smtpd daemon, which listens on port 25, immediately recognizes that the client sent a command that has nothing to do with mail, "GET / HTTP/1.1", logs "warning: non-SMTP command" and disconnects the client.

The anvil daemon, which is a defense against denial-of-service attacks, reports the maximum connection rate it observed: one connection per 60 seconds ("max connection rate 1/60s").

Feb 20 10:31:59 mail postfix/smtpd[891]: connect from ns355468.ovh.net[91.121.140.186]
Feb 20 10:31:59 mail postfix/smtpd[891]: warning: non-SMTP command from ns355468.ovh.net[91.121.140.186]: GET / HTTP/1.1
Feb 20 10:31:59 mail postfix/smtpd[891]: disconnect from ns355468.ovh.net[91.121.140.186]
Feb 20 10:35:19 mail postfix/anvil[893]: statistics: max connection rate 1/60s for (smtp:91.121.140.186) at Feb 20 10:31:59
Feb 20 10:35:19 mail postfix/anvil[893]: statistics: max connection count 1 for (smtp:91.121.140.186) at Feb 20 10:31:59
Feb 20 10:35:19 mail postfix/anvil[893]: statistics: max cache size 1 at Feb 20 10:31:59

As you review this information, remember that anvil is designed as a defense mechanism against attacks; it is not designed to regulate legitimate traffic.
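As an added example (not part of the original post), here is a small Python detector that runs over maillog lines like those above: it groups the "non-SMTP command" warnings by client IP, flags clients whose commands look like HTTP requests, and pulls anvil's peak connection rate. The second client, 198.51.100.7, and all of its lines are constructed.

```python
import re
from collections import defaultdict

# Constructed /var/log/maillog excerpt: the page's sample client plus a
# made-up second client (198.51.100.7, a documentation address) that retried.
SAMPLE_LOG = """\
Feb 20 10:31:59 mail postfix/smtpd[891]: connect from ns355468.ovh.net[91.121.140.186]
Feb 20 10:31:59 mail postfix/smtpd[891]: warning: non-SMTP command from ns355468.ovh.net[91.121.140.186]: GET / HTTP/1.1
Feb 20 10:31:59 mail postfix/smtpd[891]: disconnect from ns355468.ovh.net[91.121.140.186]
Feb 20 10:33:10 mail postfix/smtpd[895]: connect from unknown[198.51.100.7]
Feb 20 10:33:10 mail postfix/smtpd[895]: warning: non-SMTP command from unknown[198.51.100.7]: POST / HTTP/1.0
Feb 20 10:33:10 mail postfix/smtpd[895]: disconnect from unknown[198.51.100.7]
Feb 20 10:33:40 mail postfix/smtpd[895]: connect from unknown[198.51.100.7]
Feb 20 10:33:40 mail postfix/smtpd[895]: warning: non-SMTP command from unknown[198.51.100.7]: GET /admin HTTP/1.1
Feb 20 10:33:40 mail postfix/smtpd[895]: disconnect from unknown[198.51.100.7]
Feb 20 10:35:19 mail postfix/anvil[893]: statistics: max connection rate 2/60s for (smtp:198.51.100.7) at Feb 20 10:33:40
Feb 20 10:35:19 mail postfix/anvil[893]: statistics: max connection count 2 for (smtp:198.51.100.7) at Feb 20 10:33:40
"""

NON_SMTP = re.compile(
    r"postfix/smtpd\[\d+\]: warning: non-SMTP command from (\S+?)\[([\d.]+)\]: (.*)$")
ANVIL_RATE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max connection rate (\d+)/(\d+)s for \(smtp:([\d.]+)\)")
HTTP_VERB = re.compile(r"^(GET|POST|HEAD|OPTIONS|PUT|CONNECT) \S+ HTTP/\d\.\d$")


def non_smtp_clients(lines):
    """Group 'non-SMTP command' warnings by client IP.
    Returns {ip: {"host": str, "count": int, "commands": [str], "http": bool}}."""
    clients = defaultdict(lambda: {"host": "", "count": 0, "commands": [], "http": False})
    for line in lines:
        m = NON_SMTP.search(line)
        if not m:
            continue
        host, ip, command = m.groups()
        entry = clients[ip]
        entry["host"] = host
        entry["count"] += 1
        entry["commands"].append(command)
        # An HTTP request line sent to port 25 is a web scanner, not a mail client.
        if HTTP_VERB.match(command):
            entry["http"] = True
    return dict(clients)


def anvil_peak(lines):
    """Return (ip, connections, seconds) from the last anvil rate report, or None."""
    peak = None
    for line in lines:
        m = ANVIL_RATE.search(line)
        if m:
            rate, window, ip = m.groups()
            peak = (ip, int(rate), int(window))
    return peak


def report(text):
    """Clients that sent non-SMTP commands, busiest first, plus anvil's peak rate."""
    lines = text.splitlines()
    clients = non_smtp_clients(lines)
    ranked = sorted(clients.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return {"clients": ranked, "anvil_peak": anvil_peak(lines)}


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG)["clients"]:
        print(ip, info["host"], info["count"], "HTTP" if info["http"] else "-", info["commands"])
```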

Policy Banks with Amavis

Amavisd-new provides Policy Banks that allow you to manage messages based on the client or sender. For example, if you want senders to be able to send to email lists without using server resources to scan these outgoing messages with SpamAssassin and ClamAV, you can create a Policy Bank.

Solution: Specify Clients Who Can Bypass Scanning
This solution allows the mail server to skip the scanning process to save on system resources. It requires you to add an additional port so you can separate the options.

master.cf
Notice that there are two ports here. Port 10024 is assumed to be the port Amavis already uses to scan incoming mail before re-injection. Port 10026 is where you can send outgoing mail separately so that it avoids scanning and saves resources on your server. Note that the "-o" continuation lines in master.cf must be indented.

smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
4025      inet  n       -       n       -       -       smtpd
    -o mynetworks=127.0.0.0/8,192.168.1.0/24
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o content_filter=smtp-amavis:[127.0.0.1]:10026

smtp-amavis unix  -       -       n       -       6       smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
    -o max_use=20
    -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n    -       n       -       -       smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes

You need to add the additional port and set up the Policy Bank in amavisd.conf.

$inet_socket_port = [10024, 10026];

You will set up the Policy Bank "SERVER" for port 10026.
$interface_policy{'10026'} = 'SERVER';

$policy_bank{'SERVER'} = {  # Server mail submitted to port 4025
  originating => 1,  # mail submitted by server
  bypass_spam_checks_maps   => [1],  # no spam check
  bypass_banned_checks_maps => [1],  # no banned check
  bypass_header_checks_maps => [1],  # no header checks
};

Mail submitted to port 4025 can also skip the content filter entirely. By listing an IP address in amavis_bypass_client you control which clients are allowed to use this option.

4025      inet  n       -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_client_restrictions=hash:/etc/postfix/amavis_bypass_client,reject

The reject will stop other clients from having this option.

contents of /etc/postfix/amavis_bypass_client:
192.168.7.9 OK

Once you have made the changes you want restart Postfix and amavis and check network connections to verify your ports are listening.  You should see these four ports.

netstat -aunt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:10024             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:10025             0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:10026             0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:4025                0.0.0.0:*                   LISTEN

Examples of what you should see in the logs.
Outgoing mail scanned with SpamAssassin before the changes.
Mail sent out is tagged as SPAMMY and scores 6.282.
Jan 30 06:22:58 mail postfix/pickup[9525]: C22BA73479D: uid=501 from=<tom>
Jan 30 06:22:58 mail postfix/cleanup[9600]: C22BA73479D: message-id=<20100130132258.C22BA73479D@mail.testexample.com>
Jan 30 06:22:58 mail postfix/qmgr[9526]: C22BA73479D: from=<tom@testexample.com>, size=309, nrcpt=1 (queue active)
Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130132258.C22BA73479D@mail.testexample.com>, mail_id: y-Y0FBXjT2KH, Hits: 6.282, size: 309, queued_as: DF09F734795, 14102 ms

After the changes: no scan.
The "Hits: -" entry indicates that SpamAssassin did not scan the mail.
Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130141111.EC9A6734791@mail.testexample.com>, mail_id: 7fdE5pMr6Zjb, Hits: -, size: 298, queued_as: 77B6073478D, 10576 ms

Incoming Mail Indicates it is Scanned
Jan 30 17:40:38 mail amavis[19274]: (19274-01) 2822.From: <joe@example.com>

Jan 30 17:40:38 mail amavis[19274]: (19274-01) collect banned table[0]: tom@testexample.com, tables: DEFAULT=>Amavis::Lookup::RE=ARRAY(0x983e7a0)
Jan 30 17:40:38 mail amavis[19274]: (19274-01) p.path tom@testexample.com: "P=p001,L=1,M=text/plain,T=asc"
Jan 30 17:40:43 mail amavis[19274]: (19274-01) spam_scan: score=6.283 autolearn=no tests=[FH_DATE_PAST_20XX=3.384,TVD_SPACE_RATIO=2.899]
Jan 30 17:40:43 mail amavis[19274]: (19274-01) do_notify_and_quar: ccat=Spammy (5,0) ("5":Spammy, "1,1":CleanTag, "1":Clean, "0":CatchAll) ccat_block=(), qar_mth=
Jan 30 17:40:43 mail amavis[19274]: (19274-01) SPAM-TAG, <joe@example.com> -> <tom@testexample.com>, Yes, score=6.283 tagged_above=2 required=6.2 tests=[FH_DATE_PAST_20XX=3.384, TVD_SPACE_RATIO=2.899] autolearn=no
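To turn the log review above into a repeatable check, here is an added Python script (my code, not the page's or amavisd-new's) that parses amavis "Passed" lines and reports outgoing mail that still received a score after the bypass, as well as incoming mail that carries no score at all. The third log line, the mail_id MadeUpId0001, and the use of the sender domain testexample.com as the direction indicator are constructed assumptions.

```python
import re

# Constructed amavis log excerpt: the page's "before" and "after" lines for an
# outgoing message, plus one made-up incoming message that was scanned as expected.
AMAVIS_LOG = """\
Jan 30 06:23:13 mail amavis[9566]: (09566-01) Passed SPAMMY, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130132258.C22BA73479D@mail.testexample.com>, mail_id: y-Y0FBXjT2KH, Hits: 6.282, size: 309, queued_as: DF09F734795, 14102 ms
Jan 30 07:11:22 mail amavis[10249]: (10249-01) Passed CLEAN, <tom@testexample.com> -> <joe@example.com>, Message-ID: <20100130141111.EC9A6734791@mail.testexample.com>, mail_id: 7fdE5pMr6Zjb, Hits: -, size: 298, queued_as: 77B6073478D, 10576 ms
Jan 30 17:40:43 mail amavis[19274]: (19274-01) Passed CLEAN, <joe@example.com> -> <tom@testexample.com>, Message-ID: <made-up-1@example.com>, mail_id: MadeUpId0001, Hits: 0.501, size: 412, queued_as: 0123456789A, 2104 ms
"""

PASSED = re.compile(
    r"amavis\[\d+\]: \((?P<task>[\d-]+)\) Passed (?P<verdict>\S+), "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>, .*?mail_id: (?P<mail_id>\S+), "
    r"Hits: (?P<hits>\S+?),")


def parse_passed(text):
    """One dict per 'Passed' line; hits is None when amavis logged 'Hits: -'."""
    records = []
    for line in text.splitlines():
        m = PASSED.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["hits"] = None if rec["hits"] == "-" else float(rec["hits"])
        records.append(rec)
    return records


def bypass_audit(records, local_domain):
    """Outgoing mail (sender in local_domain) should carry no score once it is
    submitted on the bypass port; incoming mail should always carry one.
    Returns (mail_id, problem) pairs. Assumption: the envelope sender domain is
    a reliable direction indicator, which holds on a submission-only port."""
    problems = []
    for r in records:
        outgoing = r["sender"].lower().endswith("@" + local_domain.lower())
        if outgoing and r["hits"] is not None:
            problems.append((r["mail_id"], "outgoing mail was scanned, hits=%.3f" % r["hits"]))
        elif not outgoing and r["hits"] is None:
            problems.append((r["mail_id"], "incoming mail skipped spam scanning"))
    return problems


if __name__ == "__main__":
    for mail_id, problem in bypass_audit(parse_passed(AMAVIS_LOG), "testexample.com"):
        print(mail_id, problem)
```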

Vacation Message for Postfix


The vacation program is not built specifically for Postfix.  So you will need to set it up separately from Postfix and then integrate it. The vacation feature allows you to configure a message that will be returned to the sender when you are out of the office.  If you are using a CentOS version you will not find vacation in any repositories so you will have to compile it, which is not too difficult.

# yum install gdbm-devel
# cd /usr/local/src/
# wget http://internap.dl.sourceforge.net/sourceforge/vacation/vacation-1.2.7.0.tar.gz
# tar -xvzf vacation*
# cd vacation-1.2.7.0
By default it will want to place the man pages in a different location, so it may be easier just to create the necessary folders and be done with it.
# mkdir /usr/man
# mkdir /usr/man/man1
# make
# make install
The result will be that the binary will be placed in /usr/bin/vacation.

For each user (they must be local users, not virtual users) create a ".vacation.msg" file that looks something like this:
Subject: Out of the Office

I am out of the office until December 14.  I will contact you as soon as I return.

This file must be placed in the user’s home directory.

You must also create a “.forward” file in the user’s home.  The format should look like this:

\myuser, "|/usr/bin/vacation myuser"

Be sure to replace “myuser” with the real username.

That should make it all work so that when you send a message to the user who is out of the office, Postfix will  return the message in the vacation file.

Header Checks: Examples of What Not to Do

Listed here are a number of header checks that do work but are for the most part ineffective. Here is the problem: each of these examples matches one specific Subject, so you will be writing header checks until the day you die, which is not good. My thinking is that you should discard this methodology in favor of header checks that are more general and cast a wider net over the problem. There are two reasons for this: first, you have SpamAssassin or some other program to do the actual spam testing later; second, you need to conserve resources on your Postfix mail server. In fact the most important aspect of what you are doing is saving yourself money and time by reducing the load on your server. If you place too many header checks in Postfix you will begin to see a loss of speed and resources.

So review your header checks and make sure you are using each line wisely.

/^Subject: Get Viagra Online Now !!!/                REJECT
/^Subject: ENLARGE YOUR PACAKGE GUARANTEED/            REJECT
/^Subject: Add REAL Inches To Your Package! GUARANTEED/    REJECT
/^Subject: At Last, Herbal V, the All Natural Alternative!/    REJECT
/^Subject: Have Hair Loss? We Can Help You!\.\.Read on\.\./    REJECT
/^Subject: Pill to Increase Your Ejaculation by \d{3}%/        REJECT
/^Subject: free trial herbal viagra good for men and women/    REJECT
/^Subject: STAYING POWER/                    REJECT
/^Subject: Isn\'t It Time You Solved Your \"little\" Problem\?\s*\d{2,6}/    REJECT
/^Subject: Non Prescription Alternative to Viagra/        REJECT

# financial / money

/^Subject: INSTANT Daily PAY!/                    REJECT
/^Subject: INSTANT Pay to \$\d{2,3} A Day!/            REJECT
/^Subject: The easiest way to make money on the internet!/    REJECT
/^Subject: INTEREST RATES HAVE DROPPED/                REJECT
/^Subject: Make Money In Your Sleep! /                REJECT
/^Subject: Lowest Rates In Years! /                REJECT
/^Subject: make money now!!!!!/                    REJECT
/^Subject: HOME-BASED BUSINESSES /                REJECT
/^Subject: Sick of paying and paying and staying in debt? /    REJECT
/^Subject: Recession Hurts!/                    REJECT
/^Subject: Got Debt\?\s*Cut Your Bills in HALF!/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Make \d{2}% Yearly Fully Secured!/            REJECT
/^Subject: Have tax problems\?\s*\[\w{4,6}\]/            REJECT
/^Subject: Got a Mortgage\?\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Rates Have Fallen Again!\s{1,9}\d.\d{2}% Fixed Rate Mortgage/    REJECT
/^Subject: Take Advantage of Falling Interest Rates!/        REJECT
/^Subject: Double Your Life Insurance at NO EXTRA COST!/    REJECT
/^Subject: Got Debt\?.*\[\w{4,6}\]/                REJECT
/^Subject: Are you in debt\?\s*\[\w{4,6}\]/            REJECT
/^Subject: Refinance rates as low as \d.\d{2}%/            REJECT
/^Subject: Hot Casino Action - \d{2,3}% Bonus/            REJECT
/^Subject: Double your policy at No Extra Cost!/        REJECT
/^Subject: Need More Life Insurance\? Double it for No Extra Cost/    REJECT
/^Subject: Did you get your money\?/                REJECT
/^Subject: Tired of dropping stock prices\?\d{1,6}/        REJECT
/^Subject: \d{2,6}\s*Work From Home /                REJECT
/^Subject: Debt Consolidation.\s*\[\w{4,6}\]/            REJECT
/^Subject: Mortgage interest rates are lowered AGAIN/        REJECT
/^Subject: Re:  Easy money!  Muy dinero! \(/            REJECT
/^Subject: Feel the Excitement of CyberXCasino/            REJECT
/^Subject: Free Loan Quotations\.\.\.\.\.Lower your Rate!/        REJECT
/^Subject: Free Vacation$/                    REJECT
/^Subject: GUARANTEED MONTHLY INCOME- Join FREE NOW!/        REJECT
/^Subject: Is your mortgage APR as low as \d.\d{2}/        REJECT
/^Subject: Tired of the 40 X 40.*\?/                REJECT
/^Subject: NEVER REPAY, FREE CASH GRANTS\.*\s*\d{2,7}$/        REJECT
/^Subject: Are You Making \$\w{2,}\+ A Month Online\?\s*\d{2,7}$/    REJECT
/^Subject: Secure Your Financial Future!$/            REJECT
/^Subject: \d{2,3}% OFF Your Life Insurance/            REJECT

# piracy

/^Subject: Copy Your Favorite DVD Movies !!!/            REJECT
/^Subject: EASILY COPY ANY DVD MOVIE FOR FREE!/            REJECT
/^Subject: Favorite Movie not on DVD\?/                REJECT

# random

/^Subject: Try this, it really works! /                REJECT
/^Subject: Increased Emotional Stability /            REJECT
/^Subject: Free Travel/                        REJECT
/^Subject: Chart Returns - Charles Taylor /            REJECT
/^Subject: You could search for a year and\.\.\.\.\./        REJECT
/^Subject: Escape the Ordinary\.\.\.\.\.\.New Opportunity for you\.\./    REJECT
/^Subject: This Is What You've Been Waiting For\..*\d{2,6}/    REJECT
/^Subject: Get Rid of those Paper Piles!\s*\d{2,6}/        REJECT
/^Subject: Imaging Software for the Home.*\d{2,6}/        REJECT
/^Subject: End static on the cell/                REJECT
/^Subject: Free Trials & HBC Updates!/                REJECT
/^Subject: Free Trials from Home Business Connection/        REJECT
/^Subject: Fw: Marketing your product or service just got easier!/    REJECT
/^Subject: Re: I did not hear back from you$/            REJECT
/^Subject: Safe, Easy Snoring Solution!\s*\w{2,7}/        REJECT

# search engines

/^Subject: Search Engine Bids Are Now Half Price!/        REJECT
/^Subject: Guaranteed Top Ten Search Engine Placement!!\s*\d{2,7}/    REJECT

# spamware / email addresses

/^Subject: \d{2,3} Million Fresh Email Addresses/        REJECT
/^Subject: \d{2,3} Million Email Addresses - \$\d{2,3}/        REJECT
/^Subject: Internet Marketing Works! -\w{48}/            REJECT
/^Subject: Lets Learn How to market successfully!\s*\d{2,7}/    REJECT

# spyware

/^Subject: Investigate Anyone or Anything now!/            REJECT
/^Subject: NEW!! Find out ANYTHING about ANYONE w\/ your PC!/    REJECT

# paranoia

/^Subject: Protect yourself from Small pox and Anthrax Naturally\s*\w{2,7}/    REJECT

# just plain unrealistic

/^Subject: Boost Your Windows Reliability/            REJECT
/^Subject: Give Windows Operating System A Boost In Reliability!/    REJECT

Dropping X-Mailers in Header Checks

Header checks with Postfix can be used to deal with unwanted mail before your server wastes time on it. Create the file /etc/postfix/header_checks and then add this line to your main.cf.

header_checks = pcre:/etc/postfix/header_checks

The format line for each header check follows this pattern:

/^HEADER:.*content_for_review/   ACTION

The HEADER that you usually will act on is the Subject header.  However, you can also filter headers based on the X-Mailer.  One idea is to DISCARD all mail that comes from typical X-Mailers that a Spammer will use.  Here is a list of X-Mailers that you could place in your header_checks file.  Note that often you will use REJECT to send a message back to the user but with these known mailers you probably do not want to send anything back to them.  Note also, that this method is bound to create some false positives, so test it for yourself before you make any final decisions.

# Following is a list of known mass mailer programs.
/^X-Mailer: 0001/                           DISCARD
/^X-Mailer: 007 Direct Email Easy/          DISCARD
/^X-Mailer: Advanced Mass Sender/           DISCARD
/^X-Mailer: Aristotle /                     DISCARD
/^X-Mailer: Aureate Group Mail/             DISCARD
/^X-Mailer: Avalanche/                      DISCARD
/^X-Mailer: commercialmail /                DISCARD
/^X-Mailer: Copia emailFacts /              DISCARD
/^X-Mailer: Crescent Internet Tool/         DISCARD
/^X-Mailer: CyberCreek/                     DISCARD
/^X-Mailer: DiffondiCool/                   DISCARD
/^X-Mailer: Dynamic Opt-In Emailer /        DISCARD
/^X-Mailer: DMailer /                       DISCARD
/^X-Mailer: eGroups Message Poster /        DISCARD
/^X-Mailer: E-Mail Delivery Agent/          DISCARD
/^X-Mailer: Emailer Platinum/               DISCARD
/^X-Mailer: E-mail sender /                 DISCARD
/^X-Mailer: e-Merge  /                      DISCARD
/^X-Mailer: Entity/                         DISCARD
/^X-Mailer: Extractor/                      DISCARD
/^X-Mailer: Floodgate/                      DISCARD
/^X-Mailer: GMail2 /                        DISCARD
/^X-Mailer: GOTO Software Sarbacane/        DISCARD
/^X-Mailer: Inet_Mail_Out /                 DISCARD
/^X-Mailer: jfmailer /                      DISCARD
/^X-Mailer: Mail Bomber /                   DISCARD
/^X-Mailer: MailWorkz/                      DISCARD
/^X-Mailer: MassE-Mail/                     DISCARD
/^X-Mailer: MaxBulk.Mailer/                 DISCARD
/^X-Mailer: MailKing /                      DISCARD
/^X-Mailer: Mailloop /                      DISCARD
/^X-Mailer: MailXSender /                   DISCARD
/^X-Mailer: MassE-Mail /                    DISCARD
/^X-Mailer: MultiMailer /                   DISCARD
/^X-Mailer: NetMasters SMTP /               DISCARD
/^X-Mailer: Opt-In Lightning /              DISCARD
/^X-Mailer: PersMail /                      DISCARD
/^X-Mailer: PLAUZIUM /                      DISCARD
/^X-Mailer: Power CGI Bulk /                DISCARD
/^X-Mailer: Prospect Mailer /               DISCARD
/^X-Mailer: News Breaker Pro/               DISCARD
/^X-Mailer: SmartMailer/                    DISCARD
/^X-Mailer: Sparc12 /                       DISCARD
/^X-Mailer: StormPort/                      DISCARD
/^X-Mailer: SuperMail-2/                    DISCARD
/^X-Mailer: Super-Duper-FastMail/           DISCARD

Built in Content Filters for Postfix

One way to implement content filtering is to use regular expressions in your header, mime_header, nested_header and body checks. These should be simple regular-expression matches. The goal of this example is to eliminate mail in non-English character sets, since we cannot read it anyway; it will drop all such mail.

header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
nested_header_checks = pcre:/etc/postfix/nested_header_checks
body_checks = pcre:/etc/postfix/body_checks

Notice that the map type is pcre in these examples; you could use regexp instead, but the best performance is with pcre (Perl Compatible Regular Expression) tables. Check that you can use pcre with:

postconf -m

If you do not have pcre support you can use regexp.

When you create the header_checks file, each rule can take either of these two forms (there are other options as well):

/pattern/flags action

or

!/pattern/flags action

Decide which one you want to use.  The example below uses pattern matches.

If you want to reject or discard all email that is non-English you can take these steps.

Before you set up the header_checks you need to be somewhat familiar with the actions that you want to take.  Here is a list of actions with a brief description.

Actions
DISCARD                  drop the message silently (the sender is told it was delivered)
DUNNO                    pretend the input line did not match the pattern
FILTER transport:dest    hand the message to the named content filter
HOLD                     put the message in the hold queue
IGNORE                   delete the current line and move on to the next line
PREPEND text             prepend one line of text, then inspect the next line
REDIRECT user@domain     deliver the message to that address instead
REPLACE text             replace the current line with the given text
REJECT optional text     bounce the message, replying with the text
WARN optional text       log a warning with the text and continue

In the example two actions are shown. The first is DISCARD, which means no message is sent back to the sender; the mail is just dropped. The second is REJECT with a text that tells the sender the character set was not accepted.

# Header Checks
header_checks = pcre:/etc/postfix/header_checks

Create a new file; you can move the default header_checks file (which contains only the commented man page text) to header_checks_bk and then start a new one.

Contents of header_checks. Thanks to Wietse Venema for this suggestion. Note that the REJECT lines are indented: in a pcre table a line that starts with whitespace continues the rule above it.

/[^[:print:]]{8}/ DISCARD

# Chinese, Japanese and Korean
/^Content-Type:.*?charset\s*=\s*"?(Big5|gb2312|euc-cn)"?/
    REJECT HDR2100: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(euc-kr|iso-2022-kr)"?/
    REJECT HDR2110: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(iso-2022-\w+|euc-jp|shift_jis)"?/
    REJECT HDR2120: Unaccepted character set: "$1"
# Cyrillic character sets: Russian/Ukrainian
/^Content-Type:.*?charset\s*=\s*"?(koi8-(?:r|u))"?/
    REJECT HDR2200: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(windows-(?:1250|1251))"?/
    REJECT HDR2210: Unaccepted character set: "$1"

Once you have the file created restart postfix and then test.  Create a testpattern file and place an example in that file to test the header check.

postmap -q - pcre:/etc/postfix/header_checks < testpattern

If the pattern matches that you placed in testpattern then you will get a return on the command.  If there is no match, you will get nothing in return.
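The same test can be run without a Postfix installation. The following added Python evaluator (my code, not Postfix's postmap) reads a pcre: table in the pcre_table(5) layout, applies first-match-wins with $1 expansion and Postfix's default case-insensitive matching, and returns the action or None just as postmap -q does; it works equally on the Subject and X-Mailer tables in the earlier posts. The embedded copy of the table and the translation of [:print:] to the ASCII printable range are my assumptions.

```python
import re

# Constructed copy of the page's header_checks table, embedded so the example
# runs offline (a real run would read /etc/postfix/header_checks instead).
HEADER_CHECKS = r'''
/[^[:print:]]{8}/ DISCARD
/^Content-Type:.*?charset\s*=\s*"?(Big5|gb2312|euc-cn)"?/
    REJECT HDR2100: Unaccepted character set: "$1"
/^Content-Type:.*?charset\s*=\s*"?(euc-kr|iso-2022-kr)"?/
    REJECT HDR2110: Unaccepted character set: "$1"
# Cyrillic character sets: Russian/Ukrainian
/^Content-Type:.*?charset\s*=\s*"?(koi8-(?:r|u))"?/
    REJECT HDR2200: Unaccepted character set: "$1"
'''

# Python's re has no POSIX classes; in PCRE's default (non-UTF) tables
# [:print:] means ASCII 0x20-0x7e, so that range is substituted (assumption).
POSIX_CLASSES = {"[:print:]": r"\x20-\x7e"}


def logical_lines(text):
    """pcre_table(5) layout: skip blanks and comments, join indented continuation lines."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out


def parse_rule(line):
    """Split '!/pattern/flags action' into (negate, compiled_re, action)."""
    negate = line.startswith("!")
    body = line[1:] if negate else line
    delim, i = body[0], 1
    while i < len(body) and body[i] != delim:   # find the unescaped closing delimiter
        i += 2 if body[i] == "\\" else 1
    pattern, rest = body[1:i], body[i + 1:]
    m = re.match(r"([A-Za-z]*)\s+(.*)$", rest)
    if not m:
        raise ValueError("rule has no action: " + line)
    flags, action = m.groups()
    for posix, ascii_range in POSIX_CLASSES.items():
        pattern = pattern.replace(posix, ascii_range)
    # Postfix matches case-insensitively by default; the 'i' flag toggles that off.
    re_flags = 0 if "i" in flags else re.IGNORECASE
    return negate, re.compile(pattern, re_flags), action


def load_table(text):
    return [parse_rule(line) for line in logical_lines(text)]


def lookup(rules, header_line):
    """First matching rule wins, as with 'postmap -q - pcre:file'; returns the
    action with $1..$9 expanded, or None when no rule matches."""
    for negate, regex, action in rules:
        m = regex.search(header_line)
        if negate != bool(m):   # plain rule fires on a match, negated rule on no match
            if m:
                action = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", action)
            return action
    return None
```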