Roma, 2016-11-10 15:42:50

Postfix: how to check that the SMTP "RCPT TO:" and the "To:" header are the same?

Greetings, colleagues.
Please tell me how to solve this problem:
There is a mail server (MTA), postfix + amavisd-new + spamassassin + clam-av, which receives a large stream of spam. Most of the spam is cut off by postfix at the connection stage and never reaches users. But some spam emails successfully pass all of postfix's checks (which is not surprising) and reach spamassassin, which does not immediately start blocking them (for obvious reasons). As a result, users can get up to 20 spam emails per day in their inbox.
But such emails have one thing in common: the SMTP header "RCPT TO:" does not match the "TO:" header.
Here is an example of such a message:

Return-Path: <[email protected]>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.example.ru
X-Spam-Level: ***
X-Spam-Status: No, score=3.7 required=5.0 tests=BAYES_80,HTML_IMAGE_ONLY_08,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_1,MPART_ALT_DIFF,RP_MATCHES_RCVD,URIBL_BLACK autolearn=no version=3.3.1
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
  by mail.example.ru (Postfix) with ESMTP id 052C0B6A395;
  Thu, 10 Nov 2016 04:01:23 +0200 (EET)
X-Virus-Scanned: amavisd-new at example.ru
Received: from mail.example.ru ([127.0.0.1])
  by localhost (mail.example.ru [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id fzLCPgV5Hjpr; Thu, 10 Nov 2016 04:01:22 +0200 (EET)
Received: from golemint.eu (mail.golemint.eu [85.25.243.93])
  by mail.example.ru (Postfix) with ESMTP;
  Thu, 10 Nov 2016 04:01:22 +0200 (EET)
Received: from golemint.eu (unknown [46.38.48.34])
  by golemint.eu (Postfix) with ESMTPA id AE2782B0C21;
  Thu, 10 Nov 2016 00:36:13 +0200 (EET)
Message-ID: <[email protected]>
Reply-To: "=?windows-1251?B?w87L08HI0s7K0SDP8O7x8uDy6PI=?=" <[email protected]>
From: "=?windows-1251?B?w87L08HI0s7K0SDP8O7x8uDy6PI=?=" <[email protected]>
To: <[email protected]>
Subject: =?windows-1251?B?3fT05ery6OLt9O7lIOvl9+Xt6OUg7/Du8fLg8ujy4A==?=
Date: Thu, 10 Nov 2016 00:36:18 +0200
--- omitted for brevity ---

And in the postfix logs there is this entry:
# grep 052C0B6A395 maillog
Nov 10 04:01:23 mail postfix/smtpd[16685]: 052C0B6A395: client=localhost[127.0.0.1]
Nov 10 04:01:23 mail postfix/cleanup[21481]: 052C0B6A395: message-id=<[email protected]>
Nov 10 04:01:23 mail postfix/qmgr[14134]: 052C0B6A395: from=<[email protected]>, size=126406, nrcpt=2 (queue active)
Nov 10 04:01:25 mail postfix/pipe[23768]: 052C0B6A395: to=<[email protected]>, relay=maildrop, delay=2.5, delays=0.01/0/0/2.4, dsn=2.0.0, status=sent (delivered via maildrop service)
Nov 10 04:01:25 mail postfix/qmgr[14134]: 052C0B6A395: removed

That is, "rcpt to" contains "[email protected]" (my real mailbox), while "to" contains a completely different address, "[email protected]". And there are very many such messages among the spam that passes postfix's checks.
The only way I can see to filter out this spam is to compare "TO" with "RCPT TO" and, if they do not match, mark the message as spam. But I cannot figure out how to implement this.
So, the actual question: how do I compare "TO" with "RCPT TO" and, if they do not match, send the message to spam? It can be done with spamassassin or with postfix.
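One way to implement the comparison the question asks for, as an added example that is not part of the original post: a stand-alone Python check that collects every addr-spec from the To: and Cc: headers, normalises it the way Postfix would (case-insensitive, recipient_delimiter extension stripped), and reports which envelope recipients are absent from the headers. The two sample messages, their addresses and the List-Id skip are constructed for illustration and are not the messages from the question. Postfix header_checks cannot express this rule, because the envelope recipient is not visible there; the natural home for the logic is a milter (with pymilter, the envrcpt callback receives RCPT TO and eom has the headers) or a SpamAssassin plugin, where the envelope recipient survives only as the Delivered-To header that local(8), or pipe(8) with flags=D, prepends at delivery.

```python
"""Check whether the envelope recipients (RCPT TO) appear in To:/Cc:.

Added example, not code from the original post. The sample messages below
are constructed; the addresses are placeholders.
"""
import email
from email.utils import getaddresses

# Constructed spam-like sample modelled on the headers in the question: the
# envelope recipient (recorded in Delivered-To) is not the address in To:.
SPAM_SAMPLE = b"""\
Return-Path: <a@golemint.example>
Delivered-To: user@example.ru
From: "=?windows-1251?B?w87L08HI0s7K0SDP8O7x8uDy6PI=?=" <a@golemint.example>
To: <stranger@other.example>
Subject: =?windows-1251?B?3fT05ery6OLt9O7lIOvl9+Xt6OUg7/Du8fLg8ujy4A==?=
Date: Thu, 10 Nov 2016 00:36:18 +0200

spam body
"""

# Constructed legitimate sample: mixed case, a +extension, a quoted display
# name containing a comma, and a Cc: recipient.
LEGIT_SAMPLE = b"""\
Delivered-To: user@example.ru
From: Colleague <colleague@example.ru>
To: Someone Else <other@example.ru>, "User, The" <User+work@Example.RU>
Cc: third@example.ru
Subject: meeting

legit body
"""


def normalize(addr: str, delimiter: str = "+") -> str:
    """Lower-case an address and drop a recipient_delimiter extension
    (user+tag@example.ru -> user@example.ru), as Postfix does on delivery.
    The default delimiter '+' is an assumption; match your main.cf."""
    addr = addr.strip().lower()
    local, at, domain = addr.partition("@")
    if delimiter and delimiter in local:
        local = local.split(delimiter, 1)[0]
    return local + at + domain


def header_recipients(raw: bytes) -> set:
    """All addr-specs named in To: and Cc:. RFC 2047 encoded display names
    do not affect the addr-spec, so getaddresses handles them unchanged."""
    msg = email.message_from_bytes(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {normalize(a) for _, a in getaddresses(fields) if a}


def envelope_from_delivered_to(raw: bytes) -> list:
    """Stand-in for RCPT TO when the check runs after delivery: Postfix's
    local(8), or pipe(8) with flags=D, prepends one Delivered-To per recipient.
    In a milter you would use the RCPT TO arguments directly instead."""
    msg = email.message_from_bytes(raw)
    return [normalize(v) for v in msg.get_all("Delivered-To", [])]


def missing_recipients(raw: bytes, envelope_rcpts) -> list:
    """Envelope recipients that appear in neither To: nor Cc:.
    An empty list means headers and envelope agree."""
    msg = email.message_from_bytes(raw)
    # Heuristic assumption: mailing-list traffic carries List-Id and its To:
    # is the list address, so the check would flag every list post. Skip it.
    if msg.get("List-Id"):
        return []
    visible = header_recipients(raw)
    return [r for r in envelope_rcpts if normalize(r) not in visible]


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        rcpts = envelope_from_delivered_to(raw)
        missing = missing_recipients(raw, rcpts)
        verdict = "MISMATCH" if missing else "ok"
        print(f"{name}: envelope={rcpts} not in To/Cc={missing} -> {verdict}")
```

A legitimate mismatch is common (Bcc, alias expansion, forwarding, distribution lists), so treat a non-empty result as a score contribution alongside the other SpamAssassin tests rather than as grounds to reject at SMTP time.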
