[Postfixbuch-users] Bounce mails and header_checks

Tobi H tobias.hiller at googlemail.com
Tue May 27 16:53:55 CEST 2008


Until this morning the whole thing worked well.
Unfortunately, since this morning I have been getting some mails again,
though to a different address, but the same domain.

Here is the header of one message:

________________________________________________________________________________________
Microsoft Mail Internet Headers Version 2.0
Received: from mailgate.domain.org ([10.0.0.1]) by mail.firma.local with
Microsoft SMTPSVC(6.0.3790.3959);
     Tue, 27 May 2008 16:40:43 +0200
Received: by mailgate.domain.org (mailgate, from userid 505)
    id 9D214D404D; Tue, 27 May 2008 16:40:47 +0200 (CEST)
Received: from mailgate.domain.org (localhost.localdomain [127.0.0.1])
    by mailgate.domain.org (mailgate) with SMTP id CB9FED405F;
    Tue, 27 May 2008 16:40:45 +0200 (CEST)
Received: from c163.net (unknown [61.156.14.22])
    by mailgate.domain.org (mailgate) with SMTP id 5F5A3D404D
    for <contact at domain.org>; Tue, 27 May 2008 16:40:42 +0200 (CEST)
Received: (fmail 23850 invoked for bounce); 27 May 2008 14:36:29 -0000
Date: 27 May 2008 14:36:29 -0000
From: MAILER-DAEMON at c163.net
To: contact at domain.org
Subject: ????: ????
MIME-Version: 1.0
Content-Type: multipart/mixed;
     boundary="-------1forlinkforlinkforlinkforlink1"
Message-Id: <20080527144042.5F5A3D404D at mailgate.domain.org>
X-AV-Checked: ClamAV using ClamSMTP
X-Spam-Checker-Version: SpamAssassin 3.0.3 (2005-04-27) on
    mailgate.domain.org
X-Spam-Level:
X-Spam-Status: No, score=-74.2 required=4.0 tests=BAYES_50,HTML_FONT_BIG,
    HTML_MESSAGE,MIME_HTML_MOSTLY,MSGID_FROM_MTA_ID,NO_REAL_NAME,
    RAZOR2_CF_RANGE_51_100,RAZOR2_CHECK,SUBJ_ILLEGAL_CHARS,URIBL_AB_SURBL,
    URIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL,
    USER_IN_WHITELIST autolearn=disabled version=3.0.3
Return-Path: <>
X-OriginalArrivalTime: 27 May 2008 14:40:43.0651 (UTC)
FILETIME=[A4753D30:01C8C007]

---------1forlinkforlinkforlinkforlink1
Content-Type: text/plain; charset=gb2312
Content-Transfer-Encoding: quoted-printable

---------1forlinkforlinkforlinkforlink1
Content-Type: message/rfc822
Content-disposition: attachment

Return-Path: <contact at domain.org>
Received: (fmail 23824 invoked from network); 27 May 2008 14:36:27 -0000
Received: from unknown (HELO 0x5550d362.adsl.cybercity.dk) (85.80.211.98)
  by 0 with SMTP; 27 May 2008 14:36:27 -0000
IP: 85.80.211.98
Message-ID: <000601c8c007$0481818a$e2097c89 at kkflk>
From: "Breitling Watches" <contact at domain.org>
To: "Un Beatable" <rsc at c163.net>
Subject: Chanel Watches
Date: Tue, 27 May 2008 12:53:03 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0003_01C8C007.047F5F3C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

------=_NextPart_000_0003_01C8C007.047F5F3C
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0003_01C8C007.047F5F3C
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0003_01C8C007.047F5F3C--

---------1forlinkforlinkforlinkforlink1--
__________________________________________________________________________________________________

Does anyone have an idea how I can tighten the rules so that these mails
are rejected as well?

Many thanks in advance,

Tobi


On 15 May 2008 at 17:28, Tobi H <tobias.hiller at googlemail.com> wrote:

> That seems to have been it...
> Those who can read clearly have the advantage ;)
> Many thanks!
>
> Tobi
>
> On 15 May 2008 at 16:47, Stefan Förster <cite at incertum.net> wrote:
>
> * Stefan Förster <cite at incertum.net> wrote:
>> > * Tobi H <tobias.hiller at googlemail.com> wrote:
>> >> I basically just adapted the example and pasted it in.
>> >> Here is the example again, as it stands, adapted, in my header_check:
>> >>
>> >> 40:if /^Received:/
>> >> 41:    /^Received: +from +(porcupine\.org) +/
>> >> 42:        reject forged client name in Received: header: $1
>> >> 43:    /^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]+lo
>> >> +)(porcupine\.org)\)/
>> >> 44:        reject forged client name in Received: header: $2
>> >> 45:    /^Received:.* +by +(porcupine\.org)\b/
>> >> 46:        reject forged mail server name in Received: header: $1
>> >> 47:    endif
>> >> 48:   /^Message-ID:.* <!&!/ DUNNO
>> >> 49:    /^Message-ID:.*@(porcupine\.org)/
>> >> 50:       reject forged domain name in Message-ID: header: $1
>> >>
>> >> and then at line 60 it continues with:
>> >> 60: /^Received: from localhost/     IGNORE
>> >>
>> >>
>> >> in between there are just comments etc.
>> >
>> > The spaces are bothering it, I think:
>> >
>> > | Note: do not prepend whitespace to patterns inside if..endif.
>>
>> Or the whitespace at the beginning of the line. There was something about that.
>>
>> |DO NOT indent lines starting with /pattern/ between the "if" and
>> |"endif"!
>>
>>
>>
>> Ciao
>> Stefan
>> --
>> Stefan Förster     http://www.incertum.net/     Public Key: 0xBBE2A9E9
>> FdI #82: Democracy - instead of one court jester for the king, there are a
>> few hundred for the people. (Stefan Hager)
>
>
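The whitespace rule quoted in the thread follows from how Postfix reads table files: a line that starts with whitespace continues the previous logical line, so an indented pattern or `endif` is folded into the `if` line above it. The following check is an added example, not part of the original posts or of Postfix; the sample is constructed from the posted rules, and the function names and the `/` pattern delimiter are assumptions.

```python
import re

# Constructed sample modeled on the rules posted in the thread (line-number
# prefixes dropped, one rule omitted); the indentation is kept as posted.
SAMPLE = r"""if /^Received:/
    /^Received: +from +(porcupine\.org) +/
        reject forged client name in Received: header: $1
    /^Received:.* +by +(porcupine\.org)\b/
        reject forged mail server name in Received: header: $1
    endif
/^Message-ID:.*@(porcupine\.org)/
       reject forged domain name in Message-ID: header: $1
"""

def is_rule_start(s):
    # "endif", "if /re/", "/re/ action" or "!/re/ action" ('/' delimiter assumed)
    return s == "endif" or bool(re.match(r"(if\s+)?!?/", s))

def logical_lines(text):
    """Join physical lines as Postfix table files are read: blank lines and
    '#' comments are skipped; leading whitespace continues the previous line."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] = (out[-1][0], out[-1][1] + " " + raw.strip())
        else:
            out.append((no, raw.strip()))
    return out

def lint(text):
    """Return sorted (line_no, message) findings."""
    found = [(no, "indented rule is read as a continuation line")
             for no, raw in enumerate(text.splitlines(), 1)
             if raw[:1].isspace() and is_rule_start(raw.strip())]
    open_ifs = []
    for no, line in logical_lines(text):
        if re.match(r"if\s", line):
            open_ifs.append(no)
        elif line == "endif":
            if open_ifs:
                open_ifs.pop()
            else:
                found.append((no, "endif without if"))
    return sorted(found + [(no, "if without endif") for no in open_ifs])

def fix(text):
    """Left-align if/endif/pattern lines; action lines stay indented."""
    return "\n".join(l.strip() if is_rule_start(l.strip()) else l
                     for l in text.splitlines())
```

On the sample, `logical_lines` collapses the whole `if` block into a single logical line, which is why the `endif` is never seen; after `fix`, the file parses into five logical lines and `lint` reports nothing.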