[Postfixbuch-users] DOS_OUTLOOK_TO_MX

Django django at nausch.org
Mon Apr 14 22:37:07 CEST 2014



Hi!

I'm a bit stuck at the moment; maybe someone can give me a kick in the
right direction. My config essentially follows this basic structure:
http://dokuwiki.nausch.org/doku.php/centos:mail_c6:spam_5#grundlagen

So, an (Outlook) user sends an e-mail to several recipients in the same
domain and makes extensive use of "Cc:".

Here is the log excerpt from the AMaViS host:
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09)
ESMTP:[127.0.0.1]:10026
/var/amavis/tmp/amavis-20140411T162941-1337-foxKNT6J:
<zipfegladscha at it-ignorant.de> ->
<bazibua at it-ignorant.de>,<deandl at it-ignorant.de>,<zipfegladscha at it-ignorant.de>,<grischbal at it-ignorant.de>,<muadda at it-ignorant.de>,<grossvoda at it-ignorant.de>,<stefan.wars
inke at it-ignorant.de> Received: from mx01nausch.org ([10.0.0.80]) by
viruswall.dmz.nausch.org (viruswall.dmz.nausch.org [10.0.0.60])
(amavisd-new, port 1
0026) with ESMTP; Fri, 11 Apr 2014 17:26:45 +0200 (CEST)
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp connection
cache, dt: 250.1, state: 0
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) body hash:
8107cbf2a5ad35d2c6d1dd2e08d02b98
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) Checking:
EAutRP2AU92V ORIGINATING [79.254.109.108]
<zipfegladscha at it-ignorant.de> ->
<bazibua at it-ignorant.de>,<deandl at it-ignorant.de>,<zipfegladscha at it-ignorant.de>,<grischbal at it-ignorant.de>,<muadda at it-ignorant.de>,<grossvoda at it-ignorant.de>,<grossmuddae at it-ignorant.de>
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) 2822.From:
<zipfegladscha at it-ignorant.de>
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) p001 1 Content-Type:
text/plain, size: 6784 B, name:
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) inspect_dsn: not a
bounce
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) Checking for banned
types and filenames
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) skipping banned
check: all recipients bypass banned checks
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) presenting full
original message to scanners as
/var/amavis/tmp/amavis-20140411T162941-1337-foxKNT6J/parts/p002
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) run_av Using
(ClamAV-clamd): (code) CONTSCAN
/var/amavis/tmp/amavis-20140411T162941-1337-foxKNT6J/parts\n
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) ClamAV-clamd:
Connecting to socket  /var/run/clamav/clamd.sock
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) new socket by
IO::Socket::UNIX to /var/run/clamav/clamd.sock, timeout 10
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) ClamAV-clamd:
Sending CONTSCAN
/var/amavis/tmp/amavis-20140411T162941-1337-foxKNT6J/parts\n to socket
/var/run/clamav/clamd.sock
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) rw_loop read: got eof
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) run_av
(ClamAV-clamd): CLEAN
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) run_av
(ClamAV-clamd) result: clean
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) calling SA parse
(0), SA vers 3.3.1, 3.003001, data as STRING, recips_ind
[0,1,2,3,4,5,6], user: "amavis"
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) spam_scan:
score=6.614 autolearn=no
tests=[BAYES_00=-1.9,DOS_OUTLOOK_TO_MX=2.845,FSL_HELO_NON_FQDN_1=0.001,HELO_NO_DOMAIN=1.023,RCV
D_IN_PBL=3.335,RCVD_IN_RP_RNBL=1.31] recips=0,1,2,3,4,5,6
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) blocking contents
category is (6) for bazibua at it-ignorant.de
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) blocking contents
category is (6) for deandl at it-ignorant.de
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) blocking contents
category is (6) for zipfegladscha at it-ignorant.de
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) blocking contents
category is (6) for grischbal at it-ignorant.de
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) blocking contents
category is (6) for muadda at it-ignorant.de
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) blocking contents
category is (6) for grossvoda at it-ignorant.de
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) blocking contents
category is (6) for grossmuddae at it-ignorant.de
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) do_notify_and_quar:
ccat=Spam (6,0) ("6":Spam, "5":Spammy, "1,1":CleanTag, "1":Clean,
"0":CatchAll) ccat_block=(6), qar_mth=
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) dkim: candidate
originators: From:<n3rd at c3n705.guru>
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) dkim: signing
(author), From: <n3rd at c3n705.guru> (From:<n3rd at c3n705.guru>),
KEY.key_ind=>0, a
=>rsa-sha256, c=>relaxed/simple, d=>c3n705.guru, s=>140310
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp session:
setting up a new session
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) new socket using
IO::Socket::INET to [127.0.0.1]:10025, timeout 35
Apr 11 17:26:45 vml000060postfix/smtpd[2496]: connect from
localhost[127.0.0.1]
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp greeting: 220
mx01.nausch.org ESMTP Postfix, dt: 0.9 ms
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp cmd> EHLO
viruswall.dmz.nausch.org
Apr 11 17:26:45 vml000060postfix/smtpd[2496]: discarding EHLO
keywords: DSN
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp resp to EHLO:
250 mx01.nausch.org\nPIPELINING\nSIZE 52428800\nETRN\nSTARTTLS\nAUTH
PLAIN LOGIN\nAUTH=PLAIN LOGIN\n
XFORWARD NAME ADDR PROTO HELO SOURCE PORT\nENHANCEDSTATUSCODES\n8BITMIME

Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) AUTH not needed,
user='', MTA offers 'PLAIN LOGIN'
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp cmd> MAIL
FROM:<n3rd at c3n705.guru>
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp cmd> RCPT
TO:<virusalert at c3n705.guru>
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp cmd> DATA
Apr 11 17:26:45 vml000060postfix/smtpd[2496]: F24C3180:
client=localhost[127.0.0.1]
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp resp to MAIL
(pip): 250 2.1.0 Ok
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp resp to RCPT
(pip) (<virusalert at cen705.guru>): 250 2.1.5 Ok
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp resp to DATA:
354 End data with <CR><LF>.<CR><LF>
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) smtp cmd> QUIT
Apr 11 17:26:45 vml000060postfix/cleanup[2497]: F24C3180:
message-id=<SAEAutRP2AU92V at mx01.centos.guru>
Apr 11 17:26:46 vml000060postfix/smtpd[2496]: disconnect from
localhost[127.0.0.1]
Apr 11 17:26:46 vml000060postfix/qmgr[14609]: F24C3180:
from=<n3rd at c3n705.guru>, size=5572, nrcpt=1 (queue active)
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) smtp resp to
data-dot (<virusalert at c3n705.guru>): 250 2.0.0 Ok: queued as F24C3180,
dt: 4.4 ms
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09)
Amavis::Out::SMTP::Session close, disconnecting
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) SEND from
<n3rd at c3n705.guru> -> <virusalert at c3n705.guru>, 250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as F24C3180
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) delivery method is
1, recips: bazibua at it-ignorant.de, deandl at it-ignorant.de,
zipfegladscha at it-ignorant.de, grischbal at it-ignorant.de,
muadda at it-ignorant.de, grossvoda at it-ignorant.de,
grossmuddae at it-ignorant.de
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) DSN: sender is
credible (orig), SA: 6.614, <zipfegladscha at it-ignorant.de>
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) status counters:
InMsgsStatus{Rejected,RejectedInternal,RejectedOriginating}
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) Blocked SPAM
{RejectedInternal}, ORIGINATING LOCAL [79.254.109.108]:52639
[79.254.109.108] <zipfegladscha at it-ignorant.de> ->
<bazibua at it-ignorant.de>,<deandl at it-ignorant.de>,<zipfegladscha at it-ignorant.de>,<grischbal at it-ignorant.de>,<muadda at it-ignorant.de>,<grossvoda at it-ignorant.de>,<grossmuddae at it-ignorant.de>,
Message-ID: <013301cf559a$802d7120$80885360$@it-ignorant.de>, mail_id:
EAutRP2AU92V, Hits: 6.614, size: 8437, 990 ms
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) TIMING-SA total 553
ms - parse: 2 (0.4%), extract_message_metadata: 25 (4.6%),
get_uri_detail_list: 8 (1.4%), tests_pri_-1000: 12 (2.1%),
tests_pri_-950: 1.46 (0.3%), tests_pri_-900: 1.34 (0.2%),
tests_pri_-400: 53 (9.6%), check_bayes: 52 (9.3%), tests_pri_0: 274
(49.5%), check_dkim_adsp: 3 (0.5%), check_spf: 0.23 (0.0%),
check_pyzor: 0.22 (0.0%), tests_pri_500: 161 (29.2%), poll_dns_idle:
152 (27.5%), get_report: 1.44 (0.3%)
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) sending SMTP
response: "554 5.7.0 Reject, id=1337-09 - spam"
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) size: 8437, TIMING
[total 995 ms] - SMTP greeting: 3 (0%)0, SMTP EHLO: 0 (0%)0, SMTP
pre-MAIL: 0 (0%)0, SMTP pre-DATA-flush: 181 (18%)18, SMTP DATA: 158
(16%)34, check_init: 1 (0%)34, digest_hdr: 1 (0%)35, digest_body_dkim:
2 (0%)35, mime_decode: 10 (1%)36, get-file-type1: 12 (1%)37,
parts_decode: 0 (0%)37, check_header: 1 (0%)37, AV-scan-1: 8 (1%)38,
spam-wb-list: 2 (0%)38, SA msg read: 1 (0%)38, SA parse: 3 (0%)38, SA
check: 544 (55%)93, decide_mail_destiny: 12 (1%)94, notif-quar: 1
(0%)94, write-header: 19 (2%)96, fwd-data-dkim: 7 (1%)97, fwd-connect:
3 (0%)97, fwd-mail-pip: 4 (0%)98, fwd-rcpt-pip: 0 (0%)98,
fwd-data-chkpnt: 0 (0%)98, write-header: 0 (0%)98, fwd-data-contents:
4 (0%)98, fwd-end-chkpnt: 7 (1%)99, prepare-dsn: 2 (0%)99,
main_log_entry: 7 (1%)100, update_snmp: 2 (0%)100, SMTP pre-response:
0 (0%)100, SMTP response: 1 (0%)100, unlink-2-files: 0 (0%)100,
rundown: 1 (0%)100
Apr 11 17:26:46 vml000060 amavis[1337]: (1337-09) load: 1 %, total
idle 3398.969 s, busy 25.400 s

With a spam score of 6.614 the message is rejected, of course. :)

What obviously adds up here is:
(1) HELO_NO_DOMAIN=1.023
(2) DOS_OUTLOOK_TO_MX=2.845
(3) RCVD_IN_PBL=3.335
(4) RCVD_IN_RP_RNBL=1.31

(1) is presumably Outlook-specific; I'd let that one slide.
(2) is probably because the e-mail goes directly to our own domain.

(3)(4) OK, the user naturally comes from some grotty IP range, but
    submits on the submission port, so is authenticated.

For submission, master.cf contains:
# Django : 2012-10-11
# Submission opened on port 587
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o anvil_rate_time_unit=15s
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_etrn_restrictions=reject
  -o smtpd_proxy_filter=10.0.0.60:10026
  -o milter_macro_daemon_name=ORIGINATING


In the AMaViS config file I accordingly have the following:
# Django : 2012-10-11
# default: $inet_socket_port = 10024;
# $inet_socket_port = 10024;   # listen on this local TCP port(s)
$inet_socket_port = [10024,10026];  # listen on multiple TCP ports

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
  originating => 1,  # is true in MYNETS by default, but let's make it explicit
  os_fingerprint_method => undef,  # don't query p0f for internal clients
};

# it is up to MTA to re-route mail from authenticated roaming users or
# from internal hosts to a dedicated TCP port (such as 10026) for filtering
$interface_policy{'10026'} = 'ORIGINATING';

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => [""],
  spam_admin_maps  => [""],
  warnbadhsender   => 0,
  # forward to a smtpd service providing DKIM signing service
  # forward_method => 'smtp:[127.0.0.1]:10027',
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

Somehow I am, exceptionally and admittedly, a bit at a loss. :/
Why does this DOS_OUTLOOK_TO_MX show up, and why does SpamAssassin still
run the two PBL and RNBL checks? The AMaViS host and the SMTP host are
both in my_networks.

Any idea? I'm rather out of them myself ...



Cheers
Django
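As an added example (not from the post, and not amavisd-new or SpamAssassin code), the following Python script re-joins the mail-wrapped spam_scan entry quoted above and splits the SpamAssassin score into RCVD_IN_* hits (DNSBL lookups of the relay IP SpamAssassin treats as untrusted) and everything else; the known-key unwrap heuristic and the 5.0 threshold (SpamAssassin's default required_score, not an amavis level) are this example's assumptions.

```python
import re

# Constructed sample: the spam_scan entry exactly as the mail client wrapped
# it in the post, including the token RCVD_IN_PBL split across two lines.
SAMPLE_LOG = """\
Apr 11 17:26:45 vml000060 amavis[1337]: (1337-09) spam_scan:
score=6.614 autolearn=no
tests=[BAYES_00=-1.9,DOS_OUTLOOK_TO_MX=2.845,FSL_HELO_NON_FQDN_1=0.001,HELO_NO_DOMAIN=1.023,RCV
D_IN_PBL=3.335,RCVD_IN_RP_RNBL=1.31] recips=0,1,2,3,4,5,6
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")
TESTS = re.compile(r"tests=\[([^\]]*)\]")
# Field names amavis prints on a spam_scan line: a wrapped line starting with
# one of these was broken at a space, anything else was broken mid-token.
# (Assumption made for this example, not a guarantee amavis gives.)
KNOWN_KEYS = ("score=", "autolearn=", "tests=", "recips=")


def unwrap(log: str) -> list[str]:
    """Re-join physical lines into syslog records: a line that does not
    start with a timestamp continues the previous record."""
    records: list[str] = []
    for line in log.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        elif line.startswith(KNOWN_KEYS):
            records[-1] += " " + line
        else:
            records[-1] += line
    return records


def parse_tests(record: str) -> dict[str, float]:
    """Extract {TEST_NAME: score} from the tests=[...] field of one record."""
    m = TESTS.search(record)
    if not m:
        return {}
    return {name: float(score)
            for name, score in (t.split("=", 1) for t in m.group(1).split(",") if t)}


def breakdown(tests: dict[str, float], threshold: float = 5.0) -> dict:
    """Separate IP-reputation hits (RCVD_IN_*) from the rest and report
    whether the message would still cross the threshold without them."""
    reputation = {n: s for n, s in tests.items() if n.startswith("RCVD_IN_")}
    total = round(sum(tests.values()), 3)
    without = round(total - sum(reputation.values()), 3)
    return {"total": total, "reputation": reputation, "without_reputation": without,
            "rejected": total >= threshold, "rejected_without_reputation": without >= threshold}


if __name__ == "__main__":
    for rec in unwrap(SAMPLE_LOG):
        print(breakdown(parse_tests(rec)))
```

For the entry in the post this shows that the two DNSBL hits contribute 4.645 of the 6.614 points; without them the message would sit at 1.969, which is why the authenticated client's IP being scored at all is the thing to look at (SpamAssassin's trusted_networks / internal_networks settings decide which Received hop gets looked up).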


