To deal with bad guys trying to send forged mail with a From field containing @mydomain.tld, I used to have these rules in spamassassin/local.cf:
trusted_networks my.ip.add.ress
score ALL_TRUSTED -100
header FAKE_LOCAL_SENDERS From =~ /\@mydomain.tld/
score FAKE_LOCAL_SENDERS 10
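I recently moved my mail server to a new machine running CentOS 8.
Since then, legitimate emails sent from 127.0.0.1 (without SMTP authentication) get filtered.
After investigating, I found that the FAKE_LOCAL_SENDERS score still applies when the ALL_TRUSTED score does not.
Worth mentioning:
- According to the logs and headers, the detected client is indeed 127.0.0.1
- I looked through the other .cf files in /etc but found nothing relevant
- I also searched for the ALL_TRUSTED string but found no other occurrence
Looking at the documentation, I couldn't even find any information about this ALL_TRUSTED symbol name.
I found that it is only provided for trusted hosts via SMTP, in the tests performed for v3.3.x. But I couldn't find the same documentation for my SpamAssassin version (v3.4.2).
Maybe there is another way to filter a forged From that I don't know about.
If anyone knows how to achieve this, I would be grateful.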
Edit: since I have been asked, here is more detailed information.
Postfix logs:
Jul 9 14:58:46 mail postfix/pickup[21731]: 981041958: uid=0 from=<root>
Jul 9 14:58:46 mail postfix/cleanup[21766]: 981041958: message-id=<[email protected]>
Jul 9 14:58:46 mail opendkim[21646]: 981041958: DKIM-Signature field added (s=mydomain.tld, d=mydomain.tld)
Jul 9 14:58:46 mail postfix/qmgr[21732]: 981041958: from=<[email protected]>, size=313, nrcpt=1 (queue active)
Jul 9 14:58:47 mail postfix/10025/smtpd[21774]: connect from localhost[127.0.0.1]
Jul 9 14:58:47 mail postfix/10025/smtpd[21774]: 2997053: client=localhost[127.0.0.1]
Jul 9 14:58:47 mail postfix/cleanup[21766]: 2997053: message-id=<[email protected]>
Jul 9 14:58:47 mail opendkim[21646]: 2997053: DKIM-Signature field added (s=mydomain.tld, d=mydomain.tld)
Jul 9 14:58:47 mail postfix/qmgr[21732]: 2997053: from=<[email protected]>, size=1514, nrcpt=1 (queue active)
Jul 9 14:58:47 mail amavis[21734]: (21734-01) Passed SPAM {RelayedTaggedInbound,Quarantined}, [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: fr9Pzi3DYtmO, Hits: 10.9, size: 705, queued_as: 2997053, 556 ms
Jul 9 14:58:47 mail postfix/amavis/smtp[21771]: 981041958: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.86, delays=0.17/0.13/0/0.55, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2997053)
Jul 9 14:58:47 mail postfix/qmgr[21732]: 981041958: removed
Jul 9 14:58:47 mail dovecot[21781]: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'Junk'
Jul 9 14:58:47 mail postfix/pipe[21780]: 2997053: to=<[email protected]>, orig_to=<[email protected]>, relay=dovecot, delay=0.38, delays=0.21/0.01/0/0.16, dsn=2.0.0, status=sent (delivered via dovecot service)
Jul 9 14:58:47 mail postfix/qmgr[21732]: 2997053: removed
Headers of the received mail:
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: from localhost (localhost [127.0.0.1])
by mail.mydomain.tld (Postfix) with ESMTP id 2997053
for <[email protected]>; Thu, 9 Jul 2020 14:58:47 +0700 (+07)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain.tld 2997053
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.tld;
s=mydomain.tld; t=1594281527;
bh=Pb3GbVbRabH8he07wAoFCdFxIXnMcJZfD3IMOd8OwIU=;
h=Subject:Date:From:From;
b=4aenJY5Qg8lKtX7amYiCHKuile4cEaO5gRk+HzdInYH5BIl96FY+SwVwyYdCFUUSJ
MR/UsQM47wmxJSafYFF7xE1BNxXqe/DtejiQjuumvZG9OhgJRo79kPJ3Or/J7yvETs
OLq6Bk3nbj3JsK3dcUxPBcC2E6WPfyFbw+2o6zQk=
X-Virus-Scanned: amavisd-new at mydomain.tld
X-Spam-Flag: YES
X-Spam-Score: 10.9
X-Spam-Level: **********
X-Spam-Status: Yes, score=10.9 tagged_above=2 required=6.2
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FAKE_LOCAL_SENDERS=10,
MISSING_HEADERS=3, NO_RELAYS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Received: from mail.mydomain.tld ([127.0.0.1])
by localhost (mail.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id fr9Pzi3DYtmO for <[email protected]>;
Thu, 9 Jul 2020 14:58:46 +0700 (+07)
Received: by mail.mydomain.tld (Postfix, from userid 0)
id 981041958; Thu, 9 Jul 2020 14:58:46 +0700 (+07)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.mydomain.tld 981041958
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.tld;
s=mydomain.tld; t=1594281526;
bh=Pb3GbVbRabH8he07wAoFCdFxIXnMcJZfD3IMOd8OwIU=;
h=Subject:Date:From:From;
b=vnht27+6RxYrr/uoq2kJUzWPNIwzHoE6yqVWuQ4eyXGcoBqhQlb7I8fLNuW+OlT3C
P0rPqWxVGGxigDyPMH9m/t0VLoF9drO9RA3NYc2FgF6S8J4XBcA3+z3GogzAJ82vto
pFMXVGyqHlFsEPDkhuQz8V2P/AHduKzkg//L13HY=
Subject: ***Spam*** Test mail
Message-Id: <[email protected]>
Date: Thu, 9 Jul 2020 14:58:46 +0700 (+07)
From: root <[email protected]>
spamassassin/local.cf:
# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)
# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.
required_hits 5
report_safe 0
rewrite_header Subject [SPAM]
## MY CONF
use_bayes 1
bayes_path /var/spool/amavisd/.spamassassin/bayes
header __RCVD_IN_HOSTKARMA eval:check_rbl('HOSTKARMA-lastexternal','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_HOSTKARMA Sender listed in JunkEmailFilter
tflags __RCVD_IN_HOSTKARMA net
header RCVD_IN_HOSTKARMA_W eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.1')
describe RCVD_IN_HOSTKARMA_W Sender listed in HOSTKARMA-WHITE
tflags RCVD_IN_HOSTKARMA_W net nice
score RCVD_IN_HOSTKARMA_W -5
header RCVD_IN_HOSTKARMA_BL eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.2')
describe RCVD_IN_HOSTKARMA_BL Sender listed in HOSTKARMA-BLACK
tflags RCVD_IN_HOSTKARMA_BL net
score RCVD_IN_HOSTKARMA_BL 3.0
header RCVD_IN_HOSTKARMA_BR eval:check_rbl_sub('HOSTKARMA-lastexternal', '127.0.0.4')
describe RCVD_IN_HOSTKARMA_BR Sender listed in HOSTKARMA-BROWN
tflags RCVD_IN_HOSTKARMA_BR net
score RCVD_IN_HOSTKARMA_BR 1.0
header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
describe RCVD_IN_BL_SPAMCOP_NET Received via a relay in bl.spamcop.net
tflags RCVD_IN_BL_SPAMCOP_NET net
#reuse RCVD_IN_BL_SPAMCOP_NET
score RCVD_IN_HOSTKARMA_BR 3.0
## testing
score MISSING_FROM 5.0
score MISSING_DATE 5.0
score MISSING_HEADERS 3.0
score PDS_FROM_2_EMAILS 3.0
score EMPTY_MESSAGE 5.0
score FREEMAIL_DISPTO 2.0
score FREEMAIL_FORGED_REPLYTO 3.5
score DKIM_ADSP_NXDOMAIN 5.0
score FORGED_GMAIL_RCVD 2.5
# from mydomain.tld
header FAKE_LOCAL_SENDERS From =~ /\@mydomain.tld/
score FAKE_LOCAL_SENDERS 10
trusted_networks my.ip.add.ress
score ALL_TRUSTED -100
Note: I only edited the domain name and the IP address.
You may notice there is a directive:
rewrite_header Subject [SPAM]
The final Subject in the headers is prefixed with ***Spam***; this is overridden by dovecot:
$sa_spam_subject_tag = '***Spam*** ';
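Added example, not part of the original post: a short Python script that unfolds the X-Spam-Status header shown above, sums the per-rule scores, and reports whether the message crosses the required threshold only because of FAKE_LOCAL_SENDERS and whether ALL_TRUSTED or NO_RELAYS appears in the hit list. The header value is copied from the post; the function names are illustrative.

```python
import re

# X-Spam-Status value copied from the message in the post (folded lines included).
X_SPAM_STATUS = """Yes, score=10.9 tagged_above=2 required=6.2
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FAKE_LOCAL_SENDERS=10,
 MISSING_HEADERS=3, NO_RELAYS=-0.001, URIBL_BLOCKED=0.001]
 autolearn=no autolearn_force=no"""


def parse_status(value):
    """Return (reported_score, required, {rule: points}) from an X-Spam-Status value."""
    flat = " ".join(value.split())  # unfold continuation lines
    score = float(re.search(r"\bscore=(-?[\d.]+)", flat).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", flat).group(1))
    tests_m = re.search(r"tests=\[([^\]]*)\]", flat)
    tests = {}
    for item in (tests_m.group(1).split(",") if tests_m else []):
        name, _, pts = item.strip().partition("=")
        if name:
            tests[name] = float(pts)
    return score, required, tests


def diagnose(value, forgery_rule="FAKE_LOCAL_SENDERS"):
    """Summarise which rules decided the verdict for one scanned message."""
    score, required, tests = parse_status(value)
    total = round(sum(tests.values()), 3)
    without = round(total - tests.get(forgery_rule, 0.0), 3)
    return {
        "reported": score,
        "sum_of_tests": total,
        "required": required,
        "all_trusted_hit": "ALL_TRUSTED" in tests,
        "no_relays_hit": "NO_RELAYS" in tests,
        "score_without_forgery_rule": without,
        # True when the forgery rule alone pushes the message over the threshold
        "spam_only_because_of_forgery_rule": total >= required > without,
    }


if __name__ == "__main__":
    for key, val in diagnose(X_SPAM_STATUS).items():
        print(f"{key:36} {val}")
```

On the posted message this shows NO_RELAYS in the hit list and ALL_TRUSTED absent, so the -100 offset was never added and the 10-point From match alone moved the total from 0.9 to 10.9.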