我应该禁止电子邮件标头中的哪个 IP 地址来阻止来自此来源的垃圾邮件?

tag-icon tag-icon email email-server
我应该禁止电子邮件标头中的哪个 IP 地址来阻止来自此来源的垃圾邮件?

我收到了来自 的诈骗邮件zcsend.net。这次发件人地址是伪造的。我需要使用 Fail2Ban 来禁止来自同一来源的邮件。但是,邮件头中有很多地址。我应该禁止哪一个?

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.elcolie.com
    by mail.elcolie.com with LMTP
    id CQu1FWy08mQ8UwEA83h3bQ
    (envelope-from <[email protected]>)
    for <[email protected]>; Sat, 02 Sep 2023 04:05:00 +0000
Received: from localhost (localhost [127.0.0.1])
    by mail.elcolie.com (Postfix) with ESMTP id 4F41E835F9
    for <[email protected]>; Sat,  2 Sep 2023 04:05:00 +0000 (UTC)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=135.84.81.239; helo=sender-239.fsu3.zcsend.net; envelope-from=bounce_826278108+a.1ffd60557f594e44_gm1@mail18.psnd.zcsend.net; receiver=<UNKNOWN> 
Authentication-Results: mail.elcolie.com; dmarc=none (p=none dis=none) header.from=ahrdigital.com.br
Authentication-Results: mail.elcolie.com;
    dkim=pass (1024-bit key; unprotected) header.d=mail18.psnd.zcsend.net [email protected] header.a=rsa-sha256 header.s=k1 header.b=mfuyyvvw;
    dkim-atps=neutral
Received: from sender-239.fsu3.zcsend.net (sender-239.fsu3.zcsend.net [135.84.81.239])
    by mail.elcolie.com (Postfix) with ESMTPS id 4A931833FE
    for <[email protected]>; Sat,  2 Sep 2023 04:04:59 +0000 (UTC)
Received: from 172.30.236.109 by sender-239.fsu3.zcsend.net
    with SMTP id 169362748867145850; Fri, 01 Sep 2023 21:04:48 -0700
DKIM-Signature: a=rsa-sha256; b=mfuyyvvwcocf77Gr4eWhg010x1Vak0knteAbKgX+PiHKD2TdnhfbGOZHCItAcuEJSjZN2UGRM/dQMzI9WfytdauyhtACpvDVf+uIn6qRmlNkOn140NbFVuYPDUABu1IBCr6wEwXR2pLevy7Zz1vFWUEuRck+70wzVwMjrj7+yvE=; c=simple/simple; s=k1; d=mail18.psnd.zcsend.net; v=1; bh=LMN9EQQS8smfom6q8kw8Y3zjTellj/Oo1rnIjeRT56c=; h=date:from:to:message-id:subject:mime-version:content-type:list-unsubscribe:list-unsubscribe-post:x-csa-complaints;
Date: Fri, 1 Sep 2023 21:04:48 -0700 (PDT)
From: "Parcel Team" <[email protected]>
To: [email protected]
Message-ID: <zcb.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.1ffd60557f594e44.1693627488661@mail18.psnd.zcsend.net>
Subject: =?UTF-8?B?Tm90aWZpY2F0aW9uOsKgIENhc2UgTnVtYmVyICMzMzYxNzI=?=
MIME-Version: 1.0
Content-Type: multipart/alternative; 
    boundary="----=_Part_8830362_773276248.1693627488657"
List-Unsubscribe: <https://vldxa-cmpzourl.maillist-manage.com/ua/optout?od=3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d&rd=1ffd60557f594e44&sd=1ffd60557f57b0ef&n=11699e4c32dbb4c>,<mailto:[email protected]>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
X-CSA-Complaints: [email protected]
Reply-To: [email protected]
X-JID: 3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.1ffd60557f3f24e4
X-campaignid: zohocampaigns.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.zcb.1ffd60557f594e44.11699e4c32dbb4c
X-Zoho-RID: zohocampaigns.3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d.zcb.1ffd60557f594e44.11699e4c32dbb4c
X-Report-Abuse: <Please send a copy of this message along with header to abuse+3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d_zcb_1ffd60557f594e44@zohocampaigns.com>, <https://vldxa-cmpzourl.maillist-manage.com/campaigns/ReportAbuse.zc?od=3za2ac949e760ea75599504c608f73642fe6611a47f75af214445fe34174e0169d&rd=1ffd60557f594e44&sd=1ffd60557f57b0ef&n=11699e4c32dbb4c>

------=_Part_8830362_773276248.1693627488657
Content-Type: text/plain;charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

我已经用以下地址替换了我的真实电子邮件地址[email protected]

由于我的电子邮件服务器正在使用https://github.com/docker-mailserver/docker-mailserver 我只是跑 docker exec 2834fea5aa2e setup fail2ban ban 135.84.81.239

问题:

  1. 我找到了正确的 IP 地址吗?
  2. 我阻止的正确吗?
  3. 我是否遗漏了什么?

答案1

查找正确的 IP 地址

每一个消息传输代理(MTA) 处理电子邮件时会在邮件顶部添加标题,因此标题是按降序排列的;最上面的是最新的。要查找 IP 地址,您应该查找Received服务器首次接受电子邮件的标题。

Received: from sender-239.fsu3.zcsend.net (sender-239.fsu3.zcsend.net [135.84.81.239])
    by mail.elcolie.com (Postfix) with ESMTPS id 4A931833FE
    for <[email protected]>; Sat,  2 Sep 2023 04:04:59 +0000 (UTC)

这里,后面的第一个地址fromHELO不可信任的服务器的主机名。IP 地址和PTR与其关联的主机名 ( ) 位于括号中。

因此,135.84.81.239这就是您要查找的 IP 地址。然而,这还不够……

Fail2Ban 不是为此设计的

为什么你会需要使用Fail2Ban?失败禁止(1)不是为了阻止垃圾邮件,但是......

一组用于限制暴力身份验证尝试的服务器和客户端程序。

DNS实时黑洞名单(红线)

示例中的 IP 地址135.84.81.239目前已列入实时黑洞名单(红线):

每次垃圾邮件通过时,您无需封锁单个 IP 地址,而是可以利用一些已经大规模实施此类服务的外部服务。此外,大多数服务在问题解决后都会删除列表。

许多 RBL 提供商都有不同类型的列表。您应该分析哪些列表适合您的需求。例如,

在 Postfix 中配置 RBL

您的邮件头显示您正在使用 Postfix。您可以main.cf通过添加reject_rbl_clientsmtpd_recipient_restrictionsHELO在 full , MAIL FROM&之后将对其进行评估RCPT TO

smtpd_recipient_restrictions =
    . . .
    reject_rbl_client bl.spamcop.net,
    . . .
    permit

答案2

将单个 Zoho 服务器列入黑名单其实没什么用。他们还有更多服务器。

如果你想彻底禁止他们的服务器,可以通过主机域名zcsend.net信封@(.*).psnd.zcsend.net>

如果您不想完全禁止他们,那么您唯一能做的就是投诉。

当然,你也可以尝试通过以下方式进行筛选标题FROM,但是这太容易被欺骗了。

相关内容