Koozali.org: home of the SME Server

Block email addresses

ADG

Block email addresses
« on: June 20, 2004, 06:28:46 AM »
My server is being hit by someone who is sending emails into it to random email addresses (thousands a day); they are all coming from the same "from" address. Is there a way I can block that address and stop those emails?

Also, I can see that in the logs; is there a way of finding out an IP address for the sender? I.e., are those emails stored somewhere on the machine for me to look at?



ADG

shanen

Block email addresses
« Reply #1 on: June 20, 2004, 11:31:04 AM »
Can you explain your setup, as that will affect the solution? I.e., is mail stored on the server or do you delegate mail to an internal server?

Offline NickR

Block email addresses
« Reply #2 on: June 20, 2004, 11:38:51 PM »
You can see the sender's IP in smtpfront-qmail/current - the line just before the MAIL FROM: will report this.

To block mail from an address (or entire domain) to a user or all users, install Darrell May's contrib:

http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/Mailrules/SME5.6/dmc-mitel-mailrules-0.0.1-7.noarch.rpm

It does work fine with 6.x despite the URL mentioning 5.6.
--
Nick......

Offline percheron

Block email addresses
« Reply #3 on: June 21, 2004, 09:08:51 PM »
I have installed this contrib on SME 6.0.1: dmc-mitel-mailrules-0.0.1-7.noarch.rpm. Does anyone know how to format a rule so that all email is rejected unless the recipient is a valid user?

I know qmail does this, but ClamAV sends a message of virus-infected email to postmaster even if the user is invalid. I am getting several thousand emails a day that report infected mail sent to random (invalid) users. I am trying to stop this mail before it is processed by ClamAV.

Also, I am unable to remove a rule once I have installed it. I tried a couple of tests and, even though I click on "remove", the rules are still there. Does anyone else have this problem?

Thanks,
jim

Offline NickR

Block email addresses
« Reply #4 on: June 21, 2004, 09:16:28 PM »
Sounds like something is broken - I see neither of these behaviours on my servers.  In Configuration / Email do you have "Mail to unknown users" set to "Return to sender"?

Maybe you also need to try tickling the SME to reconfigure its email:

/sbin/e-smith/signal-event email-update

See if that helps.
--
Nick......

Anonymous

Block email addresses
« Reply #5 on: June 21, 2004, 10:40:02 PM »
Thanks for the quick reply, Nick.

Regarding the mailrules not deleting, I was able to manually edit the SME configuration file and remove the rules. It may have been my use of the following format: d*:*@*.domain.com as a "reject" rule that prevented the remove function from working properly.


I do have the servers I am dealing with set to reject email addressed to invalid users and that appears to be functioning OK - i.e. I do not get Admin notices for the invalid users. It is the ClamAV email alerts to "postmaster" that are now numbering in the thousands per day. I need a way to reject the email to invalid recipients before ClamAV processes the mail.

I thought this rpm would do that, but I do not know how to structure a reject rule that says, in effect, reject all email addressed to invalid users. Perhaps I don't understand what the rpm is doing. Maybe it is set up to reject email to invalid users automatically and I don't have to do anything but install the rpm. Do you know if that is the case?

Also, I found that the rpm does not work with the Dungog virtual domain rpm - that is, mail is rejected for the virtual domain users since they do not show up as a valid user or pseudonym when I inspected the mailrules.default file. So I went in and added some of these addresses as "accept" rules to see if that will work and am now monitoring the log to see if they are being accepted.

I also noticed that adding a rule to reject a valid user account does not work - it still allows the mail through. I wanted to use this in some cases where it was desired to disable the email for a user but the user name was still valid for mapping drives and other uses.

I'm just trying to figure out what this rpm does and how to make use of it.

Thanks again,
jim

Offline percheron

Block email addresses
« Reply #6 on: June 22, 2004, 12:27:27 AM »
Upon doing additional testing, it appears that even adding an "Accept" rule for specific email addresses still causes rejection in the case of the Dungog virtual domain email addresses.

If anyone knows a way to avoid this please let me know.

Offline NickR

Block email addresses
« Reply #7 on: June 22, 2004, 09:40:44 AM »
Quote from: "Anonymous"
It is the ClamAV email alerts to "postmaster" that are now numbering in the thousands per day. I need a way to reject the email to invalid recipients before ClamAV processes the mail.

I can't understand why smtpfront-qmail isn't rejecting invalid users (as it does on my boxes).  That's where your real problem lies.  Might be worth doing a manual telnet to the SMTP port and see what the actual conversation is when you attempt to send to an invalid user.
Quote
I thought this rpm would do that, but I do not know how to structure a reject rule that says, in effect, reject all email addressed to invalid users. Perhaps I don't understand what the rpm is doing. Maybe it is set up to reject email to invalid users automatically and I don't have to do anything but install the rpm. Do you know if that is the case?

That's what it has always done for me...
Quote
I also noticed that adding a rule to reject a valid user account does not work - it still allows the mail through. I wanted to use this in some cases where it was desired to disable the email for a user but the user name was still valid for mapping drives and other uses.

How are you entering the rule?  I use the following form:

Rule type: Reject
Mail to : user@mydomain.com
Mail from : *@*

and it works perfectly.
--
Nick......

Jon_Reynolds

Block email addresses
« Reply #8 on: June 22, 2004, 09:57:22 AM »
This brings up a question I have about the SMTP server that the SME server uses. Is this not the Bruce Guenters (sp?) mailfront smtp front-end for qmail? If it is then it has the function to deny unknown users at the smtp level.

i.e.

telnet mail.domain.com 25
Trying 192.168.1.30...
Connected to 192.168.1.30 (192.168.9.30).
Escape character is '^]'.
220 mail.domain.com mailfront ESMTP
mail from: gooduser@domain.com
250 Sender accepted.
rcpt to: unknownuser@domain.com
Sorry, that is an invalid e-mail address

So far I have failed miserably on getting this to work on my E-Smith server. It was done in 5.6 at this address to this contrib: http://no.longer.valid/mylinks/viewcat.php?cid=81

This would be the best way to stop mail to unknown users. This would not generate any bounce messages and would send, I believe, a 451 error to the client MUA notifying them that there is no user with that name at that domain. This way they would instantly see the error message in their client and be able to make sure they have spelled the name right.

Would anyone like to try and help me figure this out? I think it would be a great addition to a default SME install.

Jon

Jon_Reynolds

Block email addresses
« Reply #9 on: June 22, 2004, 11:26:40 AM »
Never mind, I got it by installing this patch: http://mirror.contribs.org/smeserver/contribs/dmay/mitel/contrib/Mailrules/SME5.6/dmc-mitel-mailrules-0.0.1-7.noarch.rpm and am seeing correct results now through a telnet session into my SMTP server. I am also seeing it work, and all I had to do was add my users with their various domain names as an 'Accept' rule.

At first I thought that I had to list all my users first as 'Accept' then add a 'Deny' from my domain as the last rule, kinda like chains. But all that was needed was to simply add my users as 'Accept' and that was it.

I would think for your anti-virus coming from one IP you could use an RBL rule to stop it at the front door.

Jon
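
The manual telnet check described in replies #7 and #8 (does the front end refuse an unknown recipient at RCPT TO, before any message body reaches the virus scanner?) can be scripted. This is an added example, not part of the thread; the stub server, its mailbox list and its 550 reply code are constructed so the script runs offline, and `probe_rcpt` is a hypothetical helper name.

```python
import smtplib, socketserver, threading

VALID = {"gooduser@domain.com"}  # constructed mailbox list for the stub only

class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for a front end that refuses unknown users at RCPT."""
    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode().strip()
            verb = line[:4].upper()
            if verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            if verb == "RCPT":
                addr = line.split(":", 1)[1].strip(" <>").lower()
                # 550 is this stub's choice; the thread's transcript shows no code
                reply = ("250 Recipient accepted." if addr in VALID
                         else "550 Sorry, that is an invalid e-mail address")
            else:
                reply = "250 ok"
            self.wfile.write(reply.encode() + b"\r\n")

def probe_rcpt(host, port, sender, recipients, timeout=5):
    """MAIL FROM, then RCPT TO per address; DATA is never sent, so nothing is delivered."""
    kinds = {2: "accepted", 4: "deferred", 5: "rejected"}  # 4xx = retry later, 5xx = permanent
    verdicts = {}
    with smtplib.SMTP(host, port, local_hostname="probe.invalid", timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        s.mail(sender)
        for rcpt in recipients:
            code, _text = s.rcpt(rcpt)
            verdicts[rcpt] = (code, kinds.get(code // 100, "unknown"))
        s.rset()  # abandon the transaction cleanly
    return verdicts

def demo():
    """Run the probe against the stub on an ephemeral localhost port."""
    with socketserver.TCPServer(("127.0.0.1", 0), StubSMTP) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_rcpt("127.0.0.1", srv.server_address[1], "gooduser@domain.com",
                              ["gooduser@domain.com", "unknownuser@domain.com"])
        finally:
            srv.shutdown()

if __name__ == "__main__":
    for rcpt, (code, kind) in demo().items():
        print(f"{rcpt}: {code} {kind}")
```

Against your own server, call `probe_rcpt` with one known-good and one known-bad address: an "accepted" verdict for the bad address means the message is taken in and only bounced or scanned afterwards, which is the situation that produces the postmaster alerts discussed above.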