Posted: Thu Jul 16, 2015 6:29 pm Post subject: Postfix help with email abused with forum bot
I'm running a server using postfix/amavis/policyd/spamassassin. I have a user whose email was harvested and is being used by a forum spam bot. This spam bot is registering bogus forum accounts... thousands, and the confirmation/activation emails are returning to this user... and flooding the server with SMTP requests. The rate is pretty insane. I would also like to mention that the account is not compromised, etc. It's just that the spam bot is submitting his email during user registration. To be safe we did update passwords, etc.
Here is where the spam bot is 'sourced' from and as you can see, has been busy starting yesterday submitting user signups across many, many forums:
To combat this on my end, I was able to come up with the following header_checks in postfix:
/^Subject:.*Account details for.*/ DISCARD
/^Subject:.*Account Activation.*/ DISCARD
/^Subject:.*Welcome to.*/ DISCARD
This is discarding the bulk of the requests, but a few are still slipping by, which is fine. BUT, this is a global rule and is impacting other 'valid' emails from other users. I've been searching for how to manage header checking on a per user/email basis, and I'm running into all sorts of issues. It doesn't appear that header_checks in postfix can 'combine' conditions. I'm not seeing anything specific enough in Amavis and Policy to manage this either. I also started exploring postfwd, but I don't see that it can do subject/content checks, just low level header handling.
Server Admin Blog - Uno-Code.com | Gentoo Hosting at Rackspace!
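The combined condition the post asks for (this one recipient AND one of the three Subject patterns), written as the decision logic a per-recipient content filter or milter would apply. This is an added example, not the poster's configuration or part of Postfix; `victim@example.com`, the function names and the sample messages are assumptions constructed for illustration, and wiring the function into the mail flow is outside the example.

```python
import re
from email import message_from_string, policy

# Subject patterns taken from the post's header_checks. Postfix regexp/pcre
# tables match case-insensitively by default, so the same flag is used here.
SUBJECT_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"Account details for", r"Account Activation", r"Welcome to")]

# Assumption: placeholder for the one harvested address; not from the post.
PROTECTED = {"victim@example.com"}

def subject_of(raw_message):
    """Return the Subject unfolded and with RFC 2047 encoded words decoded."""
    msg = message_from_string(raw_message, policy=policy.default)
    return str(msg.get("Subject", ""))

def is_signup_mail(raw_message):
    """True when the decoded Subject matches one of the signup patterns."""
    subject = subject_of(raw_message)
    return any(p.search(subject) for p in SUBJECT_PATTERNS)

def recipients_to_keep(envelope_rcpts, raw_message):
    """Drop the message only for protected recipients, and only on a subject hit.

    Other recipients of the same message keep their copy, which a global
    header_checks DISCARD cannot do.
    """
    if not is_signup_mail(raw_message):
        return list(envelope_rcpts)
    return [r for r in envelope_rcpts if r.lower() not in PROTECTED]

# Constructed sample messages (not real traffic).
PLAIN = "From: forum@example.net\nSubject: Welcome to Example Forum\n\nhi\n"
FOLDED = "From: forum@example.net\nSubject: Your Account\n Activation link\n\nhi\n"
ENCODED = ("From: forum@example.net\n"
           "Subject: =?UTF-8?B?QWNjb3VudCBBY3RpdmF0aW9u?=\n\nhi\n")
NORMAL = "From: boss@example.org\nSubject: Quarterly report\n\nhi\n"

if __name__ == "__main__":
    rcpts = ["victim@example.com", "other@example.com"]
    for name, raw in [("plain", PLAIN), ("folded", FOLDED),
                      ("encoded", ENCODED), ("normal", NORMAL)]:
        print(name, repr(subject_of(raw)), "->", recipients_to_keep(rcpts, raw))
```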