Sunday, January 16, 2022
A most persistent spam, part VI
It seems that “Aleksandr” may have changed his name to “Mayboroda,” but it looks like it's the same type of weird spam I've since blocked successfully. Only here, reader Roberto found a way to block the spam for users of Postfix (and I did get Roberto's permission to post this email):
- From: Robysampler <XXXXXXXXXXXXXXXXXXXXX>
- To: sean@conman.org
- Subject: About "Mayboroda_aleks" on your personal blog
- Date: Sun, 16 Jan 2022 23:04:07 +0100
Dear Mr. Sean
My name is Roberto from Italy.
I've read your personal blog about the mayboroda aleks spammer, who's been bothering me, filling my own company email for one and a half years, at least.
As you figured out, "Mayboroda" keeps changing IPs and domains/subdomains to evade every try to block him.
Luckily, my company mail is served by a Linux machine I own, so I have direct access to it, and as a final solution I've chosen to do some fine tuning in the Postfix config.
I've added inside the Postfix "main.cf" file:
smtpd_recipient_restrictions = check_sender_access regexp:/etc/postfix/rejected.senders
then I've added in "rejected.senders":
/s[0-9]{1,2}.[a-z]*.ru/ REJECT
/info@.[a-z]*.ru/ REJECT
In this case you'll provide your Postfix daemon with some rejecting rules based on regular expressions.
Based on hundreds of mails "Mayboroda" has sent me, I figured out the main patterns for his emails usually are
info@randomdomain.ru
or
something@s(1 or 2 numbers).randomdomain.ru
After setting up your Postfix you can check the result using the command
postmap -q "your test email here" regexp:/etc/postfix/rejected.senders
for example
postmap -q "info@s4.mayboroda.ru" regexp:/etc/postfix/rejected.senders
the shell returns
REJECT
This will work as long as "Mayboroda" continues to use the same pattern in the mail sender.
I hope you'll appreciate my advice.
Have a nice day and happy new year
Roberto
Best Regards
I do appreciate your advice, Roberto. Thank you. I'm sure other people will find this useful as well.
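For anyone adapting these rules, here is an added example (not from Roberto's email or from this blog) that runs the two patterns over constructed sender addresses and shows that the unescaped, unanchored dots also reject unrelated senders. The `TIGHTENED` rules and the sample addresses are assumptions made for illustration, and Python's `re` stands in for Postfix's matcher, so confirm any real table with `postmap -q` as described above.

```python
import re

# Roberto's two rules, exactly as given in the email.
ORIGINAL = r"""
/s[0-9]{1,2}.[a-z]*.ru/ REJECT
/info@.[a-z]*.ru/ REJECT
"""

# Assumed tightening (not from the email): literal dots, anchors, and a
# non-empty domain label that may also hold digits and hyphens.
TIGHTENED = r"""
/@s[0-9]{1,2}\.[a-z0-9-]+\.ru$/ REJECT
/^info@[a-z0-9-]+\.ru$/ REJECT
"""

RULE = re.compile(r"^/(.*)/\s+(\S.*)$")

def load_table(text):
    """Parse '/pattern/ ACTION' lines into (compiled regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparseable rule: {line!r}")
        # Postfix regexp tables match case-insensitively by default.
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def lookup(rules, sender):
    """First matching rule wins; None means no match (postmap -q prints nothing)."""
    for pattern, action in rules:
        if pattern.search(sender):
            return action
    return None

# Constructed senders: the first is the test address from the email, the next
# two follow the patterns it describes, the last two are unrelated lookalikes.
SAMPLES = ["info@s4.mayboroda.ru", "info@randomdomain.ru", "news@s12.example.ru",
           "info@abrupt.example", "admin@ns1.drupal.example"]

def compare(samples=SAMPLES):
    """Map each sender to (action under ORIGINAL, action under TIGHTENED)."""
    old, new = load_table(ORIGINAL), load_table(TIGHTENED)
    return {s: (lookup(old, s), lookup(new, s)) for s in samples}

if __name__ == "__main__":
    for sender, (old, new) in compare().items():
        print(f"{sender:28} original={old} tightened={new}")
```

The last two addresses are rejected by the original rules only because `.` matches any character and the match can start anywhere in the address: `ns1.dru` satisfies the first rule and `info@abru` the second.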