Blocking Emails from Amazonses service in Postfix

[Multisites]

Hello,

I have an uncomfortable problem that I need to be solved as soon as possible. I have this:

CENTOS Linux Server
Apache
Postfix
Postgrey
Amavisd
Spamassassin
Fail2ban

On this Server I have several mailboxes of my customers. It is POP and SMTP Server for all those mailboxes.

Many of my customers receive emails sent by enterprises and companies which use the Amazon Simple Email Service (

http://www.amazonses.com),

a very known email-marketing service from AMAZON corporation. That's OK, no problem with that.

But there are at least two or three specific senders, who use this service (it looks they are Spammers), whose emails I want and need to reject / discard. I am trying to do this through my /etc/postfix/access file. The problem is:

1) If I try to reject / discard them by their From email address or domain name, their emails are not blocked, they enter normally to our mailboxes:

spammerdomain.com.br REJECT (the domain name is masked)
spammerdomain.com.br DISCARD
badaddress@spammerdomain.com.br REJECT (the email address is masked)
badaddress@spammerdomain.com.br DISCARD

2) If I try to reject / discard them by the Amazonses Domain, so, they are really blocked:

amazonses.com REJECT
amazonses.com DISCARD

But, I don't want to block all Amazonses users, it is a serious service. I want to reject / discard just these two or three Spammers.

Questions:

Why this happens?
How can I accomplish it?

See below the Header records of one of these Spammers emails.

Thanks a lot in advance for any help.

Mario Lima./
_________________________________________________________


HEADERS RECORDS:

Return-Path: <0103545670712110-10f5g1b2-6a2c-4b73-9a44-14436946a66d-000000@us-west-2.amazonses.com>
X-Original-To: multisites@srv8.multisitesdominios.com.br
Delivered-To: multisites@srv8.multisitesdominios.com.br
Received: from localhost (localhost [127.0.0.1])
by srv8.multisitesdominios.com.br (Postfix) with ESMTP id E02AC2240989
for <multisites@srv8.multisitesdominios.com.br>; Thu, 6 Sep 2018 16:52:16 -0300 (-03)
X-Virus-Scanned: amavisd-new at multisitesdominios.com.br
Authentication-Results: srv8.multisitesdominios.com.br (amavisd-new);
dkim=fail (1024-bit key) reason="fail (message has been altered)"
header.d=spammerdomain.com.br header.b=KvN6YosZ;
dkim=fail (1024-bit key) reason="fail (message has been altered)"
header.d=amazonses.com header.b=hhjTuzKR
Received: from srv8.multisitesdominios.com.br ([127.0.0.1])
by localhost (srv8.multisitesdominios.com.br [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id ja0LXtz_VOn3
for <multisites@srv8.multisitesdominios.com.br>;
Thu, 6 Sep 2018 16:52:16 -0300 (-03)
Received: from srv4.multisitesdominios.com.br (srv4.multisitesdominios.com.br [66.226.76.119])
by srv8.multisitesdominios.com.br (Postfix) with ESMTP id 3476C2240982
for <info@multisites.com.br>; Thu, 6 Sep 2018 16:52:16 -0300 (-03)
Received: from localhost (66-226-76-119.phx.dedicated.codero.com [127.0.0.1])
by srv4.multisitesdominios.com.br (Postfix) with ESMTP id 2FD9F1E110E
for <info@multisites.com.br>; Thu, 6 Sep 2018 16:46:24 -0300 (BRT)
Received: from srv4.multisitesdominios.com.br ([127.0.0.1])
by localhost (srv4.multisitesdominios.com.br [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id VV3rcOrCRW0P for <info@multisites.com.br>;
Thu, 6 Sep 2018 16:46:23 -0300 (BRT)
Received: from a27-23.smtp-out.us-west-2.amazonses.com (a27-23.smtp-out.us-west-2.amazonses.com [54.240.27.23])
by srv4.multisitesdominios.com.br (Postfix) with ESMTP id B298E1E1133
for <info@multisites.com.br>; Thu, 6 Sep 2018 16:46:23 -0300 (BRT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=4ko4gdukdjrhwywj6hffktrinsdiwfzzo; d=spammerdomain.com.br;
t=1536263534;
h=Message-IDate:Subject:From:To:MIME-Version:Content-Type:List-Unsubscribe;
bh=YTyx7DGxlvMexh13PSD8UcbvIb16plbXPZTTeZ6974Y=;
b=KvN6YosZ9bfjcmfrjeruJDyiHSTGrfyZ6c2kedkmgfikrtiudfjeHETI8/PfOr1AQkubD/bF
nzNSNU8q5JaIWarO8SJFHFGBRQzAnqcGpBSXingwrlhITRQBSh2NJ5Mhz5qelTC7rK0
feuBJi1NGoUbhsqBQ6fc+N6iKXZ0O8GZMy45l3tw=
Message-ID: <0101016zxc345510-09e5e1a2-6a2c-4b73-9a44-14423456a66d-111111@us-west-2.amazonses.com>
Date: Thu, 6 Sep 2018 19:52:08 +0000
Subject: ABRACADABRAPEDECABRA
From: Domain to be Blocked <badaddress@spammerdomain.com.br>
Reply-To: badaddress@spammerdomain.com.br
To: Multisites Servicos Ltda <info@multisites.com.br>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="_=_swift_v4_1536228239_9f03b8f739eae9baa81fae3377f6fe3d_=_"
List-Unsubscribe: <mailto:news+unsubscribe_5b234b90e3ddbg03468216@spammerdomain.com.br>,
<mailto:news+unsubscribe_5b90fb90e3dbb603334216@spammerdomain.com.br>,
X-SES-Outgoing: 2018.09.06-54.240.27.23
Feedback-ID: 1.us-west-2.isA0hk5qbAxETBLEMujslLN7TOYVRW5EtpUo56LcIds=:AmazonSES

 

[bluegroper]

I've solved similar problem using header_checks

1. Edit your /etc/postfix/main.cf
Include something like
header_checks = pcre:/etc/postfix/header_checks.pcre

NB. Must reload postfix after editing /etc/postfix/main.cf

2. Edit your /etc/postfix/header_checks.pcre
The format can be as simple as :
<REGEX> <ACTION>

Include something like
/^From:.*badaddress@spammerdomain\.com\.br/ REJECT

3. Postfix usually comes with a header_checks file with lots of good instructions
Mine has been renamed /etc/postfix/header_checks.readme
See also man header_checks

4. You can keep the regexes simple, or make them more sophisticated, eg
/i ignore case
/s ignore case and line breaks
/.*@spammerdomain\.com\.br/s REJECT Domain has been blacklisted

5. You can change and edit your /etc/postfix/header_checks.pcre without any reloading of postfix.
With careful editing of regexes, you can reject/discard emails from individual senders, or entire domains, even Linkedin and Mailchimp. ;-)

HTH