Recently I’ve noticed a huge increase in spam from domains that are SPF authorized. They’re shilling everything from mesothelioma attorneys to home stairlifts.
After looking at the headers of a few messages I noticed something common to all of them that you can use to filter them out in Postfix (or any mail server, really):
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=18.104.22.168; helo=candixnigeria.caldwelleducation.com; email@example.com; firstname.lastname@example.org
See where it says “patrickgraves-first.last=mydomain.com@…”? The “first.last=mydomain.com” part was actually my email address (not on this server, in case you’re wondering why I’ve removed it). So I set up a rule in Postfix’ header-checks:
/envelope-from.*-first\.last=domain\.com@/ REJECT Permanently blocked for spamming.
Replace first\.last=domain\.com with whatever format your email address is (might just be something=domain\.com for example), restart postfix, and enjoy the NOQUEUEs.