Recent increase in spam from SPF authorized domains

Recently I’ve noticed a huge increase in spam from domains that are SPF authorized. They’re shilling everything from mesothelioma attorneys to home stairlifts. An SPF “Pass” only means the connecting IP is one the envelope-sender domain’s SPF record authorizes; when the spammer owns (or rents) that domain, a pass says nothing about whether the mail is wanted.

After looking at the headers of a few messages I noticed a pattern common to all of them, which you can use to filter them out with Postfix header_checks (or the equivalent on any other mail server):

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=138.99.217.231; helo=candixnigeria.caldwelleducation.com; envelope-from=patrickgraves-first.last=mydomain.com@candixnigeria.caldwelleducation.com; receiver=first.last@domain.com

See the envelope-from value, “patrickgraves-first.last=mydomain.com@…”? The “first.last=mydomain.com” part is my own email address, encoded into the sender’s local part the way VERP bounce addresses encode a recipient (local=domain). It is not an address on this server, in case you’re wondering why I’ve removed it. Because the recipient’s own address is baked into the envelope sender of every one of these messages, it makes a reliable match. So I set up a rule in Postfix header_checks:

/envelope-from.*-first\.last=domain\.com@/ REJECT Permanently blocked for spamming.

Replace first\.last=domain\.com with your own address in whatever form it appears after the “-” in the envelope-from (it might be just something=domain\.com, for example), escaping the dots as shown; Postfix regexp tables are case-insensitive by default, so capitalization does not matter. Then run postfix reload (a full restart is not needed) and watch the rejects show up in the mail log. One caveat before going live: legitimate mailing lists use the same -local=domain@ VERP encoding in their bounce addresses, so a list you subscribe to with that address will match too. Start with WARN instead of REJECT, check the log for a few days, and switch to REJECT once you are happy with what it catches.
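The same check in Python, as an added example that is not part of the original post: it parses a Received-SPF header, reproduces the header_checks pattern above for any given address, and generalises it by recovering whatever address is VERP-encoded in the sender, so one rule covers every mailbox on the server instead of one hard-coded address. It also shows the false-positive case the bare pattern cannot avoid and handles it with an allowlist of known mailing-list hosts. The sample headers are constructed to mirror the shape of the header shown above; the IPs, hostnames, the allowlist idea and the “last - before =” separator assumption are mine, not the post’s.

```python
"""Match and generalise the Received-SPF envelope-from rule from the post.

Added example, not from the original post. Sample headers are constructed
(RFC 5737 addresses, .example hostnames) to mirror the shape of the spam
header shown in the post.
"""
import re

SAMPLE_HEADERS = [
    # Shape of the spam from the post: the recipient's own address is embedded
    # VERP-style (local=domain) in the envelope sender's local part.
    "Received-SPF: Pass (sender SPF authorized) identity=mailfrom; "
    "client-ip=192.0.2.10; helo=mx.spammer.example; "
    "envelope-from=patrickgraves-first.last=mydomain.com@mx.spammer.example; "
    "receiver=first.last@domain.com",
    # A legitimate mailing list using the same VERP encoding (constructed):
    # the post's header_checks pattern would reject this one as well.
    "Received-SPF: Pass (sender SPF authorized) identity=mailfrom; "
    "client-ip=192.0.2.20; helo=lists.example.org; "
    "envelope-from=discuss-bounces-first.last=mydomain.com@lists.example.org; "
    "receiver=first.last@domain.com",
    # Ordinary mail with a plain envelope sender.
    "Received-SPF: Pass (sender SPF authorized) identity=mailfrom; "
    "client-ip=192.0.2.30; helo=mail.partner.example; "
    "envelope-from=alice@partner.example; receiver=first.last@domain.com",
]


def parse_received_spf(header):
    """Split a Received-SPF header into its key=value fields.

    Values may themselves contain '=' (the envelope-from does), so each value
    runs up to the next ';' or the end of the header. The SPF result word
    ('Pass', 'Fail', ...) is stored under 'result'.
    """
    body = header.split(":", 1)[1].strip()
    fields = dict(re.findall(r"(\S+?)=(\S+?)(?:;|$)", body))
    fields["result"] = body.split()[0]
    return fields


def verp_embedded_address(envelope_from):
    """Return the address VERP-encoded in the sender's local part, or None.

    Assumes the encoding seen in the post: '<tag>-<local>=<domain>@<host>'.
    The last '-' before '=' is taken as the separator, so a recipient whose
    own local part contains '-' is not recovered (limitation of this example).
    """
    local_part = envelope_from.rsplit("@", 1)[0]
    m = re.search(r"-([^-=@]+)=([^=@]+)$", local_part)
    if not m:
        return None
    return f"{m.group(1)}@{m.group(2)}".lower()


def header_check_regex(address):
    """Compile the post's header_checks rule for one address.

    Postfix regexp tables are case-insensitive by default, hence IGNORECASE.
    """
    local, domain = address.rsplit("@", 1)
    pattern = r"envelope-from.*-" + re.escape(local) + "=" + re.escape(domain) + "@"
    return re.compile(pattern, re.IGNORECASE)


def classify(header, protected_addresses, verp_allowlist=()):
    """Return 'REJECT' or 'OK' for a message given its Received-SPF header.

    Rejects when the envelope sender embeds one of our own addresses, unless
    the sending domain is an allowlisted mailing-list host that legitimately
    uses VERP. Works for any number of protected addresses, unlike a
    header_checks line, which must name each one.
    """
    fields = parse_received_spf(header)
    envelope_from = fields.get("envelope-from", "")
    embedded = verp_embedded_address(envelope_from)
    if embedded is None or embedded not in {a.lower() for a in protected_addresses}:
        return "OK"
    sender_domain = envelope_from.rsplit("@", 1)[-1].lower()
    if sender_domain in {d.lower() for d in verp_allowlist}:
        return "OK"
    return "REJECT"


if __name__ == "__main__":
    mine = ["first.last@mydomain.com"]
    for h in SAMPLE_HEADERS:
        env_from = parse_received_spf(h)["envelope-from"]
        print(classify(h, mine, verp_allowlist=["lists.example.org"]), "<-", env_from)
```

Before touching the live header_checks file, the Postfix equivalent of running this script is postmap -q with the full header line as the query string against regexp:/etc/postfix/header_checks, which prints the action the table would return; running it on a saved header from a mailing list you subscribe to is the quickest way to see the false positive above.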