MY TURN WITH ALEKSANDER

In 2021 Sean Connor posted about getting pestered with repeated spam messages from various email addresses, always with the same subject, name, and text in Russian:

gopher://gopher.conman.org/0Phlog:2021/07/20.2

He ended up simply deleting the email accounts that were receiving the messages, but later also posted a less drastic solution suggested by someone else: filtering them out with Postfix based on the general form of the constantly changing email addresses that Aleksandr (or Mayboroda) uses:

gopher://gopher.conman.org/0Phlog:2021/08/28.1
gopher://gopher.conman.org/0Phlog:2022/01/16.1
gopher://gopher.conman.org/0Phlog:2022/01/17.1

So starting sometime before early February (when I last purged my backup store of emails), I've been getting my own dose of Aleksandr. It seems quite pointless to me, as it did for Connor, because I don't read Russian. But except for a ten-day break in February I've been getting a few every day, from ever-changing email accounts. Odds are that they got the email address from scraping my website, as it's the main address for my online store. I don't get that much other spam, so I don't bother with automatic spam filtering, but waiting for all these useless identical emails to download on the days when my internet connection is scratchy, just to bulk-select and delete them, eventually tipped me over the line into doing something.

The solution that one of Connor's readers supplied was to configure Postfix to block all emails where part of the sender's address matches the regular expression "s[0-9]{1,2}.[a-z]*.ru" or "info@.[a-z]*.ru". (Note that the dots in those expressions are unescaped, so in a regular expression each of them matches any single character rather than a literal dot, which makes the patterns broader than they look.) I'm also using Postfix, and running grep through almost a decade of emails in my archive (not including deleted emails such as spam) showed that I hadn't previously received any legitimate email from addresses matching those expressions.
Still, they do seem like really broad filters, almost as if I might be doing what the spammer wants if this is some politically-motivated attack to ruin the reputation of all Russian email addresses.

Looking closer at the emails I noticed a couple of unusual headers:

    X-Vjhy-Campaign-Uid: [random-looking alphanumeric string]
    X-Vjhy-Subscriber-Uid: [random-looking alphanumeric string]

The string after "X-Vjhy-Campaign-Uid" keeps changing, but the "X-Vjhy-Subscriber-Uid" value is always the same (in over 100 "Aleksandr" emails from lots of different addresses). At a guess I'd say that this is probably something inserted by a bulk email service or software that the spammer is using. I'm guessing that "Vjhy" is something random that they typed in to fill in a configuration field. Searching through my email history again, nothing there had one of these headers or even anything like them, so this seemed like a narrower way to block the spam.

My, possibly lazy, solution to this in the Postfix configuration was to create a "/etc/postfix/header_checks" file containing:

    # Block "Aleksandr" spam which comes from various domains and IPs
    # but always has this header which no other email seems to use:
    /^X-Vjhy-Subscriber-Uid: .*/ DISCARD Aleksandr spam

EDIT: "Aleksandr" eventually changed the "Vjhy" bit of the headers to something else, so, at slightly more risk of false positives, I'm now using:

    /^X-.*-Subscriber-Uid: .*/ DISCARD Aleksandr spam

This probably blocks everything from the bulk mail platform that they're using, though. (DISCARD tells Postfix to accept the message and then silently drop it, logging the optional text after the action; REJECT would instead refuse the message outright. Note also that header_checks runs on every message passing through the cleanup daemon, including mail submitted by local users, not just inbound mail.)

Then add this line in /etc/postfix/main.cf:

    header_checks = regexp:/etc/postfix/header_checks

Now the Postfix documentation makes the point that this is the wrong way to filter spam, because new mail processing is delayed while it checks all the header lines from each email against the regular expression(s) in "/etc/postfix/header_checks". Setting up proper filters allows checking to be done further down the line in a non-blocking way.
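Before reloading Postfix it is worth running the rules over saved mail to see what they would catch. The following is an added example, not code from this post or from Postfix: it re-implements the first-match lookup that Postfix performs for regexp: tables, so both the sender-address patterns from Connor's reader and the header_checks rules above can be evaluated offline against sample messages (or a whole archive, to count false positives). The table contents and the three messages are constructed for the example; the sender patterns are matched against a bare address, as a check_sender_access regexp table would, and the "escaped" table is my assumption about what the first sender pattern was meant to match.

```python
"""Offline evaluator for Postfix regexp(5) table rules (added example)."""
import email
import re

# Constructed table contents (assumptions, not the post's files verbatim).
NARROW_HEADER_CHECKS = r"""
# Block "Aleksandr" spam by the bulk-mailer tracking header it always carries.
/^X-Vjhy-Subscriber-Uid: .*/   DISCARD Aleksandr spam
"""
BROAD_HEADER_CHECKS = r"""
# After the spammer renamed the header: any X-*-Subscriber-Uid header at all.
/^X-.*-Subscriber-Uid: .*/     DISCARD Aleksandr spam
"""
SENDER_ACCESS = r"""
# The reader-supplied sender patterns as quoted in the post; the dots are
# unescaped, so each one matches any single character.
/s[0-9]{1,2}.[a-z]*.ru/        REJECT
/info@.[a-z]*.ru/              REJECT
"""
SENDER_ACCESS_ESCAPED = r"""
# Assumed intent of the first pattern: a literal s<digits>.<word>.ru domain.
/s[0-9]{1,2}\.[a-z]*\.ru/      REJECT
"""

# One regexp(5) rule: optional '!' negation, /pattern/flags, action, free text.
RULE_RE = re.compile(r"^(!?)/(.*)/([imx]*)\s+(\S+)(?:\s+(.*))?$")


def parse_table(text):
    """Parse regexp(5) lines into (negated, compiled pattern, action, text)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line!r}")
        negated, pattern, flags, action, text = m.groups()
        # regexp(5): matching is case-insensitive unless the 'i' flag toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        if "m" in flags:
            re_flags |= re.MULTILINE
        if "x" in flags:
            re_flags |= re.VERBOSE
        rules.append((negated == "!", re.compile(pattern, re_flags), action, text or ""))
    return rules


def lookup(rules, key):
    """First matching rule wins, as in Postfix; returns (action, text) or None."""
    for negated, pattern, action, text in rules:
        if bool(pattern.search(key)) != negated:
            return action, text
    return None


def check_headers(rules, raw_message):
    """Run header_checks-style rules over each primary header of a message.

    Simplification: folded headers are joined onto one line and only the
    primary headers are inspected (Postfix also applies header_checks to MIME
    and attached-message headers unless mime_/nested_header_checks are set).
    """
    msg = email.message_from_string(raw_message)
    for name, value in msg.items():
        hit = lookup(rules, f"{name}: {' '.join(value.split())}")
        if hit is not None:
            return hit
    return None


# Constructed sample messages; header values are placeholders, not real mail.
ALEKSANDR = """From: Aleksandr <user@s12.example.ru>
Subject: (unchanging subject in Russian)
X-Vjhy-Campaign-Uid: c0ffee1234
X-Vjhy-Subscriber-Uid: deadbeef5678

(body)
"""
ALEKSANDR_RENAMED = ALEKSANDR.replace("X-Vjhy-", "X-Qwer-")
WANTED_NEWSLETTER = """From: Newsletter <news@example.org>
Subject: Monthly update
List-Unsubscribe: <mailto:unsub@example.org>
X-Acme-Subscriber-Uid: 0123456789

(body)
"""

NARROW = parse_table(NARROW_HEADER_CHECKS)
BROAD = parse_table(BROAD_HEADER_CHECKS)
SENDERS = parse_table(SENDER_ACCESS)
SENDERS_ESCAPED = parse_table(SENDER_ACCESS_ESCAPED)

if __name__ == "__main__":
    for label, rules in (("narrow", NARROW), ("broad", BROAD)):
        for name, raw in (("Aleksandr", ALEKSANDR), ("renamed", ALEKSANDR_RENAMED),
                          ("newsletter", WANTED_NEWSLETTER)):
            print(f"{label:6} {name:10} -> {check_headers(rules, raw)}")
    for addr in ("user@s12.example.ru", "boss1@foo.ru"):
        print(f"{addr:22} unescaped={lookup(SENDERS, addr)} "
              f"escaped={lookup(SENDERS_ESCAPED, addr)}")
```

The run shows the trade-off the post describes: the narrow rule catches only the original headers, the broad rule also catches the renamed ones but discards the wanted newsletter that happens to use the same kind of tracking header, and the unescaped sender pattern rejects "boss1@foo.ru" because its dots match "@" and "." alike. On a host with Postfix installed the same check can be made against the real table with `postmap -q "X-Vjhy-Subscriber-Uid: abc" regexp:/etc/postfix/header_checks`, or against a whole saved message with `postmap -q - regexp:/etc/postfix/header_checks < message`.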
Still, in this case it's just one rule (well OK, it always _starts_ with one) and I don't get nearly enough mail or server load for this to be a meaningful problem. I also like that it gets rid of the spam right at the start of processing and doesn't waste any more time on it, given that it's often been the bulk of my day's external email to that (or any) address. Interestingly they still show spam filtering rules in the example at the end of the regexp_table(5) man page. Also "pcre" instead of "regexp" is supposed to be faster, but "postconf -m" didn't list it as available in my Postfix build.

Run "postfix reload" to make it load the new configuration.

Before long the Postfix log showed a number of correct matches for "Aleksandr spam", and after a couple of days none has made it through, so it looks like I might have won my personal battle against Aleksandr.

I also turned up yet another victim of Aleksandr online (I seem to be late to Aleksandr's party), who blocked the spam simply based on the curiously unchanging subject line (the postmap step isn't necessary for regexp or pcre tables, and as already noted you can use regexp if pcre isn't available):

https://iliasa.eu/postfix-discard-mail-based-on-header/

Related Postfix documentation links:

http://www.postfix.org/BUILTIN_FILTER_README.html
http://www.postfix.org/cleanup.8.html
http://www.postfix.org/header_checks.5.html
http://www.postfix.org/regexp_table.5.html - Examples at bottom
http://www.postfix.org/SMTPD_ACCESS_README.html

- The Free Thinker.