Hi,

Two things. Firstly to anyone running an incoming mail server, I strongly recommend using mail blacklists. I filter my mail using blacklists and strict rfc and the result is about 3-5 spams a week combined on all the accounts on my mail server. I used dnsstuff.com as a guide to finding the right combination of blacklists. I found the best way to find a blacklist was to handpick spam on your server, check the ip addresses against dnsstuff.com and check some legitimate emails. You should get an idea of which blacklists are reliable. When you find the right blacklist, go read the black lists terms and conditions first.

My main.cf has :

smtpd_helo_restrictions = permit_mynetworks,
check_helo_access mysql:/etc/postfix/mysql/mysql-helo.cf,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client combined.njabl.org,

This blocks 99% of spam.


Anyway, for my question. I would like to block more spam. I have noticed there are certain addresses on my server that have never existed that are often spammed. Two of these addresses are info@mydomain and contact@mydomain. Is there a plugin for postfix where I can specify spamtraps on my server, any mail entering a spam trap will cause the IP to be blocked. 4 hours first time, 8 hours second time etc...? Also having rules saying that the first few times an ip is blocked, it is block with 4xx errors. As the IP spams more and more it should do 5xx.

I want all this to be done before the data command is issued.


Thanks,

David Lublink

I'm not sure about the plug in, but you'll need to include it in smtpd_client_restrictions.

Also, here's a few other ideas on things you can add to stop spam.

smtpd_helo_required = yes

smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_unlisted_recipient
reject_unauth_destination
reject_non_fqdn_recipient
reject_unknown_recipient_domain
check_policy_service inet:127.0.0.1:60000

The last line is for greylisting. It basically checks the connecting IP, from address, and to address and if it's hasn't seen that triplet before, it will temporarily block the email. This forces the sending server to resend the email. If it resends the email, then it goes through.

Most spammers don't resend email automatically. This will also stop a significant amount. Just install Postgrey.

Actually I also have this:

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks,
check_helo_access mysql:/etc/postfix/mysql-helo.cf,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

Just the helo restrictions blocks about 40% of the spam coming into my server. I use check_helo_access to block mailers I would consider spammers but strickly speaking aren't. This list includes: tickle-corp.com,ringo.com,getitfree.net,hi5.com.

As for 'reject_unknown_sender_domain' this is also effective, but it gives me false positives. There are still a lot of legitimate sites that don't send from real domains. Without this directive and all the above between my home server and work server we have had 3 false positives in 8 months.

I am pretty happy with these results.

I think I'll use greylisting.

Thanks,

David

The reason I haven't yet implemented greylisting is for the same reason I dislike hotmail's spam filters.

My server uses the above mentioned filters before the data command is issued. That being considered, ANY message that is rejected will be sent back to the sender immediatly. The sender will know whether or not the message was recieved. It adds a certain level of confidence to the users of my server.

I have amavis that blocks any emails that are confirmed viruses and sends warnings for suspected viruses.

I don't have any spam folders or anything. This prevents people from missing important emails and saying 'oops it was in my spam folder'.

Trouble with greylisting is emails can be delayed up to 24 hours which may cause user frustration because the users are not aware of what is happening with their messages.

David

Mail servers should be configured to resend temporarily blocked email within a few minutes. I'm a System Admin for an ISP of about 40,000 customers and we use it. The block time we have set is 60 seconds. Very rarely do we see mail being delayed more than 5 minutes.

Is it possible to exclude certain addresses from the greylisting?

I have one specific address, support@domain.tld, can't risk having delays on that one.


David

You could add the address to a file (call it postgrey_sender_whitelist or anything you want) with an OK and include it in smtpd_recipient_restrictions. Then that address would skip all the remaining checks in smtpd_recipient_restrictions. Just make sure check_sender_access comes before check_policy_service inet:127.0.0.1:60000.

postmap /etc/postfix/postgrey_sender_whitelist

Restart Postfix and off you go.

What about PTR? I have a number of messages coming from IPs and dnsstuff.com says that some servesr would block using PTR.

Is PTR a reliable way to block spam?

My understanding is PTR is the reverse DNS lookup? Where I can get a hostname from an IP address?

How do I block IPs without PTR and how does everyone feel about this method?

David

If you have Postfix version 2.3 or greater, include this line in your smtpd_client_restrictions.

reject_unknown_client_hostname

If you have a version below 2.3 use: reject_unknown_client.

This rule will take the connecting server IP address and do a reverse DNS lookup (PTR record) on it. If it does not return a hostname, the mail is rejected. If the reverse DNS lookup does produce a hostname, then Postfix does a forward lookup on that hostname. If that lookup does not produce the original connecting IP or the lookup fails, the mail is rejected.

I did this, and spam was still getting through. So I checked, turned out I had setup a mail relay (for my domain and a coulpe of others) a while ago I had forgotten about. It was by the relay that all the extra spam was getting through.

I disabled the relay, I'll see if it works. I'll post my results here.

David