Stopping spam on postfix mail server.

Hi Team,

We are running our own mail server (postfix/dovecot) and we are severely hit by spam lately. The spam is
especially directed to one particular email address.

We have installed spamassassin and let the score to be the default (5). However, most of the spam
messages's score is calculated much below 5, and thus spamassasin is not tagging them as spam.

e.g:

X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=5.0 tests=HTML_MESSAGE,RP_MATCHES_RCVD,
      SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED,URIBL_DBL_SPAM
      autolearn=no version=3.3.2
Thread-Index: AQDk/HpmbBSNJI1pQg3Hg8cGEtwSMA==
Content-Language: en-us

We also installed amavisd, agents like pyzor, razor and installed dcc too. Inspite of this, we
still get lot of spam which is not detected as spam by spamassassin. Is spamassassin miscalculating?
What else can I do to stop the spam?


Thanks.
Starquest321Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
Spam is always a tough issue to deal with, because when one hole is plugged the spammers go find another one.  There are some things you can try that I've found effective on my own system, but they may not be acceptable practice on your system.

1.  Use iptables to restrict access from outside the US and Canada.  Most US based firms do business in the US and possibly Canada.  Most spam comes from outside the US.  If it is acceptable (and that's a big if), bring up iptables, load the geoip geolocation add-on, and disable incoming SMTP on port 25 from anything other than the US and Canada.

#/bin/sh

# /etc/iptables/script1
#
# This script is executed after script0 when /etc/init.d/iptables
# is called during the startup process.
#
# These rules are permanent lockouts of specific country codes as
# determined by the GeoIP database in /var/geoip.
#
# Note:  Keep the GeoIP database current using the shell scripts.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
declare -i sfail=0

# Delete all rules in any pre-existing chain
# $iptloc -F CountryLockouts
# Suppress error messages
$iptloc -F CountryLockouts > /dev/null 2> /dev/null

# Flush any pre-existing chain
# $iptloc -X CountryLockouts
# Suppress error messages
$iptloc -X CountryLockouts > /dev/null 2> /dev/null

# Declare a new iptables chain for these rules
$iptloc -t filter -N CountryLockouts
sfail=sfail+$?

# RULES BEGIN ============================================

# Accept incoming SMTP from the US
$iptloc -t filter -A CountryLockouts -m geoip --src-cc US -p tcp --dport 25 -j ACCEPT
sfail=sfail+$?

# Accept incoming SMTP from Canada
$iptloc -t filter -A CountryLockouts -m geoip --src-cc CA -p tcp --dport 80 -j ACCEPT
sfail=sfail+$?

# Reject incoming SMTP from any other country
$iptloc -t filter -A CountryLockouts -p tcp --dport 25 -j REJECT
sfail=sfail+$?


# RULES END ============================================

# Return to the calling chain
$iptloc -t filter -A CountryLockouts -j RETURN
sfail=sfail+$?

# Now insert a call to this chain at the top of INPUT
$iptloc -I INPUT 1 -j CountryLockouts
sfail=sfail+$?

exit $sfail

Open in new window


2.  If it's not acceptable to strongly filter at the iptables level, use Postscript rules to eliminate the offending countries in the Postscript configuration using the access_helo file.

# Entire country codes

/\.cn$/                                        550 Denied: China (.CN)
/\.es$/                                        550 Denied: Estonia (.ES)
/\.hu$/                                        550 Denied: Hungary (.HU)
/\.jp$/                                        550 Denied: Japan (.JP)
/\.kr$/                                        550 Denied: Korea (.KR)
/\.pl$/                                        550 Denied: Poland (.PL)
/\.ro$/                                        550 Denied: Romania (.RO)
/\.rs$/                                        550 Denied: Serbia (.RS)
/\.ru$/                                        550 Denied: Russia (.RU)
/\.sg$/                                        550 Denied: Singapore (.SG)
/\.yu$/                                        550 Denied: Yugoslavia (extinct)

# Specific IP addresses

/212\.38\.176\.10$/                            550 Denied

Open in new window


I have found these rules eliminate 99% of the spam I used to see on the system and the same goes for hostile SMTP probes.  However, they are admittedly severe and are definitely not appropriate for a company doing business outside the US on a world-wide, every country, basis.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Servers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.