?
Solved

Stopping spam on postfix mail server.

Posted on 2014-10-30
1
Medium Priority
?
615 Views
1 Endorsement
Last Modified: 2014-11-04
Hi Team,

We are running our own mail server (postfix/dovecot) and we are severely hit by spam lately. The spam is
especially directed to one particular email address.

We have installed spamassassin and let the score to be the default (5). However, most of the spam
messages's score is calculated much below 5, and thus spamassasin is not tagging them as spam.

e.g:

X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=5.0 tests=HTML_MESSAGE,RP_MATCHES_RCVD,
      SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED,URIBL_DBL_SPAM
      autolearn=no version=3.3.2
Thread-Index: AQDk/HpmbBSNJI1pQg3Hg8cGEtwSMA==
Content-Language: en-us

We also installed amavisd, agents like pyzor, razor and installed dcc too. Inspite of this, we
still get lot of spam which is not detected as spam by spamassassin. Is spamassassin miscalculating?
What else can I do to stop the spam?


Thanks.
1
Comment
Question by:Starquest321
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 28

Accepted Solution

by:
Dr. Klahn earned 2000 total points
ID: 40415395
Spam is always a tough issue to deal with, because when one hole is plugged the spammers go find another one.  There are some things you can try that I've found effective on my own system, but they may not be acceptable practice on your system.

1.  Use iptables to restrict access from outside the US and Canada.  Most US based firms do business in the US and possibly Canada.  Most spam comes from outside the US.  If it is acceptable (and that's a big if), bring up iptables, load the geoip geolocation add-on, and disable incoming SMTP on port 25 from anything other than the US and Canada.

#/bin/sh

# /etc/iptables/script1
#
# This script is executed after script0 when /etc/init.d/iptables
# is called during the startup process.
#
# These rules are permanent lockouts of specific country codes as
# determined by the GeoIP database in /var/geoip.
#
# Note:  Keep the GeoIP database current using the shell scripts.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
declare -i sfail=0

# Delete all rules in any pre-existing chain
# $iptloc -F CountryLockouts
# Suppress error messages
$iptloc -F CountryLockouts > /dev/null 2> /dev/null

# Flush any pre-existing chain
# $iptloc -X CountryLockouts
# Suppress error messages
$iptloc -X CountryLockouts > /dev/null 2> /dev/null

# Declare a new iptables chain for these rules
$iptloc -t filter -N CountryLockouts
sfail=sfail+$?

# RULES BEGIN ============================================

# Accept incoming SMTP from the US
$iptloc -t filter -A CountryLockouts -m geoip --src-cc US -p tcp --dport 25 -j ACCEPT
sfail=sfail+$?

# Accept incoming SMTP from Canada
$iptloc -t filter -A CountryLockouts -m geoip --src-cc CA -p tcp --dport 80 -j ACCEPT
sfail=sfail+$?

# Reject incoming SMTP from any other country
$iptloc -t filter -A CountryLockouts -p tcp --dport 25 -j REJECT
sfail=sfail+$?


# RULES END ============================================

# Return to the calling chain
$iptloc -t filter -A CountryLockouts -j RETURN
sfail=sfail+$?

# Now insert a call to this chain at the top of INPUT
$iptloc -I INPUT 1 -j CountryLockouts
sfail=sfail+$?

exit $sfail

Open in new window


2.  If it's not acceptable to strongly filter at the iptables level, use Postscript rules to eliminate the offending countries in the Postscript configuration using the access_helo file.

# Entire country codes

/\.cn$/                                        550 Denied: China (.CN)
/\.es$/                                        550 Denied: Estonia (.ES)
/\.hu$/                                        550 Denied: Hungary (.HU)
/\.jp$/                                        550 Denied: Japan (.JP)
/\.kr$/                                        550 Denied: Korea (.KR)
/\.pl$/                                        550 Denied: Poland (.PL)
/\.ro$/                                        550 Denied: Romania (.RO)
/\.rs$/                                        550 Denied: Serbia (.RS)
/\.ru$/                                        550 Denied: Russia (.RU)
/\.sg$/                                        550 Denied: Singapore (.SG)
/\.yu$/                                        550 Denied: Yugoslavia (extinct)

# Specific IP addresses

/212\.38\.176\.10$/                            550 Denied

Open in new window


I have found these rules eliminate 99% of the spam I used to see on the system and the same goes for hostile SMTP probes.  However, they are admittedly severe and are definitely not appropriate for a company doing business outside the US on a world-wide, every country, basis.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
This is my first article on Expert Exchange on the Manual Method of Exporting Office 365 Mailboxes to PST format by using the eDiscovery mechanism of Office. Hope you will enjoy the article.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question