Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 652
  • Last Modified:

Stopping spam on postfix mail server.

Hi Team,

We are running our own mail server (postfix/dovecot) and we are severely hit by spam lately. The spam is
especially directed to one particular email address.

We have installed spamassassin and let the score to be the default (5). However, most of the spam
messages's score is calculated much below 5, and thus spamassasin is not tagging them as spam.

e.g:

X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=5.0 tests=HTML_MESSAGE,RP_MATCHES_RCVD,
      SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED,URIBL_DBL_SPAM
      autolearn=no version=3.3.2
Thread-Index: AQDk/HpmbBSNJI1pQg3Hg8cGEtwSMA==
Content-Language: en-us

We also installed amavisd, agents like pyzor, razor and installed dcc too. Inspite of this, we
still get lot of spam which is not detected as spam by spamassassin. Is spamassassin miscalculating?
What else can I do to stop the spam?


Thanks.
1
Starquest321
Asked:
Starquest321
1 Solution
 
Dr. KlahnPrincipal Software EngineerCommented:
Spam is always a tough issue to deal with, because when one hole is plugged the spammers go find another one.  There are some things you can try that I've found effective on my own system, but they may not be acceptable practice on your system.

1.  Use iptables to restrict access from outside the US and Canada.  Most US based firms do business in the US and possibly Canada.  Most spam comes from outside the US.  If it is acceptable (and that's a big if), bring up iptables, load the geoip geolocation add-on, and disable incoming SMTP on port 25 from anything other than the US and Canada.

#/bin/sh

# /etc/iptables/script1
#
# This script is executed after script0 when /etc/init.d/iptables
# is called during the startup process.
#
# These rules are permanent lockouts of specific country codes as
# determined by the GeoIP database in /var/geoip.
#
# Note:  Keep the GeoIP database current using the shell scripts.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
declare -i sfail=0

# Delete all rules in any pre-existing chain
# $iptloc -F CountryLockouts
# Suppress error messages
$iptloc -F CountryLockouts > /dev/null 2> /dev/null

# Flush any pre-existing chain
# $iptloc -X CountryLockouts
# Suppress error messages
$iptloc -X CountryLockouts > /dev/null 2> /dev/null

# Declare a new iptables chain for these rules
$iptloc -t filter -N CountryLockouts
sfail=sfail+$?

# RULES BEGIN ============================================

# Accept incoming SMTP from the US
$iptloc -t filter -A CountryLockouts -m geoip --src-cc US -p tcp --dport 25 -j ACCEPT
sfail=sfail+$?

# Accept incoming SMTP from Canada
$iptloc -t filter -A CountryLockouts -m geoip --src-cc CA -p tcp --dport 80 -j ACCEPT
sfail=sfail+$?

# Reject incoming SMTP from any other country
$iptloc -t filter -A CountryLockouts -p tcp --dport 25 -j REJECT
sfail=sfail+$?


# RULES END ============================================

# Return to the calling chain
$iptloc -t filter -A CountryLockouts -j RETURN
sfail=sfail+$?

# Now insert a call to this chain at the top of INPUT
$iptloc -I INPUT 1 -j CountryLockouts
sfail=sfail+$?

exit $sfail

Open in new window


2.  If it's not acceptable to strongly filter at the iptables level, use Postscript rules to eliminate the offending countries in the Postscript configuration using the access_helo file.

# Entire country codes

/\.cn$/                                        550 Denied: China (.CN)
/\.es$/                                        550 Denied: Estonia (.ES)
/\.hu$/                                        550 Denied: Hungary (.HU)
/\.jp$/                                        550 Denied: Japan (.JP)
/\.kr$/                                        550 Denied: Korea (.KR)
/\.pl$/                                        550 Denied: Poland (.PL)
/\.ro$/                                        550 Denied: Romania (.RO)
/\.rs$/                                        550 Denied: Serbia (.RS)
/\.ru$/                                        550 Denied: Russia (.RU)
/\.sg$/                                        550 Denied: Singapore (.SG)
/\.yu$/                                        550 Denied: Yugoslavia (extinct)

# Specific IP addresses

/212\.38\.176\.10$/                            550 Denied

Open in new window


I have found these rules eliminate 99% of the spam I used to see on the system and the same goes for hostile SMTP probes.  However, they are admittedly severe and are definitely not appropriate for a company doing business outside the US on a world-wide, every country, basis.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now