Solved

Stopping spam on postfix mail server.

Posted on 2014-10-30
1
574 Views
1 Endorsement
Last Modified: 2014-11-04
Hi Team,

We are running our own mail server (postfix/dovecot) and we are severely hit by spam lately. The spam is
especially directed to one particular email address.

We have installed spamassassin and let the score to be the default (5). However, most of the spam
messages's score is calculated much below 5, and thus spamassasin is not tagging them as spam.

e.g:

X-Spam-Level: *
X-Spam-Status: No, score=1.9 required=5.0 tests=HTML_MESSAGE,RP_MATCHES_RCVD,
      SPF_HELO_PASS,SPF_PASS,T_REMOTE_IMAGE,URIBL_BLOCKED,URIBL_DBL_SPAM
      autolearn=no version=3.3.2
Thread-Index: AQDk/HpmbBSNJI1pQg3Hg8cGEtwSMA==
Content-Language: en-us

We also installed amavisd, agents like pyzor, razor and installed dcc too. Inspite of this, we
still get lot of spam which is not detected as spam by spamassassin. Is spamassassin miscalculating?
What else can I do to stop the spam?


Thanks.
1
Comment
Question by:Starquest321
1 Comment
 
LVL 25

Accepted Solution

by:
Dr. Klahn earned 500 total points
ID: 40415395
Spam is always a tough issue to deal with, because when one hole is plugged the spammers go find another one.  There are some things you can try that I've found effective on my own system, but they may not be acceptable practice on your system.

1.  Use iptables to restrict access from outside the US and Canada.  Most US based firms do business in the US and possibly Canada.  Most spam comes from outside the US.  If it is acceptable (and that's a big if), bring up iptables, load the geoip geolocation add-on, and disable incoming SMTP on port 25 from anything other than the US and Canada.

#/bin/sh

# /etc/iptables/script1
#
# This script is executed after script0 when /etc/init.d/iptables
# is called during the startup process.
#
# These rules are permanent lockouts of specific country codes as
# determined by the GeoIP database in /var/geoip.
#
# Note:  Keep the GeoIP database current using the shell scripts.

PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
iptloc="/sbin/iptables"
declare -i sfail=0

# Delete all rules in any pre-existing chain
# $iptloc -F CountryLockouts
# Suppress error messages
$iptloc -F CountryLockouts > /dev/null 2> /dev/null

# Flush any pre-existing chain
# $iptloc -X CountryLockouts
# Suppress error messages
$iptloc -X CountryLockouts > /dev/null 2> /dev/null

# Declare a new iptables chain for these rules
$iptloc -t filter -N CountryLockouts
sfail=sfail+$?

# RULES BEGIN ============================================

# Accept incoming SMTP from the US
$iptloc -t filter -A CountryLockouts -m geoip --src-cc US -p tcp --dport 25 -j ACCEPT
sfail=sfail+$?

# Accept incoming SMTP from Canada
$iptloc -t filter -A CountryLockouts -m geoip --src-cc CA -p tcp --dport 80 -j ACCEPT
sfail=sfail+$?

# Reject incoming SMTP from any other country
$iptloc -t filter -A CountryLockouts -p tcp --dport 25 -j REJECT
sfail=sfail+$?


# RULES END ============================================

# Return to the calling chain
$iptloc -t filter -A CountryLockouts -j RETURN
sfail=sfail+$?

# Now insert a call to this chain at the top of INPUT
$iptloc -I INPUT 1 -j CountryLockouts
sfail=sfail+$?

exit $sfail

Open in new window


2.  If it's not acceptable to strongly filter at the iptables level, use Postscript rules to eliminate the offending countries in the Postscript configuration using the access_helo file.

# Entire country codes

/\.cn$/                                        550 Denied: China (.CN)
/\.es$/                                        550 Denied: Estonia (.ES)
/\.hu$/                                        550 Denied: Hungary (.HU)
/\.jp$/                                        550 Denied: Japan (.JP)
/\.kr$/                                        550 Denied: Korea (.KR)
/\.pl$/                                        550 Denied: Poland (.PL)
/\.ro$/                                        550 Denied: Romania (.RO)
/\.rs$/                                        550 Denied: Serbia (.RS)
/\.ru$/                                        550 Denied: Russia (.RU)
/\.sg$/                                        550 Denied: Singapore (.SG)
/\.yu$/                                        550 Denied: Yugoslavia (extinct)

# Specific IP addresses

/212\.38\.176\.10$/                            550 Denied

Open in new window


I have found these rules eliminate 99% of the spam I used to see on the system and the same goes for hostile SMTP probes.  However, they are admittedly severe and are definitely not appropriate for a company doing business outside the US on a world-wide, every country, basis.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question