
Limit incoming email


jlh1

MIS
Mar 26, 2001
65
US
I recently had a problem with emails being sent to an email address that is hosted on my server.

Emails were sent to an email box from an external address. When the user noticed the email, there were thousands in the inbox from the one address. We reacted to the email blast, but by the time we had updated the blocked email address file there were thousands more.
We use Postfix to filter and allow email into our system by entering valid email addresses into the relay_recipients file.

We would like to stop the kind of external email storm that we experienced automatically, without affecting internal email clients.

In our research we found that the version of Postfix that we are running has the following options.

smtpd_client_event_limit_exceptions = mynetworks
anvil_rate_time_unit = 60s
anvil_status_update_time = 120s
smtpd_client_message_rate_limit=500

Will this limit the external emails that meet the setting above?
Also, I would not like to have the Postfix server send emails back to the original sender, because if the sender is not a real address I don’t want to escalate the email storm with non-deliveries.

Jlh1

 
The first thing to ask is if these are true SPAM or valid emails. If they are SPAM, there are several things you can do to reduce the likelihood that this will wind up in your inbox. The important thing to do is apply your security and filtering in layers. The layering is important because it allows you to apply progressively aggressive techniques so that resource intensive ones are only applied on mail that appears to be legitimate.

I am not sure if the features you have indicated will limit the influx of email. If you wish to rate limit, I would recommend either using a firewall rate limit function or a tool like fail2ban which will block on things like too many attempts to send to invalid users.

Below is the set of checks that I use on my Postfix. It contains things like verifying that the sender is a legitimate domain, requires a proper HELO, etc. It then proceeds to check against my own block lists, do a DNS check against the block lists, etc. Finally, email is passed to SpamAssassin and Amavis for scanning. Note that I also use the PCRE checks, which look for items typically associated with ideographic junk.

Postfix can apply restrictions and checks to the various parts of the mail message, such as the header, the envelope, the body, etc.
I would suggest that you look at the different groupings I am using and read up on them in the Postfix.org documentation section so that you can understand what they do. Note that the order is important as the items are evaluated in the order listed.

I am also using a function called Greylisting. What this does is the first time that a client attempts to send an email it is rejected with a temporary fail code. It then makes the server try again after a period of delay. Spammers typically want to dump as much junk as they can and leave so most times they don't even try to send again, whereas a legitimate client will.


Code:
header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks

#2-13-11 add some other restrictions to help combat spam
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
   permit_mynetworks,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   permit

unknown_hostname_reject_code = 550
unknown_address_reject_code = 554

smtpd_recipient_restrictions =
   permit_mynetworks
   permit_sasl_authenticated
   reject_rbl_client zen.spamhaus.org
   reject_rbl_client bl.spamcop.net
   check_policy_service inet:127.0.0.1:60000
   permit_mx_backup
   reject_unauth_destination
   reject_unknown_recipient_domain
   permit

#   reject_rbl_client dnsbl.sorbs.net

smtpd_sender_restrictions =
   permit_mynetworks
   reject_non_fqdn_sender
   reject_unknown_sender_domain
   check_sender_access hash:/etc/postfix/sender_access

# added to reject chinese junk; this must start in column 1, since an indented
# line would be read as a continuation of smtpd_sender_restrictions
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/cn.zone
 
Thank you for your response.

The email in question by itself would not be considered spam and passed all the spam rules that we have in place. It was the amount of this email sent to one email address on our server that caused our concern.

So I guess what I’m looking to do is use Postfix to trigger and block the email address or IP number that these emails were sent from when the volume of this email exceeds a predefined number per second.
I’m not sure if it is possible to stop or throttle incoming mail individually by email or IP address, or whether a throttle would apply to all incoming email.
jlh1
 
Have a look at this document: Specifically, look at the section Measures against clients that make too many connections. It looks like Postfix will allow you to limit the rate at which a client is allowed to send messages, as well as how to handle ones that make too many connections.

Alternatively, if the messages are coming in as a burst from the same IP address, you could use an iptables rate limit filter. This would allow you to, say, allow 5 unrestricted connections and then limit them to one every 10 minutes or so. Here is an example that I used on port 22 (ssh connections). For mail, change it to port 25 and change the timing parameters to the desired values. Note that it is done in a two-rule step: one rule sets the trigger, the other blocks once it has been triggered. My rule will allow 4 connections in a minute and then start dropping. One advantage to this approach is that it is implemented in netfilter, which is part of the kernel, so it consumes as little resource as possible. The application level isn't even aware of the attempts.

Code:
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
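As an added illustration (not code from this thread or from Postfix), here is a Python sketch of the trigger jlh1 asks for: it joins Postfix smtpd and qmgr log lines on the queue id, counts messages per client IP in a 60-second window (a sliding-window approximation of what anvil(8) does for smtpd_client_message_rate_limit), exempts mynetworks the way smtpd_client_event_limit_exceptions does, and emits check_client_access / check_sender_access entries. A REJECT applied in smtpd answers the earlier bounce concern: the remote server owns any non-delivery, so this host never generates one. The log lines, hosts, addresses and the year 2001 used for the timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

CLIENT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (\w+): client=\S*\[([\d.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

def parse_log(lines):
    """Join smtpd (client IP) and qmgr (envelope sender) lines on the queue id -> [(ts, ip, sender)]."""
    clients, events = {}, []
    for line in lines:
        m = CLIENT_RE.match(line)
        if m:  # syslog timestamps carry no year; 2001 is assumed for the constructed sample
            ts = datetime.strptime(m.group(1) + " 2001", "%b %d %H:%M:%S %Y")
            clients[m.group(2)] = (ts, m.group(3))
        m = FROM_RE.search(line)
        if m and m.group(1) in clients:
            events.append(clients.pop(m.group(1)) + (m.group(2),))
    return events

def find_bursts(events, limit, time_unit=60, mynetworks=("127.0.0.0/8",)):
    """Clients sending more than `limit` messages within `time_unit` seconds; mynetworks are exempt."""
    exempt = [ip_network(n) for n in mynetworks]
    window, offenders = defaultdict(list), {}
    for ts, ip, sender in sorted(events):
        if any(ip_address(ip) in net for net in exempt):
            continue
        window[ip].append(ts)
        while (ts - window[ip][0]).total_seconds() > time_unit:
            window[ip].pop(0)  # drop timestamps that fell out of the window
        if len(window[ip]) > limit:
            offenders.setdefault(ip, set()).add(sender)
    return offenders

def access_map_entries(offenders):
    """Lines for check_client_access / check_sender_access maps; REJECT in smtpd means no bounce from us."""
    return [f"{key}\tREJECT message rate exceeded"
            for ip, senders in sorted(offenders.items()) for key in (ip, *sorted(senders))]

def make_sample_log():
    """Constructed log: 203.0.113.5 sends 6 messages in 30 s, an internal host does the same, 198.51.100.7 sends 2."""
    lines, qid = [], 0
    for ip, sender, n in [("203.0.113.5", "bulk@example.net", 6), ("192.168.1.10", "user@example.com", 6), ("198.51.100.7", "ok@example.org", 2)]:
        for i in range(n):
            qid += 1
            ts = f"Mar 26 10:00:{5 * i:02d}"
            lines.append(f"{ts} mx postfix/smtpd[100]: Q{qid:03d}: client=unknown[{ip}]")
            lines.append(f"{ts} mx postfix/qmgr[200]: Q{qid:03d}: from=<{sender}>, size=900, nrcpt=1")
    return lines
```

The generated lines still have to be written to the map files, compiled with postmap, and referenced from smtpd_client_restrictions and smtpd_sender_restrictions before Postfix acts on them.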
 
Thank you I will check it out.

Jlh1
 