More efficient way of blocking email spammers on home server

Status
Not open for further replies.

yipton (IS-IT--Management), Jan 2, 2010
Hi All,

I've noticed recently that my home server gets bashed by email spammers. I'm successfully blocking their attempts by:
smtpd_client_restrictions = permit_sasl_authenticated,
permit_mynetworks, warn_if_reject

I'm also trying to limit the number of smtp connections by:
smtpd_client_connection_count_limit = 30
smtpd_client_connection_rate_limit = 5
where anvil_time is set to 60 seconds.

However, netstat shows that I still get ~500 simultaneous smtp connections because they connect from *loads* of different machines at the same time.

A small snippet of the REJECTS from mail.log is listed below. As can be seen, lots of different IP addresses, albeit that they are all from dynamic.hinet.net.

Is there any way I can configure postfix to somehow block all connection requests from "*.dynamic.hinet.net"? Or any other suggestion that blocks these spammer dudes more efficiently, earlier on in the email processing chain?

My setup is a Linux server running postfix behind an adsl router, where smtp is forwarded from the router to the Linux server. I only have a handful of machines on the internet side of the router who need smtp access. Should I configure them (+router) to use a different port, say 8025? Or do email spammers scan all ports these days?

Any suggestions are appreciated!

Best,
Peter


********* mail.log ******
Jan 2 17:55:33 XXX postfix/smtpd[6579]: NOQUEUE: reject: RCPT from 114-45-61-81.dynamic.hinet.net[114.45.61.81]: 554 5.7.1 <csssss@yahoo.com.tw>: Relay access denied; from=<zaxzi@yahoo.com.hk> to=<csssss@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:33 XXX postfix/smtpd[6640]: NOQUEUE: reject: RCPT from 114-45-56-28.dynamic.hinet.net[114.45.56.28]: 554 5.7.1 <ajoe_911@yahoo.com.tw>: Relay access denied; from=<qxlsommoywv@pcome.com.tw> to=<ajoe_911@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:33 XXX postfix/smtpd[6557]: NOQUEUE: reject: RCPT from 114-45-60-222.dynamic.hinet.net[114.45.60.222]: 554 5.7.1 <yourk1218@yahoo.com.tw>: Relay access denied; from=<mvtxyonnq@yahoo.ca> to=<yourk1218@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6641]: NOQUEUE: reject: RCPT from 118-168-98-172.dynamic.hinet.net[118.168.98.172]: 554 5.7.1 <leaannc@yahoo.com.tw>: Relay access denied; from=<tibshzftgwnn@yahoo.no> to=<leaannc@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6595]: NOQUEUE: reject: RCPT from 118-168-98-172.dynamic.hinet.net[118.168.98.172]: 554 5.7.1 <panwe1226@yahoo.com.tw>: Relay access denied; from=<exoabzrzvxbicy@gmail.com> to=<panwe1226@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6619]: NOQUEUE: reject: RCPT from 114-45-61-186.dynamic.hinet.net[114.45.61.186]: 554 5.7.1 <chihuangg@yahoo.com.tw>: Relay access denied; from=<arnukzpmvahtd@yahoo.se> to=<chihuangg@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6594]: NOQUEUE: reject: RCPT from 118-168-97-196.dynamic.hinet.net[118.168.97.196]: 554 5.7.1 <fan.s.0909@yahoo.com.tw>: Relay access denied; from=<jpjhp@yahoo.de> to=<fan.s.0909@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6639]: NOQUEUE: reject: RCPT from 118-168-103-172.dynamic.hinet.net[118.168.103.172]: 554 5.7.1 <bork@yahoo.com.tw>: Relay access denied; from=<wloycfjlzzqttl@yahoo.dk> to=<bork@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6579]: NOQUEUE: reject: RCPT from 114-45-61-81.dynamic.hinet.net[114.45.61.81]: 554 5.7.1 <jackey419@yahoo.com.tw>: Relay access denied; from=<zaxzi@yahoo.com.hk> to=<jackey419@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>

 
There are several ways you can accomplish this. Probably the best, long term solution would be to add Spamassassin, Postgrey, and Amavis to your setup. This will provide a check against run time black lists, content filtering, and blocking on most non-compliant (spam) servers.

For the short run, you can approach this either through a DNS method or through postfix.

Option 1 dns: I assume you're running Linux, otherwise you will need to approach this differently. Use iptables to create a black list based on the IP address. Add an entry to a script that gets loaded on startup to drop all packets from that domain.
1 - In /etc/network/interfaces add "pre-up iptables-restore < /etc/iptables.rules" to your eth0 entry.
2 - In /etc/iptables.rules: -A INPUT -j blacklist
3 - -A blacklist -s <ip and cidr mask> -j DROP

Option 2 postfix: add to smtpd_recipient_restrictions the following, "check_client_access regexp:/etc/postfix/blacklist_clients" (no quotes). Then create a blacklist_clients folder that looks like this:
/dynamic\.hinet\.net$/ REJECT UCE black-listed.
Note: You will need to run postmap on your regex file to put it into the proper postfix database format.

Note: This trick comes from the following site:
There are probably lots of other ways. Google "postfix blacklist domain" and you will get some other options. I personally use and would recommend the spamassassin and amavis approach. You may also want to look at dspam.
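As an added example (not code from the thread, the poster, or the Postfix project), the script below pulls the offending clients out of reject lines in the format shown in the first post, ranks them by the parent domain of their reverse-DNS name, and emits both block lists the answer above describes: the regexp table for check_client_access and an iptables-restore file for the firewall route. The five log lines are constructed to match the posted format (the dynamic.hinet.net names are taken from the post; the "unknown" and mail.example.net clients and all addresses are invented), and the /24 ranges it suggests are simply the networks seen in the sample, not a claim about how that provider actually allocates addresses.

```shell
#!/bin/sh
# Added example for this thread, not the poster's setup. POSIX sh + sed + awk.

# Constructed sample of Postfix NOQUEUE reject lines in the posted format:
# two clients under dynamic.hinet.net (one of them twice), one client with
# no reverse DNS ("unknown"), and one ordinary-looking host.
SAMPLE_LOG='Jan 2 17:55:33 XXX postfix/smtpd[6579]: NOQUEUE: reject: RCPT from 114-45-61-81.dynamic.hinet.net[114.45.61.81]: 554 5.7.1 <a@example.com.tw>: Relay access denied; from=<x@example.com> to=<a@example.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6641]: NOQUEUE: reject: RCPT from 118-168-98-172.dynamic.hinet.net[118.168.98.172]: 554 5.7.1 <b@example.com.tw>: Relay access denied; from=<y@example.com> to=<b@example.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6595]: NOQUEUE: reject: RCPT from 118-168-98-172.dynamic.hinet.net[118.168.98.172]: 554 5.7.1 <c@example.com.tw>: Relay access denied; from=<z@example.com> to=<c@example.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:35 XXX postfix/smtpd[6600]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 <d@example.com.tw>: Relay access denied; from=<w@example.com> to=<d@example.com.tw> proto=SMTP helo=<203.0.113.7>
Jan 2 17:55:36 XXX postfix/smtpd[6601]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 554 5.7.1 <e@example.com.tw>: Relay access denied; from=<v@example.com> to=<e@example.com.tw> proto=SMTP helo=<mail.example.net>'

# stdin: mail.log lines. stdout: "client-hostname client-ip" per reject line.
reject_clients() {
    sed -n 's/.*NOQUEUE: reject: RCPT from \([^[]*\)\[\([^]]*\)].*/\1 \2/p'
}

# stdin: mail.log lines. stdout: "count parent-domain", busiest first.
# The parent domain is the rDNS name minus its first label, so
# 114-45-61-81.dynamic.hinet.net is counted under dynamic.hinet.net.
# Clients with no reverse DNS log as "unknown" and are counted under that.
reject_domains() {
    reject_clients | awk '{
        n = split($1, label, ".")
        dom = (n > 1) ? substr($1, length(label[1]) + 2) : $1
        count[dom]++
    }
    END { for (d in count) print count[d], d }' | sort -rn
}

# stdin: mail.log lines. $1: parent domain. stdout: distinct /24s seen for
# clients under that domain. Only a starting point for a firewall list:
# /24 is a guess here, so check whois before widening a range.
nets_for_domain() {
    reject_clients | awk -v dom="$1" '
        substr($1, length($1) - length(dom)) == "." dom {
            split($2, o, ".")
            print o[1] "." o[2] "." o[3] ".0/24"
        }' | sort -u
}

# Postfix regexp access table: one REJECT line per parent domain given.
# The leading \. stops a name like notdynamic.hinet.net from matching too.
# regexp: tables are read as plain text, so no postmap step is needed
# (postmap is for hash:/btree: tables).
postfix_blacklist() {
    for dom in "$@"; do
        esc=$(printf '%s' "$dom" | sed 's/\./\\./g')
        printf '/\\.%s$/ REJECT UCE black-listed client\n' "$esc"
    done
}

# iptables-restore file: a dedicated chain hooked from INPUT for tcp/25 only,
# so a bad entry cannot lock you out of ssh. Load it with:
#   iptables-restore < /etc/iptables.rules
iptables_blacklist() {
    printf '%s\n' '*filter' ':blacklist - [0:0]' \
        '-A INPUT -p tcp --dport 25 -j blacklist'
    for net in "$@"; do
        printf '%s\n' "-A blacklist -s $net -j DROP"
    done
    printf '%s\n' 'COMMIT'
}

# Run over the sample: who is hammering us, then both block lists.
printf '%s\n' "$SAMPLE_LOG" | reject_domains
postfix_blacklist dynamic.hinet.net
# Unquoted $(...) on purpose: one argument per network.
iptables_blacklist $(printf '%s\n' "$SAMPLE_LOG" | nets_for_domain dynamic.hinet.net)
```

Two points the thread touches without spelling out. The rejects in the first post are logged at RCPT because smtpd_delay_reject defaults to yes, which postpones every client-level reject until RCPT TO; setting smtpd_delay_reject = no in main.cf makes a check_client_access REJECT fire as soon as the connection is made, which is the "earlier in the chain" the question asks for. The caveat is that permit_sasl_authenticated cannot match at connect time, so an authenticated user connecting from a blacklisted range would be refused on port 25 and should use a separate submission service instead. The per-client knobs are smtpd_client_connection_count_limit (simultaneous connections) and smtpd_client_connection_rate_limit (connections per anvil_rate_time_unit, default 60s); neither helps much against a few hundred distinct source addresses, which is why a firewall DROP, on the router as the poster ended up doing or via the iptables file above, is the cheapest answer: no smtpd process is started for the connection at all.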
 
Thanks for that!

Turns out that my adsl router's firewall supports domain filter as well. Hadn't noticed that in all the time I've used it.

Anyway, problem solved!

Pete
 
