More efficient way of blocking email spammers on home server

[yipton]

Hi All,

I've noticed recently that my home server gets bashed by email spammers. I'm successfully blocking their attempts by:
smtpd_client_restrictions = permit_sasl_authenticated,
permit_mynetworks, warn_if_reject

I'm also trying to limit the number of smtp connections by:
smtpd_client_connection_count_limit = 30
smtpd_client_connection_count_limit = 5
where anvil_time is set to 60 seconds.

However, netstat shows that I still get ~500 simultaneous smtp connections because they connect from *loads* of different machines at the same time.

A small snippet of the REJECTS from mail.log is listed below. As can be seen, lots of different IP addresses, albeit that they are all from dynamic.hinet.net.

Is there any way I can configure postfix to somehow block all connection requests from "*.dynamic.hinet.net"? Or any other suggestion that blocks these spammer dudes more efficiently, earlier on in the email processing chain?

My setup is a Linux server running postfix behind an adsl router, where smtp is forwarded from the router to the Linux server. I only have a handful of machines on the internet side of the router who need smtp access. Should I configure them (+router) to use a different port, say 8025? Or do email spammer scan all ports these days?

Any suggestions are appreciated!

Best,
Peter


********* mail.log ******
Jan 2 17:55:33 XXX postfix/smtpd[6579]: NOQUEUE: reject: RCPT from 114-45-61-81.dynamic.hinet.net[114.45.61.81]: 554 5.7.1 <csssss@yahoo.com.tw>: Relay access denied; from=<zaxzi@yahoo.com.hk> to=<csssss@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:33 XXX postfix/smtpd[6640]: NOQUEUE: reject: RCPT from 114-45-56-28.dynamic.hinet.net[114.45.56.28]: 554 5.7.1 <ajoe_911@yahoo.com.tw>: Relay access denied; from=<qxlsommoywv@pcome.com.tw> to=<ajoe_911@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:33 XXX postfix/smtpd[6557]: NOQUEUE: reject: RCPT from 114-45-60-222.dynamic.hinet.net[114.45.60.222]: 554 5.7.1 <yourk1218@yahoo.com.tw>: Relay access denied; from=<mvtxyonnq@yahoo.ca> to=<yourk1218@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6641]: NOQUEUE: reject: RCPT from 118-168-98-172.dynamic.hinet.net[118.168.98.172]: 554 5.7.1 <leaannc@yahoo.com.tw>: Relay access denied; from=<tibshzftgwnn@yahoo.no> to=<leaannc@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6595]: NOQUEUE: reject: RCPT from 118-168-98-172.dynamic.hinet.net[118.168.98.172]: 554 5.7.1 <panwe1226@yahoo.com.tw>: Relay access denied; from=<exoabzrzvxbicy@gmail.com> to=<panwe1226@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6619]: NOQUEUE: reject: RCPT from 114-45-61-186.dynamic.hinet.net[114.45.61.186]: 554 5.7.1 <chihuangg@yahoo.com.tw>: Relay access denied; from=<arnukzpmvahtd@yahoo.se> to=<chihuangg@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6594]: NOQUEUE: reject: RCPT from 118-168-97-196.dynamic.hinet.net[118.168.97.196]: 554 5.7.1 <fan.s.0909@yahoo.com.tw>: Relay access denied; from=<jpjhp@yahoo.de> to=<fan.s.0909@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6639]: NOQUEUE: reject: RCPT from 118-168-103-172.dynamic.hinet.net[118.168.103.172]: 554 5.7.1 <bork@yahoo.com.tw>: Relay access denied; from=<wloycfjlzzqttl@yahoo.dk> to=<bork@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>
Jan 2 17:55:34 XXX postfix/smtpd[6579]: NOQUEUE: reject: RCPT from 114-45-61-81.dynamic.hinet.net[114.45.61.81]: 554 5.7.1 <jackey419@yahoo.com.tw>: Relay access denied; from=<zaxzi@yahoo.com.hk> to=<jackey419@yahoo.com.tw> proto=SMTP helo=<94.0.91.117>

 

[Noway2]

There are several ways you can accomplish this. Probably the best, long term solution would be to add Spamassassin, Postgrey, and Amavis to your setup. This will provide a check against run time black lists, content filtering, and blocking on most non-compliant (spam) servers.

For the short run, you can approach this either through a DNS method or through postfix.

Option 1 dns: I assume your running Linux, otherwise you will need to approach this differently. Use IP tables to create a black list based on the IP address. Add an entry to a script that gets loaded on startup to drop all packets from that domain.
1 - In /etc/network/interfaces add: pre-up iptables-restore < /etc/iptables.rules to your eth0 entry.
2 -A INPUT -j blacklist
3 -A blacklist -s <ip and cidr mask> -j DROP

Option 2 postfix: add to smtpd_recipient_restrictions the following, "check_client_access regexp:/etc/postfix/blacklist_clients" (no quotes). Then create a blacklist_clients folder that looks like this:
/dynamic\.hinet\.net$/ REJECT UCE black-listed.
Note: You will need to run postmap on your regex file to put it into the proper postfix database format.

Note: This trick comes from the following site:

http://nixcraft.com/mail-servers/3288-postfix-blacklist.html

There are probably lots of other ways. Google "postfix blacklist domain" and you will gets some other options. I personally use and would recommend the spamassassin and amavis approach. You may also want to look at dspam.

 

[yipton]

Thanks for that!

Turns out that my adsl router's firewall supports domain filter as well. Hadn't noticed that in all the time I've used it.

Anyway, problem solved!

Pete