Being hammered with viruses

Peter H. Lemieux mailscanner at replies.cyways.com
Tue Apr 25 17:18:59 UTC 2017


I rely on a combination of iptables rules and a lengthy access.db in 
sendmail to handle these sorts of problems.  You can add similar rules 
to a Postfix server using smtpd_client_restrictions, 
smtpd_sender_restrictions and smtpd_helo_restrictions in main.cf.

In client_restrictions I have

smtpd_client_restrictions = sleep 3, reject_unauth_pipelining,
         check_sender_access pcre:/etc/postfix/sender_access

The first line enforces a three-second delay on the transaction which 
blocks spam flooding from senders that don't use the HELO/EHLO commands 
in the SMTP protocol.  This is the Postfix equivalent of sendmail's 
"greetpause" directive.  I also have a set of regex-based rules in the 
/etc/postfix/sender_access file like these:

# no mail from outsiders claiming to be us
/\.example\.com$/        REJECT
/10-10-10/               REJECT

# no two-letter country-code domains except us/ca
/\.us$/                 OK
/\.ca$/                 OK
/\.[a-z][a-z]$/         REJECT US senders only

The first rejects mail coming in claiming to be from senders in the 
local domain.  That may not work for you if you support remote clients. 
The second line protects against mail claiming to be from senders using 
alleged hostnames that mimic the server's IP address.

This client is a US-based community health center, so they only want to 
accept mail from the US and CA country-code domains, which gives rise to 
the second set of rules.  If you don't need to accept mail from servers 
in .vn, .in, .ru, etc., rules like this can help.

In the ruleset for helo_access I block a variety of the newer top-level 
domains that have become havens for spammers:

/\.click$/              REJECT
/\.date$/               REJECT
/\.faith$/              REJECT
/\.party$/              REJECT
/\.link$/               REJECT
/\.xyz$/                REJECT
/\.download$/           REJECT
/\.top$/                REJECT
/\.space$/              REJECT
/\.win$/                REJECT
/\.stream$/             REJECT
/\.gdn$/                REJECT
/\.website$/            REJECT
/\.bid$/                REJECT

I run a script each day which scans the mail log and tallies up the 
number of rejections per IP address.  Any IP address that generated ten 
or more spam rejections in a single day is blocked via an iptables rule.

The overall objective here is to drop as much junk as possible at the 
doorstep so MailScanner need not bother with it.

Peter


On 04/25/2017 12:05 PM, Danita Zanre wrote:
> I have one site that I scan for that is just being inundated with spam
> and viruses.  My poor server simply cannot keep up!
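The daily log-scanning step Peter describes, as an added Python example that is not his script: it tallies Postfix smtpd rejections per client IP over constructed log lines, applies the ten-rejections-per-day threshold, and renders the matching iptables rules as text for review rather than executing them. The chain name, sample addresses and log lines are assumptions.

```python
import re
from collections import Counter
from typing import Iterable, List

# Matches a Postfix smtpd rejection and captures the connecting client's IP.
# Constructed example: "... NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 ..."
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from \S*\[(\d{1,3}(?:\.\d{1,3}){3})\]"
)


def tally_rejections(lines: Iterable[str]) -> Counter:
    """Count Postfix rejections per client IP address; other log lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offenders(counts: Counter, threshold: int = 10) -> List[str]:
    """IPs with at least `threshold` rejections, most active first, then by address."""
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))


def iptables_rules(ips: Iterable[str], chain: str = "INPUT") -> List[str]:
    """Render one DROP rule per offending IP (chain name is a hypothetical default)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


# Constructed sample log: 12 rejections from one client, 3 from another, plus
# two ordinary connection lines that must not be counted.
_REJECT = ("Apr 25 10:{m:02d}:02 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from "
           "unknown[{ip}]: 554 5.7.1 <bulk@example.click>: Helo command rejected: "
           "Access denied; from=<bulk@example.click> to=<user@example.com> "
           "proto=ESMTP helo=<mail.example.click>")
SAMPLE_LOG = (
    [_REJECT.format(m=i, ip="203.0.113.45") for i in range(12)]
    + [_REJECT.format(m=i, ip="198.51.100.7") for i in range(3)]
    + ["Apr 25 10:30:00 mx postfix/smtpd[4711]: connect from mail.example.net[192.0.2.10]",
       "Apr 25 10:30:01 mx postfix/smtpd[4711]: 1A2B3C: client=mail.example.net[192.0.2.10]"]
)

if __name__ == "__main__":
    for rule in iptables_rules(offenders(tally_rejections(SAMPLE_LOG))):
        print(rule)
```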


More information about the MailScanner mailing list