Being hammered with viruses
Peter H. Lemieux
mailscanner at replies.cyways.com
Tue Apr 25 17:18:59 UTC 2017
I rely on a combination of iptables rules and a lengthy access.db in
sendmail to handle these sorts of problems. You can add similar rules
to a Postfix server using smtpd_client_restrictions,
smtpd_sender_restrictions and smtpd_helo_restrictions in main.cf.
In client_restrictions I have
smtpd_client_restrictions = sleep 3, reject_unauth_pipelining,
    check_sender_access pcre:/etc/postfix/sender_access
The first line enforces a three-second delay on the transaction which
blocks spam flooding from senders that don't use the HELO/EHLO commands
in the SMTP protocol. This is the Postfix equivalent of sendmail's
"greetpause" directive. I also have a set of regex-based rules in the
/etc/postfix/sender_access file like these:
# no mail from outsiders claiming to be us
/\.example\.com$/ REJECT
/10-10-10/ REJECT
# no two-letter country-code domains except us/ca
/\.us$/ OK
/\.ca$/ OK
/\.[a-z][a-z]$/ REJECT US senders only
The first rejects mail coming in claiming to be from senders in the
local domain. That may not work for you if you support remote clients.
The second line protects against mail claiming to be from senders using
alleged hostnames that mimic the server's IP address.
This client is a US-based community health center so they only want to
accept mail from the US and CA country-code domains which gives rise to
the second set of rules. If you don't need to accept mail from servers
in .vn, .in, .ru, etc., rules like this can help.
In the ruleset for helo_access I block a variety of the newer top-level
domains that have become havens for spammers:
/\.click$/ REJECT
/\.date$/ REJECT
/\.faith$/ REJECT
/\.party$/ REJECT
/\.link$/ REJECT
/\.xyz$/ REJECT
/\.download$/ REJECT
/\.top$/ REJECT
/\.space$/ REJECT
/\.win$/ REJECT
/\.stream$/ REJECT
/\.gdn$/ REJECT
/\.website$/ REJECT
/\.bid$/ REJECT
I run a script each day which scans the mail log and tallies up the
number of rejections per IP address. Any IP address that generated ten
or more spam rejections in a single day is blocked via an iptables rule.
The overall objective here is to drop as much junk as possible at the
doorstep so MailScanner need not bother with it.
Peter
On 04/25/2017 12:05 PM, Danita Zanre wrote:
> I have one site that I scan for that is just being inundated with spam
> and viruses. My poor server simply cannot keep up!
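Postfix evaluates a regexp/pcre access table top to bottom and acts on the first pattern that matches the whole lookup key, which is why the "OK" lines for .us and .ca in Peter's sender_access table have to sit above the generic two-letter-TLD REJECT. The following Python is an added illustration of that first-match rule and is not code from the post or from Postfix; it re-implements only the slash-delimited "/pattern/ action" form (no trailing flags, an assumption made for brevity) and uses Python's re module in place of the PCRE library, which is equivalent for the patterns shown.

```python
import re

# Constructed copy of a Postfix pcre: sender_access table in the shape shown in
# the post. Postfix reads these tables top to bottom and the FIRST matching
# pattern decides, so the OK lines for .us/.ca must precede the generic REJECT.
SENDER_ACCESS = r"""
# no mail from outsiders claiming to be us
/\.example\.com$/ REJECT
/10-10-10/ REJECT
# no two-letter country-code domains except us/ca
/\.us$/ OK
/\.ca$/ OK
/\.[a-z][a-z]$/ REJECT US senders only
"""

# The same country-code rules with the OK lines placed AFTER the generic
# REJECT (constructed to show the ordering mistake, not from the post).
SENDER_ACCESS_MISORDERED = r"""
/\.[a-z][a-z]$/ REJECT US senders only
/\.us$/ OK
/\.ca$/ OK
"""

# "/pattern/ action": the pattern may contain escaped slashes, the action is
# everything after the whitespace (e.g. "REJECT US senders only").
RULE_RE = re.compile(r"^/((?:\\.|[^/\\])*)/\s+(\S.*)$")


def parse_pcre_table(text):
    """Parse /pattern/ action lines into (compiled regex, action) pairs.

    Postfix pcre tables match case-insensitively by default, so IGNORECASE
    is applied here too. Trailing pattern flags are not supported in this
    example (assumption); the table above uses none.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed table line: %r" % line)
        pattern, action = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action))
    return rules


def lookup(rules, key):
    """First-match-wins lookup against the whole string, as Postfix does for
    regexp/pcre access maps (no domain or localpart sub-lookups)."""
    for rx, action in rules:
        if rx.search(key):
            return action
    return None


def sender_decision(rules, sender):
    """Return the access verb Postfix would act on: REJECT, OK, or DUNNO
    (no match, so the next restriction in the list gets to decide)."""
    action = lookup(rules, sender)
    if action is None:
        return "DUNNO"
    return action.split()[0].upper()


RULES = parse_pcre_table(SENDER_ACCESS)
MISORDERED = parse_pcre_table(SENDER_ACCESS_MISORDERED)

if __name__ == "__main__":
    for s in ("alice@mail.example.com", "bob@clinic.us", "spam@host.vn",
              "eve@relay.org", "x@mail.10-10-10-10.example.net"):
        print("%-32s %s" % (s, sender_decision(RULES, s)))
    print("misordered table, bob@clinic.us:",
          sender_decision(MISORDERED, "bob@clinic.us"))
```

With the rules in the post's order, bob@clinic.us is accepted and spam@host.vn is rejected; with the OK lines moved below the generic REJECT, the .us sender is rejected before its OK line is ever reached. Note also that a three-letter TLD such as .org falls through with no match, leaving the decision to the later restrictions in the list.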
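Peter describes a daily script that tallies smtpd rejections per client IP and firewalls any address with ten or more in a day. The Python below is an added example of that tally, written for this page rather than taken from the post: it runs over constructed Postfix log lines, counts only the day being scored, skips an operator-defined allow list of networks that must never be blocked, and renders the iptables commands as strings for review instead of executing them. The log format, the 192.0.2.0/24 allow list and the sample addresses are all constructed assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed Postfix log excerpt (not from the post). Lines follow the usual
# "postfix/smtpd[pid]: NOQUEUE: reject: RCPT from host[ip]: ..." shape.
SAMPLE_LOG = []
for i in range(12):   # 12 rejections from one host: over the threshold
    SAMPLE_LOG.append(
        "Apr 25 %02d:13:01 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
        "unknown[198.51.100.7]: 554 5.7.1 <spam%d@host.vn>: Sender address "
        "rejected: US senders only; from=<spam%d@host.vn> to=<user@example.com> "
        "proto=ESMTP helo=<host.xyz>" % (i, i, i))
for i in range(3):    # 3 rejections from another host: under the threshold
    SAMPLE_LOG.append(
        "Apr 25 09:%02d:30 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from "
        "mail.example.net[203.0.113.9]: 554 5.7.1 <bad@bid.click>: Helo command "
        "rejected: Access denied; from=<bad@bid.click> to=<user@example.com> "
        "proto=ESMTP helo=<bid.click>" % i)
for i in range(10):   # a partner inside the allow list: counted, never blocked
    SAMPLE_LOG.append(
        "Apr 25 14:%02d:00 mx postfix/smtpd[4245]: NOQUEUE: reject: RCPT from "
        "partner.example.org[192.0.2.30]: 450 4.1.8 <x@nxdomain.invalid>: Sender "
        "address rejected: Domain not found; from=<x@nxdomain.invalid> "
        "to=<user@example.com> proto=ESMTP helo=<partner.example.org>" % i)
# an accepted connection and a rejection from the previous day: both ignored
SAMPLE_LOG.append("Apr 25 10:00:00 mx postfix/smtpd[4244]: connect from "
                  "relay.example.org[192.0.2.20]")
SAMPLE_LOG.append("Apr 24 23:59:59 mx postfix/smtpd[4101]: NOQUEUE: reject: RCPT "
                  "from unknown[198.51.100.7]: 554 5.7.1 <old@host.vn>: Sender "
                  "address rejected: US senders only; from=<old@host.vn> "
                  "to=<user@example.com> proto=ESMTP helo=<host.xyz>")

# Syslog date, then the smtpd reject line with the client IP in brackets.
REJECT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} [ \d]\d) \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: \w+ from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]:")

# Networks that must never be firewalled off, whatever the log says
# (constructed for this example; fill in your own relays and monitoring).
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("127.0.0.0/8")]


def tally_rejects(lines, date_prefix):
    """Count smtpd rejections per client IP for lines whose syslog date equals
    date_prefix (e.g. 'Apr 25'), so each daily run scores only that day."""
    counts = Counter()
    for line in lines:
        m = REJECT_RE.match(line)
        if m and m.group("date") == date_prefix:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold=10):
    """IPs at or above the threshold, minus anything inside NEVER_BLOCK."""
    out = []
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in NEVER_BLOCK):
            out.append(ip)
    return sorted(out)


def iptables_rules(ips):
    """Render the firewall rules as strings: printing rather than executing
    keeps the review step in the operator's hands."""
    return ["iptables -I INPUT -s %s -p tcp --dport 25 -j DROP" % ip
            for ip in ips]


if __name__ == "__main__":
    counts = tally_rejects(SAMPLE_LOG, "Apr 25")
    for ip, n in counts.most_common():
        print("%-16s %d" % (ip, n))
    for rule in iptables_rules(offenders(counts)):
        print(rule)
```

Two details matter in practice: filtering on the day's date prefix keeps a slow sender from accumulating across runs into a block it never earned in one day, and the allow list stops a misconfigured partner (here 192.0.2.30, rejected ten times for a sender domain that does not resolve) from being cut off at the firewall.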