Postfix SPAM Control
Server Training - Mail Server
Controlling SPAM on Postfix

SPAM is a huge issue when managing a mail server. It can eat up valuable resources and bring unwanted virus potential into the network. Here are several strategies to limit the amount of SPAM that arrives on the mail server as well as in the user mailbox.
1. Reject SPAM at the Server

The advantage of rejecting SPAM at the server is that it has no way to infect users with virus activity, it does not consume bandwidth on the network, and it does not consume as many resources on the server because it never needs to be stored.

2. Save SPAM to a Warehouse

The advantage of saving SPAM into a warehouse is that you will reduce the loss of legitimate mail, because you can review the contents of the warehouse from time to time.

3. Deliver SPAM to User with SPAM Designation

The advantage of this method is that the user can make the determination whether it is SPAM or not. However, you are then counting on the user making the right decision every time, and wasting a lot of network and server resources in the process.

The decision you make in terms of which option to select is determined by the significance of lost mail that is tagged as SPAM vs. the impact of a user creating a meltdown by initiating a virus on the network.

Client Detection Rules

Postfix uses these rules to control which clients are accepted for mail delivery:

    smtpd_client_restrictions
    smtpd_helo_restrictions
    smtpd_sender_restrictions
    smtpd_recipient_restrictions
    smtpd_data_restrictions

Spamming techniques typically disguise the origin of the mail. Spammers use a number of such techniques, and you will need to work through each one to minimize it.

Forged Addresses

A favorite technique of spammers is to forge addresses by using your server hostname in the HELO greeting. Therefore, to eliminate this issue you will need to reject SMTP communication with any client that greets your server with the server's own hostname (or its address, as in the map below); such a greeting can't be legitimate.

Step #1: Create the helo_checks map

    /^ns\.example\.com$/ 550 Bad helo check
    /^216\.114\.226\.157$/ 550 Bad helo check
    /^\[216\.114\.226\.157\]$/ 550 Bad helo check
Step #2: Add the check to the smtpd restrictions

    smtpd_recipient_restrictions =
        warn_if_reject reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_hostname
        reject_invalid_hostname
        check_helo_access pcre:/etc/postfix/helo_checks
        permit

Stop Non-Routable Networks

Spammers will also use networks which are not routable, and thus not traceable. You can stop this technique with Postfix; however, your network firewall should not allow these kinds of networks to enter your network at all.

Step #1: Create bogus_mx

Create a map that lists these unroutable networks. Place one network on each line.

    0.0.0.0/8 550 Bad Network
    10.0.0.0/8 550 Bad Network
    127.0.0.0/8 550 Bad Network
    224.0.0.0/4 550 Bad Network
    192.168.0.0/16 550 Bad Network

Step #2: Enter the line in the smtpd restrictions

    smtpd_recipient_restrictions =
        warn_if_reject reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_hostname
        reject_invalid_hostname
        check_helo_access pcre:/etc/postfix/helo_checks
        check_sender_mx_access cidr:/etc/postfix/bogus_mx
        permit
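Before putting the helo_checks and bogus_mx maps into production it helps to see how Postfix walks them: top to bottom, stopping at the first line that matches, with no match meaning the next restriction decides. The script below is an added example written for this page, not Postfix's own code. It re-implements that linear lookup in Python for the pcre: and cidr: map formats, embeds copies of the two maps from the steps above as constructed strings, and runs sample HELO names and sender MX addresses through them in the same order as the restriction list. The stage labels in the returned strings ("helo:", "sender_mx:") and the order_matters() helper are assumptions added for readability; the documentation addresses 203.0.113.10 and 10.1.2.3 are constructed inputs.

```python
"""Added example, not Postfix's own code: a Python re-implementation of the
first-match scan Postfix performs over a pcre: or cidr: access map, run over
the page's helo_checks and bogus_mx maps (embedded below as constructed
copies) so the rejection order can be checked offline."""
import ipaddress
import re

# Constructed copy of the page's /etc/postfix/helo_checks.
HELO_CHECKS = r"""
/^ns\.example\.com$/ 550 Bad helo check
/^216\.114\.226\.157$/ 550 Bad helo check
/^\[216\.114\.226\.157\]$/ 550 Bad helo check
"""

# Constructed copy of the page's /etc/postfix/bogus_mx.
BOGUS_MX = """
0.0.0.0/8 550 Bad Network
10.0.0.0/8 550 Bad Network
127.0.0.0/8 550 Bad Network
224.0.0.0/4 550 Bad Network
192.168.0.0/16 550 Bad Network
"""


def parse_pcre_map(text):
    """Return (compiled_regex, action) pairs in file order. Postfix pcre tables
    match case-insensitively unless the 'i' flag toggles that off."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.*)/(\w*)\s+(.*)$", line)  # /pattern/flags action
        if not m:
            raise ValueError(f"bad pcre map line: {line!r}")
        pattern, flags, action = m.groups()
        re_flags = 0 if "i" in flags else re.IGNORECASE
        entries.append((re.compile(pattern, re_flags), action))
    return entries


def parse_cidr_map(text):
    """Return (network, action) pairs in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        network, action = line.split(None, 1)
        entries.append((ipaddress.ip_network(network, strict=False), action))
    return entries


def first_match(entries, key, matches):
    """Linear scan: the first entry whose test succeeds decides and later
    entries are never consulted, the same rule as an iptables chain."""
    for test_value, action in entries:
        if matches(test_value, key):
            return action
    return None  # no match: the lookup yields nothing, next restriction decides


def lookup_pcre(entries, helo_name):
    return first_match(entries, helo_name,
                       lambda regex, key: regex.search(key) is not None)


def lookup_cidr(entries, address):
    ip = ipaddress.ip_address(address)
    return first_match(entries, ip, lambda network, key: key in network)


def check_client(helo_name, sender_mx_ip, helo_map=HELO_CHECKS, cidr_map=BOGUS_MX):
    """Evaluate the two check_*_access steps from the page in restriction-list
    order; the first one that yields an action wins, else the trailing permit."""
    action = lookup_pcre(parse_pcre_map(helo_map), helo_name)
    if action:
        return "helo: " + action
    action = lookup_cidr(parse_cidr_map(cidr_map), sender_mx_ip)
    if action:
        return "sender_mx: " + action
    return "permit"


def order_matters(address="10.0.5.9"):
    """Why line order is critical: a narrow OK entry only takes effect when it
    is listed before the broad rejection it is meant to carve out of."""
    ok_first = "10.0.5.0/24 OK\n10.0.0.0/8 550 Bad Network\n"
    reject_first = "10.0.0.0/8 550 Bad Network\n10.0.5.0/24 OK\n"
    return (lookup_cidr(parse_cidr_map(ok_first), address),
            lookup_cidr(parse_cidr_map(reject_first), address))


if __name__ == "__main__":
    for helo, mx in [("ns.example.com", "203.0.113.10"),
                     ("[216.114.226.157]", "203.0.113.10"),
                     ("mail.partner.example", "10.1.2.3"),
                     ("mail.partner.example", "203.0.113.10")]:
        print(f"HELO {helo!r}, sender MX {mx} -> {check_client(helo, mx)}")
    print("order_matters():", order_matters())
```

The same lookup is what `postmap -q` performs against the real map files on a Postfix host, so this script is only a way to reason about ordering offline; the maps themselves stay authoritative.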
Remember: Linear Maps (PCRE, regexp, CIDR and Flat Files)

These are typical text files. The purpose of these files is to allow Postfix to read them from top to bottom and, when a match is found, take some action. This process is much like iptables in that the first match is what counts, so order in the file is extremely important. One problem with these maps is that as they get larger it takes more time for Postfix to read them.

Using a Blackhole

The one thing that is important to understand when using blackholes is that these DNS blacklists require Postfix to do a DNS lookup, which will take resources from your server and create latency. However, this can be a significant reduction in SPAM. In the example below two kinds of lists are used to block spam; these are only illustrations, and you should research your list carefully. Each list will have an address that you can enter to access the list. These two are combined in one address. That address is then entered into your smtpd restrictions.

Exploits Block List (http://www.spamhaus.org/xbl/index.lasso)
The Spamhaus Block List (http://www.spamhaus.org/sbl/index.lasso)
These two lists are combined into this address:

    sbl-xbl.spamhaus.org

    smtpd_recipient_restrictions =
        warn_if_reject reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_hostname
        reject_invalid_hostname
        check_helo_access pcre:/etc/postfix/helo_checks
        check_sender_mx_access cidr:/etc/postfix/bogus_mx
        reject_rbl_client sbl-xbl.spamhaus.org
        permit

Force Address Sender Verification

One of the best methods of restricting SPAM is to require address verification. This means that Postfix will initiate an SMTP session with the client's server to verify that the sender is a legitimate address. This takes time and resources, but it is a very effective way to deal with SPAM. You will need to add the reject_unverified_sender option.

    smtpd_recipient_restrictions =
        warn_if_reject reject_non_fqdn_recipient
        reject_non_fqdn_sender
        reject_unknown_sender_domain
        reject_unknown_recipient_domain
        permit_mynetworks
        reject_unauth_destination
        reject_non_fqdn_hostname
        reject_invalid_hostname
        check_helo_access pcre:/etc/postfix/helo_checks
        check_sender_mx_access cidr:/etc/postfix/bogus_mx
        reject_unverified_sender
        permit

There is a way to enhance this process. Postfix caches the addresses it checks and keeps them in memory. This is great because the system will not have to look the same address up again...unless you restart the server, as the in-memory cache is then lost. However, you can tell Postfix to write the addresses to a map file, which allows Postfix to cache them permanently. Use the address_verify_map feature to make this work.

    address_verify_map = btree:/var/spool/postfix/verified_senders

If you do not want to cache negative sender verification results, use this parameter:

    address_verify_negative_cache = no
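The reject_rbl_client step in the Using a Blackhole section is the one restriction above that costs a DNS round trip per client, so it is worth seeing exactly what is looked up. The script below is an added example for this page, not Postfix's own code. It builds the DNSBL query name the way Postfix does (client IPv4 octets reversed, then the list domain appended) and interprets the answer: by default any A record means the client is listed, while the domain=d.d.d.d form of reject_rbl_client only counts that exact answer. The resolver is a constructed dictionary so the script runs offline; the client addresses and 127.0.0.x return codes in it are made up for the demonstration and say nothing about real listings. One addition beyond Postfix's own behaviour, labelled in the code, is that an answer outside 127.0.0.0/8 is ignored rather than treated as a listing, a sanity check for list domains that have stopped being DNSBLs. The 554 reply text is modelled on Postfix's default_rbl_reply.

```python
"""Added example, not Postfix's own code: how a reject_rbl_client lookup is
formed and interpreted, against a constructed offline resolver."""
import ipaddress

RBL_DOMAIN = "sbl-xbl.spamhaus.org"   # the combined list named on the page

# Constructed stand-in for DNS: query name -> A record. Entries and codes are
# made up for the demonstration; absent names mean "no record".
FAKE_RESOLVER = {
    "10.113.0.203.sbl-xbl.spamhaus.org": "127.0.0.2",
    "7.100.51.198.sbl-xbl.spamhaus.org": "127.0.0.4",
}

# Real DNSBLs return their listing codes inside this range.
DNSBL_ANSWER_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def rbl_query_name(client_ip, rbl_domain=RBL_DOMAIN):
    """Build the DNSBL query name: client octets reversed, list domain appended."""
    ip = ipaddress.IPv4Address(client_ip)            # rejects malformed input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{rbl_domain}"


def rbl_lookup(client_ip, rbl_spec=RBL_DOMAIN, resolver=FAKE_RESOLVER):
    """Return (decision, detail). rbl_spec is the argument you would give to
    reject_rbl_client: 'domain' or 'domain=d.d.d.d'."""
    domain, _, expected = rbl_spec.partition("=")
    name = rbl_query_name(client_ip, domain)
    answer = resolver.get(name)         # one DNS round trip per client per list
    if answer is None:
        return ("dunno", f"{name}: no A record, next restriction decides")
    if expected and answer != expected:
        return ("dunno", f"{name}: answer {answer} is not {expected}, not a listing")
    if ipaddress.IPv4Address(answer) not in DNSBL_ANSWER_RANGE:
        # Added sanity check (stricter than Postfix's default): an answer that
        # is not a 127.0.0.x code usually means the list domain is no longer a
        # DNSBL (expired or wildcarded), so it must not reject real mail.
        return ("dunno", f"{name}: answer {answer} is not a DNSBL code, ignored")
    return ("reject", f"554 Service unavailable; Client host [{client_ip}] "
                      f"blocked using {domain}; answer {answer}")


def count_lookups(client_ips, rbl_specs=(RBL_DOMAIN,)):
    """Latency estimate from the page's warning: one DNS query per client per
    configured list, before any caching by the local resolver."""
    return len(client_ips) * len(rbl_specs)


if __name__ == "__main__":
    clients = ["203.0.113.10", "198.51.100.7", "192.0.2.1"]
    for ip in clients:
        print(ip, "->", rbl_lookup(ip))
    print("with an exact-code spec:",
          rbl_lookup("198.51.100.7", "sbl-xbl.spamhaus.org=127.0.0.2"))
    print("DNS queries needed:", count_lookups(clients))
```

Because the query goes to the list operator's DNS for every new client, placing reject_rbl_client after the cheap syntactic checks and after permit_mynetworks, as the page's restriction list does, keeps the lookup from being spent on connections that would have been rejected or permitted anyway.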