DevHeads.net

Assistance to protect from spam flood

Hi all,
Until recently I did not receive too much spam and had it pretty much
under control. This week has gone mental. So far this week I have
received 29860 connection attempts from {some_random_number}@qq.com to
{the_same_random_number}@howitts.co.uk.

I have a mail server and two backup MX servers and most of the mail is
arriving via one of the backup servers. Some comes directly to me and
some comes via the other backup server. Because of my settings, none of
it can get through.

My postconf -n is:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
clearglassnetwork = 172.19.0.0/16
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
message_strip_characters = \0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = howitts.co.uk
myhostname = mailserver.howitts.co.uk
mynetworks = 127.0.0.0/8, [::1]/128, 172.17.2.0/23, $clearglassnetwork
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
relayhost = [smtp.ntlworld.com]:25
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks,
    reject_unknown_reverse_client_hostname
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, reject_non_fqdn_recipient,
    reject_invalid_hostname, check_policy_service
    unix:/var/spool/postfix/postgrey/socket, reject_unauth_pipelining,
    reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
    hash:/etc/postfix/access, permit_sasl_authenticated,
    reject_non_fqdn_sender, reject_invalid_hostname
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/www.howitts.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/www.howitts.co.uk/privkey.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps,
    ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf

In /etc/postfix/access I have:
howitts.co.uk    REJECT
qq.com           REJECT

The howitts.co.uk is there to stop anyone from the internet pretending
to send mail from my domain to me. My roadwarriors send on port 587 to
bypass this restriction.

This means the spam can't get through for two reasons: 1 - it is from
qq.com and 2 - the users don't exist on my system.

The qq.com mail sent directly to me is from all sorts of IP addresses, but
often 163.com, so it is not a single IP. It has the typical scattering of
sending IPs, some with and some without PTR records (so from unknown).

Is there anything further I can do to cut down or stop this spam? Also
are there more effective blocks I can do to lighten the load on the
server and reduce traffic?

Thanks,

Nick

Comments

Re: Assistance to protect from spam flood

By allenc at 01/12/2019 - 16:11

On 12/01/2019 11:09, Nick Howitt wrote:
If you are troubled by Chinese hosts, you might also like to look at the thread "SMTP filter using geo-localization" for
ideas.

But as others have said, ditching the secondary MX servers and setting up Postscreen should be your first two priorities.

Talk to me off-list.

Allen C

Re: Assistance to protect from spam flood

By Bill Cole at 01/12/2019 - 13:57

Your first step should be to seriously interrogate that architectural
choice.

When variable-priority MXs were devised, the Internet was very different
and general experiences with cross-domain email were very different. It
made sense to have distant backup MXs, even if they were run by other
people. Also, spam wasn't a thing.

Today there are very few mail systems that can gain anything discernible from
having multiple MXs that are not under common administrative control and
consciously configured to operate together as equals or with varied
priorities. As you have discovered, having secondary MXs which you do
not control causes hard problems with spam. In addition to the fact that
spammers have learned to hit the backup MXs first, you are presented
with the problem of very likely causing backscatter and/or silently
dropping mail.

Re: Assistance to protect from spam flood

By Dominic Raferd at 01/12/2019 - 07:44

Using postscreen, even if only with zen.spamhaus.org, will probably stop most
of them before they get their foot in the door. If the load remains a
problem then try the postfix jail in fail2ban - but it will only help with
repeated attempts from the same IPs.

Re: Assistance to protect from spam flood

By John Fawcett at 01/12/2019 - 07:43

On 12/01/2019 12:09, Nick Howitt wrote:
http://www.postfix.org/POSTSCREEN_README.html

What you could also do is look into additional block lists to use with
reject_rbl_client checks. I use b.barracudacentral.org as well as
zen.spamhaus.org, but there are others too that can be valid either as
outright blocks or as part of the scoring mechanism to use with
postscreen_dnsbl_threshold.

You could also consider some specific smtpd_helo_restrictions like
reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname. I also
use dbl.spamhaus.org with reject_rhsbl_helo and reject_rhsbl_sender. You
could also look into adding reject_unknown_recipient_domain and
reject_unknown_sender_domain.

Also, if the 29860 connections are coming through with many concurrent
connections or in a short space of time, you could add some
concurrency/rate limits.

John

Re: Assistance to protect from spam flood

By Nick Howitt at 01/12/2019 - 10:23

On 12/01/2019 11:43, John Fawcett wrote:

Re: Assistance to protect from spam flood

By Nick Howitt at 01/12/2019 - 10:50

On 12/01/2019 14:23, Nick Howitt wrote:

Re: Assistance to protect from spam flood

By John Fawcett at 01/12/2019 - 10:47

On 12/01/2019 15:23, Nick Howitt wrote:
John

Re: Assistance to protect from spam flood

By Nick Howitt at 01/12/2019 - 10:52

On 12/01/2019 14:47, John Fawcett wrote:

Re: Assistance to protect from spam flood

By LuKreme at 01/12/2019 - 12:42

On 12 Jan 2019, at 07:52, Nick Howitt < ... at howitts dot co.uk> wrote:
Honestly, you should not have an MX server outside of your control.

If your server is routinely down for several days, then you shouldn't be running your own server.

Re: Assistance to protect from spam flood

By Nick Howitt at 01/12/2019 - 16:58

On 12/01/2019 16:42, @lbutlr wrote:

Re: Assistance to protect from spam flood

By Kris Deugau at 01/14/2019 - 12:28

Nick Howitt wrote:
Blocking at that point is still incredibly cheap compared to accepting
the message then feeding it to eg SpamAssassin.

About the only notch better you could do would be to watch for some of
the IPs, look up the netblock they're part of in WHOIS, then block them
in the firewall. That assumes you never ever EVER want to receive mail
from anyone using those providers, with ANY domain in the sender address.

I had a P100 with maybe 32MB of RAM, running sendmail, relaying possibly
10-15K messages daily to a legacy mail system running on a Novell
Netware 4.something host (yes, really) around 2001, and rejecting a
longish list of things based on connecting IP or sender email both
within sendmail and occasionally via milter (MIMEDefang). Load was
effectively 0. If these aren't showing up in your mailbox, don't worry
about it.

-kgd

Re: Assistance to protect from spam flood

By Bill Cole at 01/13/2019 - 01:37

Not necessarily. There are spammers who use backup MXs intentionally to
scam their own customers, since they can show "successful" deliveries
without regard to what ultimately happens to the messages. There is also
the possibility that this is an intentional backscatter-flood attack on
the putative senders, using your backup MXs to bounce a flood of junk at
them.

Maybe.

If you use postscreen's pre-greeting data detection and a suitable set
of DNSBLs it is likely (if this is mostly spambots, which seems likely)
that you can keep a large fraction of them from ever talking to a real
smtpd.
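A main.cf/master.cf fragment showing the postscreen, weighted DNSBL scoring, HELO and rate-limit settings that John Fawcett and Bill Cole suggest above. This is an added example, not configuration from the thread or from Postfix's own documentation; the DNSBL weights, the threshold, the access-list path and the rate-limit numbers are assumptions to tune for your own traffic, and Postfix 2.10 (as on the server above) is assumed, which has postscreen.

```ini
# --- main.cf additions (added example, not from the thread) ---

# postscreen sits in front of smtpd on port 25 only, so roadwarriors on 587
# are unaffected. It drops clients that talk before the greeting and rejects
# on DNSBL score before a real smtpd process is spent on the connection.
postscreen_greet_action = enforce
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = enforce
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr   # assumed local allow/deny list

# Weighted scoring: a Zen hit alone (3) meets the threshold; a lone
# Barracuda hit (2) does not, so one list cannot block by itself.
postscreen_dnsbl_sites = zen.spamhaus.org*3,
    b.barracudacentral.org*2
postscreen_dnsbl_threshold = 3

# Deep protocol tests: each new client fails its first attempt and must
# reconnect (legitimate MTAs retry; most spambots do not).
postscreen_pipelining_enable = yes
postscreen_non_smtp_command_enable = yes
postscreen_bare_newline_enable = yes

# HELO checks from the thread; reject_rbl_client in the existing
# smtpd_recipient_restrictions becomes redundant for port 25 once
# postscreen scores the same list.
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_rhsbl_helo dbl.spamhaus.org

# Keeps the existing access map and adds the domain-based sender checks.
smtpd_sender_restrictions = permit_mynetworks,
    check_sender_access hash:/etc/postfix/access,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rhsbl_sender dbl.spamhaus.org

# anvil(8) limits, per client per anvil_rate_time_unit (default 60s).
# Only bites when the flood repeats from the same IP; a spread-out
# botnet stays under these numbers.
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_client_recipient_rate_limit = 60

# --- master.cf: replace the single "smtp inet ... smtpd" line ---
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
```

None of this touches mail relayed by the backup MXs, which arrives from their IPs and is already past any client-based check; for that path only recipient rejection applies, with the backscatter consequences discussed in the thread.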

Re: Assistance to protect from spam flood

By John Fawcett at 01/13/2019 - 00:56

On 12/01/2019 21:58, Nick Howitt wrote:
In your specific case I would have just let them reject based on unknown
recipient (if they get past postscreen and rate limiting, when they are
in use). It doesn't require maintenance of access files unless you plan
to automate that.

John

Re: Assistance to protect from spam flood

By Benny Pedersen at 01/12/2019 - 17:32

Nick Howitt wrote on 2019-01-12 21:58:

check valid recipients BEFORE valid senders
qq.com has SPF, use it; if SPF passes, block this sender domain if it's
spam, report to qq.com and hope they listen

use postscreen

use dnsbl in postscreen

google postscreen dnsbl, a number of things have been posted to solve
spamming

Re: Assistance to protect from spam flood

By John Fawcett at 01/12/2019 - 11:04

On 12/01/2019 15:52, Nick Howitt wrote:
I know it sounds a bit drastic, but you might want to think about
whether you need a backup server you don't control. A better choice if
you can't control your own backup server is to have none.

The amount of email you would lose for small outages on the main server
without a secondary MX should be close to zero. With a backup server
that cannot reject mail for unknown users, you will probably be
generating backscatter when your main server rejects email being handed
off from the backup to your main server.

John

Re: Assistance to protect from spam flood

By Durga Prasad Malyala at 01/12/2019 - 12:05

Hi,
if you implement MailScanner etc. you can assign a higher score based
on a header containing 163.com. Maybe that would work.
In any case everyone uses either MailScanner or rspamd on top of postfix.
You can try one of those.
As John suggested, and it's my personal experience also, if you
have a backup MX, that should also have good anti-spam as most
spammers target that server as a backdoor entry.

Regards/DP

On Sat, 12 Jan 2019 at 20:35, John Fawcett < ... at voipsupport dot it> wrote: