Menu
01101110 01100101 01110100 01110111 01101111 01110010 01101011 01100001 01100100 01101101 01101001 01101110 01110100 01101111 01101111 01101100 01110011 00001101 00001010

Background

Manage Engine

Our readers provide the funding for our platform, and we may receive a commission when you make a purchase using the links on our site.

Avoid Unwanted Email

/ May 11, 2018 — Email

The opportunists who send unsolicited bulk email (UBE) use tools that do not follow standards. This can work to an advantage in that improper configuration can allow quite a bit of filtering to be done on inbound email. For instance, the following entries in main.cf for postfix will dramatically cut down on email from misconfigured hosts:

smtpd_recipient_restrictions =  permit_mynetworks, reject_invalid_hostname, 
reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, 
reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client 
combined.njabl.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client 
dul.dnsbl.sorbs.net,reject_rbl_client list.dsbl.org,reject_rbl_client 
opm.blitzed.org,reject_rbl_client relays.ordb.org,reject_rbl_client 
sbl.spamhaus.org, permit
smpd_data_restrictions = reject_unauth_pipelining, permit

We have had good luck with the above, and have yet to notice missed email; however, do be careful with extreme restrictions like this.

For information on the specific RBL checks, see:
combined.njabl.org
cbl.abuseat.org
dul.dnsbl.sorbs.net
list.dsbl.org
opm.blitzed.org
relays.ordb.org
sbl.spamhaus.org

It is important to keep up on these, since there is some churn, and changes can disrupt your incoming email. [For instance, opm.blitzed.org is currently down as of April 28 2006.]

We have some domains that used to be used in the mid nineties to post to newsgroups, back when sharing contact information openly was more common. We ceased using these domains for email years ago, after receiving hundreds of emails a day years after removing any references from our websites. The newsgroup postings, though, are still farmed, and we are firmly embedded in the UBE machinery. Even though the email boxes are invalid, the UBE machinery bangs on our SMTP door relentlessly, causing more load at times than any other service.

Postfix has numerous options for throttling. This helps a lot. For instance, if you are getting a dictionary attack, if there are too many RCPT errors in a row, the connection will be shut down. One thing about hosting on a shared server is that dictionary attacks are quite fruitful in some cases, depending on how the server is configured, since any name in any domain might allow mail transfer. Our hunch is that as this has happened over the last ten years with one of our older domains, that these names were stored on lists as being valid, so now, we get banged with both dictionary attacks and every hostname on any domain name we ever shared a server with. Some of the names recur too often to be simply dictionary attacks.

Another problem is that the UBE tools often ignore MX records. We tried getting rid of the MX record so that the knocking would subside; however, it appears that the UBE tools ignore the MX record in many cases, and simply go to the same server as the domain A record is. The solution for this was to listen on port 25 on a secondary IP address that was different than the domain. With Postfix, this is specified in main.cf using this line:

inet_interfaces = hostalternate.example.com

Add localhost if you need it:

inet_interfaces = hostalternate.example.com, localhost

Now that Postfix listens on an IP different than our old domain’s A record, our server’s performance is considerably better.

Information

About