Spam attack on one specific domain

Discussion in 'Installation/Configuration' started by steowimmy, Oct 30, 2006.

  1. steowimmy

    steowimmy New Member

    Hi everybody!

I have been using ISPConfig 2.2.5 since this spring ('06) and I'm very happy with it!

Presently, I have a domain mydomain.tld that got a big mail attack this morning. The mails are tagged as Spam, but with 100 spam emails per minute just for this domain, it's very dangerous and slows my system for the other domains.

    For example in maillog:

    Oct 30 04:53:36 ns0002 postfix/smtpd[11192]: NOQUEUE: reject: RCPT from unknown[1.2.3.4] 550 <aert@mydomain.tld>: Recipient address rejected: User unknown in local recipient table;

In this case, the email doesn't pass. But for the others, if the user account exists on this domain, the same IP (or another one) will pass... Yeurk!

I have seen that this attack comes from an IP with an "unknown" tag.

    Well I want to know how can I block the "unknown" one on Postfix...

    I have followed the procedures on Fedora Core 5 x64 for ISPConfig. The version of Postfix is 2.2.8.
     
  2. falko

    falko Super Moderator

    You could change your Postfix configuration so that it is very strict and blocks most spam before it reaches SpamAssassin. You could put something like this into /etc/postfix/main.cf:

    Code:
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    smtpd_recipient_restrictions =
                reject_invalid_hostname,
                reject_unknown_recipient_domain,
                reject_unauth_pipelining,
                permit_mynetworks,
                permit_sasl_authenticated,
                reject_unauth_destination,
                reject_rbl_client multi.uribl.com,
                reject_rbl_client dsn.rfc-ignorant.org,
                reject_rbl_client dul.dnsbl.sorbs.net,
                reject_rbl_client list.dsbl.org,
                reject_rbl_client sbl-xbl.spamhaus.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client proxies.relays.monkeys.com,
                reject_rbl_client rblmap.tu-berlin.de,
                reject_rbl_client relays.ordb.org,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client opm.blitzed.org,
                reject_rbl_client blackholes.easynet.nl,
                reject_rbl_client cbl.abuseat.org,
                reject_rbl_client ix.dnsbl.manitu.net,
                permit
    (Replace the directives that are already in your main.cf.)

    But be aware that this might also block legitimate emails, so you should test it.
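Before tightening main.cf, it helps to measure what the flood actually looks like in the maillog: which client IPs are hammering the server, which recipient domains they target, how many rejections per minute they produce, and whether they show up as "unknown" (Postfix logs "unknown" as the client name when the connecting IP has no working reverse DNS). The script below is an added example, not code from the thread or from ISPConfig; it parses NOQUEUE reject lines in the shape quoted above over a few constructed sample lines (the 1.2.3.4 address and mydomain.tld come from the post, the other addresses, hostnames and the RBL line are made up) and summarises them the way an admin would before deciding on restrictions.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt. The first line is the one quoted in the
# thread; the others are made up in the same Postfix 2.2 smtpd format.
SAMPLE_LOG = """\
Oct 30 04:53:36 ns0002 postfix/smtpd[11192]: NOQUEUE: reject: RCPT from unknown[1.2.3.4] 550 <aert@mydomain.tld>: Recipient address rejected: User unknown in local recipient table;
Oct 30 04:53:37 ns0002 postfix/smtpd[11192]: NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 550 <bert@mydomain.tld>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<bert@mydomain.tld> proto=ESMTP helo=<x>
Oct 30 04:53:38 ns0002 postfix/smtpd[11193]: NOQUEUE: reject: RCPT from unknown[1.2.3.4]: 550 <cert@mydomain.tld>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<cert@mydomain.tld> proto=ESMTP helo=<x>
Oct 30 04:54:01 ns0002 postfix/smtpd[11194]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 <dert@mydomain.tld>: Recipient address rejected: User unknown in local recipient table; from=<y@example.org> to=<dert@mydomain.tld> proto=SMTP helo=<y>
Oct 30 04:54:05 ns0002 postfix/smtpd[11195]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using sbl-xbl.spamhaus.org; from=<z@example.com> to=<joe@otherdomain.tld> proto=ESMTP helo=<mail.example.com>
Oct 30 04:54:09 ns0002 postfix/smtpd[11192]: connect from unknown[1.2.3.4]
"""

# Matches "NOQUEUE: reject: RCPT from <name>[<ip>]: <code> [<rcpt>: ]<reason>; ...".
# The colon after the bracket is optional because the line quoted in the
# thread omits it; the recipient is taken from "<rcpt>" when it directly
# follows the code (user-unknown rejects) or from the "to=<...>" field
# (RBL rejects, where the code is followed by "Service unavailable").
REJECT_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d{1,2} \d\d:\d\d):\d\d \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:? "
    r"(?P<code>\d{3}) (?:<(?P<rcpt>[^>]*)>: )?(?P<reason>[^;]+)"
    r"(?:;.*?to=<(?P<to>[^>]*)>)?"
)


def parse_rejects(log_text):
    """Return one record per reject line; non-reject lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        rcpt = m.group("rcpt") or m.group("to") or ""
        records.append({
            "minute": m.group("minute"),
            "host": m.group("host"),          # "unknown" when reverse DNS failed
            "ip": m.group("ip"),
            "code": int(m.group("code")),
            "rcpt": rcpt,
            "domain": rcpt.split("@")[-1] if "@" in rcpt else "",
            "reason": m.group("reason").strip(),
        })
    return records


def summarize(records):
    """Per-IP and per-domain reject counts plus the IPs that had no rDNS name."""
    return {
        "per_ip": Counter(r["ip"] for r in records),
        "per_domain": Counter(r["domain"] for r in records if r["domain"]),
        "unknown_clients": sorted({r["ip"] for r in records if r["host"] == "unknown"}),
    }


def flood_sources(records, per_minute_threshold):
    """(ip, minute, count) for every client whose rejects in one log minute
    reach the threshold. The thread reported roughly 100 per minute; the
    threshold is a tunable assumption, not a Postfix setting."""
    buckets = Counter((r["ip"], r["minute"]) for r in records)
    return sorted(
        (ip, minute, n)
        for (ip, minute), n in buckets.items()
        if n >= per_minute_threshold
    )


if __name__ == "__main__":
    recs = parse_rejects(SAMPLE_LOG)
    s = summarize(recs)
    print("rejects per client IP:", dict(s["per_ip"]))
    print("rejects per recipient domain:", dict(s["per_domain"]))
    print("clients without reverse DNS:", s["unknown_clients"])
    # A low threshold so the tiny sample shows the flood detection in action.
    print("flood sources (>=3/min):", flood_sources(recs, 3))
```

Run it against a real /var/log/maillog by replacing SAMPLE_LOG with the file contents. The "unknown" client name is what Postfix's `reject_unknown_client` restriction (named `reject_unknown_client_hostname` from Postfix 2.3 on) keys on, which is why that restriction is a blunt instrument: many legitimate mail servers also lack matching reverse DNS, so the per-domain and per-minute counts above are worth checking before enabling it.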
     
  3. steowimmy

    steowimmy New Member

    Thanks Falko! It's ok!

    I have corrected the RBL filters with my personal choice!

Super, Postfix does a good job!
     