Fighting Spam

I started having a lot of trouble with my mail server when it started getting spammed pretty badly. I have Postfix using Amavis to push the email through ClamAV and SpamAssassin. My server was brought to its knees. It was running at 98-99% processor load and it would take hours for email to go through. So here is what I did to fix the problem:

First I added a helo restriction using this:

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_access,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    permit

This eliminated a ton of my spam. The helo_access file allows me to make exceptions for my clients that have broken networks. In addition, this file includes rejects for any client that claims to be my own server. (Handy, since most spammers try to pretend they are you, hoping to get around your relay restrictions.) It looks similar to this:

mydomain.com REJECT You are not me!
localhost REJECT You are not me!
127.0.0.1 REJECT You are not me!
localhost.localdomain REJECT You are not me!
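
To show why the order of the HELO restrictions above matters, here is a simplified Python model of first-match evaluation. It is an added example, not Postfix code and not from the original post; the networks, the "brokenclient" exception entry and the test addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample data: networks, "brokenclient" and its OK entry are assumptions.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
HELO_ACCESS = {
    "mydomain.com": "REJECT You are not me!",
    "localhost": "REJECT You are not me!",
    "127.0.0.1": "REJECT You are not me!",
    "localhost.localdomain": "REJECT You are not me!",
    "brokenclient": "OK",  # hypothetical exception for a client with a broken HELO
}
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")


def table_lookup(helo):
    # Exact key first, then parent domains (assumes smtpd_access_maps is
    # listed in parent_domain_matches_subdomains, the Postfix default).
    name = helo.lower().rstrip(".")
    while name:
        if name in HELO_ACCESS:
            return HELO_ACCESS[name]
        name = name.partition(".")[2]
    return None


def check_helo(client_ip, helo):
    """Return (action, restriction) for the first restriction that decides."""
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return "PERMIT", "permit_mynetworks"
    verdict = table_lookup(helo)
    if verdict is not None:
        action = "PERMIT" if verdict.split()[0] == "OK" else "REJECT"
        return action, "check_helo_access"
    literal = helo.startswith("[") and helo.endswith("]")
    if not literal and "." not in helo.rstrip("."):
        return "REJECT", "reject_non_fqdn_hostname"
    labels = helo.lower().rstrip(".").split(".")
    # Simplified syntax check; Postfix's own hostname validation is stricter.
    if not literal and not all(LABEL.fullmatch(l) for l in labels):
        return "REJECT", "reject_invalid_hostname"
    return "PERMIT", "permit"


if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mydomain.com"), ("203.0.113.5", "mydomain.com"),
                     ("203.0.113.5", "mail.mydomain.com"), ("203.0.113.6", "brokenclient"),
                     ("203.0.113.7", "WIN-PC"), ("198.51.100.9", "mx.example.org")]:
        print(ip, helo, check_helo(ip, helo))
```

The OK exception only works because check_helo_access is listed before reject_non_fqdn_hostname, and a host in mynetworks may still announce mydomain.com because permit_mynetworks comes first.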

Next I added this to my main.cf:

smtpd_sender_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit

Forcing everything to use a fully qualified domain name helped eliminate a ton of spam. The next item I did was the last of the lightweight stuff; this catches almost everything else:

smtpd_recipient_restrictions =
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    check_recipient_access hash:/etc/postfix/recipient_access,
    check_helo_access hash:/etc/postfix/secondary_mx_access,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit

The big stuff here is the reject_rbl_client lines. These lines check the incoming server against relay databases. I used these lists because they seemed relatively fair (I don’t want valid email getting rejected) and people are able to get off of these lists since they don’t seem to be Nazis about it.

After adding these items, pretty much the only email getting to ClamAV and SpamAssassin are valid email messages. This brought the load of my server back into a manageable place (4-5% CPU load) and makes email delivery fast again.
