Hi,

I'm using a couple of anti-spam techniques which successfully reject
(5xx) or ban (ipfilter firewall rule) most spam before even getting in
the queue. A couple of days ago about 2600 spam messages were delivered
to a user with a catch-all account. These messages were classified as
SPAM or SPAMMY by spamassassin and were indeed spam. I wonder why these
messages got through at all?

I use greylisting, blacklists, ban hosts that send one spam message for
10 minutes (ipfilter) and ban hosts that send three spam messages for
one day (ipfilter).

Are there ways to block these spam attacks? I don't see any pattern in
the IPs. Maybe increase the greylist period for the domain under attack (I
don't know how to do that without affecting the other domains).

Output of postconf -n:

alias_maps = hash:/opt/csw/etc/postfix/aliases
body_checks = regexp:/opt/csw/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
command_directory = /opt/csw/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:localhost:10024
daemon_directory = /opt/csw/libexec/postfix
data_directory = /opt/csw/var/lib/postfix
default_database_type = hash
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/opt/csw/etc/postfix/maps/header_checks
home_mailbox = Maildir/
html_directory = /opt/csw/share/doc/postfix/html
inet_interfaces = all
mailbox_command = /opt/csw/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 209715200
mailq_path = /opt/csw/bin/mailq
manpage_directory = /opt/csw/share/man
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20971520
mime_header_checks = regexp:/opt/csw/etc/postfix/maps/mime_header_checks
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain
myhostname = stevie.youngguns.nl
mynetworks_style = host
myorigin = $myhostname
newaliases_path = /opt/csw/bin/newaliases
readme_directory = /opt/csw/share/doc/postfix/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = $mydestination, slagenlandwonen.nl,
    wfcommunicatie.nl, gooischebrink.com, interjute.nl, melamo.nl,
    fair-play.nl, loopbaankamer.nl, ospl.nl, ospl.de,
    printcontrol.nl, dankers-schilderwerken.nl, promonta.nl,
    interim-denbosch.nl
relayhost =
sample_directory = /opt/csw/share/doc/postfix/samples
sendmail_path = /opt/csw/sbin/sendmail
smtp_bind_address = 213.207.90.2
smtp_helo_timeout = 60s
smtp_send_xforward_command = yes
smtp_skip_quit_response = yes
smtp_tls_session_cache_database = btree:
    ${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_client_connection_count_limit = 10
smtpd_client_restrictions = reject_rbl_client dnsbl.njabl.org,
    permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject
    reject_non_fqdn_hostname, reject_invalid_hostname,
    permit
smtpd_recipient_limit = 25
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_non_fqdn_recipient,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,reject_invalid_hostname,
    reject_unauth_destination, reject_unlisted_recipient,
    reject_rbl_client zen.spamhaus.org, reject_rbl_client
    bl.spamcop.net, reject_rbl_client b.barracudacentral.org,
    reject_rbl_client psbl.surriel.com, reject_rbl_client
    virbl.dnsbl.bit.nl, check_policy_service
    inet:127.0.0.1:10023,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
    reject_unknown_sender_domain, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /home/yghosting/ssl/secure-youngguns-nl.pem
smtpd_tls_key_file = /home/yghosting/ssl/secure-youngguns-nl.key
smtpd_tls_session_cache_database = btree:
    ${queue_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/opt/csw/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/opt/csw/etc/postfix/virtual

Kind regards,
Martijn de Munnik
--
YoungGuns
Kasteleinenkampweg 7b
5222 AX 's-Hertogenbosch
T. 073 623 56 40
F. 073 623 56 39
www.youngguns.nl
KvK 18076568
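
The per-host ban policy described in the post (10 minutes after one spam message, one day after three), replayed over constructed traffic; this is an added example, not part of the original message or the poster's setup. It assumes the spam count per IP is cumulative and that a ban is installed only after a message has been accepted and scored; all addresses and timings are constructed.

```python
from collections import defaultdict

SHORT_BAN = 10 * 60        # one spam message -> 10 minute ban (from the post)
LONG_BAN = 24 * 60 * 60    # three spam messages -> one day ban (from the post)


def replay(events):
    """events: iterable of (unix_time, client_ip), each a message the content
    filter would classify as spam. Returns (accepted, blocked) counts."""
    spam_seen = defaultdict(int)   # cumulative spam count per IP (assumption: never reset)
    banned_until = {}              # ip -> time at which the firewall rule expires
    accepted = blocked = 0
    for ts, ip in sorted(events):
        if ts < banned_until.get(ip, 0):
            blocked += 1           # dropped by the firewall, never reaches the filter
            continue
        # The message is accepted and scanned; the ban only follows the verdict.
        accepted += 1
        spam_seen[ip] += 1
        banned_until[ip] = ts + (LONG_BAN if spam_seen[ip] >= 3 else SHORT_BAN)
    return accepted, blocked


def single_host(n=100, interval=60):
    # Constructed sample: one host sending n messages, one per minute.
    return [(i * interval, "192.0.2.10") for i in range(n)]


def distributed(n=2600, interval=1):
    # Constructed sample: n distinct hosts, one message each (placeholder 10.x.y.z addresses).
    return [(i * interval, f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}")
            for i in range(n)]


if __name__ == "__main__":
    print("single host (accepted, blocked):", replay(single_host()))
    print("distributed (accepted, blocked):", replay(distributed()))
```

Under these assumptions a reactive per-IP ban limits a repeating host to three accepted messages, but never fires in time for sources that each send a single message.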