Hi all,
Until recently I did not receive too much spam and had it pretty-much
under control. This week has gone mental. So far this week I have
received 29860 connection attempts form {some_random_number}@qq.com to
{the_same_random_number}@howitts.co.uk.
I have a mail server and two backup MX servers and most of the mail is
arriving via one of the backup servers. Some comes directly to me and
some comes via the other backup server.Because of my settings, none of
it can get through.
My postconf-n is:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
clearglassnetwork = 172.19.0.0/16
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = $alias_maps $virtual_alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
message_strip_characters = \0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = howitts.co.uk
myhostname = mailserver.howitts.co.uk
mynetworks = 127.0.0.0/8, [::1]/128, 172.17.2.0/23, $clearglassnetwork
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_delimiter = +
relayhost = [smtp.ntlworld.com]:25
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks,
reject_unknown_reverse_client_hostname
smtpd_helo_required = yes
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_invalid_hostname, check_policy_service
unix:/var/spool/postfix/postgrey/socket, reject_unauth_pipelining,
reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, check_sender_access
hash:/etc/postfix/access, permit_sasl_authenticated,
reject_non_fqdn_sender, reject_invalid_hostname
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/www.howitts.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/www.howitts.co.uk/privkey.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps,
ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf
In /etc/postfix/access I have:
howitts.co.uk REJECT
qq.com REJECT
The howitts.co.uk is there to stop anyone from the internet pretending
to send mail from my domain to me. My roadwarriors send on port 587 to
bypass this restriction.
This means the spam can't get through for two reasons 1 - it is from
qq.com and 2 - the users don't exist on my system.
The qq.com sent directly so me is from all sorts of IP addresses, but
often 163.com so it is not a single IP. It has the typical scattering of
sending IP's some with and some without PTR records (so from unknown).
Is there anything further I can do to cut down or stop this spam? Also
are there more effective blocks I can do to lighten the load on the
server and reduce traffic?
Thanks,
Nick
