I'm being attacked by a botnet and I found out about it because I got this email from mailer-daemon telling me there's no space left on device. The mail.log was filled up with messages like:
Dec 5 01:56:14 ip-xxx-xxx-xxx postfix/smtpd[9634]: NOQUEUE: reject: RCPT from xxx-xxx-xxx-xxx.dynamic.hinet.net[xxx.xxx.xxx.xxx]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=SMTP helo=<xxx.xxx.xxx.xxx>
I wrote a botnet killer script. The script uses iptables to ban NETWORK RANGES with too many IP ADDRESSES trying to send messages through my server, producing the above messages in the logfile.
I'm sure this can kill legitimate traffic. I decided I need this traffic to be as follows:
S0 - standard traffic - <1 mail per minute
S1 - increased traffic - 1+ mail per minute
S2 - suspicious traffic - 10+ mails per minute
S3 - potentially unwanted traffic - 1+ mails per second
S4 - attack - 5+ mails per second
...treated as follows:
S0: No action
S1: Log
S2: Log&MailReport (to postmaster@localhost)
S3: Log&MailReport&AutoBounce (solve captcha at http://myhost.tld/anti-spam )
S4: Log&MailReport&AutoBounce (you were temporarily blocked by the mailserver)
S5: Log&MailReport&AutoBounce&AutoAbuseReport (User [email protected] is abusing our server)
Is there any way to accomplish this using postfix? If not - is there any better mailserver for that?
Thank you
EDIT: I've completely rewritten this question because people got confused and thought it was an open relay
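As an added example (not code from the question or from any answer), here is how the S0..S4 tiers above could be computed from mail.log: it parses the postfix "Relay access denied" reject format quoted in the question, counts rejects per source per minute, and reports the peak tier per client IP or per /24 (the granularity the range-banning script works at). The thresholds map the per-second tiers onto per-minute counts, and the sample log lines, host names and addresses are constructed for the example.

```python
import re
from collections import Counter

# Matches the postfix "Relay access denied" reject lines quoted in the question.
REJECT_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: "
    r"554 5\.7\.1 .*Relay access denied"
)

# The question's tiers as rejects per one-minute bucket; assumption: S3/S4
# (1+ and 5+ per second) become 60 and 300 per minute.
TIERS = [("S4", 300), ("S3", 60), ("S2", 10), ("S1", 1)]

def classify(rejects_per_minute):
    """Map a per-minute reject count to tier S0..S4."""
    for tier, threshold in TIERS:
        if rejects_per_minute >= threshold:
            return tier
    return "S0"

def peak_rates(lines, group="ip"):
    """{key: highest reject count in any single minute}; group="ip" keys by
    client address, group="net24" by its /24 (the question's banning granularity)."""
    buckets = Counter()
    for line in lines:
        m = REJECT_RE.match(line)
        if not m:
            continue  # not a relay-denied reject; ignore
        ip = m.group("ip")
        key = ip if group == "ip" else ip.rsplit(".", 1)[0] + ".0/24"
        buckets[(key, m.group("minute"))] += 1
    peak = {}
    for (key, _minute), count in buckets.items():
        peak[key] = max(peak.get(key, 0), count)
    return peak

def tier_report(lines, group="ip"):
    """{key: tier} for every source that produced at least one reject."""
    return {k: classify(v) for k, v in peak_rates(lines, group).items()}

def _line(sec, ip):  # one constructed sample log line in the question's format
    return (f"Dec  5 01:56:{sec:02d} mx1 postfix/smtpd[9634]: NOQUEUE: reject: RCPT from "
            f"h.example[{ip}]: 554 5.7.1 <a@b.example>: Relay access denied; "
            f"from=<x@y.example> to=<a@b.example> proto=SMTP helo=<{ip}>")

# Constructed sample: 12 rejects from one host, 1 from a /24 neighbour, 1 unrelated line.
SAMPLE_LOG = [_line(s, "198.51.100.10") for s in range(0, 60, 5)]
SAMPLE_LOG += [_line(30, "198.51.100.20"),
               "Dec  5 01:56:30 mx1 postfix/smtpd[9634]: connect from unknown[203.0.113.5]"]
```

Run over the real mail.log with `tier_report(open("/var/log/mail.log"))`; the S2 and above keys are the ones worth reporting to postmaster rather than everything that hits the log.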
In reality, it's just the nature of running an Internet-facing mail server. I run one on-premise as our corporate mail and we get slammed with spam mails every few seconds. The only thing you can really do is implement logrotate and prevent the logs from growing out of control. If you need them for historical reasons, gzip can compress them as much as 90% or more. If you'd like to take a look at this, check out this article that has tons of how-to information.