Home / server / Questions / 950425
In Process
Mat
Asked: 2019-01-24 10:10:16 +0800 CST

How to deal with outgoing spam flooding with Postfix

  • 772

I have one Postfix SMTP server with hundreds of users, which are using it to send e-mails as authenticated users.

Sometimes one account is hacked and thousand e-mails become to go out from the SMTP server, starting a spam flooding to hundreds of e-mail addresses.

This obviously make my server to be inserted into many blacklist and when I realise I need to:

  • fix the hacked account (and educate users to use good password and to change them frequently)
  • stop the flooding removing spam messages from the outgoing queue
  • check the IP address into blacklists and remove them if needed
  • monitor outgoing e-mails to check if they are marked as spam

Now I want to understand how I can efficiently prevent the flooding before it happens, because we cannot risk to be inserted into any blacklist. I think this could be reached with:

  • force users to use a good password: this can be easily reached if you are using an authentication backend like Active Directory, but what about Postfix users and virtual domains saved into the database?
  • activating fail2ban on SMTP services (but this does not work if hackers already know passwords and use them at the first try)
  • implementing some flooding detection like outgoing rate detection for the same users which could stop relay for a specific user if it's spamming: what technology can be used on top of Postfix to achieve this?
  • monitoring: some Nagios/Icinga checks for the elements in the Postfix outgoing queue (but could be too late)
  • monitoring: a lot of services which can check if the IP address is into some blacklist (but too late)

Any other idea?

postfix

2 Answers

  1. SASL-authenticated clients using your mail server to send out spam or malware are usually the result of botnets. You can catch most if not all of botnet-like behaviour using postfwd rules and the Postfwd Anti Geoip Spam Plugin which will check for both high rates of sending as well as logins from more than one country or IP address.

    Once you have installed postfwd and the plugin, you can configure rules which will block senders once they exceed certain limits.

    A typical rate limiting ruleset might look like this (anti-botnet rules are given in the instructions for the Anti Geoip Spam Plugin link above):

    id=R005; action=dunno ; client_name=friendly\.mailserver\.org\.uk$
id=R010; sender=~/.+/; action=rate(sender/100/86400/REJECT only 100 messages per day for sender [$$sender])
id=R020; sender=~/.+/; action=rate(sender/25/3600/REJECT only 25 messages per hour for sender [$$sender])
id=R030; sasl_username=~/.+/; action=rate(sasl_username/100/86400/REJECT only 100 messages per day for auth user [$$sasl_username])
id=R040; sasl_username=~/.+/; action=rate(sasl_username/25/3600/REJECT only 25 messages per hour for auth user [$$sasl_username])
id=R050; user=~/.+/; action=rate(user/100/86400/REJECT only 100 messages per day for user [$$user])
id=R060; user=~/.+/; action=rate(user/25/3600/REJECT only 25 messages per hour for user [$$user])
    • 1

  2. Search for “postfix anvil”. It provides rate limiting features for outbound. it is effective in mitigating reputation issues when an account is compromised.

    • -1