Server inundated with SPAM

andrewb
Posts: 6
Joined: 2020/09/09 10:41:35

Server inundated with SPAM

Post by andrewb » 2020/09/09 10:56:16

Hi everyone,

Over the last few weeks, our server has been inundated with spam (300 per day), particularly from the following domain suffixes:

.guru
.info
.icu
.us

I'm running SPAMASSASSIN and have recently installed BAYES.

Two questions: is it possible for ALL SPAM to be moved into a folder held on the server?

And can I block ALL emails from a particular domain suffix (e.g. .guru, .info, .icu)?

thanks
Andrew

P.S. My SpamAssassin settings...

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

required_hits 5.0
report_safe 0
required_score 2.0
rewrite_header Subject [**SPAM**]

# Blocked Domains and Emails

blacklist_from *@*.guru
blacklist_from *@.guru
blacklist_from *.guru

blacklist_from *@*.buzz
blacklist_from *@.buzz
blacklist_from *.buzz

andrewb
Posts: 6
Joined: 2020/09/09 10:41:35

Re: Server inundated with SPAM

Post by andrewb » 2020/09/10 06:22:54

I've also used main.cf in postfix to call upon a file called rejected_domains with the following information

/\.guru$/ REJECT We reject all .guru domains
/\.buzz$/ REJECT We reject all .buzz domains
/\.icu$/ REJECT We reject all .icu domains
/\.us$/ REJECT We reject all .us domains
/\.am$/ REJECT We reject all .am domains
/\.bid$/ REJECT We reject all .bid domains
/\.info$/ REJECT We reject all .info domains
/\.life$/ REJECT We reject all .life domains
/\.monster$/ REJECT We reject all .monster domains
/\.xyz$/ REJECT We reject all .xyz domains
/\.casa$/ REJECT We reject all .casa domains
/\.cyou$/ REJECT We reject all .cyou domains
/\.work$/ REJECT We reject all .work domains
/\.int$/ REJECT We reject all .int domains
/\.tk$/ REJECT We reject all .tk domains

That's done the trick to stop TLD spamming domains!

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Server inundated with SPAM

Post by KernelOops » 2020/09/10 14:01:22

Spam protection is fairly easy to do with postfix; 90% of spam is usually blocked there, and the rest is blocked via opendkim/opendmarc/spamassassin.

Before you block entire top level domains, try using the postscreen feature of postfix; it's a VERY powerful tool. For example, here is what I use:

Code:

postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_retention_time = 30d
postscreen_command_time_limit = 10s
postscreen_greet_action = enforce
postscreen_greet_wait = 10s

Then decide which blacklists you are going to use; the most popular are spamhaus, spamcop and uceprotect. Here is what I use:

Code:

postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        bl.spamcop.net*3
        dnsbl-1.uceprotect.net*3
        dnsbl.dronebl.org*3
        hostkarma.junkemailfilter.com=127.0.0.2*3

Finally, make sure you use the postfix restrictions like: reject_unknown_reverse_client_hostname, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_sender_domain, so on and so forth.

What is important is to block as much spam as possible at the MTA level, because that is "cheap" in cpu/network resources, to avoid using spamassassin as much as possible, which is more "expensive" in resources.

I can PM you my configuration if it's any help to you.
--
R.I.P. CentOS :cry:
--
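
How the weights and threshold in the postscreen_dnsbl_sites list above combine, as an added example that is not part of the original posts or of Postfix itself. The DNS replies are constructed sample data for a documentation-range address, the "pass" label is an assumption of this sketch, and the reply filter is simplified to an exact match, which covers the entries posted.

```python
import ipaddress

# postscreen_dnsbl_sites and postscreen_dnsbl_threshold as posted above.
DNSBL_SITES = """
zen.spamhaus.org*3
bl.spamcop.net*3
dnsbl-1.uceprotect.net*3
dnsbl.dronebl.org*3
hostkarma.junkemailfilter.com=127.0.0.2*3
"""
THRESHOLD = 3

def parse_sites(text):
    """Parse 'domain[=reply][*weight]' entries into (domain, reply, weight)."""
    sites = []
    for entry in text.split():
        entry, _, weight = entry.partition("*")
        domain, _, reply = entry.partition("=")
        # An entry without '*weight' counts with weight 1.
        sites.append((domain, reply or None, int(weight) if weight else 1))
    return sites

def query_name(client_ip, domain):
    """DNSBL lookup name: the IPv4 octets reversed, then the list's domain."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + domain

def dnsbl_score(client_ip, sites, answers):
    """Sum the weights of lists whose A reply counts as a listing."""
    # `answers` maps query name -> A records and stands in for live DNS.
    score = 0
    for domain, reply, weight in sites:
        records = answers.get(query_name(client_ip, domain), [])
        # Without '=reply' any A record is a listing; with it, only that reply.
        if records and (reply is None or reply in records):
            score += weight
    return score

def verdict(score, threshold=THRESHOLD):
    """'enforce' mirrors postscreen_dnsbl_action; 'pass' is this sketch's label."""
    return "enforce" if score >= threshold else "pass"

# Constructed replies: listed on one list, non-matching reply on another.
SAMPLE_ANSWERS = {
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "10.2.0.192.hostkarma.junkemailfilter.com": ["127.0.0.1"],  # not .2: ignored
}
```

With every weight equal to the threshold, a listing on any single list is enough to trigger the action; lowering individual weights would require agreement between lists.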

andrewb
Posts: 6
Joined: 2020/09/09 10:41:35

Re: Server inundated with SPAM

Post by andrewb » 2020/09/11 03:32:38

Thanks so much KernelOops and if you could PM your configuration as a base for us, that would be great!

cheers,
Andrew

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Server inundated with SPAM

Post by KernelOops » 2020/09/11 12:55:00

Sent PM!

andrewb
Posts: 6
Joined: 2020/09/09 10:41:35

Re: Server inundated with SPAM

Post by andrewb » 2020/09/12 05:30:04

Thanks again! :)
