By Sean Reifschneider Date 2004-12-15 11:34 Tags anti-spam, postfix, sean reifschneider, technical
Last night at NCLUG, I gave a quickie talk on a simple Postfix Makefile I had built, for making management easier. The talk also turned to some of the anti-spam measures we use to make our mailboxes useful again. Here are some references.
My Postfix Makefile, including changes so that it doesn't trigger a reload on updating of .db files as suggested by Aaron Johnson, is up at ftp://ftp.tummy.com/pub/tummy/postfix/Makefile/. Download and put it in your /etc/postfix directory and run "make" to update the files.
This Makefile assumes that you have maps named "access-ip", "access-helo", "access-mailfrom" and "access-rcptto". It also looks for a "virtual-regexp" map that rewrites addresses (regexp "aliases", effectively), plus "header_checks" and "body_checks", which are regexp tables of patterns that identify spam or virus reports. Here are the relevant sections of "main.cf" (continuation lines of a multi-line setting must begin with whitespace, or Postfix reads them as new settings):
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_hostname
    reject_invalid_hostname
    reject_unauth_destination
    check_recipient_access hash:/etc/postfix/access-rcptto

smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/access-helo
    reject_non_fqdn_hostname
    reject_invalid_hostname

smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/access-mailfrom
    check_client_access hash:/etc/postfix/access-ip
    reject_unknown_sender_domain
    reject_non_fqdn_sender

smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/access-ip
One of the most effective actions we've taken with Postfix is to list our own IP address in the "access-helo" file. Many spammers open the session with "HELO <our IP address>", that is, the address of the server they are connecting to. The HELO argument is supposed to identify the sending mail server (its fully-qualified hostname, or its address as a literal in square brackets), never the receiving server's address, so a HELO of our own IP is a forged greeting and the access-helo entry rejects the session outright.
I just checked the logs and we've averaged 6,269 messages rejected per day this week because of that rule alone. That's roughly 20% of all SMTP connections we get, or nearly 7 times the number of legitimate e-mail messages we get.
I'd highly recommend that you look at what's getting sent in the "HELO" to your mail servers.
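The log check behind those figures, as an added example that is not part of the original post: it parses Postfix smtpd "connect from" and "NOQUEUE: reject" syslog lines, tallies rejections per day by the restriction that fired, and reports what share of the day's connections ended because the client HELO'd with our own address. The log lines are constructed (RFC 5737 addresses), 203.0.113.5 is assumed to be the receiving server's IP, and the script also accepts the bracketed address-literal form of the HELO, which goes beyond the bare IP the post describes.

```python
"""Added example, not part of the original post: the per-day log check behind
the HELO figures. It parses Postfix smtpd "connect from" and "NOQUEUE: reject"
syslog lines, tallies rejections by the restriction that fired, and reports
how many connections were ended by a client that HELO'd with our own address.
SAMPLE_LOG is constructed (RFC 5737 addresses); OUR_IP is an assumed value."""
import re
from collections import Counter

OUR_IP = "203.0.113.5"  # assumed: the receiving mail server's public address

SYSLOG_PREFIX = r"^(?P<month>\w{3}) +(?P<day>\d+) \S+ \S+ postfix/smtpd\[\d+\]: "
CONNECT_RE = re.compile(SYSLOG_PREFIX + r"connect from (?P<client>\S+)$")
# With the default smtpd_delay_reject=yes, HELO/sender/client rejections are
# logged at RCPT time, one line per rejected RCPT TO, with helo=<...> last.
REJECT_RE = re.compile(
    SYSLOG_PREFIX
    + r"NOQUEUE: reject: \w+ from (?P<client>\S+): \d{3} <[^>]*>: "
    + r"(?P<reason>[^;]+?); .* helo=<(?P<helo>[^>]*)>$"
)

# Constructed sample: two days of smtpd activity as syslog would record it.
SAMPLE_LOG = """\
Dec 13 02:11:09 mx postfix/smtpd[4121]: connect from unknown[198.51.100.23]
Dec 13 02:11:09 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 <203.0.113.5>: Helo command rejected: You are not me; from=<a@example.net> to=<bob@example.com> proto=SMTP helo=<203.0.113.5>
Dec 13 02:11:40 mx postfix/smtpd[4121]: connect from unknown[198.51.100.77]
Dec 13 02:11:40 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 <[203.0.113.5]>: Helo command rejected: You are not me; from=<b@example.net> to=<bob@example.com> proto=SMTP helo=<[203.0.113.5]>
Dec 13 03:20:01 mx postfix/smtpd[4130]: connect from unknown[198.51.100.9]
Dec 13 03:20:01 mx postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 450 <nosuch@example.invalid>: Sender address rejected: Domain not found; from=<nosuch@example.invalid> to=<bob@example.com> proto=ESMTP helo=<mail.example.invalid>
Dec 13 04:05:12 mx postfix/smtpd[4133]: connect from unknown[198.51.100.41]
Dec 13 04:05:12 mx postfix/smtpd[4133]: NOQUEUE: reject: RCPT from unknown[198.51.100.41]: 504 <spamhost>: Helo command rejected: need fully-qualified hostname; from=<c@example.org> to=<bob@example.com> proto=SMTP helo=<spamhost>
Dec 13 09:30:00 mx postfix/smtpd[4140]: connect from mail.example.org[192.0.2.10]
Dec 14 01:00:00 mx postfix/smtpd[4201]: connect from unknown[198.51.100.23]
Dec 14 01:00:00 mx postfix/smtpd[4201]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 <203.0.113.5>: Helo command rejected: You are not me; from=<d@example.net> to=<alice@example.com> proto=SMTP helo=<203.0.113.5>
Dec 14 01:02:30 mx postfix/smtpd[4201]: connect from unknown[198.51.100.88]
Dec 14 01:02:30 mx postfix/smtpd[4201]: NOQUEUE: reject: RCPT from unknown[198.51.100.88]: 554 <old@example.com>: Recipient address rejected: Access denied; from=<e@example.net> to=<old@example.com> proto=SMTP helo=<mail.example.net>
Dec 14 01:03:00 mx postfix/smtpd[4205]: connect from mail.example.org[192.0.2.10]
"""


def _day(m):
    """Day key from the syslog timestamp groups, e.g. 'Dec 13'."""
    return f"{m['month']} {int(m['day']):02d}"


def parse_reject(line):
    """Return (day, reject_class, helo) for an smtpd reject line, else None.
    reject_class is the restriction family Postfix names in the reply text,
    e.g. 'Helo command rejected' or 'Sender address rejected'."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    return _day(m), m["reason"].split(":", 1)[0], m["helo"]


def helo_is_our_ip(helo, our_ip=OUR_IP):
    """True when the HELO argument is our own address. The post describes the
    bare form; the bracketed address-literal form names the same host and is
    accepted as well (an assumption of this example)."""
    return helo.strip().strip("[]") == our_ip


def summarize(lines, our_ip=OUR_IP):
    """Per day: number of connections, rejections by class, and the number of
    'Helo command rejected' lines whose HELO was our own IP."""
    per_day = {}
    for line in lines:
        m = CONNECT_RE.match(line)
        if m:
            per_day.setdefault(_day(m), Counter())["connections"] += 1
            continue
        parsed = parse_reject(line)
        if parsed is None:
            continue
        day, reject_class, helo = parsed
        counts = per_day.setdefault(day, Counter())
        counts[reject_class] += 1
        if reject_class == "Helo command rejected" and helo_is_our_ip(helo, our_ip):
            counts["helo=our-ip"] += 1
    return {day: dict(c) for day, c in per_day.items()}


def helo_rule_share(summary):
    """Percentage of each day's connections that hit the HELO=<our IP> rule,
    the kind of figure quoted in the post. A client is rejected once per
    RCPT TO it attempts, so this is an upper bound on affected connections."""
    return {
        day: round(100.0 * c.get("helo=our-ip", 0) / c["connections"], 1)
        for day, c in summary.items()
        if c.get("connections")
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    share = helo_rule_share(report)
    for day, counts in report.items():
        print(f"{day}: {counts}  helo=our-ip share: {share.get(day, 0.0)}%")
```

On a real server, feed it the mail log instead of SAMPLE_LOG (for example `summarize(open("/var/log/maillog"))`) and set OUR_IP to the address clients see; lines logged by a different syslog format, or by Postfix releases that word the reject replies differently, will need the two regexes adjusted.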