-3

I'm being attacked from a botnet and I found out about it because I got this email from mailer-daemon telling me there's no space left on device. The mail.log was filled up with messages like

Dec 5 01:56:14 ip-xxx-xxx-xxx postfix/smtpd[9634]: NOQUEUE: reject: RCPT from xxx-xxx-xxx-xxx.dynamic.hinet.net[xxx.xxx.xxx.xxx]: 554 5.7.1 <xxxxxxxxx@xxxxxxxxx.xxx>: Relay access denied; from=<xxxxxxxxx@xxxxxxxxx.xxx> to=<xxxxxxxxx@xxxxxxxxx.xxx> proto=SMTP helo=<xxx.xxx.xxx.xxx>

I wrote a botnet killer script. The script uses iptables to ban NETWORK RANGES with too many IP ADDRESSES trying to send messages through my server, producing the above messages in the logfile.

I'm sure this can kill legitimate traffic. I decided I need this traffic classified as follows:

S0 - standard traffic - <1 mail per minute
S1 - increased traffic - 1+ mail per minute
S2 - suspicious traffic - 10+ mails per minute
S3 - potentially unwanted traffic - 1+ mails per second
S4 - attack - 5+ mails per second

...treated as follows:

S0: No action
S1: Log
S2: Log&MailReport (to postmaster@localhost)
S3: Log&MailReport&AutoBounce (solve capcha at http://myhost.tld/anti-spam )
S4: Log&MailReport&AutoBounce (you were temporarily blocked by the mailserver)
S5: Log&MailReport&AutoBounce&AutoAbuseReport (User x@y.z is abusing our server)

Is there any way to accomplish this using postfix? If not - is there any better mailserver for that?

Thank you


EDIT: I've completely rewritten this question because people got confused and thought it was an open relay

lmojzis
  • Open relay is never a good idea. Only use an open relay in a private network for testing purpose. – Vinz Dec 04 '13 at 16:53
  • Out of curiosity, what is the reason for needing to be an open relay? It sounds like an awful lot of administrative headache for something that is universally frowned upon. – DanBig Dec 04 '13 at 16:55
  • Why not just [use RBLs](http://www.howtoforge.com/block_spam_at_mta_level_postfix)? – Nathan C Dec 04 '13 at 17:00
  • No server is ever required to be an open relay. If you think this is required, you're doing it wrong and need to do it differently. – John Dec 04 '13 at 16:18
  • It shouldn't have been an open relay on the internet for any length of time. You are contributing to the spam problem. Configure your server properly and your problem goes away. Only allow relay from known IPs and/or require authentication. Only accept delivery to the domain(s) in question. –  Dec 04 '13 at 21:09
  • @NathanC I use RBLs. This is still producing a high amount of lines filling up my logfile. – lmojzis Dec 05 '13 at 02:13
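The tiering the question describes, as an added example that is not lmojzis's iptables script and not part of the original post: it parses the smtpd reject line shown above, groups rejected RCPT attempts by the client's /24 network and assigns S0 to S4 from the peak number of rejects seen in any sliding 60-second window (S3 and S4 expressed as 60/min and 300/min). The /24 grouping, the hostname mailhost and the sample log lines (built from RFC 5737 documentation addresses) are assumptions constructed for the example; the code only classifies and reports, it does not block anything.

```python
"""Classify Postfix 'Relay access denied' rejects by source /24 and rate tier.

Added example, not code from the original post.  Reads syslog-style mail.log
lines, groups rejected RCPT attempts by the client's /24 and assigns the
S0..S4 tiers from the question, measured as the peak number of rejects in any
sliding 60-second window.  Sample log lines are constructed (RFC 5737 ranges).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Matches the smtpd reject line from the question; captures timestamp and client IP.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: 554 5\.7\.1 .*?"
    r"Relay access denied"
)

# Thresholds from the question as rejects per 60-second window:
# S1: 1+/min, S2: 10+/min, S3: 1+/sec (60/min), S4: 5+/sec (300/min); else S0.
TIERS = [(300, "S4"), (60, "S3"), (10, "S2"), (1, "S1")]
WINDOW = timedelta(seconds=60)


def parse_reject(line):
    """Return (timestamp, client_ip) for a relay-denied line, else None."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the default year is fine for differences.
    ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
    return ts, ip_address(m.group("ip"))


def peak_per_minute(timestamps):
    """Largest number of events falling inside any 60-second sliding window."""
    timestamps = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] >= WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def tier_for(rate):
    for threshold, name in TIERS:
        if rate >= threshold:
            return name
    return "S0"


def classify(lines, prefix=24):
    """Map each /prefix network to (tier, peak rejects per minute, distinct IPs)."""
    per_net = defaultdict(list)
    for line in lines:
        parsed = parse_reject(line)
        if parsed:
            ts, ip = parsed
            per_net[ip_network(f"{ip}/{prefix}", strict=False)].append((ts, ip))
    result = {}
    for net, hits in per_net.items():
        rate = peak_per_minute([ts for ts, _ in hits])
        result[str(net)] = (tier_for(rate), rate, len({ip for _, ip in hits}))
    return result


# Constructed log line template mirroring the one in the question (hostname
# "mailhost" and the addresses are assumptions).
LINE = ("Dec  5 01:56:{sec:02d} mailhost postfix/smtpd[9634]: NOQUEUE: reject: "
        "RCPT from host-{host}.example[{ip}]: 554 5.7.1 <victim@example.org>: "
        "Relay access denied; from=<spam@example.net> to=<victim@example.org> "
        "proto=SMTP helo=<{ip}>")


def sample_lines():
    """Constructed mail.log excerpt: one burst per network, all within 01:56."""
    lines = []
    # 12 distinct hosts in 203.0.113.0/24 over 36 seconds -> S2 (10+/min)
    lines += [LINE.format(sec=10 + 3 * i, host=i, ip=f"203.0.113.{i + 1}") for i in range(12)]
    # 65 hits from 5 hosts in 198.51.100.0/24 within 13 seconds -> S3 (1+/sec)
    lines += [LINE.format(sec=20 + i % 13, host=i % 5, ip=f"198.51.100.{i % 5 + 1}") for i in range(65)]
    # a single reject from 192.0.2.0/24 -> S1
    lines.append(LINE.format(sec=30, host=99, ip="192.0.2.99"))
    # an unrelated smtpd line that must be ignored by the parser
    lines.append("Dec  5 01:56:31 mailhost postfix/smtpd[9634]: connect from unknown[192.0.2.50]")
    return lines


if __name__ == "__main__":
    for net, (tier, rate, hosts) in sorted(classify(sample_lines()).items()):
        print(f"{net:18} {tier}  peak={rate}/min  hosts={hosts}")
```

Two details matter for the concern raised in the question about killing legitimate traffic: the rate is measured over a sliding window rather than wall-clock minutes, so a burst straddling a minute boundary is not undercounted, and the distinct-host count is reported separately, because a single chatty host and a whole /24 full of bots land in the same tier but deserve different treatment (blocking the /24 on the strength of one address is exactly how legitimate senders in that range get caught).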

1 Answer

1

In reality, it's just the nature of running an Internet-facing mail server. I run one on-premise as our corporate mail and we get slammed with spam mails every few seconds. The only thing you can really do is implement logrotate and prevent the logs from growing out of control. If you need them for historical reasons, gzip can compress them as much as 90% or more.

If you'd like to take a look at this, check out this article that has tons of how-to information.

Nathan C
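The logrotate setup the answer recommends, as an added example that is not from Nathan C's answer or the linked article: it rotates mail.log daily or as soon as it exceeds a size cap, keeps compressed copies, and has rsyslog reopen the file. The path, the size and retention values, and the rsyslog reload helper are assumptions for a Debian-style system; `maxsize` needs logrotate 3.8 or later.

```conf
# Added example (not from the answer): /etc/logrotate.d/mail-log
# Paths, limits and the postrotate command are assumptions for a
# Debian-style host running rsyslog; adjust for your distribution.
/var/log/mail.log {
    daily
    maxsize 100M        # rotate early if a reject flood fills the file
    rotate 14           # keep two weeks of history
    missingok
    notifempty
    compress            # gzip old copies (the answer's ~90% saving)
    delaycompress       # leave the newest rotated file uncompressed for reopen
    sharedscripts
    postrotate
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}
```

Size-triggered rotation only works if logrotate runs often enough to notice; on hosts where it runs from a daily cron job, a sustained flood can still fill the disk between runs, so pair this with a per-hour timer or a disk-usage alert.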