I'm being attacked by a botnet and I found out about it because I got this email from mailer-daemon telling me there's no space left on device. The mail.log was filled up with messages like:
Dec 5 01:56:14 ip-xxx-xxx-xxx postfix/smtpd[9634]: NOQUEUE: reject: RCPT from xxx-xxx-xxx-xxx.dynamic.hinet.net[xxx.xxx.xxx.xxx]: 554 5.7.1 <xxxxxxxxx@xxxxxxxxx.xxx>: Relay access denied; from=<xxxxxxxxx@xxxxxxxxx.xxx> to=<xxxxxxxxx@xxxxxxxxx.xxx> proto=SMTP helo=<xxx.xxx.xxx.xxx>
I wrote a botnet killer script. The script uses iptables to ban NETWORK RANGES with too many IP ADDRESSES trying to send messages through my server, producing the above messages in the logfile.
I'm sure this can kill legitimate traffic. I decided I need this traffic to be as follows:
S0 - standard traffic - <1 mail per minute
S1 - increased traffic - 1+ mail per minute
S2 - suspicious traffic - 10+ mails per minute
S3 - potentially unwanted traffic - 1+ mails per second
S4 - attack - 5+ mails per second
...treated as follows:
S0: No action
S1: Log
S2: Log&MailReport (to postmaster@localhost)
S3: Log&MailReport&AutoBounce (solve CAPTCHA at http://myhost.tld/anti-spam )
S4: Log&MailReport&AutoBounce (you were temporarily blocked by the mailserver)
S5: Log&MailReport&AutoBounce&AutoAbuseReport (User x@y.z is abusing our server)
Is there any way to accomplish this using postfix? If not - is there any better mailserver for that?
Thank you
EDIT: I've completely rewritten this question because people got confused and thought it was an open relay.
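The S0 to S4 thresholds above, applied to reject lines in the quoted log format, as an added example that is not part of the original post. It only assigns tiers and leaves the actions (log, report, bounce) to whatever consumes the result. Assumptions: the rate is counted per client IP over a trailing 60-second window, and the names `classify`, `tier_for` and `sample_log` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tier floors in rejected RCPTs per minute, from the S1-S4 definitions in the post.
TIERS = [("S4", 300), ("S3", 60), ("S2", 10), ("S1", 1)]

# Matches the "Relay access denied" smtpd reject line quoted in the post.
REJECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+postfix/smtpd\[\d+\]:\s+"
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 554 ")

def tier_for(per_minute):
    """Return the highest tier whose floor the rate reaches, else S0."""
    for name, floor in TIERS:
        if per_minute >= floor:
            return name
    return "S0"

def classify(lines, now, year=2024, window=60):
    """Map every client IP seen in `lines` to its tier at time `now`.

    Assumption: the rate is counted per client IP over the trailing `window`
    seconds; syslog timestamps carry no year, so the caller supplies one.
    """
    counts = defaultdict(int)
    for line in lines:
        m = REJECT.match(line)
        if not m:
            continue  # not a reject line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        in_window = 0 <= (now - ts).total_seconds() < window
        counts[m["ip"]] += 1 if in_window else 0  # quiet clients stay at 0 -> S0
    return {ip: tier_for(n * 60 / window) for ip, n in counts.items()}

def sample_log():
    """Constructed log lines using documentation addresses, not real traffic."""
    fmt = ("Dec  5 {hm}:{s:02d} mx postfix/smtpd[9634]: NOQUEUE: reject: RCPT from "
           "unknown[{ip}]: 554 5.7.1 <a@example.org>: Relay access denied; "
           "from=<b@example.net> to=<a@example.org> proto=SMTP helo=<x>")
    plan = {"192.0.2.10": 1, "198.51.100.7": 12, "203.0.113.99": 75}
    lines = [fmt.format(hm="01:56", s=i % 60, ip=ip)
             for ip, n in plan.items() for i in range(n)]
    lines.append(fmt.format(hm="01:40", s=0, ip="192.0.2.55"))  # old activity only
    return lines

if __name__ == "__main__":
    for ip, tier in classify(sample_log(), datetime(2024, 12, 5, 1, 56, 59)).items():
        print(ip, tier)
```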