The opportunists who send unsolicited bulk email (UBE) use tools that do not follow standards. This can work to an advantage in that improper configuration can allow quite a bit of filtering to be done on inbound email. For instance, the following entries in main.cf for postfix will dramatically cut down on email from misconfigured hosts:
smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_rbl_client combined.njabl.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client list.dsbl.org,reject_rbl_client opm.blitzed.org,reject_rbl_client relays.ordb.org,reject_rbl_client sbl.spamhaus.org, permit smpd_data_restrictions = reject_unauth_pipelining, permit
We have had good luck with the above, and have yet to notice missed email; however, do be careful with extreme restrictions like this.
It is important to keep up on these, since there is some churn, and changes can disrupt your incoming email. [For instance, opm.blitzed.org is currently down as of April 28 2006.]
We have some domains that used to be used in the mid nineties to post to newsgroups, back when sharing contact information openly was more common. We ceased using these domains for email years ago, after receiving hundreds of emails a day years after removing any references from our websites. The newsgroup postings, though, are still farmed, and we are firmly embedded in the UBE machinery. Even though the email boxes are invalid, the UBE machinery bangs on our SMTP door relentlessly, causing more load at times than any other service.
Postfix has numerous options for throttling. This helps a lot. For instance, if you are getting a dictionary attack, if there are too many RCPT errors in a row, the connection will be shut down. One thing about hosting on a shared server is that dictionary attacks are quite fruitful in some cases, depending on how the server is configured, since any name in any domain might allow mail transfer. Our hunch is that as this has happened over the last ten years with one of our older domains, that these names were stored on lists as being valid, so now, we get banged with both dictionary attacks and every hostname on any domain name we ever shared a server with. Some of the names recur too often to be simply dictionary attacks.
Another problem is that the UBE tools often ignore MX records. We tried getting rid of the MX record so that the knocking would subside; however, it appears that the UBE tools ignore the MX record in many cases, and simply go to the same server as the domain A record is. The solution for this was to listen on port 25 on a secondary IP address that was different than the domain. With Postfix, this is specified in main.cf using this line:
inet_interfaces = hostalternate.example.com
Add localhost if you need it:
inet_interfaces = hostalternate.example.com, localhost
Now that Postfix listens on an IP different than our old domain’s A record, our server’s performance is considerably better.