
Stopping Spam by Dumping it in a Blackhole

Mail servers today are overburdened with spam, and organizations spend real money on hardware just to process it: it takes memory and CPU cycles to decide whether each message is spam, and as volume grows more servers have to be added to separate the good from the bad. Blackhole lists (DNS-based blackhole lists, or DNSBLs) reduce that load. They are databases of IP addresses known to send spam, published over DNS, so that your mail server can reject a connection from a listed address at the SMTP stage, before it accepts and scans the message body. The trade-off is that each check requires Postfix to do a DNS lookup, which costs some resources on your server and adds latency to the SMTP dialogue; run a local caching resolver to keep that cost small. In return, the reduction in spam can be significant.

Get more information about Postfix on a daily basis…try the Postfix Blog.

The examples below are for a Postfix mail server. One thing to note: there are a lot of blackhole lists online, and they differ in listing policy, false-positive rate, and terms of use, so check each one closely to be sure it meets the needs of your organization. The ones listed here are simply examples.

In the example below two kinds of lists are used to block spam; again, these are only illustrations and you should research your list carefully. Each list is published under a DNS zone name that you query. The two lists here are combined under one zone name, and that name is then entered into your smtpd restrictions.

Exploits Block List (http://www.spamhaus.org/xbl/index.lasso)
The following information is taken from the Spamhaus site.

“The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.”

The Spamhaus Block List (http://www.spamhaus.org/sbl/index.lasso)
The following information is taken from the Spamhaus site.

“The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.

The SBL is queryable in realtime by mail systems throughout the Internet, allowing email administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending or origination of Unsolicited Bulk Email (aka “Spam”).

The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and – just as importantly – to delist resolved issues.”

These two lists are combined under this zone name:

sbl-xbl.spamhaus.org

Spamhaus has since replaced this combined zone with zen.spamhaus.org (SBL + XBL + PBL). Check Spamhaus's current documentation and terms of use before deploying: the free public mirrors require that queries come from your own resolver rather than a public one, and high query volumes need a subscription.

smtpd_recipient_restrictions =
    warn_if_reject reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_hostname
    reject_invalid_hostname
    check_helo_access pcre:/etc/postfix/helo_checks
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    reject_rbl_client sbl-xbl.spamhaus.org
    permit
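To make concrete what reject_rbl_client does on every connection, here is an added example (not code from the original page or from Postfix) of the DNSBL lookup: the client address is reversed, the zone name is appended, and the A records returned are interpreted. The resolver is a constructed in-memory fake and the listed addresses are documentation ranges, so nothing is sent to Spamhaus. The return-code meanings are Spamhaus's published ones; the decision to ignore the 127.255.255.x error responses rather than reject on them is a design choice of this example.

```python
"""DNSBL lookup the way Postfix's reject_rbl_client performs it (added example).

The zone contents and the resolve() callback are constructed for this
illustration; nothing here contacts Spamhaus.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

ZONE = "sbl-xbl.spamhaus.org"  # the combined zone named on the page

# A records a Spamhaus listing returns (all inside 127.0.0.0/8).
# Answers in 127.255.255.0/24 are error signals (for example 127.255.255.254
# means the query went through a public/open resolver), not listings; a naive
# "any answer means listed" check would then reject all inbound mail.
LISTING_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(client_ip: str, zone: str = ZONE) -> str:
    """Reverse the IPv4 octets (or IPv6 nibbles) and append the DNSBL zone."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer  # '1.2.0.192.in-addr.arpa'
    for suffix in (".in-addr.arpa", ".ip6.arpa"):
        if rev.endswith(suffix):
            rev = rev[: -len(suffix)]
    return f"{rev}.{zone}"


def check_client(client_ip: str, resolve: Callable[[str], List[str]],
                 zone: str = ZONE) -> Tuple[str, str]:
    """Return ('ok' | 'reject', reason) for an SMTP client address.

    resolve(name) must return the A records for name, or [] for NXDOMAIN.
    """
    answers = resolve(dnsbl_query_name(client_ip, zone))
    if not answers:
        return "ok", "not listed"
    codes = [ipaddress.ip_address(a) for a in answers]
    errors = [c for c in codes if c in ERROR_NET]
    if errors:
        # Fail open: a DNSBL error response is a configuration problem to log,
        # not evidence that the client is a spammer.
        return "ok", f"DNSBL error response {errors[0]} ignored"
    hits = sorted({LISTING_CODES.get(str(c), f"unknown {c}") for c in codes})
    return "reject", f"listed in {zone}: {', '.join(hits)}"


# Constructed zone data standing in for real DNS answers.
FAKE_ZONE: Dict[str, List[str]] = {
    dnsbl_query_name("192.0.2.1"): ["127.0.0.2"],                 # SBL hit
    dnsbl_query_name("203.0.113.7"): ["127.0.0.4", "127.0.0.10"],  # XBL and PBL
    dnsbl_query_name("2001:db8::1"): ["127.0.0.6"],               # IPv6 XBL hit
    dnsbl_query_name("198.51.100.9"): ["127.255.255.254"],       # open-resolver error
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in resolver; a real one would issue an A query for name."""
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.1", "203.0.113.7", "2001:db8::1", "198.51.100.9", "10.0.0.1"):
        print(ip, dnsbl_query_name(ip), check_client(ip, fake_resolve))
```

Postfix itself treats any A record as a listing unless you restrict the return codes with the rbl_domain=d.d.d.d form of reject_rbl_client; filtering on the listing codes you actually want to act on is the equivalent of the error check above.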

Sender Address Verification

Another effective method of restricting spam is to require sender address verification. Postfix opens an SMTP session to the mail exchanger for the sender's domain and runs the dialogue up to RCPT TO for the sender address, then quits without sending a message; a 5xx reply means the address does not exist and the incoming mail is rejected. This takes time and resources, and it has side effects you should weigh: the probes are visible to the remote site, some sites treat them as abuse and may list your server, and until a result is cached Postfix answers the incoming client with a 450 temporary rejection (unverified_sender_reject_code), so legitimate mail is delayed rather than lost. For that reason the Postfix documentation recommends applying it selectively, for example only to domains that are frequently forged, via check_sender_access, rather than to every sender. Keep it after permit_mynetworks and reject_unauth_destination so you never probe on behalf of mail you would reject anyway. You will need to add the reject_unverified_sender option.

smtpd_recipient_restrictions =
    warn_if_reject reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unknown_sender_domain
    reject_unknown_recipient_domain
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_hostname
    reject_invalid_hostname
    check_helo_access pcre:/etc/postfix/helo_checks
    check_sender_mx_access cidr:/etc/postfix/bogus_mx
    reject_unverified_sender
    permit

There is a way to make this cheaper. The verify(8) daemon caches the result of every address it probes, so the same address is not looked up again while the entry is fresh (address_verify_positive_expire_time and address_verify_negative_expire_time control the lifetimes). By default that cache lives only in the daemon's memory and is lost when the daemon exits or Postfix is restarted. You can tell Postfix to write the cache to a map file instead, so the results survive restarts. Use the address_verify_map parameter to make this work.

address_verify_map = btree:/var/spool/postfix/verified_senders

The verify(8) daemon runs as the unprivileged Postfix user, so the directory must be writable by that user; since Postfix 2.5 the intended place is $data_directory (for example btree:$data_directory/verify_cache), which is also the default location in current releases.

Failed probes are cached as well by default. If you do not want to cache negative results (for example because a transient failure on the remote side would otherwise keep rejecting a valid sender until the entry expires), use this parameter:

address_verify_negative_cache = no
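The following is an added example (not Postfix code and not from the original page) that models the verification probe described above together with the cache behaviour of address_verify_map and address_verify_negative_cache. The remote MTA is a constructed fake served over a socket pair so the exchange runs offline; the probe sender, HELO name and all addresses are placeholders. The cache here is a plain dictionary without expiry, a simplification of what verify(8) does.

```python
"""Sender address verification probe, modelled on what Postfix's verify(8)
and smtp(8) do for reject_unverified_sender (added example, not Postfix code).

The remote MTA is a constructed fake over a socketpair; names are placeholders.
"""
import socket
import threading
from typing import Dict, Tuple

PROBE_SENDER = "double-bounce@mail.example.test"  # Postfix: address_verify_sender
PROBE_HELO = "mail.example.test"


def _read_reply(f) -> Tuple[int, str]:
    """Read one (possibly multi-line) SMTP reply; EOF counts as a 421."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            return 421, "connection closed"
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)


def probe_sender(sock: socket.socket, sender: str) -> str:
    """Run EHLO / MAIL FROM / RCPT TO for `sender` and stop before DATA.

    Returns 'verified' (2xx to RCPT), 'unverified' (5xx) or 'undetermined'
    (4xx or an earlier failure). Postfix maps these to accept, reject and a
    450 temporary reject of the incoming mail, respectively.
    """
    f = sock.makefile("rb")

    def cmd(line: str) -> int:
        sock.sendall((line + "\r\n").encode("ascii"))
        return _read_reply(f)[0]

    try:
        if _read_reply(f)[0] != 220:  # banner
            return "undetermined"
        for line in (f"EHLO {PROBE_HELO}", f"MAIL FROM:<{PROBE_SENDER}>"):
            if cmd(line) != 250:
                cmd("QUIT")
                return "undetermined"
        code = cmd(f"RCPT TO:<{sender}>")
        cmd("QUIT")  # no DATA: a probe never delivers a message
    finally:
        f.close()
    if 200 <= code < 300:
        return "verified"
    if 500 <= code < 600:
        return "unverified"
    return "undetermined"


def fake_mta(sock: socket.socket, mailboxes: Dict[str, str]) -> None:
    """Constructed remote MTA: `mailboxes` maps address -> reply to RCPT TO."""
    f = sock.makefile("rb")
    sock.sendall(b"220 mx.example.test ESMTP\r\n")
    try:
        while True:
            raw = f.readline()
            if not raw:
                break
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb == "QUIT":
                sock.sendall(b"221 2.0.0 bye\r\n")
                break
            if verb == "RCPT":
                addr = line[line.index("<") + 1:line.index(">")]
                reply = mailboxes.get(addr, "550 5.1.1 no such user")
            else:
                reply = "250 ok"
            sock.sendall((reply + "\r\n").encode("ascii"))
    finally:
        f.close()
        sock.close()


def verify(sender: str, mailboxes: Dict[str, str]) -> str:
    """Probe `sender` against the fake MTA running in a thread."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_mta, args=(server, mailboxes), daemon=True)
    t.start()
    try:
        return probe_sender(client, sender)
    finally:
        client.close()
        t.join(timeout=5)


def verify_cached(sender: str, mailboxes: Dict[str, str], cache: Dict[str, str],
                  negative_cache: bool = True) -> str:
    """Consult the cache first, as address_verify_map lets verify(8) do.

    negative_cache=False mirrors address_verify_negative_cache = no: only
    successful probes are remembered. Expiry is omitted in this model.
    """
    if sender in cache:
        return cache[sender]
    verdict = verify(sender, mailboxes)
    if verdict == "verified" or (negative_cache and verdict == "unverified"):
        cache[sender] = verdict
    return verdict


if __name__ == "__main__":
    boxes = {"alice@example.test": "250 2.1.5 ok", "grey@example.test": "450 4.7.1 try later"}
    for who in ("alice@example.test", "nobody@example.test", "grey@example.test"):
        print(who, verify(who, boxes))
```

Note that a 4xx reply (greylisting on the remote side is the common case) leaves the result undetermined, which is exactly why Postfix answers the original client with a temporary 450 rather than a permanent rejection: the client retries later, by which time the probe has usually been re-run and cached.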
