Still Spamming after 5 years

postfix, catch all, iptables, spam blocking


Frank_Rizzo

9:48 am on Oct 7, 2010 (gmt 0)

5 years ago my server started receiving 10,000+ spam email a day:

[webmasterworld.com...]

The simple answer to that was to just turn off the catch all addressing that I was using.

That worked, in that it stopped 99.99% of the spam messages, however, 5 years on they are still being sent, and still being rejected.

re: I don't know why / how but hundreds of email addresses for my site were added to a spam network. This is where emails were in the format:

asbvt213 at mydomain
arydur at my domain
ayr229 at my domain
azbutyq at my domain

The recipients all start with a and are all rejected.

---

After 5 years I am finally getting round to doing something about this!

Even though the server has light traffic clearly 10-20,000 emails a day is not good for the environment, and I guess it is putting a bit of strain on the server when postfix mysql and apache are all crunching data.

1. Who exactly is behind this?

2. What is the point?
2a. Are they trying to relay messages?
2b. Do they think that the email addresses are valid and thus it's worth sending 10-20,000 spams a day to those addresses?

3. Why, after 5 years of reject / unknown recipient, hasn't the spam system realised that the messages are not getting through?

4. What more do I need to do to stop this?

As I said, 5 years ago I just turned off catch all. This returned emails as user unknown. Shortly after I set up RBL filtering and this rejects the vast majority of the messages.

A few days ago I implemented an iptables blocking script. Every 5 minutes the maillog file is scanned for rejected: mail. If one is found the IP is dropped with iptables.

This has had some success in that the spam rate has now gone down from an average of 15,000 per day to 6,000 but clearly this is still unacceptable.

----

Note! I do not need a solution for blocking the spam mail - I already have that with various methods. The spam emails never arrive in the inbox because they are all caught by postfix.

What I want to do is to stop these arriving at the server in the first place. To do that I would need to know who / what is behind it; why have they not realised the ayzr2234 at mydomain addresses do not exist and have never existed for 5 years.
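The maillog-scanning script described in this post, as an added example (not Frank_Rizzo's own script): it counts Postfix "reject:" lines per client IP over constructed sample log lines, skips an allow list, and renders the iptables DROP rules instead of running them. The log format, threshold and allow list are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed Postfix smtpd rejection lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Oct  7 09:01:12 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <asbvt213@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<asbvt213@example.com> proto=ESMTP helo=<mail.example.net>
Oct  7 09:01:13 mx postfix/smtpd[4120]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 550 5.1.1 <arydur@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<arydur@example.com> proto=ESMTP helo=<mail.example.net>
Oct  7 09:01:20 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from example.org[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using zen.spamhaus.org; from=<y@example.org> to=<sales@example.com> proto=ESMTP helo=<example.org>
Oct  7 09:02:05 mx postfix/smtpd[4122]: NOQUEUE: reject: RCPT from partner.example[192.0.2.33]: 550 5.1.1 <salse@example.com>: Recipient address rejected: User unknown in local recipient table; from=<z@partner.example> to=<salse@example.com> proto=ESMTP helo=<partner.example>
Oct  7 09:02:40 mx postfix/smtpd[4123]: connect from localhost[127.0.0.1]
"""

# Client IP sits in brackets right after "RCPT from <hostname>".
REJECT_RE = re.compile(r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]")

# Never ban loopback or RFC1918 space (assumed defaults; extend with partner ranges).
DEFAULT_ALLOW = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def rejected_ips(log_text):
    """Count 'reject:' lines per client IP, as the 5-minute maillog scan does."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def ban_candidates(log_text, threshold=2, allow=DEFAULT_ALLOW):
    """IPs with at least `threshold` rejections in the window, minus the allow list.
    A threshold above 1 avoids banning a real sender for one mistyped recipient."""
    nets = [ipaddress.ip_network(a) for a in allow]
    out = []
    for ip, n in rejected_ips(log_text).items():
        addr = ipaddress.ip_address(ip)
        if n >= threshold and not any(addr in net for net in nets):
            out.append(ip)
    return sorted(out)

def iptables_rules(ips):
    """Render (but do not execute) the DROP rules the script would apply on port 25."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in iptables_rules(ban_candidates(SAMPLE_LOG)):
        print(rule)
```

With the sample above only 203.0.113.7 crosses the threshold of two rejections; the single RBL hit and the single mistyped recipient from 192.0.2.33 are left alone.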

encyclo

2:02 pm on Oct 7, 2010 (gmt 0)

The spammers never get the bounces and they wouldn't care much about them anyway. There's no advantage to "cleansing" their list of email addresses as there is no extra costs to them of sending to invalid addresses, especially if the spam is sent by virus-infected machines not owned by the spammer. Spammers also resell lists of email addresses, where the price is for quantity not quality :)

It sounds as if you are doing well, but I don't think it will be possible to get close to eliminating much of the spam being sent to your domain.

Frank_Rizzo

4:55 pm on Oct 7, 2010 (gmt 0)

I thought that may be an answer: They just fire and forget.

But surely there is a point where their spam lists are just too big and they have to cleanse the list?

One other point. Is there a safe limit for blocking with iptables?

I'm currently banning around 3000 IPs a day. I wonder if this is now taking the strain off postfix and putting it onto the iptables service. Would legitimate traffic now have to be queued or lose connection whilst every connection is checked for by iptables?

creeking

6:02 pm on Oct 7, 2010 (gmt 0)

I bought a domain formerly used by a free email service. :)

it gets over three thousand spams per day. all are forwarded to a gmail account.

Hoople

3:02 am on Oct 19, 2010 (gmt 0)

You never will get to a low value of spam messages, accept it. Some medical related F100 industries get 80-98% spam at the mx level. I've been doing email admin for 10+ years and it's now getting worse in other areas.

Maintaining an IP ban list will get a good amount of sources under control. Continue with this. How much is too big? Atypically a 1-2 million message per day front end has several member servers load balanced. Your processing speed vs budget will be the limiting factor.

To go lower from what you are doing you will have to invest in a DNS black list integrated with a greylisting or tar pitting solution. These type of filters do not accept the data (they will drop the connection before data is sent). Integrating a whitelist at this point has tremendous value. Further filtering at this point for SMTP conversation weirdness (not behaving like a known server) can reject some SPAM sent by scripts that implement SMTP poorly.

Connecting the IP tables (IP ban table, greylisting and tar pitting) is needed globally in some manner to prevent one filter from doing too much of what previously only the IP filter was doing.

Weighting factors from DNS Black Lists downstream (after data acceptance) can be integrated to do SPAM header tagging. If MS Outlook or other spam aware client is used you could then give the end user the final spam choice. Avoid using just one DNS list and giving one DNS list of many too much power. Not doing this can lead to a higher false spam rejection and the ensuing yelling end-users in your cubicle :-)

Frank_Rizzo

3:53 pm on Oct 19, 2010 (gmt 0)

This is on a small site where there are only 5 or so email addresses (custserv at , sales at ...) The thousands of spam emails each day are sent to the azyte34 and variations addresses which do not exist.

What I was hoping to implement was a way to read that recipient at the earliest stage, and to drop and block right at that level before postfix does what postfix does.

At the moment I believe postfix reads all mail, performs about 5 DNSBL lookups, rejects the mail, and a few other things. Only at the last stage, if the BLs are passed, is the 'unknown recipient' processed.

Maybe it is possible to instantly zap the connection at the beginning of the process, rather than having to do the lookups, logging, etc?

Hoople

12:56 am on Oct 20, 2010 (gmt 0)

zap the connection at the beginning of the process

That's the 50,000 ft view of grey listing or tar pitting. It acts as a SMTP proxy server ahead of PostFix's DNS-RBL checks. A good primer on this can be found at [en.wikipedia.org ]

For something that small there are a few grey listing add-ons for PostFix (like postgrey [postgrey.schweikert.ch ]) that have the ability to whitelist local mailboxes. Adding the frequently spammed to the greylist's internal blacklist will then dump these repeaters immediately.

I'm not a PostFix guru but I feel a blend between black listing and letting a grey listing program do its thing will reduce the remaining load a lot. I typically place an ASSP SMTP proxy server ahead of my Microsoft Exchange 2003/2007 environments as the MS solution isn't as mature.

leafgreen

7:36 am on Oct 23, 2010 (gmt 0)

I'm not anywhere nearly as knowledgeable as Hoople or even you Frank, but I have a similar situation that I've been dealing with.
My suggestion is to shut down the mail server at your domain. Use some outside service such as Returnpath for those 5 email addresses, and forward mails to them to a new mailserver at a new domain.

encyclo

1:15 am on Oct 24, 2010 (gmt 0)

This is on a small site where there are only 5 or so email addresses


My suggestion is to shut down the mail server at your domain. Use some outside service such as Returnpath for those 5 email addresses, and forward mails to them to a new mailserver at a new domain.


I agree 100%. Outsource. Google Apps premier edition for five users is $250 a year, it's ad-free, you can use IMAP, you get 25Gb of space per user... the spam problem is no longer yours (and Google's filtering is virtually flawless), and it will pay for itself many times over in saved admin time. I absolutely love Google Apps, and I firmly believe that their email offering is Google's best product.

There are other outsourced alternatives, of course - if you like the Microsoft way, there are hosted Exchange solutions out there too.

Status_203

8:51 am on Oct 25, 2010 (gmt 0)

I agree with the opinion to outsource email to a third party, but I'm not convinced that Google is that great at filtering anymore.

I see maybe 1 or 2 spams a month in my main inbox (which handles a handful of domains, with catchall addresses on all of them). Having resurrected a very old, never used, gmail account for my Android phone (where the only valid email is Android Marketplace receipts), I get several a week in there!

Dijkgraaf

8:16 pm on Nov 1, 2010 (gmt 0)

As others have mentioned, spammers don't bother cleaning up their e-mail lists as it doesn't cost them anything to send, as they are usually stealing other people's resources to do it anyway.
Project honeypot shows that sometimes an address harvested isn't used till years afterward.
Time From Harvest To First Spam
Slowest: 3 years, 4 months, 2 weeks, 3 days, 20 hours, 1 min, 31 secs
Fastest: 1 sec
Average: 2 weeks, 5 days, 12 hours, 49 mins, 41 secs

The only time they probably "clean" their list is if they want to on-sell the list and the buyer wants verified good addresses.