http://blog.bfccomputing.com/articles/2009/05/06/reducing-spam-with-smtp-validation-on-postfix en-us 40 My God, It's Full of Source! <p>This is a neat enhancement to postfix for reducing spam by attacking its economics: making sure it speaks SMTP properly.</p> <p>A spammer gets paid by the message delivered. So, it's in his interest to flood them out as quickly as possible. Because of this, they rarely implement mailers which negotiate the SMTP connection politely - they simply open the TCP connection and start sending.</p> <p>When an SMTP client doesn't respect the proper-back-and forth postfix expects, it'll flag it as unauthorized 'pipelining' - for example when multiple messages are sent in succession, but which would otherwise be OK.</p> <p>We can take advantage of this by forcing the issue, and increasing the odds a spammer will make this mistake by waiting just a second between establishing the TCP connection and telling the spammer we're ready to take mail. A loaded mail server may behave this way anyway, so it's not outside the norm and the resource consumption is minimal, but it attacks the economics of spamming.</p> <p>In your main.cf file, you would add to <code>smtpd_client_restrictions</code> something like this:</p> <pre> <code>smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, check_client_access hash:/etc/postfix/access-client, sleep 1, reject_unauth_pipelining </code> </pre> <p>We accept all of our own users' connections (interactive ones, perhaps) right away, and if the sender is totally unknown to us, we wait for just a second. Then we reject any unauthorized pipelining. The log will show something like this:</p> <p><code>May 6 10:49:00 mailhub postfix/smtpd[8965]: NOQUEUE: reject: RCPT from unknown[10.1.2.3]: 403 4.5.0 <a href="&#x6D;&#x61;&#105;l&#116;&#x6F;:&#x73;&#x70;&#097;&#109;&#x74;&#097;&#x72;g&#x65;&#116;&#x40;&#x65;&#x78;&#x61;&#x6D;&#112;&#x6C;&#101;&#046;&#x63;&#x6F;&#109;">&#x73;&#x70;&#097;&#109;&#x74;&#097;&#x72;g&#x65;&#116;&#x40;&#x65;&#x78;&#x61;&#x6D;&#112;&#x6C;&#101;&#046;&#x63;&#x6F;&#109;</a>: Recipient address rejected: Improper use of SMTP command pipelining</code></p> <p>when the spammer attempts to just send.</p> <p>It's worth noting that this method may not scale to very large installations, as those one second delays may be too much. But for the average-sized postfix install, it can make yet another dent in the spam deluge. Where it does consume 'too many' resources, one must weight the cost of computing resources vs. the time cost of dealing with yet another spam.</p> Wed, 06 May 2009 10:50:00 -0400 urn:uuid:8d2b1675-60f9-473c-b48a-9b9d317add3d Bill McGonigle http://blog.bfccomputing.com/articles/2009/05/06/reducing-spam-with-smtp-validation-on-postfix Internet Open Source Security http://blog.bfccomputing.com/articles/trackback/4806 <p>'Large' is probably north of 10 messages a second.</p> Wed, 06 May 2009 13:04:19 -0400 urn:uuid:820f464a-6ab0-4af8-ad17-63b5680581cd http://blog.bfccomputing.com/articles/2009/05/06/reducing-spam-with-smtp-validation-on-postfix#comment-30531 <p>Would TA fit your definition of an "average-sized postfix install"? If yes, is this something we might implement in addition to or in place of the grey-listing?</p> Wed, 06 May 2009 11:26:02 -0400 urn:uuid:fe860171-e6a6-45fd-a913-f49de0f93b9b http://blog.bfccomputing.com/articles/2009/05/06/reducing-spam-with-smtp-validation-on-postfix#comment-30530