
Does anyone know of a way, using Postfix, to block a domain as soon as it tries to send to a specific recipient address?

Spam typically goes to several recipients in my organization. Some email addresses are active but many are dormant, meaning the email addresses still exist but should not be getting any legitimate email. If anyone sends to one of the dormant addresses, then we can assume everything else from that domain is spam.

What I want to do is as soon as an email is received to a recipient address on the dormant email list, then immediately reject all other emails from that sender domain.

Looking at the log I see the following pattern. Each email comes in about a minute apart:

I know all the dormant email addresses, and know that any mail sent to them is spam, so what I want to do is block the sending domain as soon as it sends mail to a dormant email address, like so:

Block domain spamdomain.com

One idea is to scan the tail of the log every 10 seconds or so and, based on finding one of the dormant addresses, modify the check_sender_access file and restart Postfix but that might result in my server being down when real email is being received. So ideally this could be done without bringing down Postfix.

Any help is greatly appreciated.

  • I have been wrong more than once in assuming an email address, no longer used for 10 years, would never get legitimate mail again. Be careful to not equate "almost all mail they currently get is spam" with "no legitimate mail could possibly end up there".
    – anx
    Commented Jun 10, 2022 at 0:15
  • More of a security discussion, but for sake of completeness: In its simplest form, your approach is a DoS vulnerability: An adversary could prevent you from learning important information, or trick one of your suppliers into initiating account recovery procedures otherwise reserved for invalid mailboxes, by making your server reject mail after receiving a forged mail to one of your dormant boxes.
    – anx
    Commented Jun 10, 2022 at 4:41
  • The milter rspamd has a spamtrap module that may help you: rspamd.com/doc/modules/spamtrap.html
    – FatRabbit
    Commented Jun 10, 2022 at 6:40
  • These are all really good points and greatly appreciated. Thanks y'all.
    – MindSpiker
    Commented Jun 11, 2022 at 1:39

1 Answer


Don't do that, there are entire organizations (Spamhaus would be a notable one) that do this on a better scale, with better handling of edge cases, and with easier remediation in case it hits senders who happened to be seen sending mail to dormant mailboxes without being spammers.

If this pattern is significant at all (it is no longer a common occurrence for me), you may not be making effective use of public DNSBL providers yet. The spammers that walk into every spamtrap... they are generally hosted with providers that have already been identified as networks few legitimate businesses want to exchange mail with.

There is one more thing, albeit much simpler than the approach you suggest, that may help you for the last mile: Set up fail2ban to briefly stop talking to senders causing multiple permanent errors. Three lines of configuration, little to no collateral damage or recurring support obligations.

I recommend not even distinguishing which error (status 5XX) that was (sent to dormant address, syntax errors, violating DMARC policies, ...) so long as you ensure your rules do not match temporary errors (status 4XX), which should be possible to quickly retry (e.g. DNS lookup failures or consequences thereof). I found refusing connections from repeat offenders for just a few minutes to be entirely sufficient to stop the larger part of misdirected, misconfigured and ridiculously spammy senders - if they come back at all later, they have usually since hit a spamtrap of a DNSBL provider I have set up, so I will refuse them for that reason, then.

  • I added reject_rbl_client zen.spamhaus.org to the smtpd_recipient_restrictions section of the /etc/postfix/main.cf file which so far has worked perfectly. Thanks.
    – MindSpiker
    Commented Jun 11, 2022 at 1:42
  • @MindSpiker Careful! That is not the complete thing you have to add. It is reject_rbl_client domain=filter, you are missing the filter part! Which is very important, otherwise you would also reject mail when the lookup to that provider was refused - instead of only when the lookup produced a result.
    – anx
    Commented Jun 11, 2022 at 1:47
  • Great point @anx. Thanks for adding this. The line should be something like: reject_rbl_client zen.spamhaus.org=127.0.0.[2..11]. After messing with this I ended up setting up a free account with spamhaus.org which included copy-paste additions to main.cf including a query key.
    – MindSpiker
    Commented Sep 20, 2022 at 21:10
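The fail2ban suggestion in the answer hinges on one detail: count only permanent (5XX) rejections per client and never temporary (4XX) ones. The following Python script is an added illustration, not code from the answer or from fail2ban itself; it applies fail2ban's maxretry/findtime logic to a constructed Postfix smtpd log excerpt (the IPs, domains and thresholds are made up for the example) so you can see which clients would be banned and why the 4XX sender is left alone.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix smtpd log excerpt (not from the original question).
# 203.0.113.5 draws three permanent 5XX rejects, 198.51.100.7 only temporary
# 450 errors (a legitimate retry signal that must never lead to a ban).
SAMPLE_LOG = """\
Jun 10 00:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dormant@example.org>: Recipient address rejected: User unknown in local recipient table; from=<news@spam.example> to=<dormant@example.org> proto=ESMTP helo=<mail.spam.example>
Jun 10 00:02:05 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.7.1 <user2@example.org>: Recipient address rejected: Access denied; from=<news@spam.example> to=<user2@example.org> proto=ESMTP helo=<mail.spam.example>
Jun 10 00:03:09 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<news@spam.example> to=<user3@example.org> proto=ESMTP helo=<mail.spam.example>
Jun 10 00:04:11 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 450 4.1.8 <bob@partner.example>: Sender address rejected: Domain not found; from=<bob@partner.example> to=<alice@example.org> proto=ESMTP helo=<mail.partner.example>
Jun 10 00:05:13 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 450 4.1.8 <bob@partner.example>: Sender address rejected: Domain not found; from=<bob@partner.example> to=<alice@example.org> proto=ESMTP helo=<mail.partner.example>
Jun 10 00:06:15 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 450 4.1.8 <bob@partner.example>: Sender address rejected: Domain not found; from=<bob@partner.example> to=<alice@example.org> proto=ESMTP helo=<mail.partner.example>
Jun 10 00:07:20 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from relay.other.example[192.0.2.9]: 550 5.1.1 <old@example.org>: Recipient address rejected: User unknown in local recipient table; from=<it@other.example> to=<old@example.org> proto=ESMTP helo=<relay.other.example>
"""

# Match only RCPT rejects with a permanent 5XX status; 4XX lines never match.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9a-f.:]+)\]: (?P<code>5\d\d) "
)


def offenders(log_text, maxretry=3, findtime=600):
    """Return {ip: timestamp_of_ban} for clients that accumulate maxretry
    permanent rejections within any findtime-second window, mirroring
    fail2ban's maxretry/findtime semantics (hypothetical thresholds)."""
    hits = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        window = hits[m["ip"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop hits that fell out of the findtime window
        if len(window) >= maxretry:
            banned[m["ip"]] = m["ts"]
    return banned


if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"would ban {ip} after permanent rejects, at {when}")
```

Tightening findtime to a minute with the sample above bans nobody, which is the knob to turn if you see false positives from a legitimate relay that merely has a few stale addresses in its queue.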
