How to deal with outgoing spam flooding with Postfix

Solution 1:

SASL-authenticated clients using your mail server to send out spam or malware are usually the result of botnets. You can catch most, if not all, botnet-like behaviour using postfwd rules and the Postfwd Anti Geoip Spam Plugin, which will check for both high rates of sending as well as logins from more than one country or IP address.

Once you have installed postfwd and the plugin, you can configure rules which will block senders once they exceed certain limits.

A typical rate limiting ruleset might look like this (anti-botnet rules are given in the instructions for the Anti Geoip Spam Plugin link above):

id=R005; action=dunno ; client_name=friendly\.mailserver\.org\.uk$
id=R010; sender=~/.+/; action=rate(sender/100/86400/REJECT only 100 messages per day for sender [$$sender])
id=R020; sender=~/.+/; action=rate(sender/25/3600/REJECT only 25 messages per hour for sender [$$sender])
id=R030; sasl_username=~/.+/; action=rate(sasl_username/100/86400/REJECT only 100 messages per day for auth user [$$sasl_username])
id=R040; sasl_username=~/.+/; action=rate(sasl_username/25/3600/REJECT only 25 messages per hour for auth user [$$sasl_username])
id=R050; user=~/.+/; action=rate(user/100/86400/REJECT only 100 messages per day for user [$$user])
id=R060; user=~/.+/; action=rate(user/25/3600/REJECT only 25 messages per hour for user [$$user])
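As an added illustration (not part of the answer above and not postfwd's own code), here is a small Python sliding-window limiter that applies the same 25-per-hour and 100-per-day thresholds as rules R030/R040 and R010/R020 to a parsed Postfix policy request; the request text and user names are constructed for the example.

```python
"""Toy Postfix policy-delegation rate limiter, modelled on the postfwd rate() rules.

Constructed example: it is not postfwd and speaks no socket; it only shows the
per-attribute sliding-window logic that the rate(...) actions express.
"""
from collections import defaultdict, deque

# (max_messages, window_seconds) per policy attribute, as in R010-R040 above.
LIMITS = {
    "sasl_username": [(25, 3600), (100, 86400)],
    "sender": [(25, 3600), (100, 86400)],
}


def parse_policy_request(raw):
    """Parse one Postfix policy request ("key=value" lines ending in a blank line)."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break  # blank line terminates the request
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


class RateLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        # (attribute, value) -> timestamps of messages seen, oldest first
        self.seen = defaultdict(deque)

    def check(self, attrs, now):
        """Return the policy action for a request seen at time `now` (seconds)."""
        for item, windows in self.limits.items():
            value = attrs.get(item, "")
            if not value:
                continue  # rule only fires when the attribute is present (sender=~/.+/)
            q = self.seen[(item, value)]
            longest = max(w for _, w in windows)
            while q and q[0] <= now - longest:
                q.popleft()  # forget timestamps outside every window
            q.append(now)  # rejected attempts count too, as a botnet would keep trying
            for count, window in windows:
                recent = sum(1 for t in q if t > now - window)
                if recent > count:
                    return f"REJECT only {count} messages per {window}s for {item} [{value}]"
        return "DUNNO"
```

A real policy daemon would read such attribute blocks from the Postfix socket and answer with `action=...` followed by a blank line; the limiter above is only the decision logic.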