OT: third party relay attack
jordan at geoghegan.ca
Tue Jan 14 17:01:46 PST 2020
On 2020-01-10 03:04, Pierre Abbat wrote:
> My mailserver is being attacked by what looks like a botnet since December 16
> at 6:07 (11:07 UTC). Many hosts all over the world are sending mail purporting
> to be from many domains all over the world to a few domains in Russia. Most of
> the IP addresses are blocked by uceprotect.net; a few are blocked by other
> blocklists. A few are not blocked, but are rejected with "Relay access
> denied". The messages come at a rate of several per second.
> There are 133 emails stuck in leaf's mail queue, but they do not appear to be
> related to this attack.
When dealing with spam, there is no magic one-size-fits-all solution. In
order to mitigate spam, you'll need to come up with a multi-layered
I'm not sure what Steffan's issue with OpenSMTPD was; it sounds like he
made himself an open relay. I've run OpenSMTPD for a while now and it's
been working wonderfully for me.
Anti-spam is all about showing proof of work. No reverse DNS and forward
confirmed rDNS? Drop the connection. Bad senderscore? Drop the
connection. Part of a reputable spam blocklist? Drop the connection.
That way you're dropping the most egregious offenders before they've
even sent you any data. Only after they pass these basic checks is the
mail allowed in, where it is then analysed by something like Rspamd or
Doing all this with OpenSMTPD is super easy. The reverse DNS checks are
built right into it, and there are several other filters available as
well, such as the sender-score filter. I then use Rspamd for SPF and DKIM
checks as well as spam analysis. I also use Dovecot on the server and I
use the built-in Sieve filter to allow for easy training of the spam
I recommend checking out Gilles' (the creator of OpenSMTPD) how-to guide
for setting up a functional OpenSMTPD mail server:
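As an added illustration of the layered setup Jordan describes (this is example configuration written for this page, not taken from Jordan's message or from Gilles' guide), here is the shape it takes in OpenSMTPD's smtpd.conf, using the filter syntax introduced in 6.6. The host name, certificate paths, domain and threshold values are placeholders; filter-senderscore and filter-rspamd are separate packages, not part of OpenSMTPD itself, and Rspamd is assumed to be running on the same host.

```conf
# Added example configuration for the layered anti-spam setup described
# above. mail.example.com, example.com, the certificate paths and the
# senderscore thresholds are placeholders, not values from the post.

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key  "/etc/ssl/private/mail.example.com.key"

table aliases file:/etc/mail/aliases

# Layer 1: checks built into OpenSMTPD, evaluated at connect time.
# A client with no reverse DNS, or whose reverse name does not resolve
# back to the connecting IP (forward-confirmed rDNS), is disconnected
# before it has sent a single SMTP command, so it costs almost nothing.
filter check_rdns phase connect match !rdns \
    disconnect "550 no rDNS"
filter check_fcrdns phase connect match !fcrdns \
    disconnect "550 no FCrDNS"

# Layer 2: IP reputation via the external filter-senderscore process.
# Scores below 10 are rejected outright, scores below 70 are accepted
# but tagged as junk, and -slowFactor tarpits low-scoring clients
# (the delay grows as the score gets worse).
filter senderscore \
    proc-exec "filter-senderscore -blockBelow 10 -junkBelow 70 -slowFactor 5000"

# Layer 3: content analysis. filter-rspamd hands each message to the
# local Rspamd instance, which performs the SPF/DKIM checks and spam
# scoring; it only ever sees mail that survived the cheaper layers.
filter rspamd proc-exec "filter-rspamd"

# Filters run in the order listed: cheap built-in rejections first,
# the reputation lookup next, the expensive content scan last.
listen on egress tls pki mail.example.com \
    filter { check_rdns, check_fcrdns, senderscore, rspamd }

# Delivery and relay policy. Only mail originating on this host reaches
# the "outbound" relay action; everything arriving from the network can
# only be delivered to local domains, which is what keeps this from
# being an open relay. (An authenticated submission listener for remote
# users is omitted here.)
action "local_mail" lmtp "/var/dovecot/lmtp" rcpt-to
action "outbound"   relay

match from any for domain "example.com" action "local_mail"
match for local action "local_mail"
match from local for any action "outbound"
```

Two caveats a practitioner will want. First, the FCrDNS disconnect is strict: some legitimate but badly configured senders will be dropped, so watch maillog for a while before deciding the threshold is right for your user base. Second, the relay boundary is entirely the `match` rules at the bottom; adding a `match from any for any` line, or pointing a network-facing rule at the relay action, is exactly how a server turns into an open relay.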