OT: third party relay attack

Jordan Geoghegan jordan at geoghegan.ca
Tue Jan 14 17:01:46 PST 2020

On 2020-01-10 03:04, Pierre Abbat wrote:
> My mailserver is being attacked by what looks like a botnet since December 16
> at 6:07 (11:07 UTC). Many hosts all over the world are sending mail purporting
> to be from many domains all over the world to a few domains in Russia. Most of
> the IP addresses are blocked by uceprotect.net; a few are blocked by other
> blocklists. A few are not blocked, but are rejected with "Relay access
> denied". The messages come at a rate of several per second.
> There are 133 emails stuck in leaf's mail queue, but they do not appear to be
> related to this attack.
> Pierre

When dealing with spam, there is no magic one size fits all solution. In 
order to mitigate spam, you'll need to come up with a multi-layered 
anti-spam solution.

  I'm not sure what Steffans issue with OpenSMTPD was, it sounds like he 
made himself an open relay. I've run OpenSMTPD for a while now and its 
been working wonderfully for me.

Anti spam is all about showing proof of work. No reverse DNS and Forward 
confirmed rDNS? Drop the connection. Bad senderscore? Drop the 
connection, part of a reputable spam blocklist? drop the connection. 
That way you're dropping the most egregious offenders before they've 
even sent you any data. Only after they pass these basic checks is the 
mail allowed in, where it is then analysed by something like Rspamd or 
spamassasin etc.

Doing all this with OpenSMTPD is super easy. The reverse DNS checks are 
built right into it, and there are several other filters available as 
well such as the sender-score filter. I then use Rspamd for spf and dkim 
checks as well as spam analysis. I also use dovecot on the server and I 
use the built in sieve filter to allow for easy training of the spam 

I recommend checking out Gilles (the creator of OpenSMTPD) how-to guide 
for setting up a functional OpenSMTPD mail server:


More information about the Users mailing list