[BlueOnyx:19689] Re: e-mail flooding
Tigerwolf
tigerwolf at tigerden.com
Fri Jun 10 09:30:58 -05 2016
On Fri, 10 Jun 2016, "Meaulnes Legler"@MailList wrote:
> Since the senders differ, I cannot use the apf firewall, or can I?
The senders may vary, but the IP very likely will be all the same or
within a network block. That should be easily filtered by iptables.
From your sample, 138.185.239.223 in Brazil appears to be the source.
Check your mail logs for IPs in the same network range as the sample:
grep 138.185.239. /var/log/maillog|less
If there's lots of entries, then just firewall the source network
iptables -A INPUT -s 138.185.239.223/24 -j DROP
Adjust the netmask for larger or smaller numbers of blocked IPs.
> I think I could use SpamAssassin to filter out those mails, but I don't
> know how to configure it.
SA takes some time to 'learn' the nature of a spam before it will filter
new things, so not really a good tool for stopping a sudden flood.
> Any ideas?
Use SpamHaus. The BX GUI for mail should have a choice to enable DNS
blocklists (DNSBL) with SpamHaus blocking. SpamHaus is usually quick to
spot sources of floods and blocks the source IPs. It works by having
sendmail do a DNS lookup to SpamHaus when there's incoming mail, and the
result that is returned determines if mail is accepted or, if it's a
known spammer source, stopped immediately.
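The log check and firewall step described in the reply above, as an added example that is not part of the original post or of BlueOnyx: a small POSIX shell script that tallies sendmail-style maillog lines by the /24 of the connecting relay and prints (rather than applies) a DROP rule for any block over a chosen threshold. The log lines, host names and IP addresses in it are constructed from documentation ranges, and the function names count_by_net and suggest_rules are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Summarise maillog entries by
# source /24 and suggest an iptables DROP rule for blocks above a threshold.

# Constructed sample maillog lines (sendmail format, made-up hosts and IPs).
SAMPLE_LOG='Jun 10 09:01:02 host sendmail[1001]: u5AE12aa001001: from=<a@example.net>, size=1200, relay=mx.example.net [198.51.100.7]
Jun 10 09:01:05 host sendmail[1002]: u5AE15aa001002: from=<b@example.org>, size=900, relay=[203.0.113.41]
Jun 10 09:01:09 host sendmail[1003]: u5AE19aa001003: from=<c@example.org>, size=950, relay=[203.0.113.77]
Jun 10 09:01:14 host sendmail[1004]: u5AE1Eaa001004: from=<d@example.com>, size=700, relay=relay.example.com [192.0.2.9]
Jun 10 09:01:20 host sendmail[1005]: u5AE1Kaa001005: from=<e@example.org>, size=880, relay=[203.0.113.102]'

# count_by_net FILE
# Prints "COUNT NETWORK/24" per source block, most frequent first, using the
# IP inside the [...] of each relay= field.
count_by_net() {
  awk '
    match($0, /relay=[^,]*\[[0-9.]+\]/) {
      ip = substr($0, RSTART, RLENGTH)
      sub(/.*\[/, "", ip)          # drop everything up to the bracket
      sub(/\]/, "", ip)            # drop the closing bracket
      split(ip, o, ".")
      net[o[1] "." o[2] "." o[3] ".0/24"]++
    }
    END { for (n in net) print net[n], n }
  ' "$1" | sort -rn
}

# suggest_rules FILE THRESHOLD
# Prints one iptables DROP rule for every /24 with at least THRESHOLD entries.
# The rule is printed, not executed, so it can be reviewed first.
suggest_rules() {
  count_by_net "$1" | awk -v t="$2" '$1 >= t {
    print "iptables -A INPUT -s " $2 " -j DROP"
  }'
}

# Demonstration on the constructed sample; on a real host point the
# functions at /var/log/maillog instead.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
echo "Entries per source /24:"
count_by_net "$tmp"
echo "Suggested rules (threshold 2):"
suggest_rules "$tmp" 2
rm -f "$tmp"
```

The threshold keeps a single legitimate sender in a busy block from being cut off; review the printed list before running any rule, and widen or narrow the mask by hand where a flood spans more or less than one /24.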