I would like to stop all mail from going to one of my domains. This domain is purely a website and has no MX record. The problem is that spammers are sending mail to the domain and it causes Spamassassin and Clamav to use system resources. Sometimes the spam makes it through and I get it via my catchall account. Is there a way to quietly discard all mail sent to a domain or maybe block ports 25, 110 & 143 for a single domain? Another option would be if I could block all incoming mail except from specific IP addresses. We have a external service that filters all of our incoming mail. We use their domain in our MX record already but it does not cover all of my domains. Today my Postfix mailqueue went up to levels I have never seen and both Spamassassin and Clamav are going crazy using resources. It appears I am under some sort of DDOS attack via mail.
How do I do this? Ok, I contacted my email filtering company and they told me what to do but, I don't know exactly how to implement their recommendations. I assume I need to change something in the iptables configuration but I'm not sure. Here's what they told me to do: ------------------------------- Locking Down your Mail Servers In order to prevent senders from bypassing filtering by connecting directly to yoursite.com mail servers, it is recommended that the yoursite.com mail servers be locked down so that they only accept SMTP traffic from the filtering service mail servers. For your reference, the IP subnets currently hosting filtering service mail servers are listed below. Filtering Service IP Subnets Use One of the Approved Settings Preferred Firewall IP Setting 208.65.144.0/21
I'm not aware how you can block smtp for only one domain in ISPconfig. SPAM is a big issue with us also, what we do is run a mailproxy using qpsmptd and point all of our MX records to it. We've worked on it's configuration over the last year and have it blocking almost 98% of the spam before it hits our smtp server. Right now it is blocking about 40,000 spam messages a day. Another idea would be if this domain is to truly not to get ANY email, add a MX record for it and point it to one of your servers that has the SMTP port blocked.
Ok, here's what I have done: I added an MX record in the domain that should not be receiving mail. That MX record points to my mail filtering service who only accept mail for one of my other domains. The mail attack has stopped. I don't know if the MX record fixed the problem or the attackers just gave up!
The mail server is only used for email and nothing else. So we only have to tell the proxy server and internal servers that need to use it, are the only ones that know the location of the mailserver. SO I have one ISP config server for hosting some of my small domains and a separate one which hosts just email for my larger sites. And by publishing a MX record for every domain and having them all point to the proxy, the spammers have a target which can handle them. qpsmtpd is VERY configurable, and very resource light, and I keep it pretty simple. Running on a celeron 700Mhz, 256MB ram, it never uses more then 70% CPU or uses swap. I don't do any user account validation, I let the smtpd server handle what gets through. I limit the number of connections from a single ip to 1, limit the number of concurrent connections to 20, a bunch or Perl pluggins that do the RBL lookups and other filtering, then spamassassin annd clamav. What makes it through gets forwarded to the smtpd server and it likes it that way.
So it sounds like the only thing you had to do on your ISPConfig server was to create an MX record that points to your mail proxy? That sounds like the same thing I just did a few moments ago. We use a company, MX Logic, to filter all of our incoming mail for viruses. They will only pass "clean" mail to our ISPConfig server that is addressed to specific email addresses. Everything else is filtered out and never reaches us. It does basically the same thing your proxy does.
If you look at the attached picture you can see the affect of the mail attack on my server load. (circled in red). The attack lasted from about 3pm to 5pm today. The spikes between 4am and 5am are from my normal cron backup procedures.
