A few weeks ago I started doing some work on geo-specific filtering, where email is treated very differently depending on the sending IP.
Since implementing this we have been very happy with the results.
I also run a UML for my personal usage and for a couple of my pet projects. It’s a nice place to try things out.
Needless to say the domains hosted on it do get sent a lot of spam, however the main filters usually block most of it.
Unfortunately spammers really do not care about respecting DNS “rules” and instead of mail being sent to the domains’ MX an increasing amount of junk is hitting the A records.
The obvious option would be to firewall off the IP entirely and only allow mail to be sent to it from the mail gateway, however that would also enforce certain restrictions on usage of the SMTP which I did not want to have to implement.
To make it slightly more complicated I also host a mailing list directly on the UML, so mail needs to be sent directly to it.
After analysing our internal data on spam it became very clear that I could safely implement a complete block on certain countries without affecting any of my users (me, my mother, the mailing list and a stray dog).
Both my mail and my mother’s are protected by the gateway, so any mail being sent directly at the A records is spam.
The mailing list has a membership of about 10 people who all live and work in Ireland. There is no reason why anybody outside Ireland would be sending to this list.
With these criteria in mind I went about implementing some form of UCE/spam protection at the MTA level (postfix on debian).
Postfix does provide some documentation on setting up UCE blocks but I read it when I was extremely tired, so it didn’t make too much sense to me 🙂 (NB: Do not go messing with MTA configuration when you haven’t slept properly for 4 days – it hurts)
A slightly clearer set of examples was to be found on Babak’s blog, aptly called “Geek Style”. His article gave me a nice clear example on how to set it up.
NB: Babak refers to a proxies.relays.monkeys.com which is now defunct.
Needless to say I did not “go mad” and put in some of the more “liberal” DNSBLs, but restricted myself to the following setup:
reject_rbl_client relays.ordb.org
reject_rbl_client kr.countries.nerd.dk
reject_rbl_client cn.countries.nerd.dk
reject_rbl_client sbl.spamhaus.org
reject_rbl_client kp.countries.nerd.dk
reject_rbl_client ng.countries.nerd.dk
reject_rbl_client tw.countries.nerd.dk
reject_rbl_client th.countries.nerd.dk
Basically if the IP connecting to the MTA is listed in any of those DNSBLs they will get an error message:
Feb 5 11:02:27 tristan postfix/smtpd[22676]: NOQUEUE: reject: RCPT from unknown[218.156.170.80]: 554 Service unavailable; Client host [218.156.170.80] blocked using kr.countries.nerd.dk; Your IP is in kr, rejected based on geographical location; from=
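To make the mechanism behind that log line concrete, here is an added example (not from the original post or from Postfix itself) that builds the DNSBL query name the way reject_rbl_client does, checks a client against a list of zones, and parses the resulting reject line out of the mail log. The DNS answers and the log line are constructed stand-ins so it runs offline; in real use the resolver would be a DNS lookup.

```python
import ipaddress
import re
from typing import Callable, Optional, Tuple

# Constructed stand-in for DNS: query name -> A record a listing would return.
# Real DNSBL zones answer a listed address with something in 127.0.0.0/8.
FAKE_DNS = {
    "80.170.156.218.kr.countries.nerd.dk": "127.0.0.2",
    "5.4.3.2.relays.ordb.org": "127.0.0.2",
}

# Same zone order as the reject_rbl_client lines above; first match wins.
ZONES = ["relays.ordb.org", "kr.countries.nerd.dk", "cn.countries.nerd.dk",
         "sbl.spamhaus.org", "kp.countries.nerd.dk"]

# Constructed log line in the same shape as the one quoted in the post.
SAMPLE_LOG = ("Feb 5 11:02:27 tristan postfix/smtpd[22676]: NOQUEUE: reject: "
              "RCPT from unknown[218.156.170.80]: 554 Service unavailable; "
              "Client host [218.156.170.80] blocked using kr.countries.nerd.dk; "
              "Your IP is in kr, rejected based on geographical location;")

def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Octets reversed, zone appended: 1.2.3.4 + zone -> 4.3.2.1.zone."""
    addr = ipaddress.IPv4Address(client_ip)  # rejects junk before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_client(client_ip: str, zones, resolve: Callable[[str], Optional[str]]
                 ) -> Optional[Tuple[str, str]]:
    """Return (zone, a_record) for the first zone listing the client, else None.
    Like Postfix with no =d.d.d.d filter, any 127.x answer counts as listed."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if answer is not None and answer.startswith("127."):
            return zone, answer
    return None

LOG_RE = re.compile(r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 554 .*? blocked using (?P<zone>\S+);")

def parse_reject(line: str) -> Optional[Tuple[str, str]]:
    """Pull (client_ip, zone) out of a reject_rbl_client log line, for tallying blocks."""
    m = LOG_RE.search(line)
    return (m["ip"], m["zone"]) if m else None

if __name__ == "__main__":
    print(check_client("218.156.170.80", ZONES, FAKE_DNS.get))
    print(parse_reject(SAMPLE_LOG))
```

Feeding the mail log through parse_reject and counting by zone is a quick way to see which lists are actually doing the work before adding more.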
I’ll have to wait a couple of days to see how much it stops and if necessary add more blocks in.