This is a neat enhancement to postfix for reducing spam by attacking its economics: making sure it speaks SMTP properly.
A spammer gets paid by the message delivered. So, it’s in his interest to flood them out as quickly as possible. Because of this, they rarely implement mailers which negotiate the SMTP connection politely – they simply open the TCP connection and start sending.
When an SMTP client doesn’t respect the proper-back-and forth postfix expects, it’ll flag it as unauthorized ‘pipelining’ – for example when multiple messages are sent in succession, but which would otherwise be OK.
We can take advantage of this by forcing the issue, and increasing the odds a spammer will make this mistake by waiting just a second between establishing the TCP connection and telling the spammer we’re ready to take mail. A loaded mail server may behave this way anyway, so it’s not outside the norm and the resource consumption is minimal, but it attacks the economics of spamming.
In your main.cf file, you would add to smtpd_client_restrictions something like this:
smtpd_client_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
check_client_access hash:/etc/postfix/access-client,
sleep 1,
reject_unauth_pipelining
We accept all of our own users’ connections (interactive ones, perhaps) right away, and if the sender is totally unknown to us, we wait for just a second. Then we reject any unauthorized pipelining. The log will show something like this:
May 6 10:49:00 mailhub postfix/smtpd[8965]: NOQUEUE: reject: RCPT from unknown[10.1.2.3]: 403 4.5.0 spamtarget@example.com: Recipient address rejected: Improper use of SMTP command pipelining
when the spammer attempts to just send.
It’s worth noting that this method may not scale to very large installations, as those one second delays may be too much. But for the average-sized postfix install, it can make yet another dent in the spam deluge. Where it does consume ‘too many’ resources, one must weight the cost of computing resources vs. the time cost of dealing with yet another spam.
‘Large’ is probably north of 10 messages a second.
Comments are closed.