SPF & spamming clients

SPF (Sender Policy Framework) helps prevent e-mail spoofing and is one method of fighting SPAM. SPF determines whether or not a sender is permitted to send on behalf of a domain. If the sender is not permitted to do so, that is, if the e-mail fails the SPF check on the receiving mail server, the spam policy configured on that mail server determines what to do with the message. Senders with repeated SPF fails can be considered SPAMmers (or compromised computers in a botnet). The e-mails are handled by the anti-SPAM software on the mail server, but these trial-and-error mails still use capacity, so why not block the sending client!?

Implementation

On my Ubuntu Postfix mailserver with Fail2Ban I made a filter to do exactly this. Analysing the mail.log file I found many lines like:

May 3 14:22:19 mailserver policyd-spf[113272]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=[address];ip=5.188.206.164;r=

May 3 14:22:19 mailserver postfix/smtpd[113267]: NOQUEUE: reject: RCPT from unknown[5.188.206.164]: 550 5.7.23 <[address]>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=[address];ip=5.188.206.164;r=; from=<[address]> to=<[address]> proto=ESMTP helo=<[5.188.206.171]>

The corresponding regex is

failregex = SPF fail - not authorized.*ip=<HOST>.*

So I made a postfix-spf.conf file in the /etc/fail2ban/filter.d directory.

[Definition]
# Option: failregex
# Notes.: matches something like
# May 3 14:22:19 mailserver policyd-spf[113272]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=[address];ip=5.188.206.164;r=
# Values: TEXT
failregex = SPF fail - not authorized.*ip=<HOST>.*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
# ignoreregex =

In jail.local add

[postfix-spf]

enabled  = true
port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s,465
filter   = postfix-spf
logpath  = /var/log/mail.log
maxretry = 3
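To check what the filter and jail above actually do before enabling them, here is an added Python example (not from the article, and not Fail2Ban's own code) that applies the failregex to a handful of constructed mail.log lines, counts matches per source host, and reports which hosts would reach maxretry = 3. The `<HOST>` placeholder is expanded with a simplified IPv4/IPv6 pattern that stands in for Fail2Ban's real one; the sample log, the IPs (documentation ranges) and the alternative `FAILREGEX_ONCE` pattern are assumptions made for the example.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of /var/log/mail.log lines, modelled on the excerpts in the
# article. Addresses and IPs are documentation placeholders, not real data.
# Note that ONE rejected message yields TWO lines containing
# "SPF fail - not authorized": the policyd-spf line and the postfix/smtpd line.
SAMPLE_LOG = """\
May 3 14:22:19 mailserver policyd-spf[113272]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=user@example.org;ip=192.0.2.10;r=
May 3 14:22:19 mailserver postfix/smtpd[113267]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.23 <rcpt@example.net>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=user@example.org;ip=192.0.2.10;r=; from=<user@example.org> to=<rcpt@example.net> proto=ESMTP helo=<[192.0.2.11]>
May 3 14:25:41 mailserver policyd-spf[113290]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=user@example.org;ip=192.0.2.10;r=
May 3 14:25:41 mailserver postfix/smtpd[113267]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.23 <rcpt@example.net>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=user@example.org;ip=192.0.2.10;r=; from=<user@example.org> to=<rcpt@example.net> proto=ESMTP helo=<[192.0.2.11]>
May 3 14:30:02 mailserver postfix/smtpd[113267]: connect from mail.example.com[198.51.100.7]
May 3 14:31:15 mailserver policyd-spf[113305]: 550 5.7.23 Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;id=other@example.org;ip=2001:db8::5;r=
"""

# The failregex exactly as written in postfix-spf.conf.
FAILREGEX = r"SPF fail - not authorized.*ip=<HOST>.*"

# Assumed variant (not from the article) that only matches the policyd-spf line,
# so each rejected message is counted once instead of twice.
FAILREGEX_ONCE = r"policyd-spf\[\d+\]: .*SPF fail - not authorized.*ip=<HOST>.*"

# Simplified stand-in for Fail2Ban's <HOST> expansion: captures an IPv4 or IPv6
# literal up to the ';' that follows it in these log lines.
HOST_PATTERN = r"(?P<host>[0-9A-Fa-f.:]+)"


def compile_failregex(template: str = FAILREGEX) -> re.Pattern:
    """Expand <HOST> (simplified) and compile the resulting regex."""
    return re.compile(template.replace("<HOST>", HOST_PATTERN))


def match_hosts(log_text: str, template: str = FAILREGEX,
                ignoreregex: Optional[str] = None) -> dict:
    """Count, per source host, the lines the filter would report as failures.

    Lines matching ignoreregex are skipped first, mirroring the filter's
    (commented-out) ignoreregex option.
    """
    failregex = compile_failregex(template)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    counts: Counter = Counter()
    for line in log_text.splitlines():
        if ignore and ignore.search(line):
            continue
        m = failregex.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_to_ban(counts: dict, maxretry: int = 3) -> list:
    """Hosts whose failure count reached the jail's maxretry (findtime ignored)."""
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for name, template in (("filter as written", FAILREGEX),
                           ("once per message", FAILREGEX_ONCE)):
        counts = match_hosts(SAMPLE_LOG, template)
        print(f"{name}: {counts} -> ban {hosts_to_ban(counts)}")
```

With the filter as written, both the policyd-spf line and the postfix/smtpd line of every rejected message match, so a single client is banned after two rejected messages rather than three; if that is not what you want, a regex anchored on the `policyd-spf[...]:` prefix, as in `FAILREGEX_ONCE`, counts one failure per message. On the real server, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-spf.conf` performs the same dry run against the live log.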