Detect spammers on my server

Solution 1:

Before I get to my suggestion, I want to comment a bit on something your provider said to you:

 Received: from mail.com ([94.130.34.42])
        by smtp-27.iol.local with SMTP
        id itOWeYZ6O42IFitOWe35TR; Tue, 13 Feb 2018 03:54:09 +0100

This does not indicate that the reverse DNS for 94.130.34.42 is (or was) mail.com. Rather, it indicates that the SMTP client sent mail.com in its HELO (or EHLO) line. (A well-configured mail server would have rejected this connection entirely, but that's on Swisscom, not you...) This line does not indicate any reverse DNS entry. If it did, it would have appeared within the parentheses. For example:

Received: from mail-io0-f197.google.com (mail-io0-f197.google.com [209.85.223.197])

In this case, the first hostname is what the mail server identified itself as in its EHLO. The second hostname is the reverse DNS recorded at the time the connection was made.

RFC 5321 section 4.4 explains the format of the Received: line, with a formal grammar.

In your case, no reverse DNS was recorded. Since your IP address has a PTR record, this may be because they didn't look it up, or there was a temporary DNS failure.


Now, it appears you run a web hosting service and have numerous web apps. If one of these is compromised, it may begin sending spam. These often make direct connections to remote mail servers by looking up their MX records and connecting to port 25, as if they were actually a mail server themselves, rather than delivering mail to the local mail spool or an authenticated mail service on ports 587 or 465 as legitimate web apps do.

One way I stop this is by implementing a firewall rule that prevents outgoing connections on port 25 unless the user is the mail server user. For example:

iptables -I OUTPUT -m owner ! --uid-owner postfix -m tcp -p tcp --dport 25 -j REJECT

Web apps can no longer deliver mail directly to remote SMTP servers, but must use the local mail spool or an authenticated mail service.
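To make the distinction above concrete, here is an added example (not part of the original answer) that parses the from-clause of a Received: header and separates the HELO/EHLO name from the reverse-DNS hostname the receiving server recorded, if any. The two sample headers are constructed from the lines quoted above; the regular expressions cover the common "from helo (rdns [ip])" and "from helo ([ip])" shapes rather than the full RFC 5321 grammar.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample headers, modelled on the two lines quoted in the answer.
SAMPLE_NO_RDNS = """Received: from mail.com ([94.130.34.42])
        by smtp-27.iol.local with SMTP
        id itOWeYZ6O42IFitOWe35TR; Tue, 13 Feb 2018 03:54:09 +0100"""

SAMPLE_WITH_RDNS = ("Received: from mail-io0-f197.google.com "
                    "(mail-io0-f197.google.com [209.85.223.197])")


@dataclass
class ReceivedFrom:
    helo: str                   # name the client presented in HELO/EHLO
    reverse_dns: Optional[str]  # PTR hostname recorded by the receiver, if any
    ip: Optional[str]           # connecting address recorded in brackets


# from-clause: the HELO name, then an optional "( ... )" TCP-info block.
FROM_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<tcpinfo>[^)]*)\))?",
    re.IGNORECASE,
)
# The literal address inside the TCP-info block is always in square brackets.
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")


def unfold(header: str) -> str:
    """Join folded continuation lines (RFC 5322 folding) into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received_from(header: str) -> ReceivedFrom:
    """Extract HELO name, reverse DNS and IP from a Received: header."""
    m = FROM_RE.match(unfold(header))
    if not m:
        raise ValueError("not a Received: header with a from-clause")
    helo = m.group("helo")
    tcpinfo = (m.group("tcpinfo") or "").strip()
    ip_m = IP_RE.search(tcpinfo)
    ip = ip_m.group("ip") if ip_m else None
    # Anything before the bracketed address inside the parentheses is the
    # hostname the receiving MTA obtained from reverse DNS. When the block
    # is only "[ip]", no reverse DNS was recorded at all.
    rdns = tcpinfo[:ip_m.start()].strip() if ip_m else tcpinfo
    return ReceivedFrom(helo=helo, reverse_dns=rdns or None, ip=ip)


def helo_matches_reverse_dns(rec: ReceivedFrom) -> Optional[bool]:
    """True/False when a PTR was recorded; None when the receiver recorded none."""
    if rec.reverse_dns is None:
        return None
    return rec.helo.lower().rstrip(".") == rec.reverse_dns.lower().rstrip(".")


if __name__ == "__main__":
    for sample in (SAMPLE_NO_RDNS, SAMPLE_WITH_RDNS):
        rec = parse_received_from(sample)
        print(rec, "helo matches PTR:", helo_matches_reverse_dns(rec))
```

Run against the first sample, the parser reports a HELO name of mail.com, the IP 94.130.34.42 and no reverse DNS at all, which is exactly the point made above: the header says nothing about the PTR record. The second sample yields a recorded reverse DNS that matches the EHLO name.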

Solution 2:

In this day and age, trying to do your own mail server is, for the most part, a losing battle and you are better off finding an affordable service. Having said that...

  • Look at your logs going to the provider that blocked you and see if you can find anything suspicious. It is possible, and happens often, that someone forgets they subscribed to your newsletter and marks you as spam. Then depending on the provider you can get on the provider's blacklist even though you have done nothing wrong.

  • Separate mass mailings from all your other email into two servers.

  • Keep logs for weeks at a minimum and better months. So anytime something happens you research.

  • Check your logs daily for similar situations from any provider and look into it daily, or faster... The second you get blocked and if you keep trying to send it can get worse. You can go from a temporary block to a permanent block... to getting reported to a blacklist.

  • Not sure how they implement it, but one thing I know many providers do for outbound mail services is that the second a provider/IP blocks an email then no other emails get tried to be sent. Ideally you want something like that. Because the second one gets blocked, sending more will just aggravate the issue.
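The last two points above (watch the logs for blocks per provider, and stop sending to a destination the moment it starts rejecting) can be turned into a simple check. This is an added example, not code from the original answer: it summarises delivery outcomes per destination relay from Postfix-style log lines and lists the relays where most attempts are failing. The log lines are constructed for the example and the log format is an assumption; adapt the regular expression to whatever MTA you actually run.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a Postfix delivery log (assumed
# format). One destination accepts everything, the other starts rejecting.
SAMPLE_LOG = """\
Feb 13 03:54:09 host postfix/smtp[1001]: 1A2B3C: to=<a@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, status=sent (250 OK)
Feb 13 03:54:10 host postfix/smtp[1002]: 2B3C4D: to=<b@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.4, status=bounced (550 5.7.1 Service unavailable; client blocked)
Feb 13 03:54:11 host postfix/smtp[1003]: 3C4D5E: to=<c@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.4, status=deferred (421 4.7.0 too many connections, try later)
Feb 13 03:54:12 host postfix/smtp[1004]: 4D5E6F: to=<d@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.3, status=bounced (550 5.7.1 Service unavailable; client blocked)
Feb 13 03:54:13 host postfix/smtp[1005]: 5E6F7A: to=<e@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, status=sent (250 OK)
"""

# relay=<host>[<ip>]:<port> ... status=<word> (<reason from the remote server>)
LINE_RE = re.compile(
    r"relay=(?P<relay>[^\[\s,]+)\[[^\]]*\]:\d+.*?"
    r"status=(?P<status>\w+)\s+\((?P<reason>[^)]*)\)"
)

FAILED_STATUSES = ("bounced", "deferred")


def summarise_deliveries(log_text):
    """Per destination relay: total attempts, failed attempts, and the
    remote server's stated reasons for each failure."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "reasons": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a delivery-status line
        entry = stats[m.group("relay")]
        entry["total"] += 1
        if m.group("status") in FAILED_STATUSES:
            entry["failed"] += 1
            entry["reasons"][m.group("reason")] += 1
    return dict(stats)


def relays_to_pause(stats, threshold=0.5, min_attempts=2):
    """Destinations where at least `threshold` of recent attempts failed.
    These are the ones to stop sending to until the cause is understood,
    rather than retrying and making the block worse."""
    return sorted(
        relay for relay, s in stats.items()
        if s["total"] >= min_attempts and s["failed"] / s["total"] >= threshold
    )


if __name__ == "__main__":
    summary = summarise_deliveries(SAMPLE_LOG)
    for relay in relays_to_pause(summary):
        print(relay, dict(summary[relay]["reasons"]))
```

On the sample log this flags mx.example.org (three failures out of three attempts, with the remote server's 550 and 421 texts as the reasons) and leaves mx.example.net alone. Run over the real log on a schedule, the output is the daily list the answer recommends reviewing, and a non-empty list is the signal to hold further mail for that destination.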