Filtering/Rate-limiting Outgoing SPAM

Dec 15, 2015
www.belcloud.net
Recently we've had issues with some spammers in our network and I am looking for solutions.
Unfortunately, I haven't found much information regarding this subject, but I would like to share what I have found and hope you can also share other solutions.

We are selling both containers and KVM, using bridged network interfaces.

1. The brute approach - Blocking Port 25
While this is the safest and easiest solution to implement, by using the Proxmox firewall, it's not really an option as there are many legitimate customers requiring email services. As most customers host their own sites, the email server is necessary.

2. Monitoring Connections
The idea here would be to monitor and count the outgoing port 25 connections in a time interval. That's easily done via tcpdump.
For OpenVZ, there's also nodewatch, a highly acclaimed solution for monitoring the containers against spam and other abuse. I do not generally like it: it's not officially supported on Debian, rather bulky, and it's closed-source.
I'm considering building a small script to handle this; it seems one of the best approaches at this moment.

3. Rate-limiting port 25
This would imply limiting the number of connections done in a time interval, at the firewall level, to a normal value, let's say 10 per minute.
This would be a great solution, but I am not sure if it's possible or how to implement it on the Proxmox cluster for both KVM and containers.

4. Transparent SMTP Proxy

The idea here would be to route all SMTP traffic via a transparent SMTP proxy like ASSP, and use it to filter the email.
I am, however, afraid that it would block legitimate email or that the spam will pass through and look as if it originates from the proxy's IP.
There is also a privacy problem here, as you would actually scan through your customers' outgoing emails.

I'm looking forward to your additions and concerns regarding this topic.
 
Dec 15, 2015
www.belcloud.net
The simplest solution is this:
Code:
iptables -A FORWARD -m physdev --physdev-out bond0.+ -p tcp -m tcp --syn --dport 25 -m hashlimit --hashlimit-above 10/min --hashlimit-mode srcip --hashlimit-name smtp-limit -j DROP
Not perfect, but it stops the massive spam.
Replace bond0 with your physical interface.

The only solutions I've found with mail-proxy are very expensive.
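An added example, not from any post in this thread: a small Python script that does the counting described in section 2 above (outgoing port-25 connection attempts per source, read from tcpdump output) and applies the per-source limit of 10 per minute from section 3 and the hashlimit rule above. It assumes the capture was produced with numeric output (`tcpdump -ni bond0 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'`), so destinations end in `.25`; the sample lines, the class and function names and the sliding-window logic are mine. Note that iptables hashlimit is a token bucket with a default burst of 5, so the window here is a simplification of what the rule above enforces.

```python
"""Added example: count outgoing port-25 SYNs per source IP from tcpdump output
and flag sources that exceed a per-minute limit (not code from the thread)."""
import re
import sys
from collections import defaultdict, deque

# Assumed capture command (numeric ports, pure SYNs only):
#   tcpdump -ni bond0 'tcp dst port 25 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# Matches one tcpdump line for a SYN to port 25, e.g.
#   12:00:01.000000 IP 10.0.0.5.41234 > 203.0.113.9.25: Flags [S], seq ...
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.25: Flags \[S\]"
)


def parse_ts(ts: str) -> float:
    """HH:MM:SS.frac (tcpdump default timestamp) -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class SrcIpRateLimiter:
    """Sliding-window limiter keyed by source IP (the key of --hashlimit-mode srcip).
    over_limit() is True when the attempt is the (limit+1)-th or later SYN from
    that source within the last `window` seconds. Hypothetical helper: iptables
    hashlimit itself is a token bucket with a default burst of 5."""

    def __init__(self, limit: int = 10, window: float = 60.0):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)  # src ip -> timestamps of recent SYNs

    def over_limit(self, src: str, t: float) -> bool:
        q = self.events[src]
        while q and t - q[0] > self.window:  # forget SYNs older than the window
            q.popleft()
        q.append(t)
        return len(q) > self.limit


def scan(lines, limit: int = 10, window: float = 60.0):
    """Return (accepted, dropped): per-source counts of SYNs under and over the limit."""
    limiter = SrcIpRateLimiter(limit, window)
    accepted, dropped = defaultdict(int), defaultdict(int)
    for line in lines:
        m = SYN_RE.match(line)
        if not m:  # not a SYN to port 25 (other ports, ACKs, noise): ignored
            continue
        src, t = m.group("src"), parse_ts(m.group("ts"))
        (dropped if limiter.over_limit(src, t) else accepted)[src] += 1
    return dict(accepted), dict(dropped)


# Constructed sample capture: a normal sender (3 SMTP connections in a minute,
# plus an HTTPS SYN and a port-25 ACK that must be ignored) and a spamming guest
# that opens 25 SMTP connections in 25 seconds.
SAMPLE = [
    "12:00:01.000000 IP 10.0.0.5.41234 > 203.0.113.9.25: Flags [S], seq 1, win 64240, length 0",
    "12:00:20.000000 IP 10.0.0.5.41235 > 203.0.113.10.25: Flags [S], seq 2, win 64240, length 0",
    "12:00:40.000000 IP 10.0.0.5.41236 > 203.0.113.11.25: Flags [S], seq 3, win 64240, length 0",
    "12:00:41.000000 IP 10.0.0.5.41237 > 203.0.113.11.443: Flags [S], seq 4, win 64240, length 0",
    "12:00:41.500000 IP 10.0.0.5.41234 > 203.0.113.9.25: Flags [.], ack 1, win 502, length 0",
] + [
    f"12:01:{i:02d}.000000 IP 10.0.0.7.{50000 + i} > 198.51.100.{i + 1}.25: "
    f"Flags [S], seq {i}, win 64240, length 0"
    for i in range(25)
]


def main():
    # Read real capture lines from stdin (e.g. piped from tcpdump -l), else use the sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    accepted, dropped = scan(lines)
    for src in sorted(set(accepted) | set(dropped)):
        flag = "  <-- exceeds 10/min" if dropped.get(src) else ""
        print(f"{src:15} accepted={accepted.get(src, 0):3} "
              f"over_limit={dropped.get(src, 0):3}{flag}")


if __name__ == "__main__":
    main()
```

On the sample, 10.0.0.5 is reported with 3 accepted attempts and 10.0.0.7 with 10 accepted and 15 over the limit; a real deployment would pipe `tcpdump -l` into the script and alert on, or feed to the firewall, any source that appears in the over-limit column.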
 

guletz

Apr 19, 2017
Brasov, Romania
Hi,

Some other dummy/stupid ideas ;)

- use at least 2 SMTP servers, one we can call green-smtp (for good clients = no spam problems from them) and red-smtp (for spam-loving clients)
- so all your good clients will use green-smtp, and they will not be disturbed by other bad clients
- when a good client becomes bad, you can move him to the red-smtp
- use a dedicated router, which will run your main firewall, outside of Proxmox (on this router you will put your connection limit filters) + OSPFD
- any spam IP that your filters can catch will feed the OSPF (with a null route), so any smtp-server will be protected from such IPs (spam sources)
- you can also feed your OSPF in the same way with many other black-list sources
- GeoIP filtering could reduce a lot of SPAM (20-40% from my own experience) - could also feed your OSPF

The idea with OSPF has the advantage of minimal resource usage, and the OSPF routing table (with bad guys) can be very easily distributed to N of your clients/hosts. It is like: black-list once in one place (you can have many places), and share this info with ALL your systems. A routing table is much faster compared with any ip-filter system (any new connection will be checked), but a routing table has a cache system .... ;)
 

guletz

Apr 19, 2017
Brasov, Romania
3. Rate-limiting port 25
This would imply limiting the number of connections done in a time interval, at the firewall level, to a normal value, let's say 10 per minute.
This would be a great solution, but I am not sure if it's possible or how to implement it on the Proxmox cluster for both KVM and containers.
Postfix can do this very easily:

Code:
# Pause this long before replying to a client that has made an error
smtpd_error_sleep_time = 1s
# After this many errors, Postfix starts delaying every reply to the client
smtpd_soft_error_limit = 10
# After this many errors, Postfix disconnects the client
smtpd_hard_error_limit = 20
# Maximum simultaneous connections per client IP (enforced by anvil(8))
smtpd_client_connection_count_limit = 10
# Maximum new connections per client IP per anvil_rate_time_unit (60s by default);
# clients in $mynetworks are exempt unless smtpd_client_event_limit_exceptions is changed
smtpd_client_connection_rate_limit = 60
 