Step-By-Step: Eliminate spam from forged sender addresses

Learn how to set up Postfix to block forged e-mails.

Originally, people tried to stop spam by blocking all e-mail from the domains from which the e-mail appeared to originate. To get around this defense, spammers used a return address nobody was willing to block. This method wasn’t very effective because the address services the spammers were using wouldn’t allow people to send bulk mail through them.

So now many spammers just tack on a bogus e-mail address as the return address to bypass the simple spam filters. Often, the bogus e-mail address really exists, and the poor user who actually owns it finds his or her e-mail box filled with complaints from people who think he or she is the one that sent the spam.

If you have been following along with the series on creating a budget e-mail system using Postfix as the MTA, you will note that this system is susceptible to this type of spammer. However, there is a fix. In this article, I will show you how to set up Postfix to block these types of forged e-mails.


Create a free-mail access database
I'm going to call these rules “free-mail access,” since many of these services are from free e-mail ISPs, such as Yahoo, AOL, MSN, and Earthlink. First, you will need to create a hash (a type of database file) to tell Postfix which domains to check for the correct e-mail host. As root, create the file /etc/postfix/free-mail_access and add the contents of Listing A.

Add any domain from which you see a lot of other forged e-mail originate. Any e-mail that comes from a domain specified in this file will be checked against the free-mail hosts database to determine whether it was sent through an appropriate server. To generate the actual hash, use the postmap command:
# postmap /etc/postfix/free-mail_access

Create a free-mail hosts database
Now you will need to create another hash listing the valid hosts that may relay mail from these domains. Note that if you have any backup mail servers, you will need to list them here, or legitimate mail that comes through them may bounce. Also note that this system does not match each domain to its own hosts—it matches the mail to this group of hosts as a whole. So somebody could send an e-mail with a return address from one of these domains through an Earthlink server, and it would come through, but if this person sent it through a TechRepublic server, TechRepublic’s Postfix mail server would bounce it. Listing B illustrates the /etc/postfix/free-mail_hosts file.

Check your e-mail logs frequently, and if you find someone sending legitimate e-mail from one of the free-mail domains through a different server, add that server to the free-mail_hosts file to stop bouncing mail from that user. Again, make the actual hash with the postmap command:
# postmap /etc/postfix/free-mail_hosts

Create a custom bounce message
Most people who have a legitimate message bounce because of this rule will probably know they're not using the real e-mail server to send the mail, and will try again through the correct server. Nonetheless, you will probably bounce a few valid messages using this rule, so you'll need an error message that explains why the message was bounced. Use a regular-expression table with a single pattern that matches everything and sends your custom error message back to the sender. Listing C shows what's in the /etc/postfix/reject_free-mail file.

This file is not a hash, so you don't need to do anything more to it.

Configure Postfix to use the free-mail access rules
To get this to work, you're going to check the domain of the incoming mail's sender using a Sender restriction. The restrictions in the Sender restrictions list are evaluated in order until Postfix reaches a reject code or an OK. If it runs out of rules or gets an OK, it goes on to process the Recipient restrictions.

The way you're going to set this up is to have Postfix check the domain of the sender. If it's a free-mail domain, Postfix applies the rules in the from_free-mail_host class, which you need to define. In the from_free-mail_host class, you need to tell it to check the free-mail_access database, which, if it finds a match, returns an OK. If there is no match, the program goes on to the reject_free-mail regular-expression file, which bounces the message with its custom error. Listing D has the appropriate directives for the main Postfix configuration file (main.cf).

After adding these lines to the file, you will need to reload the Postfix configuration:
# postfix reload
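The four files the steps above describe, together with a small simulation of the order in which Postfix consults them, as an added example that is not the article's Listings A through D. The domain names, host names, reject text and the example.net/example.org names are assumptions made for the demonstration; the simulation approximates the access-map lookup on a sender's domain and on the connecting client's hostname (full name, then each parent domain) and does not model every lookup key Postfix tries.

```shell
#!/bin/sh
# Added example (not the article's listings): writes the four files the
# article describes into a directory and simulates the order in which Postfix
# consults them. Domain names, host names and the reject text are assumptions.

write_free_mail_policy() {
    dir="$1"

    # Counterpart of Listing A: sender domains whose mail must arrive through a
    # known relay. The value is the name of the restriction class in main.cf.
    cat > "$dir/free-mail_access" <<'EOF'
# domain            action
yahoo.com           from_free-mail_host
aol.com             from_free-mail_host
EOF

    # Counterpart of Listing B: hosts allowed to relay mail for any of those
    # domains (one shared list, not a per-domain mapping). Backup MX hosts
    # belong here too, or mail relayed through them bounces.
    cat > "$dir/free-mail_hosts" <<'EOF'
# client hostname or parent domain   action
yahoo.com                            OK
aol.com                              OK
backup-mx.example.net                OK
EOF

    # Counterpart of Listing C: a regexp table whose single pattern matches
    # every sender, so the only thing it can do is reject with this text.
    cat > "$dir/reject_free-mail" <<'EOF'
/./   REJECT This domain's mail must be sent through the provider's own servers.
EOF

    # Counterpart of Listing D: the main.cf directives, written here as a
    # fragment so nothing outside the target directory is touched.
    cat > "$dir/main.cf.fragment" <<'EOF'
smtpd_restriction_classes = from_free-mail_host
from_free-mail_host =
    check_client_access hash:/etc/postfix/free-mail_hosts,
    check_sender_access regexp:/etc/postfix/reject_free-mail
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/free-mail_access,
    permit
EOF

    # Build the .db files when postmap is installed (the simulation below
    # reads the text tables directly and does not need them).
    if command -v postmap >/dev/null 2>&1; then
        postmap "$dir/free-mail_access" "$dir/free-mail_hosts"
    fi
}

# Look a key up in a text access table the way Postfix does for domains and
# hostnames: the full name first, then each parent domain. Prints the action
# and returns 0 on a hit; returns 1 when nothing matches.
lookup_access() {
    table="$1"
    key="$2"
    while [ -n "$key" ]; do
        hit=$(awk -v k="$key" '/^#/ { next } $1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$table")
        if [ -n "$hit" ]; then
            printf '%s\n' "$hit"
            return 0
        fi
        case "$key" in
            *.*) key="${key#*.}" ;;
            *)   key="" ;;
        esac
    done
    return 1
}

# Evaluate smtpd_sender_restrictions for one envelope sender and the hostname
# of the client that delivered it. Prints OK or the REJECT line.
check_sender() {
    dir="$1"
    sender="$2"
    client="$3"
    domain="${sender#*@}"

    # First restriction: check_sender_access on the sender's domain. No entry
    # means the trailing "permit" applies.
    if ! action=$(lookup_access "$dir/free-mail_access" "$domain"); then
        echo OK
        return 0
    fi

    case "$action" in
        from_free-mail_host)
            # Inside the class: any listed relay host wins; otherwise the
            # catch-all regexp table rejects with the custom text.
            if lookup_access "$dir/free-mail_hosts" "$client" >/dev/null; then
                echo OK
            else
                sed -n 's|^/\./[[:space:]]*||p' "$dir/reject_free-mail"
            fi
            ;;
        *)
            echo "$action"
            ;;
    esac
}
```

Two points the simulation makes visible: a sender from aol.com delivered by a yahoo.com host is accepted, because the hosts table is one shared list rather than a per-domain mapping; and a bare "yahoo.com" entry also matches hosts such as smtp101.mail.yahoo.com, because Postfix's default parent_domain_matches_subdomains setting includes smtpd_access_maps, so parent domains are tried. Since check_client_access judges the connecting client by the hostname and address the server sees, the hosts table needs the provider's outbound host names (and your backup MX hosts), which is why the article tells you to keep watching the logs.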

Watch those logs
While no e-mail system can be made completely immune to spam, after completing the steps above you should notice a substantial decrease in the amount of unwanted e-mail your users receive. Simply watch the logs to make sure you're not bouncing valid e-mail, and enjoy the satisfaction of seeing hundreds of e-mails blocked before they ever get delivered.