Blocking spam and hack attacks by TLD

Much of the email spam and hack attacks I see against my servers can be blocked up-front by using Postfix and modsecurity filters. NOTE: Your use case may vary, so these suggestions may or may not be practical based on your business needs!

First, in modsecurity I block problematic country .TLDs, which I know is anti-social, but it prevents lots of headaches for my current business use case. This doesn't prevent a determined hacker from using a VPN for attacks in another country (like US), but it does cut down on much of the noise so that the system administrator can focus on actual hack attacks.

In the crs-setup.conf file I block the problematic TLDs:

SecAction \
 "id:[your rule ID may vary!],\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.high_risk_country_codes=RU CN RO UA ID YU LT EG BG TR PK MY AF IQ IR KP SA SC SY VA AE IL IN'"

 

And for spam control, in my postfix main.cf file, my configuration for the smtpd_sender_restrictions line looks like this (the last part is what is relevant by adding a PCRE list of domains):

smtpd_sender_restrictions  = permit_mynetworks, permit_sasl_authenticated, reject_unauthenticated_sender_login_mismatch, check_sender_access pcre:/etc/postfix/reject_domains

And in the /etc/postfix/reject_domains file I block each of the domains that are most likely to produce spam:

/\.xyz$/ REJECT We reject all .xyz domains due to spam
 

Note: Since the /etc/postfix/reject_domains file is not hashed, there's no need to run the postmap command after changes (unlike helo_access and other hashed files).

Once your Postfix changes are complete, you need to restart or reload Postfix with a command similar to:

sudo service postfix reload

Since Postfix is technically an MTA, you shouldn't really use it as your primary spam-fighting solution. I use many other tools such as SpamAssassin as Bayesian milters to fight spam, but you can head much of it off from the start by blocking domains and TLDs that are problematic for you!

Notice

Commenting only available for logged-in users.