Last night I upgraded the mail transport software to Postfix 2.1.1 and added a couple of new filtering rules from Jim Seymour’s list of ideas.
I now require that mail with freemail sender addresses arrive from freemail peer addresses (e.g. mail from “foo@yahoo.com” is only accepted from a *.yahoo.com peer). This has already blocked lots of mail from e.g. *.netikka.fi and *.surfer.at from machines that HELO with things like “msn.com” and use *@yahoo.com sender addresses.
I also added a check for bad MX records. I’m now blocking domains with MX records pointing to any private or reserved networks (i.e. that cannot be used for public connectivity):
0.0.0.0/8 REJECT Domain MX in broadcast network 10.0.0.0/8 REJECT Domain MX in RFC-1918 private network 127.0.0.0/8 REJECT Domain MX in loopback network 169.254.0.0/16 REJECT Domain MX in link local network 172.16.0.0/12 REJECT Domain MX in RFC-1918 private network 192.0.2.0/24 REJECT Domain MX in TEST-NET network 192.168.0.0/16 REJECT Domain MX in RFC-1918 private network 224.0.0.0/4 REJECT Domain MX in class D multicast network 240.0.0.0/5 REJECT Domain MX in class E reserved network 248.0.0.0/5 REJECT Domain MX in IANA reserved network
I thought I’d see results from this rule right away, but nothing yet…
Update (6/4/2004): It looks like not that many spammers are using “bad” IP’s for their MX hosts. However, there are a few hits, and this prevents unnecessary bounces to the local postmaster, so I’m certainly keeping these rules.