Mr. Fubar

Q: Blocking IP addresses

So I've asked this before with nary a response. Figure I'll keep asking and maybe I'll get lucky.

Everyone gets spam from overseas. I'd like to prevent large blocks of IP addresses from being able to send mail through my Mail Server (v4.1). This was incredibly easy to do with software that was built 15 years ago (Eudora Internet Mail Server). I can't find documentation or any information on how to do this with Mail Server.

Please, anyone, for the love of sanity, help me make the spam stop. I have the spam blocking set at 2 and it still gets through. I'm afraid I'm probably blocking legit mail. If I can block IPs somehow, I can loosen up the pipe a bit.

Thank you.

Mac mini, OS X Yosemite (10.10.3)

Posted on Apr 12, 2016 5:27 AM


  • by John Lockwood, Level 6 (9,225 points), Servers Enterprise
    Apr 12, 2016 6:41 AM in response to Mr. Fubar

    Blocking a large range of IP addresses e.g. 10.0.0.1 to 10.10.10.255 is not going to be effective even if you find a way to do it. These days, and in fact for many years, the way spammers work is that they use thousands or even tens of thousands of individual computers, each of which has its own different IP address, and they may not only be using different ISP providers but even be in many different countries. This is what is called a 'bot-net', a group of PCs - generally it is Windows PCs, but these days there are also an increasing number of Macs infected with malware and being remotely controlled via a Command & Control Server.

    The spammer 'rents' the services of a bot-net; the controller of the bot-net then sends a task to each member of the bot-net, which in this case is to send out vast quantities of spam.

    So, there are generally few instances of large blocks of IP addresses worth blocking.

    The second problem is that most of these affected PCs being used as part of a bot-net are often home PCs or in smaller businesses and therefore have dynamic IP addresses, meaning they change frequently. So there is no fixed IP address to block, as it changes.

    You need to consider the following options and could use several of them.

    1. Use the built-in spam filter like you are
    2. Optionally add an additional spam filter on your server; there are some free ones and some paid-for ones, e.g. https://sourceforge.net/projects/assp/ and http://www.vicomsoft.com/services/email-security/
    3. Optionally subscribe to an external spam filter service like MimeSweeper - see https://www.clearswift.com/solutions/email-security
    4. Use a spam filter at the user end as well as the server end, e.g. the built-in Apple Mail spam filter and SpamSieve - see http://c-command.com/spamsieve/
    5. Set up DKIM and SPF to help verify whether email is genuine; this is free and is possible on a Mac server
  • by pterobyte, Level 6 (11,101 points), Servers Enterprise
    Apr 12, 2016 6:45 AM in response to Mr. Fubar

    It is certainly possible to block IPs. Personally I find this to be the very last resort and usually not too effective. Compromised servers and clients keep popping up all over the place continuously, so you just end up chasing ghosts most of the time.

    That said...

    Create a file called

    /Library/Server/Mail/Config/postfix/client_access

    Add your IPs to client_access in the following format:

    123.123.123.123 REJECT Your server is a spam relay. Fix it and we'll remove the restriction.

    Add as many single IPs or IP blocks as needed.

    Save and issue:

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/postmap /Library/Server/Mail/Config/postfix/client_access

    Edit

    /Library/Server/Mail/Config/postfix/main.cf

    and add:

    check_client_access hash:/Library/Server/Mail/Config/postfix/client_access

    to the parameters present in smtpd_client_restrictions

    For example:

    smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated check_client_access hash:/Library/Server/Mail/Config/postfix/client_access reject_rbl_client zen.spamhaus.org reject_rhsbl_client dbl.spamhaus.org permit

    When done, issue:

    sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/postfix reload

    See also here: http://www.postfix.org/postconf.5.html#check_client_access

    Regarding Postfix Paths in Server 5, see here: https://topicdesk.com/faqs/why-do-postconf-n-and-postfix-reload-produce-unexpected-output-on-os-x-server-5/

    HTH,

    Alex

  • by Mr. Fubar, Level 1 (4 points), Servers Enterprise
    Apr 12, 2016 6:59 AM in response to John Lockwood

    Thanks John. Actually, my blocks are more like 95.0.0.0 to 97.255.255.255. I block an entire Class A, not just a Class C, which I agree would be near useless. My intent is to block most places outside the USA. This isn't some USA-centric thought pattern; rather, it has just been very effective in the past. I will take a look at some of your suggestions, though.

  • by Mr. Fubar, Level 1 (4 points), Servers Enterprise
    Apr 12, 2016 7:02 AM in response to pterobyte

    Thank you! May I ask, how would I do the above for a block of IPs? For example, if I wanted to block 95.0.0.0 to 97.255.255.255? I want to make sure I get the formatting correct so that I do NOT blow up things in a bad way!

    You've been very helpful. Hopefully I'll be able to follow all of that and get things under control.

    THANK YOU!

  • by pterobyte, Level 6 (11,101 points), Servers Enterprise
    Apr 12, 2016 7:10 AM in response to Mr. Fubar

    You are welcome. :-)

    95.0.0.0/8

    96.0.0.0/8

    97.0.0.0/8

    would probably be the cleanest way to minimise entries while keeping visual control.

    Still think you should go differently about reducing spam though ;-) :-)
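The two pterobyte replies above describe the client_access table for check_client_access and, for the 95-97 ranges, /8 entries. The Python script below is an added example for this thread; it is not code from Apple, from Postfix or from any of the posters. It dry-runs a client_access rule set against a list of client addresses, so you can see which clients a table would reject before it goes into main.cf and a typo locks out legitimate senders. It emulates the two lookup rules documented in Postfix's access(5) and cidr_table(5) man pages: a hash: table (what the postmap command builds) is matched with the full client address and then with trailing octets stripped one at a time (1.2.3.4, 1.2.3, 1.2, 1), so a /8 is written as the bare first octet, while NETWORK/PREFIX entries such as 95.0.0.0/8 are understood only by a cidr: table, which is a plain text file that needs no postmap run. The table contents, the "Blocked by policy" texts and the client addresses are all constructed for the example; IPv4 clients only.

```python
"""Dry-run checker for a Postfix check_client_access table.

Added example for the thread above; not code from Apple, Postfix or the
posters.  It emulates the lookup rules documented in access(5) and
cidr_table(5) so a rule set can be tested before it is put in main.cf.
IPv4 clients only; the table text and client addresses are constructed.
"""
import ipaddress

# Constructed hash: style table, i.e. what postmap would turn into a .db file.
# Note the last line: a hash table never matches NETWORK/PREFIX keys.
HASH_TABLE = """\
# blank lines and comments are ignored
123.123.123.123 REJECT Your server is a spam relay. Fix it and we'll remove the restriction.
95 REJECT Blocked by policy
96.0.0.0/8 REJECT never matches in a hash table, see the cidr: table
"""

# The same intent as a cidr: table (plain text, read directly, no postmap run).
CIDR_TABLE = """\
95.0.0.0/8 REJECT Blocked by policy
96.0.0.0/8 REJECT Blocked by policy
97.0.0.0/8 REJECT Blocked by policy
123.123.123.123/32 REJECT Your server is a spam relay.
"""

# Constructed client addresses to test the rules against.
SAMPLE_CLIENTS = ["95.12.34.56", "96.1.1.1", "123.123.123.123", "203.0.113.7"]


def parse_table(text):
    """Return [(key, action)] for every non-blank, non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        rules.append((key, action.strip()))
    return rules


def lookup_hash(rules, client_ip):
    """hash: semantics (access(5)): try 1.2.3.4, then 1.2.3, 1.2, 1."""
    table = dict(rules)
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def lookup_cidr(rules, client_ip):
    """cidr: semantics (cidr_table(5)): first network containing the client wins."""
    addr = ipaddress.ip_address(client_ip)
    for key, action in rules:
        try:
            network = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # malformed key; Postfix would log a warning for the line
        if addr in network:
            return action
    return None


def decision(action):
    """Reduce an access(5) action to the verdict smtpd applies.

    No match means the client falls through to the next item of
    smtpd_client_restrictions (reject_rbl_client etc. in the thread)."""
    if action is None:
        return "DUNNO"
    return action.split()[0].upper()


def check_clients(table_text, table_type, clients=SAMPLE_CLIENTS):
    """Map each client address to its verdict under the given table type."""
    rules = parse_table(table_text)
    lookup = lookup_hash if table_type == "hash" else lookup_cidr
    return {ip: decision(lookup(rules, ip)) for ip in clients}


if __name__ == "__main__":
    path = "/Library/Server/Mail/Config/postfix/client_access"
    for table_type, text in (("hash", HASH_TABLE), ("cidr", CIDR_TABLE)):
        print(f"check_client_access {table_type}:{path}")
        for ip, verdict in check_clients(text, table_type).items():
            print(f"  {ip:<16} {verdict}")
```

Run as-is it prints the verdict for each sample client under both table types; the 96.0.0.0/8 line in the hash table is the one to watch, since it silently matches nothing. To check a real rule set, read /Library/Server/Mail/Config/postfix/client_access into a string and pass it with the table type named in main.cf. If the cidr: form is used, the main.cf entry becomes check_client_access cidr:/Library/Server/Mail/Config/postfix/client_access and the postmap step is not needed, because cidr_table(5) files are read as plain text; postfix reload is still required.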