I have been using centos 6 in a virtualized system for a few months now.
It took a while to batten down the hatches with Postfix, RBLs, and to use
fail2ban correctly.
The mail server for my website(s) is located on the HTTP server as
well, an 'all in one' server.
DNS servers are separated.
My two sites, and their email addresses (one for each), have been around
for 10 and 15 years respectively.
One site was a business site, one was news and politics; both were very
busy at one point, thus 'on the radar'
of hackers and spammers.
I decided to see what I could do with my system to prevent hacks and
spam with regard to email and brute force attacks
on all systems except for my web apps (which are down right now and in
development).
fail2ban is really good at brute force, assuming it is just one IP
and not all attempts are at once. Thus it works on script kiddies,
but I do not think it would work well on a dedicated hack attempt by a
serious individual or group.
But I am using fail2ban to auto-ban IPs regarding spam.
As far as spam goes, very little gets through now: a few a day. Between
blacklists, my own blacklist of commercial spammers, and stringent
Postfix settings, the actual spam that gets through is small. But it
still gets through.
I was using fail2ban on attempts numbering 3 or more that ended in
5xx replies from my server. I would block for 10 minutes.
I found I was blocking about 800 IPs a day on one server, half that on
the other.
I did notice that there were a ton of attempts that were under 3. Lots
of 2's and a ton of 1's.
So a couple of weeks ago (not sure when I started) I decided to try
blocking any 5xx reply by IP.
This is a private server and just my own mail comes to it, so I am not
worried too much about false positives or other effects.
------------------------------------------------
So what happened?
The IPs jumped up considerably, to 1,500 to 1,700 a day banned on one
server, about 1,000 on the other.
What is interesting in those numbers is they are constant. Every
weekday I can count on about 1,500 banned IPs on one, 1,000 on
the other, give or take.
What really changed was the mail servers sending mail that got through
the restrictions, but were sending to non-existent addresses.
A majority (like 80%) were from Yahoo. This was a sudden change. It was
not like this before.
Yahoo spammed like crazy. And they got the mail server IP banned.
Ten to 20 emails a day from Yahoo mail servers, going to non-existent
addresses, where before it would be one or two.
The Yahoo mails got bigger every day until they started waning (probably
due to IP banning).
The mail that actually got through all of this was 50% free mail (Yahoo,
MSN/Live, some AOL, etc.), Yahoo being the biggest.
Another thing I noticed: when I started adding domains to my 'blacklist
of commercial senders', legitimate or not, I started to get Yahoo
mails with references inside them to many of the illegitimate sites
that were coming from the UCE I had blocked.
It is quite interesting to watch this process. More interesting is that no
matter how strict or lax I make the system, there will be the same
number of attempted mails sent to my server (give or take a few hundred).
If I unban all the IPs, which I did once, there was a one-day bump up,
then it leveled off to the same amount of individual attempts
(not counting the same attempt being tried again).
I have 35,000 IPs blocked right now and nothing changed, except Yahoo spam.
SpamAssassin I use, but only for level 10 or higher spam; it is deleted.
I found all of these over the last few months to be the kind
with attachments, probably viruses.
-------------------------------------------------------------------------
What Have I learned?
I have learned a large number of attempts are from ISPs and not websites.
I have learned that ISPs will not do anything at all, ever, about this.
(Someone trying to send 1 million mails a day might be suspicious,
but they ignore it.)
I have learned a large majority of 'hosts' are technically challenged
small business owners who have no sysadmin knowledge.
Those hosts spew spam bots.
I have learned the Chinese have really taken a liking to playing with my
server, possibly for training purposes. My server is a hit in Beijing
and some other province I cannot spell.
----------------------------------------------------------
What can be done?
Not much. If the ISPs do nothing, and the technology is not available
to datacenters and hosts, there is not much I can do at all.
Complaining to an ISP or host would take 24 hours a day of messages, 99%
of which would be ignored.
There is a consideration for the scumbags that call themselves
legitimate mailers, like vocus.com. They are in the US, as I am.
I am considering going to small claims for some of these spam attempts.
I cannot use the CAN-SPAM Act, since they are technically
not in violation.
However, I could use the logs and attempts, copies of emails and phone
calls telling them to stop, and sue them
for a small dedicated denial-of-service attack, use of my bandwidth,
harassment of my server and business.
Would I win? Probably. Would I ever get money from them? Most likely not.
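As an added illustration (not part of the original post, and not the poster's own configuration), the script below replays the two fail2ban settings the post describes, "3 or more 5xx replies within a window" versus "any single 5xx reply", over a handful of constructed Postfix smtpd reject lines. The log lines, the RFC 5737 documentation addresses in them, the 600-second findtime and the regex are all assumptions made for the example; the point is to show why the second setting catches a provider's outbound relay that delivers one message to a retired address (a single 550 "User unknown") exactly as it catches a probe that trips an RBL three times in a row.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix/syslog lines for this example (not the poster's logs).
# Client addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar  3 09:00:01 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<u1@example.org> proto=ESMTP helo=<wks1>
Mar  3 09:00:02 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<u2@example.org> proto=ESMTP helo=<wks1>
Mar  3 09:00:03 mail postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<a@example.com> to=<u3@example.org> proto=ESMTP helo=<wks1>
Mar  3 09:05:00 mail postfix/smtpd[2150]: NOQUEUE: reject: RCPT from mta1.example.net[198.51.100.7]: 550 5.1.1 <oldaddr@example.org>: Recipient address rejected: User unknown in local recipient table; from=<someone@example.net> to=<oldaddr@example.org> proto=ESMTP helo=<mta1.example.net>
Mar  3 09:06:00 mail postfix/smtpd[2160]: connect from mta1.example.net[198.51.100.7]
Mar  3 09:10:00 mail postfix/smtpd[2170]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 450 4.7.1 <wks2>: Helo command rejected: Host not found; from=<b@example.com> to=<u1@example.org> proto=ESMTP helo=<wks2>
Mar  3 09:20:00 mail postfix/smtpd[2180]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 Service unavailable; Client host [192.0.2.9] blocked using bl.spamcop.net; from=<b@example.com> to=<u1@example.org> proto=ESMTP helo=<wks2>
Mar  3 09:45:00 mail postfix/smtpd[2190]: NOQUEUE: reject: RCPT from unknown[192.0.2.9]: 554 5.7.1 Service unavailable; Client host [192.0.2.9] blocked using bl.spamcop.net; from=<b@example.com> to=<u1@example.org> proto=ESMTP helo=<wks2>
"""

# Matches a Postfix smtpd RCPT rejection and captures the client IP and the
# SMTP reply code. Only the 5xx codes count as failures below; the 450 line
# (a temporary reject) is deliberately ignored, as a 5xx-only jail would.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]: (?P<code>\d{3}) "
)
# Syslog timestamp at the start of the line; the year is absent, so it is
# supplied by the caller (assumed constant across the sample).
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_failures(log_text, year=2012):
    """Yield (timestamp, ip) for every RCPT reject with a 5xx reply code."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or not m.group("code").startswith("5"):
            continue
        ts = SYSLOG_TS.match(line)
        when = datetime.strptime(f"{year} {ts.group('ts')}", "%Y %b %d %H:%M:%S")
        yield when, m.group("ip")


def banned_ips(log_text, maxretry, findtime):
    """Replay fail2ban's sliding window over the log.

    An IP is banned once it has accumulated `maxretry` matching failures that
    all fall within `findtime` seconds of the newest one. Unbanning after
    bantime is not modelled; the result is the set of IPs ever banned.
    """
    recent = defaultdict(list)
    banned = set()
    for when, ip in parse_failures(log_text):
        if ip in banned:
            continue
        window = [t for t in recent[ip] if (when - t).total_seconds() <= findtime]
        window.append(when)
        recent[ip] = window
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    # The two settings the post describes: 3+ 5xx within 10 minutes, then any 5xx.
    for maxretry in (3, 1):
        result = banned_ips(SAMPLE_LOG, maxretry=maxretry, findtime=600)
        print(f"maxretry={maxretry} findtime=600: banned {sorted(result)}")
```

With maxretry=3 only the RBL-listed client 203.0.113.5 is banned; with maxretry=1 the relay at 198.51.100.7 is banned for its single "User unknown" 550, and 192.0.2.9 is banned on its first 554 even though its two hits are 25 minutes apart and would never share a 600-second window. The same match, expressed as a fail2ban filter rather than in Python, is `failregex = reject: RCPT from \S+\[<HOST>\]: 5\d\d`, with maxretry and findtime set in the jail.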