Too Much Email

Defeating the Horde

The image above is a small sample of the current onslaught facing the email servers at $dayjob. As of this writing, roughly 24 hours in, the count is approaching 250000, all from a single source. Why, you ask? Well, someone’s test got away from them, and it would seem they are having difficulty reining it back in.

For a number of reasons it wasn’t possible to bin this traffic at various points along the route, and blocking the sender IP was not an option either, as legitimate traffic could still be coming from that origin.

I did have one thing at my disposal though: a Postfix relay that all the emails must traverse between points A and B. So I have the tool, but how do I wield it?

Header Check Magic

Postfix supports all kinds of body and header checks; for this case in particular I needed a PCRE check to match the similar, but slightly varying, Subject header.

To make this work, you need to make sure you have this line in main.cf:

header_checks = pcre:/usr/local/etc/postfix/header_checks.pcre

Once that is in place, all you need is the following in header_checks.pcre:

/^Subject: ERROR \[\w{10}\]/
        DISCARD

Of course, that regex works for my purposes, but you will need something else, and if you want a sandbox for crafting your regex I find regexr.com very useful.
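As an added example (not code from the original post), here is a small Python dry run that reads the rule above in the Postfix pcre-table layout and applies it to a handful of constructed header lines, so a candidate regex can be checked against the cases it must and must not match before it goes live on the relay. The table text, the sample headers and the helper names are assumptions for illustration, and the parser covers only the subset of the table format the post uses.

```python
import re

# Constructed copy of the header_checks.pcre file from the post, written with the
# action on a continuation line as in the post; Postfix joins such lines to the
# preceding pattern line.
TABLE_TEXT = r"""
# discard the runaway test notifications
/^Subject: ERROR \[\w{10}\]/
        DISCARD
"""


def load_pcre_table(text):
    """Parse a minimal subset of the Postfix pcre: table format.

    Handles '/pattern/flags action' rules, '#' comments, blank lines and
    continuation lines that start with whitespace.  Negated rules (!/.../)
    and flags other than 'i' are not handled by this illustration.
    Returns a list of (compiled_regex, action) in file order.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1].isspace() and logical:
            logical[-1] += " " + raw.strip()  # continuation line, joined
        else:
            logical.append(raw.strip())
    rules = []
    for line in logical:
        m = re.match(r"^/(.*)/([a-zA-Z]*)\s+(\S.*)$", line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        pattern, flags, action = m.groups()
        # Postfix matches case-insensitively by default; an 'i' flag toggles that.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.strip()))
    return rules


RULES = load_pcre_table(TABLE_TEXT)


def header_action(header_line, rules=RULES):
    """Return the action the table applies to one header line (first match wins), or None."""
    for regex, action in rules:
        if regex.search(header_line):
            return action
    return None


# Constructed header lines, not real traffic, covering the boundaries of the rule.
SAMPLE_HEADERS = [
    "Subject: ERROR [abcdef1234]",       # ten word characters: DISCARD
    "Subject: error [ABCDEF1234]",       # case differs, default is case-insensitive: DISCARD
    "Subject: ERROR [abc123]",           # only six characters: kept
    "Subject: ERROR [abcdef1234567]",    # thirteen characters: kept
    "Subject: Re: ERROR [abcdef1234]",   # not at the start of the header value: kept
    "X-Note: ERROR [abcdef1234]",        # a different header: kept
]


def triage(headers=SAMPLE_HEADERS, rules=RULES):
    """Map each header line to the action the table would apply, for a pre-deployment dry run."""
    return {h: header_action(h, rules) for h in headers}


if __name__ == "__main__":
    for header, action in triage().items():
        print(f"{action or 'keep':8} {header}")
```

On the relay itself, the equivalent check against the real table is postmap -q "Subject: ERROR [abcdef1234]" pcre:/usr/local/etc/postfix/header_checks.pcre, which prints the action Postfix would take for that header line. Two things worth keeping in mind when adapting the pattern: Postfix stops at the first matching rule, and header_checks apply to every message passing through the relay, so a pattern that is looser than the runaway traffic will discard mail you wanted to keep.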

With that in place, execute a postfix reload and all the unwanted garbage disappears quietly into the great bit bucket in the sky.