08 04 | 2014

Disable your spammed addresses with Postfix

Written by Tanguy

Classified in : Homepage, Debian, Command line, To remember

Using address extension

Postfix (and many other mail servers) offers one nice address extension feature: addresses like <user+whaterver@> are implicit aliases to <user@>. This allows users to implement a simple measure to fight spam:

  1. when SomeCompany® or whatever asks for your email address, give them <user+somecompany@>;
  2. if you start receiving spam at that address, you know who sold or was stolen your address;
  3. finally, you will be able to disable that address so messages are simply refused with a permanent error code.
Road sign “you shall not pass“ with Gandalf

Disabling an extended address

So, here is how to implement that last step with Postfix, when you detect that your extended address <user+evilcorp@> is being spammed. In /etc/postfix/main.cf:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/recipients,

Then, create /etc/postfix/recipients containing the addresses to disable:

user+evilcorp@example.com   553 5.7.1 I did not subscribe to receive spam, go away

Of course, the error codes and message can be freely configured, just make sure you are using a permanent error code so senders do not retry. Hash that table, reload Postfix and it is done:

# postmap /etc/postfix/recipients
# service postfix reload

After that, your mail server will reject messages sent to these addresses. And it will do so at the RCPT TO step, saving your bandwidth for more useful things.


wednesday 09 april 2014 à 08:09 Alberto Luaces said : #1

I wonder what will happen if the spammer gets the pattern and decides to discard anything after the plus sign...

After all, this is very popular for auto-filtering, so discarding the postfix of the address might target the main inbox directly.

wednesday 09 april 2014 à 10:36 Tanguy said : #2

@Alberto Luaces : I would not exactly call that popular. Among people this know that possibility, yes, it is popular, but that is only a fraction of the people that have some knowledge about the Internet, and since most users are basically computer illiterate anyway… For that reason, I do not expect spammers to care much about that. But if they do, then this measure falls apart indeed.

wednesday 09 april 2014 à 12:11 Erbureth said : #3

@Tanguy, @Alberto Luaces: You can still blacklist emails coming to the address without the +xyz part.

wednesday 09 april 2014 à 14:36 Marcos Dione said : #4

@Tanguy: you're assuming that you don't even want mail from evilcorp, that might as well be you insurance company or something like that. would it be possible to make it user+insurance.com and then answer like that for any domain!=insurance.com?

wednesday 09 april 2014 à 15:36 Tim said : #5

@Marcos: do you need something like "reject_unlisted_recipient"? See <http://www.postfix.org/postconf.5.html#smtpd_reject_unlisted_recipient>.

wednesday 09 april 2014 à 16:21 Tanguy said : #6

@Marcos Dione : Personally, if that was my bank or my insurance company, that kind of information leakage would be reason enough to change to another one. I already did for other reasons and I can do it again. But the easiest way without leaving your untrustworthy bank would be to tell them you have changed your email address, and give them another one while disabling the old one.

@Tim : I do not see how reject_unlisted_recipient would be related to that, it is meant to refuse messages to addresses your server know that they do not exist, such as non-existent users in the local domain.

wednesday 09 april 2014 à 16:39 Tim said : #7

@#6: I misread Marcos's reaction. I thought he asked for a solution where he wanted to reject every e-mail except for the e-mails to <user+insurance.com@example.com>.

thursday 10 april 2014 à 15:53 Jacques said : #8

many sites refuse the "+" character in mail address. I prefere to use another character (_for example).
In main.cf:
recipient_delimiter = _

thursday 10 april 2014 à 15:59 Jacques said : #9

if you chnage the recipient_delimiter in postfix, don't forget to change it in your lda:
for dovecot don't forget to change all occurences of:
recipient_delimiter = + with
recipient_delimiter = _
in your dovecot configuration

thursday 10 april 2014 à 16:04 Tanguy said : #10

@Jacques : Yes, unfortunately some websites coded by lamers refuse it indeed. For those cases, I simply use manually defined addresses, which I delete after one year: user-year@. I prefer that to using - or _ as a delimiter, because there are use cases for these characters in the user name (- between the two parts of composed first names, and _ between first and second names of users for which the first name is not enough).

Write a comment

What is the second letter of the word uaohnc? :