I have a problem with spam. One account that doesn't exist anymore receives hundreds to thousands of mails daily. Although they are all rejected, I would rather not have my logs filled with all this junk.
Since there is no option for this in the mail system, I would like to block those emails upfront at the router.
First I just blocked the IP addresses from which most of the spam comes. But almost immediately it came from different addresses.
So I tried the content filter with "evil@mydomain.tld" and it worked sometimes.
Of course I don't want to block mails that have this mail address in the body, just the ones that are addressed to that account.
So I tried the L7 protocol filter: ".To:.<evil@mydomain.tld>.*"
This also seems to work sometimes.
I'd rather look for SMTP's "RCPT TO:<evil@mydomain.tld>" lines; there's less room for variation. But all this will only work if there's no encryption, and it would be strange if your server didn't support it in 2019. So maybe some simple spambots skip it to save resources, but others that do use it can't be caught with L7.
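To make the trade-offs in this thread concrete, here is an added example (not code from either poster) that runs the three filter ideas discussed above, a plain content match, the poster's L7 ".To:.<evil@mydomain.tld>.*" pattern copied as written, and the reply's RCPT TO match, over a few constructed SMTP sessions. The sessions, the host names in them, and the assumption that the router's L7 matcher is case-insensitive are this example's own; it also treats everything after a successful STARTTLS as unreadable, which is the reply's point.

```python
"""Constructed SMTP sessions run through the filter ideas from the thread:
a content match, the poster's "To:" L7 pattern and the reply's RCPT TO match.
The sessions are made up for illustration; they are not real captures."""
import re
from typing import Optional

TARGET = "evil@mydomain.tld"  # the dead account from the thread

# The poster's L7 pattern, copied as written and applied with Python's re.
# Case-insensitivity is an assumption about the router's matcher.
HEADER_RE = re.compile(r".To:.<evil@mydomain.tld>.*", re.IGNORECASE)

# The reply's suggestion: match the SMTP envelope recipient instead.
# RFC 5321 makes the verb case-insensitive; whitespace after the colon and
# the angle brackets are the variations seen in practice.
RCPT_RE = re.compile(
    r"^RCPT\s+TO:\s*<?" + re.escape(TARGET) + r">?\s*$",
    re.IGNORECASE | re.MULTILINE,
)

# Client STARTTLS followed by the server's 220 reply: from here on the
# stream is TLS records and nothing below it can be matched by a router.
TLS_START_RE = re.compile(r"^STARTTLS\r?\n220[^\n]*\n", re.IGNORECASE | re.MULTILINE)


def cleartext_part(session: str) -> str:
    """Return the bytes a router can read: everything before the TLS handshake."""
    m = TLS_START_RE.search(session)
    return session[: m.end()] if m else session


def header_filter_hits(session: str) -> bool:
    """The poster's '.To:.<evil@mydomain.tld>.*' pattern over the cleartext."""
    return HEADER_RE.search(cleartext_part(session)) is not None


def content_filter_hits(session: str) -> bool:
    """A generic content filter: the address appears anywhere in the cleartext."""
    return TARGET in cleartext_part(session).lower()


def rcpt_filter_hits(session: str) -> Optional[bool]:
    """RCPT TO match; None when TLS started before any decision could be made."""
    if RCPT_RE.search(cleartext_part(session)):
        return True
    return None if TLS_START_RE.search(session) else False


def smtp(*lines: str) -> str:
    """Join constructed client/server lines with SMTP's CRLF line endings."""
    return "".join(line + "\r\n" for line in lines)


# Spam bot, no TLS, canonical RCPT syntax; the server rejects the recipient.
SPAM_PLAIN = smtp(
    "220 mail.mydomain.tld ESMTP", "EHLO spambot.example",
    "250-mail.mydomain.tld", "250 STARTTLS",
    "MAIL FROM:<x@spam.example>", "250 OK",
    "RCPT TO:<evil@mydomain.tld>", "550 5.1.1 User unknown", "QUIT",
)

# Same kind of bot with sloppier spacing and casing on the envelope command.
SPAM_SPACED = smtp(
    "220 mail.mydomain.tld ESMTP", "helo spambot2.example", "250 mail.mydomain.tld",
    "mail from: <y@spam.example>", "250 OK",
    "rcpt to: <Evil@MyDomain.tld>", "550 5.1.1 User unknown", "QUIT",
)

# A bot that negotiates STARTTLS; everything after the 220 is ciphertext
# (a short run of constructed bytes stands in for the TLS records).
SPAM_TLS = smtp(
    "220 mail.mydomain.tld ESMTP", "EHLO bot3.example",
    "250-mail.mydomain.tld", "250 STARTTLS",
    "STARTTLS", "220 2.0.0 Ready to start TLS",
) + "\x16\x03\x03\x00\x45\x01\x00\x00\x41\x03\x03\x8a\x1f\xc4\x7b\xde"

# Legitimate mail to a live user that merely mentions the dead address.
LEGIT_BODY = smtp(
    "220 mail.mydomain.tld ESMTP", "EHLO mx.example.org",
    "250-mail.mydomain.tld", "250 STARTTLS",
    "MAIL FROM:<friend@example.org>", "250 OK",
    "RCPT TO:<alice@mydomain.tld>", "250 OK",
    "DATA", "354 End data with <CR><LF>.<CR><LF>",
    "To: alice@mydomain.tld", "Subject: old address",
    "", "Please stop writing to evil@mydomain.tld, that mailbox is gone.",
    ".", "250 OK queued", "QUIT",
)


def summary() -> dict:
    """Results for each constructed session, keyed by filter name."""
    sessions = {"plain": SPAM_PLAIN, "spaced": SPAM_SPACED,
                "tls": SPAM_TLS, "legit": LEGIT_BODY}
    return {
        name: {
            "content": content_filter_hits(s),
            "header": header_filter_hits(s),
            "rcpt": rcpt_filter_hits(s),
        }
        for name, s in sessions.items()
    }


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:6s} {result}")
```

On these constructed sessions the content match also fires on the legitimate message that only mentions the address in its body, the poster's pattern fires only when a bot happens to write the envelope command as "rcpt to: <...>" with a space (the server rejects the recipient before DATA, so no To: header is ever sent), while the RCPT TO pattern catches both spellings and stays quiet on the legitimate mail. Once STARTTLS has completed none of the three can see anything, which is why `rcpt_filter_hits` reports `None` rather than a decision for that session.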