
Resolved
Hello Friends,

I have had an issue for the last week and a half. I've searched high and low on the Internet and on the ClearOS forum for a solution, but I can't seem to find any that really makes sense.

Lately, for the last week and a half, my email account has been SPAMMED with Undelivered Mail Returned to Sender emails. I am getting at least 100 to 300 emails like these a day. Apparently, someone or some bot or virus is using my email address to send their spam, but it is failing and the undeliverable emails are dumped in my inbox.

I did what I thought was OBVIOUS. I changed the password for my email address. For about a day or so, these types of emails stopped showing up in my email inbox, and then they started back again. I also SCANNED my computer for viruses, malware, spyware, etc., etc., etc. The virus scanner did find 2 items marked Malware, which were immediately deleted, and then, as I said before, I changed my email account password.

What other options do I have other than setting up email anti-spam filters?

Any help or hint will be greatly appreciated. Thank you.
Monday, February 18 2019, 03:11 PM
Responses (9)
  • Wednesday, February 20 2019, 07:06 PM
    I can block it all. It is just that they keep hammering and have been doing so for about a month now. They are all from random {a_random_set_of_digits}@qq.com and to {different_random_digits}@mydomain.com. None can be delivered as they never go to a real mailbox, so, in reality, I don't have to do anything.

    What I have done is:
    1 - use postfix/access to block qq.com
    2 - I reject anything coming from a host without a reverse DNS anyway
    3 - many come from dynamic IPs with a reverse DNS of {something}dynamic.163data.com.cn
    4 - 2 and 3 are variants of dynamic IPs, so I use fail2ban with a home-grown filter to block the /24 subnet of the incoming IP, assuming that if one IP address in a /24 block is dynamic, then they all are.

    This last one has had a big impact as the spam does not even get as far as my system.

    The main problem I have is that I was using the ClearCenter MX backup, so I could not do anything about 2, 3 or 4, as nearly all mail was coming through the MX backup and so, as far as my logs were concerned, from a good IP. 4 only works if the mail is sent directly to me.
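One way to do the log-side half of steps 2 to 4 above, as an added example that is not code from the thread or from ClearOS: it scans Postfix smtpd rejections for clients with no reverse DNS or a dynamic-looking one, aggregates them by /24 the way the home-grown fail2ban filter does, and tallies envelope-sender domains as input for the postfix/access block in step 1. The log lines, the addresses and the `DYNAMIC_RDNS_RE` heuristic are constructed and assumed, not taken from a real system.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed Postfix log lines shaped like the rejections the thread describes:
# clients with no reverse DNS, a dynamic-looking reverse name, and senders at qq.com.
# (Documentation addresses; the 163data pattern is modelled on the one quoted above.)
SAMPLE_LOG = """\
Feb 20 10:01:02 mail postfix/smtpd[2201]: NOQUEUE: reject: RCPT from unknown[203.0.113.17]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.17]; from=<83920114@qq.com> to=<40912@mydomain.com> proto=ESMTP helo=<qq.com>
Feb 20 10:01:09 mail postfix/smtpd[2203]: NOQUEUE: reject: RCPT from unknown[203.0.113.88]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.88]; from=<71120043@qq.com> to=<55501@mydomain.com> proto=ESMTP helo=<qq.com>
Feb 20 10:02:41 mail postfix/smtpd[2207]: NOQUEUE: reject: RCPT from 5.100.51.198.dynamic.163data.com.cn[198.51.100.5]: 554 5.7.1 Client host rejected: Access denied; from=<60217755@qq.com> to=<18834@mydomain.com> proto=ESMTP helo=<qq.com>
Feb 20 10:03:00 mail postfix/smtpd[2210]: 7A1B2C3D4E: client=mail.example.net[192.0.2.10]
Feb 20 10:03:30 mail postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[203.0.113.200]: 450 4.7.25 Client host rejected: cannot find your reverse hostname, [203.0.113.200]; from=<91001203@qq.com> to=<77102@mydomain.com> proto=ESMTP helo=<qq.com>
"""

REJECT_RE = re.compile(r"smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<rdns>[^\[\s]+)\[(?P<ip>[0-9.]+)\]")
SENDER_RE = re.compile(r"from=<[^<>@]+@(?P<dom>[^<>]+)>")
# Assumed heuristic for "dynamic" reverse names; "unknown" is Postfix's marker for no rDNS.
DYNAMIC_RDNS_RE = re.compile(r"^unknown$|dynamic|dyn|pool|dhcp|ppp", re.I)

def dynamic_sources(log_text):
    """Map each /24 (as a string) to the number of rejected clients in it with no or dynamic rDNS."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and DYNAMIC_RDNS_RE.search(m["rdns"]):
            hits[str(ip_network(f"{m['ip']}/24", strict=False))] += 1
    return hits

def networks_to_ban(log_text, threshold=1):
    """The thread's fail2ban rule: one dynamic client in a /24 is enough to block the
    whole /24 (threshold=1); raise the threshold to demand repeat offenders."""
    return sorted(n for n, c in dynamic_sources(log_text).items() if c >= threshold)

def sender_domains(log_text):
    """Tally envelope-sender domains of rejected mail: input for a postfix/access block."""
    return Counter(m["dom"] for m in SENDER_RE.finditer(log_text))
```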
  • Wednesday, February 20 2019, 04:44 PM
    I wish someone could solve my storm > 1000 spam/day but easy to block.

    You could run mail through a google account. Man, Google's got some fantastic filtering. We've been running our business emails through Google for a few years now, albeit with some MX records and a CNAME record (allowing for an alias of gmail.ourdomain.com) in our DNS settings, for $5/user per month, and our junk mail is down to nil. Google's spam filtering is fantastic. I've rarely, if ever, caught any valid email in the SPAM folder of my gmail. I rarely, if ever, have junk mail in my inbox. In fact, I rarely visit my gmail. I just let it do its thing. Of course, this makes it so your mail winds up in a gmail inbox for your user, but so what. Mail is still sent and received under the guise of our domain.
  • Wednesday, February 20 2019, 02:43 PM
    You have pretty much the same risk using subject or sender. Doing either, I think you can cause it to log with a message of your choice. Then you can remove the block as soon as the storm stops.

    I wish someone could solve my storm > 1000 spam/day but easy to block.
  • Wednesday, February 20 2019, 02:16 PM
    Hi

    Mail AntiSpam and Mail Antivirus are enabled, as shown in the images.
    https://www.rel-tek.com/MailAntiVirusC.PNG

    https://www.rel-tek.com/MailAntiSpamC.PNG

    I have thought about discarding the messages based on the subject line, but like Nick said, I will also be discarding legitimate Mailer Daemon messages.

    I will have to try what Nick suggested and see if it helps any.

    Thanks.
  • Tuesday, February 19 2019, 08:49 AM
    @Dirk, this is backscatter of undeliverable e-mails and not the SPAM directly, so technically it is legitimate mail coming from ISPs/postmasters and won't get picked up by the usual spam filters. I don't think there is much you can do except block on the subject or possibly the sender "mailer-daemon". I would suggest you only do this temporarily, because if you send something to an incorrect recipient, you may want to see these messages to tell you your legitimate mail has failed.

    To block on sender, have a look at /etc/postfix/access. Discard rather than reject. To block on subject, have a look at /etc/postfix/header_checks. You can also block on sender with header_checks but using access is preferable as it is less expensive with processing.
  • Tuesday, February 19 2019, 03:55 AM
    So are the recipients always different on the returned emails? Did you peruse your maillog for any indicators? Do you have the mail anti-spam app installed from the marketplace? It's like Nick said, start filtering some commonalities, blacklisting some domains, etc. Enabling the discard policy might prevent your inbox from filling up.
  • Monday, February 18 2019, 10:33 PM
    I can't help much unless you can see something to commonly identify these mails. It is possible to set up a generic filter just to kill these based on the subject or some other feature. You could do that temporarily.
  • Monday, February 18 2019, 06:52 PM
    Here you go

    Return-Path: <mailer-daemon@server.rel-tek.com>
    Received: from localhost (localhost [127.0.0.1])
    by server.rel-tek.com (Cyrus v2.4.17-Fedora-RPM-2.4.17-8.v7.1) with LMTPA;
    Mon, 18 Feb 2019 09:21:22 -0500
    X-Sieve: CMU Sieve 2.4
    Received: by mail.rel-tek.com (Postfix)
    id 1B85A80439773; Mon, 18 Feb 2019 09:21:19 -0500 (EST)
    Date: Mon, 18 Feb 2019 09:21:19 -0500 (EST)
    From: MAILER-DAEMON@rel-tek.com (Mail Delivery System)
    Subject: Undelivered Mail Returned to Sender
    To: sales@rel-tek.com
    Auto-Submitted: auto-replied
    MIME-Version: 1.0
    Content-Type: multipart/report; report-type=delivery-status;
    boundary="F237580473A51.1550499679/mail.rel-tek.com"
    Content-Transfer-Encoding: 7bit
    Message-Id: <20190218142120.1B85A80439773@mail.rel-tek.com>
    This is a MIME-encapsulated message.

    --F237580473A51.1550499679/mail.rel-tek.com
    Content-Description: Notification
    Content-Type: text/plain; charset=us-ascii

    This is the mail system at host mail.rel-tek.com.

    I'm sorry to have to inform you that your message could not
    be delivered to one or more recipients. It's attached below.

    For further assistance, please send mail to postmaster.

    If you do so, please include this problem report. You can
    delete your own text from the attached returned message.

    The mail system

    <tdragon@concordwell.com>: connect to concordwell.com[184.168.131.241]:25:
    Connection timed out

    --F237580473A51.1550499679/mail.rel-tek.com
    Content-Description: Delivery report
    Content-Type: message/delivery-status

    Reporting-MTA: dns; mail.rel-tek.com
    X-Postfix-Queue-ID: F237580473A51
    X-Postfix-Sender: rfc822; sales@rel-tek.com
    Arrival-Date: Wed, 13 Feb 2019 08:26:12 -0500 (EST)

    Final-Recipient: rfc822; tdragon@concordwell.com
    Original-Recipient: rfc822;tdragon@concordwell.com
    Action: failed
    Status: 4.4.1
    Diagnostic-Code: X-Postfix; connect to concordwell.com[184.168.131.241]:25:
    Connection timed out

    --F237580473A51.1550499679/mail.rel-tek.com
    Content-Description: Undelivered Message
    Content-Type: message/rfc822
    Content-Transfer-Encoding: 7bit

    Return-Path: <sales@rel-tek.com>
    Received: from localhost (localhost [127.0.0.1])
    by mail.rel-tek.com (Postfix) with ESMTP id F237580473A51
    for <tdragon@concordwell.com>; Wed, 13 Feb 2019 08:26:12 -0500 (EST)
    X-Virus-Scanned: amavisd-new at rel-tek.com
    Received: from mail.rel-tek.com ([127.0.0.1])
    by localhost (server.rel-tek.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id L6fJXnbBUVPM for <tdragon@concordwell.com>;
    Wed, 13 Feb 2019 08:26:12 -0500 (EST)
    Received: from localhost (localhost [127.0.0.1])
    by mail.rel-tek.com (Postfix) with ESMTP id 477DE80473A50
    for <tdragon@concordwell.com>; Wed, 13 Feb 2019 08:26:12 -0500 (EST)
    Received: from WIN-AUDMJQU1G3S (unknown [109.202.107.147])
    by mail.rel-tek.com (Postfix) with ESMTPA id E007480473A4E
    for <tdragon@concordwell.com>; Wed, 13 Feb 2019 08:26:11 -0500 (EST)
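An added example (not code from the thread or from ClearOS) that triages a bounce like the one above: it pulls the delivery-status fields and the first-hop Received: line of the returned message, reports whether that hop used SMTP AUTH (the ESMTPA keyword, RFC 3848) and whether the bounce was generated by the same MTA that accepted the message, which separates mail your own server relayed from backscatter generated elsewhere. The sample is a constructed, abridged copy of the quoted headers.

```python
import re
# Constructed sample: an abridged copy of the bounce quoted in the thread, keeping the
# delivery-status fields and the Received: trail of the returned (undelivered) message.
SAMPLE_BOUNCE = """\
Reporting-MTA: dns; mail.rel-tek.com
Final-Recipient: rfc822; tdragon@concordwell.com
Action: failed
Status: 4.4.1
Diagnostic-Code: X-Postfix; connect to concordwell.com[184.168.131.241]:25:
 Connection timed out

Return-Path: <sales@rel-tek.com>
Received: from localhost (localhost [127.0.0.1])
 by mail.rel-tek.com (Postfix) with ESMTP id F237580473A51
Received: from WIN-AUDMJQU1G3S (unknown [109.202.107.147])
 by mail.rel-tek.com (Postfix) with ESMTPA id E007480473A4E
 for <tdragon@concordwell.com>; Wed, 13 Feb 2019 08:26:11 -0500 (EST)
"""

DSN_FIELD_RE = re.compile(
    r"^(Reporting-MTA|Final-Recipient|Action|Status|Diagnostic-Code): (.*)$", re.M)
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[0-9.]+)\]\) "
    r"by (?P<mta>\S+) [^\n]*?with (?P<proto>[A-Z0-9]+)", re.M)

def unfold(text):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", text)

def triage_bounce(raw):
    """Return what the delivery report says and where the returned message entered."""
    raw = unfold(raw)
    fields = dict(DSN_FIELD_RE.findall(raw))
    hops = [m.groupdict() for m in RECEIVED_RE.finditer(raw)]
    origin = hops[-1] if hops else {}  # bottom-most Received: is the first hop
    reporting_mta = fields.get("Reporting-MTA", "").split(";")[-1].strip()
    return {
        "recipient": fields.get("Final-Recipient", "").split(";")[-1].strip(),
        "status": fields.get("Status"),
        "diagnostic": fields.get("Diagnostic-Code"),
        "origin_ip": origin.get("ip"),
        "origin_rdns": origin.get("rdns"),
        "origin_proto": origin.get("proto"),
        # RFC 3848: ESMTPA / ESMTPSA mean the client passed SMTP AUTH (a valid login).
        "authenticated": origin.get("proto", "").endswith("A"),
        # Bounce generated by the same MTA that accepted the first hop: a local
        # bounce for mail this server relayed, not backscatter arriving from outside.
        "bounced_by_receiving_mta": bool(origin) and reporting_mta == origin.get("mta"),
    }
```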
  • Monday, February 18 2019, 05:27 PM
    If you're in luck the storm will die away again. Please can you post a couple of the mail headers?