Hello soporteseguridad,

I have had quite a few questions on this topic recently and have tried lots of things. Unfortunately none have been very helpful. The problem with most spam is that it is valid email (not malware), just lots of it, and unsolicited. Here are a few options that may or may not help.

1.) The answer given by HITSSEC was one that I thought would be a great idea, though I tried it and had very weak results. The problem was that even when metering SMTP traffic down to something like 2pps, I was still able to pass out 80+ emails out of 100 in a couple of seconds. Not very helpful. In addition, if you're spamming from an SMTP (postfix) type server, the server will just keep trying to deliver the messages. It will eventually succeed after your DoS rule timeout happens. I tested this with a postfix server running on my Mac (and a handy spam script), behind my PA-200 with a DoS policy. It didn't matter how much I decreased the allowed pps, the policy did not prevent spamming - just slowed it down some.

2.) Dynamic block lists. This is an option available in 5.x and could be useful if you are trying to block email being sent to known relay servers, or from known IPs. If you were so inclined, I imagine you could pull a list with a script (curl or wget) from a site that tracks spammers and make that file available on a webserver that your firewall has access to. Then, add that path to your security rule as a dynamic block list. This will of course not be helpful if the spam is being sent from dynamic (changing) IPs. See KB here:

3.) Dynamic address objects. Also in 5.x, you can have a dynamic address object in your security rule which can be updated via a script using the XML API on the firewall. This could be an option if you had a method (external to the firewall) to detect and identify spammer IPs.

I have seen people use this feature to great success in conjunction with Splunk and the Palo Alto app for Splunk (which contains a python script for updating dynamic address objects). See KB here for info on dynamic address objects: Dynamic Address Objects

Hope this helps,
-chadd.
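As an added illustration of options 2 and 3 above (this is not chadd's script nor the Palo Alto Splunk app's), the block below parses a constructed spammer-IP feed and builds the XML API "user-id" register message that tags those IPs for a dynamic address object a block rule can reference. The feed format, the `<uid-message>` register layout, the tag name and the FW_HOST / API_KEY placeholders are assumptions; confirm the message format against your PAN-OS version's XML API documentation.

```python
import ipaddress
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

# Constructed sample feed; one IP per line with '#' comments is an assumed format.
SAMPLE_FEED = """# spam sources, refreshed hourly
203.0.113.10
203.0.113.10
198.51.100.7   # seen relaying
not-an-ip
"""

def parse_feed(text):
    """Return the unique, syntactically valid IPs in a feed, skipping comments
    and junk so one bad line cannot break the whole firewall update."""
    seen = []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            addr = str(ipaddress.ip_address(token))
        except ValueError:
            continue  # not an address: leave it out rather than send it to the firewall
        if addr not in seen:
            seen.append(addr)
    return seen

def build_register_message(ips, tag):
    """Build the <uid-message> that registers each IP with `tag` (layout assumed)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip in ips:
        entry = ET.SubElement(register, "entry", ip=ip)
        ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")

def register_ips(fw_host, api_key, ips, tag):
    """POST the register message to https://<fw_host>/api/ (TLS verified by default)
    and return the status attribute of the firewall's <response> element."""
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": build_register_message(ips, tag)}
    ).encode()
    with urllib.request.urlopen(f"https://{fw_host}/api/", data=data, timeout=10) as resp:
        return ET.fromstring(resp.read()).get("status")

if __name__ == "__main__":
    # register_ips("FW_HOST", "API_KEY", ...) needs a real firewall; only the XML is shown here.
    print(build_register_message(parse_feed(SAMPLE_FEED), "spam-source"))
```

The tag name used here must match the tag the dynamic address object on the firewall filters on, and the API key should belong to a role limited to User-ID operations.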