On Wed, 30 Dec 2009 17:11:59 +0000 Carlo Rodrigues <[email protected]> wrote:
> > > > > I'm using dspam and I'm very happy with it, except for this new wave of
> > > > > mp3 / gif viagra spam.
> > > > >
> > > > > The mp3 spam emails had only the attachment, no subject and no body text.
> > > > > The gif spam emails that I'm seeing now have random pieces of English
> > > > > text (from books?) on the subject and body, and the attachment.
> > > > >
> > > > > dspam is proving very ineffective stopping these spams. Especially the
> > > > > gif ones.
> > > > >
> > > > > How are you all fighting and stopping these spams?
> > > > >
> > > > One way would be to use ClamAV to stop them. Do you use ClamAV?
> > >
> > > Yes I do. But ClamAV doesn't recognize these emails as viruses.
> > >
> > You should consider adding additional signatures to ClamAV. Read more here
> > about some of them:
> > http://www.oitc.com/winnow/clamsigs/index.html
> > http://www.msrbl.com/
> > http://www.securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
> > http://malwarepatrol.com.br/
> >
> > There is even a nice script helping you to download and deploy them
> > automatically:
> > http://www.sanesecurity.co.uk/databases.htm
> >
> Nice!!!! I didn't know of the existence of these signatures.
> Thank you very much!
>
You have just to ask :)

> > > > > I'm thinking of adding a layer before dspam with spamassassin/pyzor, but
> > > > > I tried spampd yesterday and was not satisfied with it. Some emails took
> > > > > over 10 seconds to get scanned,
> > > > >
> > > > That is normal with SpamAssassin.
> > >
> > > > > even removing the dnsbl tests from spamhaus, and other emails took about
> > > > > 30 minutes or more to get delivered.
> > > > >
> > > > The DNSBL tests are probably not the reason to have a 30 minutes delay.
> > >
> > > Yes, they're not. But as I did the test on a production server, I had to
> > > roll back to my previous configuration.
> > > In test servers, under low/no volume, everything was working OK.
> > >
> > For SpamAssassin you need to have a lot of CPU and especially memory on
> > your server. SA is a huge memory user. If you are open-minded about your
> > setup then we could discuss other spam fighting methods that are less
> > memory/CPU hungry. Is there anyone here on the list using something that
> > has a great efficiency and uses low CPU/memory?
> >
> > > > > I run busy ISP mail servers so I had to remove spampd and I'm
> > > > > using only dspam.
> > > > >
> > > > I run a cluster of mail servers in an ISP setup as well. My setup uses
> > > > more than just DSPAM. But I try to avoid anything that can not be
> > > > clustered and I try to avoid everything that uses just too much
> > > > CPU/memory without being effective.
> > >
> > > Since the building of these servers I tried to do everything always with
> > > that in mind. To be as efficient as possible.
> > > It's just that these evil viagras are really bugging me and I have to do
> > > something to get rid of them.
> > >
> > I understand. I have +/- around 2% to 3% spam volume. But I have a
> > gazillion of tools/methods implemented to block as much as possible. If you
> > are open-minded then we could talk here about what other methods exist to
> > fight spam.
> >
> Yes I am open-minded. What methods are you talking about?
>
I start with the cheap solutions. I don't mean cheap in terms that they are bad. I mean cheap in terms: easy to implement, easy to manage, low in using memory/CPU, effective. Don't look at this list to be complete. I just will start to write about some solutions and add more later if you are interested. Okay?

postfwd -> Postfix firewall daemon => http://www.postfwd.org/
That thing is written in Perl (well... so it uses some memory but still... it's not that much) and allows you to write complex rules for Postfix. You can look at it as being a firewall for Postfix.

policyd-weight - Policy daemon for Postfix => http://www.policyd-weight.org/
This thing as well is written in Perl but properly configured policyd-weight is able to easily prevent over 80% of all of your Spam even entering your system. I have policyd-weight on my system and I have used it since it became publicly available. Robert has stopped developing it but a bunch of people have continued on SourceForge to develop for policyd-weight. To be honest: that thing is okay and can be used on a Postfix MTA and does not need any future development. It could profit from someone coding future functions into it but it is already today very valuable and even if no one would develop for it in the future it would be still very, very usable. I have however added a bunch of functions for myself. I have added p0f (http://lcamtuf.coredump.cx/p0f.shtml) integration, GeoIP (http://www.maxmind.com/) integration, S25R (http://gabacho.reto.jp/en/anti-spam/anti-spam-system.html) integration, computing of the distance between sender and recipient (done that after reading about SNARE: http://www.technologyreview.com/communications/23086/), and, and, and... I have many things implemented into policyd-weight and tweaked that thing to block as much as possible while still allowing legitimate mails to pass to my Postfix. I have used it for years and my high block rate with policyd-weight is the result of using it for many years. But installed out of the box policyd-weight is already able to block a huge amount of Spam even without tweaking it. If you want I could help to tailor policyd-weight for your setup and send you my patches for it and my settings.

Spamassassin Blacklists => http://www.sa-blacklist.stearns.org/sa-blacklist/
I know, I know. It says SpamAssassin but you can use it with Postfix. And the good thing is that it's easy to install and to keep up to date and you don't need to invest much time for maintenance (if at all).

Fail2Ban => http://www.fail2ban.org/
This is a little tool that is parsing logs and can do actions depending on rules you write. I use it to stop those idiots trying to do directory attacks against Postfix, send a gazillion Spam mails at once, etc... I don't just use it for Anti-Spam. I use it as well against SSH attacks, FTP attacks, etc... It does not prevent spammers sending Spam mail to me but it makes their life damn hard if they send Spam to my server and try to DoS my server with Spam or try to do directory attacks against Postfix, IMAP server, other services....

And then you should consider hardening Postfix. Postfix is easy to make a hard nut to crack. I have used Postfix since ages and have implemented a lot of things that help preventing Spam. Just for example: I used to have a gazillion of mails claiming to come from users under my control. So I implemented reject_sender_login_mismatch (http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch) in a restriction class and since then no one from outside can forge senders. Look at this here:
----------------------------------------
netbox / # telnet mail.bajic.name 25
Trying 62.12.131.155...
Connected to mail.bajic.name.
Escape character is '^]'.
220 theia.bajic.name ESMTP Postfix (2.6.5) [NO UCE, NO UBE, C=CH, L=ZU]
ehlo xxxxxxxxxx.xxxxxx.xxx
250-theia.bajic.name
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<[email protected]>
553 5.7.1 <[email protected]>: Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
netbox / #
----------------------------------------
I don't need to tell you that a bunch of failures in a certain time range do trigger fail2ban and the sender is blocked for a bunch of minutes. The spammer gets his IP address blocked and he can try as hard as he likes but he will not be able to connect to port 25 on my system.

Your box for example allows me to forge the sender:
----------------------------------------
netbox / # telnet smtp.net4b.pt 25
Trying 195.245.176.7...
Connected to smtp.net4b.pt.
Escape character is '^]'.
220 smtp.net4b.pt ESMTP smtp-4.lx.esp - OniTelecom's mail scanning server. Unauthorized usage can and will be prosecuted to the full extent of the law.
ehlo xxxxxxxxxx.xxxxxx.xxx
250-smtp.net4b.pt smtp-4.lx.esp - OniTelecom's mail scanning server. Unauthorized usage can and will be prosecuted to the full extent of the law.
250-PIPELINING
250-AUTH LOGIN PLAIN
250 8BITMIME
mail from:<[email protected]>
250 ok
rcpt to:<[email protected]>
250 ok
rset
250 flushed
quit
221 smtp.net4b.pt Goodbye.
Connection closed by foreign host.
netbox / #
----------------------------------------
I would not allow that! In no way!

This was just an example. I could probably write a book about what to do in Postfix to prevent Spam. It would be overblown to write all that in a mail. But maybe step after step I could help you to get the best out of your setup?

Today has been a quiet day on my system. But just to give you an outlook how it might look if you have a well configured system, here are my numbers for today (combined numbers from MX1 and MX2):
inbound mails: 22.92% (100% = rejected mails + inbound mails)
rejected mails: 77.08% (100% = rejected mails + inbound mails)
virus mails: 0%
spam: 5.45% (100% = inbound mails)

I usually have around 3% to 6% of all inbound mails being Spam. The number is so high because I have some customers turning off other Anti-Spam prevention systems that I offer them. I know, I know. They are crazy but it's their wish. And my Spam-Honeypot is as well responsible for the high number. Most users on my setup have no Spam mails for weeks. I even have users having 0% Spam for months.

The last 4 weeks looked like this:
inbound mails: 51.3% (100% = rejected mails + inbound mails)
rejected mails: 48.7% (100% = rejected mails + inbound mails)
virus mails: 0.15% (100% = inbound mails)
spam: 8.08% (100% = inbound mails)

I have yet to see a Spam ratio over 10% per month. I think I only had that once in the last 4 or 5 years.

> > > > Might I ask you what MTA you are using? Do you really just run DSPAM
> > > > without any other additional tools?
> > >
> > > I have 2 postfix servers with gps (greylisting) and policyd-spf-fs as
> > > policies, rbl and header checks in postfix, and dspam+clamav as a
> > > content_filter.
> > >
> > I don't use RBL checks in Postfix since I can't use them on a global scale.
> > The problem I (my customers) have with them is that they are black or
> > white. And I have customers dealing with senders that are always somewhere
> > on some black list (yeah, yeah. Try to deal with senders from Russia or
> > Asia. Most of them are always on one or a bunch of black lists and I have
> > customers that WANT those mails). I am forced to use something that allows
> > me to have a weighting and influence the whole processing. I know that I
> > could influence the RBL in Postfix but I need something more flexible.
> >
> I see. There is always that problem, when you start having complaints
> from people who don't receive mail.
>
And the customer is KING! I am not a dictator to tell them what they should get and what not. I am just the enabler. I build things that they can use but are not forced to use. I however don't allow certain things to happen on my infrastructure. For example I don't allow them to send Spam and I don't allow them to send Virus infected mails/files. And I force SPF, Sender-ID, DKIM and other stuff on their domain. They can't say no to that. They must follow those rules and if they don't want then they are free to get someone else (another ISP/ESP/whatever) doing that for them. I have a reputation and I don't want them to mess up my reputation.

> > > I'm sharing the dspam home via nfs, and using a remote mysql server for
> > > gps and dspam.
> > >
> > I share my DSPAM home over GlusterFS and MySQL in Master / Master mode for
> > DSPAM and a bunch of other tools.
> >
> > > Yesterday I tried spampd, a perl application which is a transparent
> > > lmtp/smtp proxy that uses spamassassin to tag mail.
> > > It didn't work too well, so I'm trying amavisd-new today.
> > >
> > I use Amavisd-New. It's okay. A memory eater but I can handle it. I have
> > integrated it into MySQL and connected with Postfix.Admin and, and, and...
> >
> > > Is there anything I can tune in dspam so that it would be more effective
> > > in recognizing these emails as spam? I'm using
> > > 'Algorithm graham burton' and 'Tokenizer osb'.
> > >
> > For the moment: NO
> > The problem is that DSPAM is stripping those attachments out of the
> > calculation. So no matter what Tokenizer or Algorithm you use, the
> > attachments are not tokenized.
> > I could implement other stuff into DSPAM to block those attachments. But
> > that would require some work on the DSPAM base.
> >
> I see. Attachments never get tokenized, so it doesn't matter if I stay
> hours a day marking every one of this kind of spam and training dspam.
>
It has an effect. I can't tell you if it is bad or good. It all depends on the amount of training. In general training is good. It helps DSPAM. You should however use TOE mode if you can. That delivers better value in your situation.

> Perhaps it's even worse, as the random citations of text being tokenized
> will help to block legitimate email.
>
NO! You use OSB and OSB is hard to mess up with that random text.

> > > > > Thanks for your time.
> > > > >
> > > > > Carlo Rodrigues
> > > > >
> > > > --
> > > > Kind Regards from Switzerland,
> > > >
> > > > Stevan Bajić
> > >
--
Kind Regards from Switzerland,

Stevan Bajić

_______________________________________________
Dspam-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspam-user
