Yes I am open-minded. What methods are you talking about?

I start with the cheap solutions. I don't mean cheap in the sense that they are 
bad. I mean cheap in the sense: easy to implement, easy to manage, low in 
memory/CPU usage, effective.

Don't expect this list to be complete. I will just start to write about some 
solutions and add more later if you are interested. Okay?

postfwd -> Postfix firewall daemon => http://www.postfwd.org/
That thing is written in Perl (well... so it uses some memory but still... it's 
not that much) and allows you to write complex rules for Postfix. You can look 
at it as being a firewall for Postfix.


policyd-weight - Policy daemon for Postfix => http://www.policyd-weight.org/
This thing as well is written in Perl, but properly configured policyd-weight is 
able to easily prevent over 80% of all of your Spam from even entering your 
system. I have policyd-weight on my system and I have used it since it became 
publicly available. Robert has stopped developing it but a bunch of people have 
continued on SourceForge to develop policyd-weight. To be honest: That thing is 
okay and can be used on a Postfix MTA and does not need any further development. 
It could profit from someone coding further functions into it, but it is already 
today very valuable and even if no one would develop for it in the future it 
would still be very, very usable.
I have however added a bunch of functions for myself. I have added p0f 
(http://lcamtuf.coredump.cx/p0f.shtml) integration, GeoIP 
(http://www.maxmind.com/) integration, S25R 
(http://gabacho.reto.jp/en/anti-spam/anti-spam-system.html) integration, 
computing of the distance between sender and recipient (done that after reading 
about SNARE: http://www.technologyreview.com/communications/23086/), and, and, 
and...
I have many things implemented in policyd-weight and tweaked that thing to 
block as much as possible while still allowing legitimate mails to pass to my 
Postfix. I have used it for years and my high block rate with policyd-weight is 
the result of using it for many years. But installed out of the box, 
policyd-weight is already able to block a huge amount of Spam even without 
tweaking it. If you want, I could help to tailor policyd-weight for your setup 
and send you my patches for it and my settings.


Spamassassin Blacklists => http://www.sa-blacklist.stearns.org/sa-blacklist/
I know, I know. It says SpamAssassin but you can use it with Postfix. And the 
good thing is that it's easy to install and to keep up to date and you don't 
need to invest much time for maintenance (if at all).


Fail2Ban => http://www.fail2ban.org/
This is a little tool that is parsing logs and can do actions depending on 
rules you write. I use it to stop those idiots trying to do directory attacks 
against Postfix, send a gazillion Spam mails at once, etc... I don't just use 
it for Anti-Spam. I use it as well against SSH attacks, FTP attacks, etc... It 
does not prevent spammers sending Spam mail to me but it makes their life damn 
hard if they send Spam to my server and try to DoS my server with Spam or try 
to do directory attacks against Postfix, IMAP server, other services....


And then you should consider hardening Postfix. Postfix is easy to make a hard 
nut to crack. I have used Postfix for ages and have implemented a lot of things 
that help prevent Spam. Just for example: I used to have a gazillion mails 
claiming to come from users under my control. So I implemented 
reject_sender_login_mismatch 
(http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch) in a 
restriction class and since then no one from outside can forge senders. Look at 
this here:
----------------------------------------
netbox / # telnet mail.bajic.name 25
Trying 62.12.131.155...
Connected to mail.bajic.name.
Escape character is '^]'.
220 theia.bajic.name ESMTP Postfix (2.6.5) [NO UCE, NO UBE, C=CH, L=ZU]
ehlo xxxxxxxxxx.xxxxxx.xxx
250-theia.bajic.name
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<[email protected]>
553 5.7.1 <[email protected]>: Sender address rejected: not logged in
rset
250 2.0.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
netbox / #
----------------------------------------

I don't need to tell you that a bunch of failures in a certain time range do 
trigger fail2ban and the sender is blocked for a bunch of minutes. The spammer 
gets his IP address blocked and he can try as hard as he likes but he will not 
be able to connect to port 25 on my system.

This is enough software to keep me busy for a few weeks :) I'll check all this stuff.

Your box for example allows me to forge the sender:
----------------------------------------
netbox / # telnet smtp.net4b.pt 25
Trying 195.245.176.7...
Connected to smtp.net4b.pt.
Escape character is '^]'.
220 smtp.net4b.pt ESMTP smtp-4.lx.esp - OniTelecom's mail scanning server. 
Unauthorized usage can and will be prosecuted to the full extent of the law.
ehlo xxxxxxxxxx.xxxxxx.xxx
250-smtp.net4b.pt smtp-4.lx.esp - OniTelecom's mail scanning server. 
Unauthorized usage can and will be prosecuted to the full extent of the law.
250-PIPELINING
250-AUTH LOGIN PLAIN
250 8BITMIME
mail from:<[email protected]>
250 ok
rcpt to:<[email protected]>
250 ok
rset
250 flushed
quit
221 smtp.net4b.pt Goodbye.
Connection closed by foreign host.
netbox / #
----------------------------------------

I would not allow that! In no way!

smtp.net4b.pt is running qmail-ldap + simscan + spamassassin + clamav. I'm hoping to replace these systems soon.

But I cannot implement that feature because all my public IP servers are relay-only servers. I relay mail for certain domains, some of which have mailboxes on servers that I administer, and others are managed by the customers' own servers. And I relay mail from all those systems to the outside world. I don't have a clue about how many mailboxes or which addresses exist for most domains I relay mail to.

That is the reason I use dspam with SHARED,MANAGED groups. So each domain is considered an independent entity managed by someone from the customer's company. Right now I'm only using relay.onicommunications.pt (the systems with postfix/dspam) for one inbound domain, and for outbound mail, but I plan to migrate all the domains on the old servers to these ones.

This was just an example. I could probably write a book about what to do in 
Postfix to prevent Spam. It would be too much to write all that in a mail. But 
maybe step by step I could help you to get the best out of your setup?

Today has been a quiet day on my system. But just to give you an outlook how it 
might look if you have a well configured system, here my numbers for today 
(combined numbers from MX1 and MX2):
inbound mails: 22.92% (100% = rejected mails + inbound mails)
rejected mails: 77.08% (100% = rejected mails + inbound mails)
virus mails: 0%
spam: 5.45% (100% = inbound mails)

I usually have around 3% to 6% of all inbound mails being Spam. The number is so 
high because I have some customers turning off other Anti-Spam prevention 
systems that I offer them. I know, I know. They are crazy but it's their wish. 
And my Spam-Honeypot is as well responsible for the high number. Most users on 
my setup have no Spam mails for weeks. I even have users having 0% Spam for 
months.


The last 4 weeks looked like this:
inbound mails: 51.3% (100% = rejected mails + inbound mails)
rejected mails: 48.7% (100% = rejected mails + inbound mails)
virus mails: 0.15% (100% = inbound mails)
spam: 8.08% (100% = inbound mails)


I have yet to see a Spam ratio over 10% per month. I think I only had that once 
in the last 4 or 5 years.


>Might I ask you what MTA you are using? Do you really just run DSPAM without
>any other additional tools?

I have 2 postfix servers with gps(greylisting) and policyd-spf-fs as policies, rbl and header checks in postfix, and dspam+clamav as a content_filter.

I don't use RBL checks in Postfix since I can't use them on a global scale. The 
problem I (my customers) have with them is that they are black or white. And I 
have customers dealing with senders that are always somewhere on some black 
list (yeah, yeah. Try to deal with senders from Russia or Asia. Most of them 
are always on one or a bunch of black lists and I have customers that WANT 
those mails). I am forced to use something that allows me to have a weighting 
and influence the whole processing. I know that I could influence the RBL in 
Postfix but I need something more flexible.

I see. There is always that problem, when you start having complaints from people who don't receive mail.

And the customer is KING! I am not a dictator to tell them what they should get 
and what not. I am just the enabler. I build things that they can use but are 
not forced to use. I however don't allow certain things to happen on my 
infrastructure. For example I don't allow them to send Spam and I don't allow 
them to send Virus infected mails/files. And I force SPF, Sender-ID, DKIM and 
other stuff on their domain. They can't say no to that. They must follow those 
rules and if they don't want then they are free to get someone else (another 
ISP/ESP/whatever) doing that for them. I have a reputation and I don't want 
them to mess up my reputation.


I'm sharing the dspam home via nfs, and using a remote mysql server for gps and dspam.

I share my DSPAM home over GlusterFS and MySQL in Master / Master mode for 
DSPAM and a bunch of other tools.

I do not know GlusterFS, but I tried OCFS2 and was happy about it. I only tried it on test systems, though, because the production machines didn't come with fiber channel. That is why I'm currently using nfs. For the bandwidth that is being used, it's enough.

Yesterday I tried spampd, a perl application which is a transparent lmtp/smtp proxy that uses spamassassin to tag mail.
It didn't work too well, so I'm trying amavisd-new today.

I use Amavisd-New. It's okay. A memory eater but I can handle it. I have 
integrated it into MySQL and connected with Postfix.Admin and, and, and...


Is there anything I can tune in dspam so that it would be more effective in recognizing these emails as spam? I'm using
'Algorithm graham burton' and 'Tokenizer osb'.

For the moment: NO
The problem is that DSPAM is stripping those attachments out of the 
calculation. So no matter what Tokenizer or Algorithm you use, the attachments 
are not tokenized.
I could implement other stuff into DSPAM to block those attachments. But that 
would require some work on the DSPAM base.

I see. Attachments never get tokenized, so it doesn't matter if I stay hours a day marking every one of this kind of spam and training dspam.

It has an effect. I can't tell you if it is bad or good. It all depends on the 
amount of training. In general training is good. It helps DSPAM. You should 
however use TOE mode if you can. That delivers better value in your situation.

Yep, I was using TUM before, but I changed to TOE when this wave of spam appeared.
Perhaps it's even worse, as the random citations of text being tokenized will help to block legitimate email.

NO! You use OSB and OSB is hard to mess up with that random text.


Good ;)
>> Thanks for your time.
>>
>> Carlo Rodrigues
>>
>--
>Kind Regards from Switzerland,
>
>Stevan Bajić

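Added example (not code from either poster or from fail2ban itself): the reject_sender_login_mismatch plus fail2ban combination discussed above, as a fail2ban-style sliding-window check run over constructed Postfix smtpd log lines. The log lines, the client IPs, the maxretry/findtime thresholds and the function name are all assumptions made for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Postfix smtpd log lines (not from the thread). The text
# "Sender address rejected: not logged in" is what Postfix logs when
# reject_sender_login_mismatch refuses an unauthenticated client that
# claims a local sender; 203.0.113.7 hammers it, 198.51.100.22 does not.
SAMPLE_LOG = """\
Jan 12 10:00:01 mx1 postfix/smtpd[1201]: NOQUEUE: reject: MAIL from unknown[203.0.113.7]: 553 5.7.1 <alice@example.com>: Sender address rejected: not logged in; from=<alice@example.com> proto=ESMTP helo=<x>
Jan 12 10:00:05 mx1 postfix/smtpd[1201]: NOQUEUE: reject: MAIL from unknown[203.0.113.7]: 553 5.7.1 <bob@example.com>: Sender address rejected: not logged in; from=<bob@example.com> proto=ESMTP helo=<x>
Jan 12 10:00:09 mx1 postfix/smtpd[1203]: NOQUEUE: reject: MAIL from unknown[198.51.100.22]: 553 5.7.1 <carol@example.com>: Sender address rejected: not logged in; from=<carol@example.com> proto=ESMTP helo=<y>
Jan 12 10:00:11 mx1 postfix/smtpd[1201]: NOQUEUE: reject: MAIL from unknown[203.0.113.7]: 553 5.7.1 <dave@example.com>: Sender address rejected: not logged in; from=<dave@example.com> proto=ESMTP helo=<x>
Jan 12 10:00:30 mx1 postfix/smtpd[1205]: 4F3A2B1C: client=mail.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan 12 10:00:40 mx1 postfix/smtpd[1201]: NOQUEUE: reject: MAIL from unknown[203.0.113.7]: 553 5.7.1 <erin@example.com>: Sender address rejected: not logged in; from=<erin@example.com> proto=ESMTP helo=<x>
Jan 12 10:01:02 mx1 postfix/smtpd[1201]: NOQUEUE: reject: MAIL from unknown[203.0.113.7]: 553 5.7.1 <frank@example.com>: Sender address rejected: not logged in; from=<frank@example.com> proto=ESMTP helo=<x>
Jan 12 10:20:00 mx1 postfix/smtpd[1210]: NOQUEUE: reject: MAIL from unknown[198.51.100.22]: 553 5.7.1 <carol@example.com>: Sender address rejected: not logged in; from=<carol@example.com> proto=ESMTP helo=<y>
"""

# Only the sender-login failures count; other smtpd lines are ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: \w+ from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"553 5\.7\.1 <[^>]*>: Sender address rejected: not logged in"
)


def find_bans(log_text, maxretry=5, findtime=600):
    """Return {client_ip: time of the hit that tripped the rule} for clients
    with >= maxretry failures inside a sliding findtime-second window,
    i.e. the fail2ban-style decision described in the thread. The
    thresholds are this example's assumptions, not the poster's settings."""
    hits = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m is None or m.group("ip") in banned:
            continue
        ip = m.group("ip")
        # Syslog stamps have no year; strptime defaults to 1900, which is
        # fine for relative ordering within one year of constructed data.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        window = hits[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()          # drop hits that fell out of the window
        if len(window) >= maxretry:
            banned[ip] = m.group("ts")
    return banned
```

With the defaults only 203.0.113.7 is flagged (its fifth failure lands at 10:01:02); 198.51.100.22 fails twice but twenty minutes apart, so it never reaches the threshold inside one window.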

_______________________________________________
Dspam-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspam-user