On Mon, Jan 18, 2010 at 04:28:37PM +0100, Michael Reck wrote:
> Anyway, our customers are complaining the usual way (too much spam in
> my inbox...) and are not getting smarter (I don't want to train
> SA...) so I must bear the challenge :)
Such is the story with content filtering for spam control. It's a never-ending (nonwinnable) struggle to stay ahead of the spammers. Fortunately there are some observations which apply:

1. Most hosts which emit spam, emit ONLY spam
2. Those few which emit some spam need to be fixed

Therefore it is reasonable to reject spamming hosts in the SMTP connection, before DATA.

Are you using DNSBLs in your strategy? http://www.spamhaus.org/zen/ is very effective. Being that you said you're working on a large scale, you might have to sign up for the data feed, but it will be money well spent. And they do offer a free trial, IIRC. You can use this restriction during the trial period:

    warn_if_reject reject_rbl_client zen.spamhaus.org

then take a sample and compare against the content filter results.

reject_non_fqdn_helo_hostname is another very safe and effective restriction. I have never personally known a true false positive, only some reports of sites who used it wrong (applied it to their relaying users). My results in the past showed that it takes out around 25% of all connections.

I take mine a bit farther, and block any HELO with no alpha characters, including the syntactically valid bracketed IP address HELO. A MUA might use such a HELO, so I don't apply it against my own relaying clients. But there is no reason for a legitimate mail server to use such a HELO; if they don't have a domain name, why are they using email at all?

Under development in Postfix 2.7 is a new postscreen(8) daemon (the name might change before final release), which will perform "triage" for your real smtpd(8) processes, and will help protect against spamming DoS.

All this stuff would be on-topic at the Spam-L list. Find out more: http://spam-l.com/ and consider joining us. To reply to someone else in another thread, no, we (TINW[1]) do not claim authority nor do we act as Internet police, but we do discuss effective strategies for spam abatement. There are strong opinions and many experienced mail administrators and industry representatives on the list, but we do manage to keep the discussions mostly clean and collegial.

[1] "There Is No 'We'", a nice way of saying that your server is under your rules, and that what works well for one site might be (and often is) totally inappropriate for another site.

-- 
Offlist mail to this address is discarded unless "/dev/rob0" or "not-spam" is in Subject: header
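As an added example (not rob0's own configuration, nor anything shipped with Postfix), here is one way to express the restrictions described in the reply above in main.cf: relaying clients are permitted before any HELO check, the DNSBL runs in warn_if_reject trial mode, and the "no alpha characters in HELO" rule lives in a pcre access map. The map file name /etc/postfix/helo_checks.pcre and the rejection text are assumptions.

```ini
# /etc/postfix/main.cf (fragment)
#
# permit_mynetworks / permit_sasl_authenticated come first, so a MUA that
#   sends a bracketed-IP HELO from our own networks is never rejected.
# reject_non_fqdn_helo_hostname: the safe restriction; HELO must be an FQDN.
# check_helo_access: the stricter local rule, any HELO with no alpha
#   characters (bare or bracketed IP literal); map file name is assumed.
# warn_if_reject: trial mode, logs what zen.spamhaus.org would have rejected
#   but still accepts the mail; remove it once the sample checks out.
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    warn_if_reject reject_rbl_client zen.spamhaus.org

# /etc/postfix/helo_checks.pcre (assumed file name; pcre maps need no postmap)
# Matches any HELO argument containing no letters, e.g. 192.0.2.10
# or [192.0.2.10] (constructed sample values).
/^[^a-zA-Z]*$/    REJECT HELO hostname contains no letters
```

While warn_if_reject is in place, grep the mail log for "reject_warning" to build the sample to compare against the content filter results.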