On 15.09.2014 at 18:19, Andrew J. Schorr wrote:
> Wietse Venema wrote:
>> As long as the SMTP session still exists, the client may still make
>> a mistake, and postscreen will not whitelist it.
>
> Thanks for the explanation. I am surprised that Amazon's mailservers are so
> stupid.
>
>> Don't use deep protocol tests if they cause problems. These tests
>> are off by default for a good reason.
>
> Sigh. Without the deep protocol tests (and the implicit greylisting), my
> systems are inundated with spam. We find that spamassassin is missing far too
> many spam messages. With the deep protocol tests enabled, our spam has been
> reduced to almost zero. So I don't think turning them off is a realistic
> option for us. Thanks for implementing this feature; it really helps

you could try some other postscreen features, especially combining
blacklists with different weights to prevent false positives

the DNSBL/DNSWL mix below blocks 90% of junk without ever touching
the smtpd process and turned out to prevent false positives; as an
example, the Linux Foundation NL would have been blocked by
"b.barracudacentral.org" but was not listed on any other RBL, so it
missed one score point

the response filter is very helpful because "dnsbl.sorbs.net", as an
example, asks different lists with one DNS request, and so
"dnsbl.sorbs.net=127.0.0.10" is dialup; the same goes for
"zen.spamhaus.org" with the response "127.0.0.[10;11]", hence both
have the reject score of 8, while any other RBL in this setup needs
confirmation by a second one, and in doubt some you can not seriously
use for blocking throw a few points in the mix
_________________________________________________

what i recently implemented was

* give the MX a second IP
* add it everywhere as backup-mx
* disable postscreen WL on that IP

it turns out that a lot of zombies try only the backup MX, and i found
also some trying later on the primary while in the meantime they were
on blacklists, see some stats

Default-MX:    5954
Honeypot-MX:   2684
Honeypot-Only: 2455
_________________________________________________

postscreen_dnsbl_ttl = 30m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?2}${stress:10}s
postscreen_whitelist_interfaces = !<second-ip-for-backup-mx>, static:all
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*8
 zen.spamhaus.org=127.0.0.[10;11]*8
 b.barracudacentral.org*7
 dnsbl.inps.de*7
 dnsbl.sorbs.net=127.0.0.5*6
 zen.spamhaus.org=127.0.0.[4..7]*6
 bl.mailspike.net*4
 bl.spamcop.net*4
 bl.spameatingmonkey.net*4
 ix.dnsbl.manitu.net*4
 dnsrbl.swinog.ch*4
 zen.spamhaus.org=127.0.0.3*4
 psbl.surriel.com*3
 dnsbl-1.uceprotect.net*3
 zen.spamhaus.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.6*2
 dnsbl.sorbs.net=127.0.0.9*2
 ips.backscatterer.org*1
 list.dnswl.org=127.0.[0..255].0*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5
_________________________________________________

Spamassassin:

you need to adjust some rules in "local.cf"; my setup is running as
milter where above a mail gets rejected, and there are too high scored
whitelists and other rules too low - recently a new "money" wave made
it to 3 of my addresses, and after adjusting some scores and feeding
the bayes with 2 examples the following were blocked with a score of 10

you can find the default scores with a command similar to that
(depending on where your files are installed) - just grep for tags a
definite spam message got

cat /var/lib/spamassassin/3.004000/updates_spamassassin_org/*.cf | grep score | grep MONEY | grep -v '#'

# adjust IADB scoring (way too high defaults)
score RCVD_IN_IADB_VOUCHED -0.4
score RCVD_IN_IADB_DOPTIN -0.6
score RCVD_IN_IADB_ML_DOPTIN -0.8

# mailspike whitelist-scores
score RCVD_IN_MSPIKE_H2 -0.3
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -0.7
score RCVD_IN_MSPIKE_H5 -0.9

# adjust misc scores
score LOCALPART_IN_SUBJECT 1.5
score URIBL_AB_SURBL 4.5
score URIBL_DBL_SPAM 3.5
score URIBL_DBL_PHISH 4.0
score URIBL_DBL_MALWARE 4.0
score URIBL_DBL_ABUSE_SPAM 3.5
score URIBL_DBL_ABUSE_PHISH 4.0
score URIBL_DBL_ABUSE_MALW 4.0
score URIBL_JP_SURBL 2.5
score URIBL_BLACK 2.5
score URI_PHISH 4.0
score URI_WP_HACKED 3.5
score LOTS_OF_MONEY 1.5
score MONEY_FORM_SHORT 1.0
score MONEY_FROM_41 2.5
score MONEY_LOTTERY 2.5
score MONEY_FRAUD_3 3.5
score MONEY_FRAUD_5 2.5
score MONEY_FROM_MISSP 2.5
score MONEY_ATM_CARD 3.5
score UNCLAIMED_MONEY 3.0
score ADVANCE_FEE_2_NEW_MONEY 2.5
score ADVANCE_FEE_3_NEW_MONEY 0.5
score ADVANCE_FEE_4_NEW_MONEY 0.5
score ADVANCE_FEE_5_NEW_MONEY 0.5
score FBI_MONEY 2.5
score US_DOLLARS_3 3.0
score BILLION_DOLLARS 2.5
score SUSPICIOUS_RECIPS 3.0
score BODY_URI_ONLY 2.0
score SPF_SOFTFAIL 1.2
score RP_MATCHES_RCVD -0.5
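
The weighted DNSBL/DNSWL scoring described in the message above, as an added example that is not part of the original post and is not Postfix code: it parses a subset of the posted postscreen_dnsbl_sites entries and scores constructed DNS replies against the threshold of 8. The function names, the sample replies and the model that each entry adds its weight once when any returned address matches are assumptions.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the message above.
SITES = """dnsbl.sorbs.net=127.0.0.10*8 zen.spamhaus.org=127.0.0.[10;11]*8
b.barracudacentral.org*7 zen.spamhaus.org=127.0.0.[4..7]*6 bl.spamcop.net*4
zen.spamhaus.org=127.0.0.3*4 list.dnswl.org=127.0.[0..255].1*-3"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the message
ENTRY = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")

def parse_sites(text):
    """Split 'zone[=filter][*weight]' tokens into (zone, filter, weight)."""
    sites = []
    for token in text.split():
        m = ENTRY.match(token)
        if not m:
            raise ValueError(f"bad entry: {token}")
        sites.append((m[1], m[2], int(m[3] or 1)))  # weight defaults to 1
    return sites

def octet_matches(pattern, value):
    """Match one octet against 'N' or a bracket set like '[4..7]' or '[10;11]'."""
    if not pattern.startswith("["):
        return int(pattern) == value
    ranges = (p.partition("..") for p in pattern[1:-1].split(";"))
    return any(int(lo) <= value <= int(hi or lo) for lo, _, hi in ranges)

def filter_matches(filt, addr):
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)  # the four octet patterns
    octs = [int(o) for o in addr.split(".")]
    return len(pats) == len(octs) == 4 and all(map(octet_matches, pats, octs))

def score(sites, replies):
    """Assumed model: an entry adds its weight once if any reply address matches."""
    total = 0
    for zone, filt, weight in sites:
        addrs = replies.get(zone, [])
        if addrs and (filt is None or any(filter_matches(filt, a) for a in addrs)):
            total += weight
    return total

def verdict(replies):
    s = score(parse_sites(SITES), replies)
    return s, ("reject" if s >= THRESHOLD else "pass")

# Constructed DNS replies (zone -> A records), not real lookups.
ONLY_BARRACUDA = {"b.barracudacentral.org": ["127.0.0.2"]}  # one point short
DIALUP = {"zen.spamhaus.org": ["127.0.0.10"]}                # single list, weight 8
TWO_WEAK = {"bl.spamcop.net": ["127.0.0.2"], "zen.spamhaus.org": ["127.0.0.3"]}
TWO_WEAK_WL = dict(TWO_WEAK, **{"list.dnswl.org": ["127.0.9.1"]})  # DNSWL offsets
```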