On 15.09.2014 at 18:19, Andrew J. Schorr wrote:
> Wietse Venema wrote:
>> As long as the SMTP session still exists, the client may still make
>> a mistake, and postscreen will not whitelist it.
> 
> Thanks for the explanation.  I am surprised that Amazon's mailservers are so
> stupid.
> 
>> Don't use deep protocol tests if they cause problems. These tests
>> are off by default for a good reason. 
> 
> Sigh.  Without the deep protocol tests (and the implicit greylisting), my
> systems are inundated with spam.  We find that spamassassin is missing far too
> many spam messages.  With the deep protocol tests enabled, our spam has been
> reduced to almost zero.  So I don't think turning them off is a realistic
> option for us.  Thanks for implementing this feature; it really helps

You could try some other postscreen features, especially combining
blacklists with different weights to prevent false positives.

The DNSBL/DNSWL mix below blocks 90% of junk without ever
touching the smtpd process, and it turned out to prevent false
positives: for example, the Linux Foundation NL would
have been blocked by "b.barracudacentral.org" but is not
listed on any other RBL, so it missed one score point.

The response filter is very helpful because "dnsbl.sorbs.net",
for example, queries different lists with one DNS request, and
so "dnsbl.sorbs.net=127.0.0.10" is dialup; the same goes for
"zen.spamhaus.org" with the response "127.0.0.[10;11]".

Hence both have the reject score of 8, while in this setup any other
RBL needs confirmation by a second one, and some that you cannot
seriously use for blocking on their own throw a few points into
the mix when in doubt.
_________________________________________________

What I recently implemented was:
 * give the MX a second IP
 * add it everywhere as backup MX
 * disable postscreen whitelisting (WL) on that IP

It turns out that a lot of zombies try only the backup MX,
and I also found some trying the primary later while in
the meantime they were on blacklists; see some stats:

Default-MX:          5954
Honeypot-MX:         2684
Honeypot-Only:       2455
_________________________________________________

# DNSBL scoring: the weights of all matching postscreen_dnsbl_sites entries
# are summed per client and compared with the (inclusive) threshold;
# negative weights are the DNSWL entries
postscreen_dnsbl_ttl                 = 30m
postscreen_dnsbl_threshold           = 8
postscreen_dnsbl_action              = enforce
postscreen_greet_action              = enforce
# wait 10s for the pregreet test, only 2s while under stress
postscreen_greet_wait                = ${stress?2}${stress:10}s
# no temporary whitelisting for clients that arrive on the backup-MX address
postscreen_whitelist_interfaces      = !<second-ip-for-backup-mx>, static:all
postscreen_dnsbl_sites =
 dnsbl.sorbs.net=127.0.0.10*8
 zen.spamhaus.org=127.0.0.[10;11]*8
 b.barracudacentral.org*7
 dnsbl.inps.de*7
 dnsbl.sorbs.net=127.0.0.5*6
 zen.spamhaus.org=127.0.0.[4..7]*6
 bl.mailspike.net*4
 bl.spamcop.net*4
 bl.spameatingmonkey.net*4
 ix.dnsbl.manitu.net*4
 dnsrbl.swinog.ch*4
 zen.spamhaus.org=127.0.0.3*4
 psbl.surriel.com*3
 dnsbl-1.uceprotect.net*3
 zen.spamhaus.org=127.0.0.2*3
 dnsbl.sorbs.net=127.0.0.6*2
 dnsbl.sorbs.net=127.0.0.9*2
 ips.backscatterer.org*1
 list.dnswl.org=127.0.[0..255].0*-2
 list.dnswl.org=127.0.[0..255].1*-3
 list.dnswl.org=127.0.[0..255].2*-4
 list.dnswl.org=127.0.[0..255].3*-5
_________________________________________________

SpamAssassin:

You need to adjust some rules in "local.cf". My setup runs as a
milter, where a mail above a certain score gets rejected, and some
whitelists are scored too high and other rules too low. Recently a new
"money" wave made it to 3 of my addresses, and after adjusting some scores
and feeding the Bayes filter with 2 examples, the following were blocked
with a score of 10.

You can find the default scores with a command similar to this (depending
on where your files are installed); just grep for the tags a definite spam
message got:

grep -h '^score ' /var/lib/spamassassin/3.004000/updates_spamassassin_org/*.cf | grep MONEY

# adjust IADB scoring (way too high defaults)
score RCVD_IN_IADB_VOUCHED -0.4
score RCVD_IN_IADB_DOPTIN -0.6
score RCVD_IN_IADB_ML_DOPTIN -0.8

# mailspike whitelist-scores
score RCVD_IN_MSPIKE_H2 -0.3
score RCVD_IN_MSPIKE_H3 -0.5
score RCVD_IN_MSPIKE_H4 -0.7
score RCVD_IN_MSPIKE_H5 -0.9

# adjust misc scores
score LOCALPART_IN_SUBJECT 1.5
score URIBL_AB_SURBL 4.5
score URIBL_DBL_SPAM 3.5
score URIBL_DBL_PHISH 4.0
score URIBL_DBL_MALWARE 4.0
score URIBL_DBL_ABUSE_SPAM 3.5
score URIBL_DBL_ABUSE_PHISH 4.0
score URIBL_DBL_ABUSE_MALW 4.0
score URIBL_JP_SURBL 2.5
score URIBL_BLACK 2.5
score URI_PHISH 4.0
score URI_WP_HACKED 3.5
score LOTS_OF_MONEY 1.5
score MONEY_FORM_SHORT 1.0
score MONEY_FROM_41 2.5
score MONEY_LOTTERY 2.5
score MONEY_FRAUD_3 3.5
score MONEY_FRAUD_5 2.5
score MONEY_FROM_MISSP 2.5
score MONEY_ATM_CARD 3.5
score UNCLAIMED_MONEY 3.0
score ADVANCE_FEE_2_NEW_MONEY 2.5
score ADVANCE_FEE_3_NEW_MONEY 0.5
score ADVANCE_FEE_4_NEW_MONEY 0.5
score ADVANCE_FEE_5_NEW_MONEY 0.5
score FBI_MONEY 2.5
score US_DOLLARS_3 3.0
score BILLION_DOLLARS 2.5
score SUSPICIOUS_RECIPS 3.0
score BODY_URI_ONLY 2.0
score SPF_SOFTFAIL 1.2
score RP_MATCHES_RCVD -0.5

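The weighting scheme from the mail above (per-entry weights summed against postscreen_dnsbl_threshold, response filters such as "127.0.0.[10;11]" and "[4..7]" picking sub-lists out of one query, negative DNSWL weights), as an added offline model in Python. This is example code written for this page, not Postfix's implementation and not the original poster's code. The DNSBL answers for the five sample clients are constructed, no DNS is queried, and the model assumes that each configured entry contributes its weight at most once per client.

```python
"""Offline model of postscreen DNSBL scoring: added example, not Postfix code.
Parses postscreen_dnsbl_sites entries (domain[=filter][*weight]), sums the weights
of entries whose filter matches a constructed DNSBL answer, and compares the sum
with postscreen_dnsbl_threshold.  No DNS is queried."""
import re

# postscreen_dnsbl_sites exactly as in the mail above (one entry per line).
DNSBL_SITES = """
dnsbl.sorbs.net=127.0.0.10*8
zen.spamhaus.org=127.0.0.[10;11]*8
b.barracudacentral.org*7
dnsbl.inps.de*7
dnsbl.sorbs.net=127.0.0.5*6
zen.spamhaus.org=127.0.0.[4..7]*6
bl.mailspike.net*4
bl.spamcop.net*4
bl.spameatingmonkey.net*4
ix.dnsbl.manitu.net*4
dnsrbl.swinog.ch*4
zen.spamhaus.org=127.0.0.3*4
psbl.surriel.com*3
dnsbl-1.uceprotect.net*3
zen.spamhaus.org=127.0.0.2*3
dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
ips.backscatterer.org*1
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
"""
THRESHOLD = 8  # postscreen_dnsbl_threshold from the mail (inclusive lower bound)

# domain, optional "=filter" (no "*" inside), optional "*" signed weight (default 1)
ENTRY_RE = re.compile(r"^([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?$")


def parse_sites(text):
    """Turn the whitespace-separated parameter value into (domain, filter, weight) tuples."""
    entries = []
    for token in text.split():
        m = ENTRY_RE.match(token)
        if m is None:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {token!r}")
        domain, pattern, weight = m.groups()
        entries.append((domain, pattern, int(weight) if weight is not None else 1))
    return entries


def octet_matches(spec, value):
    """One filter octet: a number, a range [a..b], or a list [a;b;c] of numbers/ranges."""
    items = spec[1:-1].split(";") if spec.startswith("[") and spec.endswith("]") else [spec]
    for item in items:
        if ".." in item:
            lo, hi = item.split("..", 1)
            if int(lo) <= value <= int(hi):
                return True
        elif int(item) == value:
            return True
    return False


def address_matches(pattern, address):
    """True if the 127.x.x.x answer matches the filter; dots inside [...] are not separators."""
    specs = re.split(r"\.(?![^\[]*\])", pattern)
    octets = [int(o) for o in address.split(".")]
    if len(specs) != 4 or len(octets) != 4:
        raise ValueError(f"expected dotted quads: {pattern!r} vs {address!r}")
    return all(octet_matches(s, v) for s, v in zip(specs, octets))


def score_client(entries, replies, threshold=THRESHOLD):
    """replies maps DNSBL domain -> A records returned for the client (missing = not listed).
    Model assumption: each configured entry adds its weight at most once, even if
    several returned addresses match its filter."""
    total, hits = 0, []
    for domain, pattern, weight in entries:
        addrs = replies.get(domain, [])
        if any(pattern is None or address_matches(pattern, a) for a in addrs):
            total += weight
            hits.append(f"{domain}{'=' + pattern if pattern else ''}*{weight}")
    return total, total >= threshold, hits


# Constructed DNSBL answers for five hypothetical clients (not real lookups).
CLIENTS = {
    # listed at Barracuda only: 7 < 8, not blocked (the Linux Foundation case in the mail)
    "barracuda-only": {"b.barracudacentral.org": ["127.0.0.2"]},
    # Spamhaus PBL answer code: the response filter lifts this single list to 8
    "zen-pbl": {"zen.spamhaus.org": ["127.0.0.10"]},
    # two mid-weight lists confirm each other: 4 + 4
    "spamcop+manitu": {"bl.spamcop.net": ["127.0.0.2"], "ix.dnsbl.manitu.net": ["127.0.0.2"]},
    # one zen query answers with SBL and XBL codes: 3 + 6
    "zen-sbl-xbl": {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]},
    # Barracuda hit offset by a DNSWL trust-level-2 answer: 7 - 4
    "barracuda+dnswl": {"b.barracudacentral.org": ["127.0.0.2"], "list.dnswl.org": ["127.0.9.2"]},
}


def evaluate_all():
    """Score every sample client; returns {name: (score, blocked)}."""
    entries = parse_sites(DNSBL_SITES)
    return {name: score_client(entries, replies)[:2] for name, replies in CLIENTS.items()}


if __name__ == "__main__":
    for name, (total, blocked) in evaluate_all().items():
        print(f"{name:16} score={total:3}  {'enforce' if blocked else 'pass'}")
```

Running the block prints one line per sample client; the Barracuda-only client stays one point under the threshold while a single Spamhaus PBL answer or two independent mid-weight lists reach it, which is exactly the "confirmation by a second list" behaviour the weights above are designed for.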