We use Spamassassin, Exim, and Exim-sa to reject spam at SMTP DATA time. THis has the advantage that if there is a false positive, the sender knows that the message did not go through.

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA

On Tue, 11 Feb 2014, James Rogers wrote:

I've always wanted to deploy DCC:

I haven't gotten around to it yet, but it's always struck me as a great idea.

On Tue, Feb 11, 2014 at 10:57 AM, David Sommerseth
<sl+us...@lists.topphemmelig.net> wrote:
      On 11/02/14 02:13, Yasha Karant wrote:
      > Our site has been edicted to Microsoft Exchange server with a
      > spam filter.  There are numerous difficulties, one of which is
      spam not
      > being filtered and non-spam being so filtered (significant
      increase in
      > mission critical false positives).  At present, the
      > authorities (all of whom appear to be management professionals,
      > internals nor systems folks) insist on Exchange, allowing open
      > standards compliant end-users to have IMAP service.  Given
      this, what
      > are the best server-side spam filters, either hardware or
      > "Best" should be based upon current field-deployed experience
      > unsolicited external reviews (not vendor-supported
      "independent" reviews).

I've put up a fairly simple Postfix + Amavis-new + SpamAssasin server
front of some of my Zimbra servers to get rid of the "worst" trash (we
also had some other requirements too, but that's not important in this
thread).  I configured Postfix with several RBLs, SPF and postgrey.  In
addition I added these smtpd_recipient_restrictions:


The RBLs I have had great success with are:

        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.blocklist.de,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client bl.spamcannibal.org,
        reject_rbl_client cidr.bl.mcafee.com,

The two first ones and barracudacentral.org seems to be those being
triggered most.  Barracudacentral requires a registration (they want
IP of your DNS resolver doing the queries).

With all this in place, I reduced the spam which SpamAssassin filtered
out from 75-80% to ~20-25%.

I had to remove SORBS, as they actually listed a lot of valid SMTP
relays ... and for those companies being hit here, it was just a too
costly operation to fix each time it happened.  On the other hand, the
other RBLs catch quite fine what SORBS blocked correctly.

In regards to SPF, that works pretty well.  I did it even stricter than
the default configuration (I use python-policyd-spf), where I set
PermError_reject = True.  That enforces that SPF rules which are
explicit much harder.

And with postgrey, I learned that you need at least a 10 minutes
threshold.  For one of the servers I maintain, postgrey blocks ~25% of
all mail attempts.  On antoher one (low traffic), the hit rate was so
low I actually removed.  So you need to test and see if it can match
your needs.

kind regards,

David Sommerseth

Reply via email to