Ariën Huisken, 09.11.2006 13:03:
> Hello list,
>
> I have several boxes running TSL2.2 with postfix/amavis/spamassassin/clamav.
>
> In the last months the amount of received spam is very very high. So
> high, everyone is complaining about it.
> Now I was playing with the settings (tag levels) in amavisd.conf, but
> setting the kill level below 4 causes normal email to go in to the
> filter, while a lot of spam still comes through.

Hard to give specific advice without knowing your setup in detail, so I'll just describe my setup:

* Well trained bayes with over 30k spam and 60k ham active
* I upgraded amavisd-new to latest version and added p0f-support
* Added extra score to messages coming from Korea and China
* Added RBL checks against Intersil, uribl blacklist and uribl greylist
* Greylisting for 10 minutes, as some bots started resending after 5 minutes

P0f support means passively checking the sender's packets to determine OS. I then score Windows 2000 and XP hosts a little since there ought to be no SMTP-server on XP. p0f also tries to determine how many hops away the sender is and I can subtract a small amount of points if the sender is close.

The next step I see is new postfix to get greet-pause, something I did experiments with a year ago and shows same potential as greylisting. I guess I will be filing a bug-request to have amavisd-new upgraded and postfix. I just have to take a little closer look at the implications first. Upgrading amavisd-new using the TSL srpm was a bit tricky, but not much.

Matthias mentions primary/secondary MX'es. Most spammers hit the MX with highest priority-value in hopes of that server having less spamchecks. This makes sense where companies have commercial solutions and have to pay per server for their antispam... Some suggest a fake tertiary MX which does not respond at all, another suggestion is to give a slight increase in the score if message was delivered through a tertiary MX.

But bayes ought to be very effective for you seeing that you (apparently) are Dutch. Most spam is English. This makes at least bayes extremely accurate in Norway.

I have this on 2 servers. My personal, which is the volunteer tester, and my company MX.
The company MX has a kill-threshold of 9 points and we have very little, if any, spam coming through. I go through the quarantine with some regexes and similar to try to catch false positives but haven't found any yet (after 2 years). Home server kills at 4.21 points. I reached that value after grep'ing and analyzing the average scores I was seeing.

My biggest advice is greylisting, to be honest:
http://www.tyldum.com/spam-year.png

This is my home server. Blue is total emails, green is the number of spam detected. Guess when I started greylisting?
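
The greylisting delay described in the message above, as an added example that is not part of the original post or of any Trustix/postfix code: a minimal greylist decision function showing why a 10-minute delay defers a bot that retries after 5 minutes while a shorter delay lets it through. Keying on the (client IP, sender, recipient) triplet and the 24-hour retry window are assumptions, and all addresses are constructed sample data.

```python
"""Greylisting decision logic keyed on the (client IP, sender, recipient) triplet."""
from dataclasses import dataclass, field

GREYLIST_DELAY = 10 * 60      # seconds; the 10-minute delay from the post
RETRY_WINDOW = 24 * 60 * 60   # assumption: forget triplets that do not retry within 24 h


@dataclass
class Greylist:
    delay: int = GREYLIST_DELAY
    window: int = RETRY_WINDOW
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that completed a valid retry

    def check(self, client_ip: str, sender: str, rcpt: str, now: int) -> str:
        """Return the SMTP-style verdict for one RCPT TO at time `now` (epoch seconds)."""
        triplet = (client_ip, sender.lower(), rcpt.lower())
        if triplet in self.passed:
            return "250 OK"
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.window:
            self.first_seen[triplet] = now            # new or expired: start the clock
            return "450 greylisted, try again later"
        if now - first < self.delay:
            return "450 greylisted, try again later"  # retried too early: still deferred
        self.passed.add(triplet)
        return "250 OK"


def replay(events, delay=GREYLIST_DELAY):
    """Run constructed (time, ip, sender, rcpt) events through a fresh greylist."""
    gl = Greylist(delay=delay)
    return [gl.check(ip, s, r, t).split()[0] for t, ip, s, r in events]


# Constructed sample traffic (documentation address ranges, not real hosts).
BOT = [(0, "192.0.2.10", "a@spam.example", "user@example.org"),
       (300, "192.0.2.10", "a@spam.example", "user@example.org")]      # retries after 5 min
MTA = [(0, "198.51.100.7", "bob@mail.example", "user@example.org"),
       (900, "198.51.100.7", "bob@mail.example", "user@example.org")]  # retries after 15 min

if __name__ == "__main__":
    print("bot, 10 min delay:", replay(BOT))
    print("bot,  4 min delay:", replay(BOT, delay=240))
    print("MTA, 10 min delay:", replay(MTA))
```
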
