On Jun 9, 2015, at 12:29 PM, John Hardin <jhar...@impsec.org> wrote:
> On Tue, 9 Jun 2015, David Jones wrote: > >> Some of the best and easiest things you can enable to block spam are >> outside of SpamAssassin at your MTA (sendmail, postfix, etc.). > >> - Enable greylisting. This is just about the only way you can block >> zero-hour spam from compromised accounts that come from legit mail >> servers before they get listed in RBLs. > > Just bear in mind some commercial organizations may be very hostile to > anything that delays delivery of mail, regardless of how much it would reduce > spam. > > Two things that I have found very useful at the MTA level are: > > (1) Delay sending your SMTP banner a second or two and reject any sender that > starts sending information before that. This is a built-in option in > Sendmail, google "greet_pause". > > (2) Check the HELO the other guy sends and reject if it's not a FQDN (i.e. > it's not got any periods at all). This probably shouldn't be done on mail > originating locally, but for mail coming in from the Internet the other MTA > should always be sending a FQDN in the HELO. A non-FQDN HELO is a pretty good > sign of a spambot sending from a compromised workstation or PC directly to > your MTA. > > I have some other MTA checks in place, but these two block the most. We use MimeDefang and it actually calls SpamAssassin. But before we accept connections (or email), we make a bunch of tests. We use Geo::IP to block a bunch of ISP’s and countries that are hostile in filter_relay(). These include ColoCrossing, Enzu, Datashack, Proxad, WholesaleInternet, etc. Then we apply more tests in filter_helo(). Note, these are only for connections that arrive on port 25, not on port 587 (which is for local clients to submit, and is authenticated with a username/password pair). We accept connections from 127.0.0.1 with no further checks. We block anyone saying HELO \d+\.\d+\.\d+\.\d+ because it’s missing the required brackets. We block any bracketed dotted quads that have an invalid quad (i.e. 300.300.300.300) or where the address they claim to be from is different from the actual address we’re seeing (no one behind a NATting firewall should be connecting to us unless they know their [static] external address). We block anyone listed by ZenBL. We block (a) anyone claiming to be us, (b) anyone claiming to be “localhost” or “localhost.localdomain”. We block a list of names that are always fraudulent, like “paypal.com” (without any subdomains), or “smtp.communitel.net” which seems to get spoofed a LOT, or “mail.com” or “mail.ru”. We block hostnames that don’t have a domain (no dots). Lastly, we TEMPFAIL hosts that don’t have valid rDNS mappings (including the A and PTR records not agreeing). With this, we avoid ever accepting about 98% of the SPAM that we’d otherwise receive. -Philip
