On 07/07/2017 11:04 AM, Charles Amstutz wrote:
> Thank you everyone for the suggestions, I will look into it. One thing I've noticed is
> that sometimes it takes a day for any *BLs to pick up some of the spam, and by that
> time, the run could be done. Greylisting isn't an option. It sometimes feels like it's
> always reactive vs. proactive filtering. For example, I try to block the old runs of
> "Ford Warranties", write a few rules, then never receive them again :)
> This is a slight over-exaggeration, but close.
No. I completely understand. A couple of years ago I was doing the same
thing, always reacting to new spam campaigns. It took a lot of my time
and I never felt like I was winning those one-day battles.
Now I have tuned my MTA (Postfix with postscreen) to reject the majority
of junk before it ever reaches SA. See the archives for these
Postscreen weighted RBLs if you are running Postfix. With about 24 RBLs
including invaluement, I am able to be aggressive with many RBLs adding
up to a block threshold of 8 in postscreen.
On the other side of this, you have to set up postwhite to whitelist
major mail providers like comcast.net, aol, google, yahoo.com, etc. and
let SA score them.
Now I rarely get any reports of spam getting through unless it's from a
compromised account. These will always be difficult to block for
zero-hour spam campaigns from botnets.
Also, set up the KAM.cf rules and extra signatures for ClamAV from
Sanesecurity. These often help with new spam campaigns. I can post
which signature DBs I am using if that would be helpful.
--
Dave