--On Monday, October 20, 2008 10:24:28 -0500 "Michael K. Smith - Adhost" <[EMAIL PROTECTED]> wrote:


Let me know if you do find a reliable, decent solution that does not
involve SPF or postfix header_checks or body_checks.


The following doesn't fix the problem but it does help mitigate the deluge.
We use a PERL script to tail our maillogs looking for any source IP that
tries to send mail to more than 4 invalid addresses.  When flagged, that IP
is then added to a PF table that blocks the address and issues RST's for 12
hours.  Of course, we also have a whitelist for "valid" SMTP servers.  Like I
said, it doesn't catch it all, but it catches *a lot* and generates almost no
complaints.  This does help obfuscate the valid/invalid addresses because all
mail is accepted as far as the sender is concerned until the IP is blocked at
the network layer.

The usual complaint is from a remote office that has 12 real estate agents
behind a single IP, all with Outlook set to check mail "sooner than now."  :-)


The best solution *by far* that I have found for spam (using Postfix) is mail/postfix-policyd-weight. It routinely rejects 50 to 70% of incoming mail with no false positives. It took *very* little tweaking to get it to this point, and it rejects the mail before postfix even deals with it. I use spamassassin as well, but policyd-weight does the heavy lifting.

Here's one example of a rejected email:

Oct 20 11:11:16 mail postfix/policyd-weight[77973]: weighted check: IN_DYN_PBL_SPAMHAUS=3.25 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=4.75 REV_IP_EQ_HELO=-1.25 NOK_HELO_SEEMS_DIALUP=5 (check from: .hinet. - helo: .dsl.dynamic8121373125.ttnet. - helo-domain: .ttnet.) FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=4.85 CLIENT_NOT_MX/A_FROM_DOMAIN=4.75 CLIENT/24_NOT_MX/A_FROM_DOMAIN=4.75; <client=81.213.73.125> <helo=dsl.dynamic8121373125.ttnet.net.tr> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>; rate: 21.6
Oct 20 11:11:16 mail postfix/policyd-weight[77973]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (ms35.hinet.net); Please use DynDNS; <client=81.213.73.125> <helo=dsl.dynamic8121373125.ttnet.net.tr> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>; delay: 8s

Anything above 1 is rejected.  This email scored 21.6, which is off the charts.

It even does greylisting.

Oct 20 10:45:47 mail postfix/policyd-weight[28339]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; <client=189.141.58.189> <helo=dsl-189-141-58-189.prod-infinitum.com.mx> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>; delay: 0s
Oct 20 10:46:51 mail postfix/policyd-weight[28339]: decided action=550 temporarily blocked because of previous errors - retrying too fast. penalty: 30 seconds x 0 retries.; <client=65.110.50.188> <helo=boomfm.dnsalias.com> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>; delay: 0s

It does let some spam through, which spamassassin catches, but it rejects all the bogus stuff (fake hostnames, bogus MTAs, forged from addresses, etc., etc.)

--
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
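As an added example (not from either poster, nor from the policyd-weight project), here is a small Python parser for the "weighted check" log line quoted above: it checks that the reported rate is the sum of the listed check weights, shows which checks contributed most (the first thing to look at when tuning against false positives), and applies the "anything above 1 is rejected" rule described in the reply. The REJECT_LEVEL constant and the function names are assumptions for this example.

```python
import re
from typing import Optional

REJECT_LEVEL = 1.0  # per the post: anything scoring above 1 is rejected

# Constructed from the "weighted check" line quoted in the post (addresses redacted as there).
SAMPLE_WEIGHTED = (
    "Oct 20 11:11:16 mail postfix/policyd-weight[77973]: weighted check: "
    "IN_DYN_PBL_SPAMHAUS=3.25 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 "
    "NOT_IN_BL_NJABL=-1.5 CL_IP_NE_HELO=4.75 REV_IP_EQ_HELO=-1.25 NOK_HELO_SEEMS_DIALUP=5 "
    "(check from: .hinet. - helo: .dsl.dynamic8121373125.ttnet. - helo-domain: .ttnet.) "
    "FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=4.85 CLIENT_NOT_MX/A_FROM_DOMAIN=4.75 "
    "CLIENT/24_NOT_MX/A_FROM_DOMAIN=4.75; <client=81.213.73.125> "
    "<helo=dsl.dynamic8121373125.ttnet.net.tr> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>; rate: 21.6"
)

# Check names may contain '/', '(' and ')', e.g. FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN).
CHECK_RE = re.compile(r"([A-Z0-9_/()]+)=(-?\d+(?:\.\d+)?)")
CLIENT_RE = re.compile(r"<client=([^>]+)>")
RATE_RE = re.compile(r"rate:\s*(-?\d+(?:\.\d+)?)")

def parse_weighted_check(line: str) -> Optional[dict]:
    """Return client IP, per-check weights and reported rate; None for non-scoring lines
    (e.g. the greylisting 'decided action=550 temporarily blocked' lines)."""
    if "weighted check:" not in line:
        return None
    body = line.split("weighted check:", 1)[1]
    # The score list ends at the first ';'; the parenthesised aside holds no NAME=value pairs.
    checks = {name: float(w) for name, w in CHECK_RE.findall(body.split(";", 1)[0])}
    client, rate = CLIENT_RE.search(body), RATE_RE.search(body)
    if not checks or rate is None:
        return None
    return {"client": client.group(1) if client else None,
            "checks": checks, "rate": float(rate.group(1))}

def rate_matches_weights(parsed: dict) -> bool:
    """policyd-weight reports the rate as the plain sum of the listed weights; confirm it."""
    return abs(sum(parsed["checks"].values()) - parsed["rate"]) < 0.005

def top_contributors(parsed: dict, n: int = 3) -> list:
    """Checks that added the most weight, highest first."""
    return sorted(parsed["checks"].items(), key=lambda kv: kv[1], reverse=True)[:n]

def decide(rate: float) -> str:
    """The poster's rule: a rate above REJECT_LEVEL is rejected, otherwise the mail is passed on."""
    return "reject" if rate > REJECT_LEVEL else "accept"
```

For the quoted line the ten weights sum to exactly the reported 21.6, with NOK_HELO_SEEMS_DIALUP (5), FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN) (4.85) and the three 4.75 client/HELO mismatches doing most of the work.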
