On Mon, 13 Oct 2008, Joey wrote:


-----Original Message-----
From: Justin Piszcz [mailto:[EMAIL PROTECTED]
Sent: Monday, October 13, 2008 6:06 PM
To: Joey
Cc: postfix-users@postfix.org
Subject: RE: Finally blocking some spam



On Mon, 13 Oct 2008, Joey wrote:

-----Original Message-----
From: Justin Piszcz [mailto:[EMAIL PROTECTED]
Sent: Monday, October 13, 2008 5:37 PM
To: Joey
Subject: RE: Finally blocking some spam

What anti-spam measurements do you currently use?

What does your main.cf look like?

(Snip)

    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client ix.dnsbl.manitu.net,
    check_recipient_access hash:/etc/postfix/filtered_domains
smtpd_restriction_classes = from_freemail_host
soft_bounce = no
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport,
    hash:/etc/postfix/transport_bounce
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550



1. You are not using rhsbls, which can be HIGHLY valuable, at the helo, sender
   and client level.
2. Where are your spf checks?

check_policy_service unix:private/policy,


3. Do you use greylisting?  It can help significantly!

I used to use check_policy_service unix:private/tumgreyspf and this worked
GREAT; it really reduced the spam. HOWEVER, clients complained about the
delays, and we also had issues when solving a problem for a client with
someone on the phone: they said "I'm sending you something in an email" and
then we had to wait anywhere from 5-45 minutes depending on the sending
server, so we had to drop it.
Ah, understood.



4. Do you use the SBL DROP list as part of a CIDR reject list?  Look it up
    on google.

Will research this! Looked briefly at http://www.spamhaus.org/drop/

5. Do you perform backscatter checks for email from <>, MAILER-DAEMON, etc?

Check the archives of this list.

Something like this:

/etc/postfix/main.cf:
    smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/check_backscatter

/etc/postfix/check_backscatter:
    <>             reject_rbl_client ips.backscatterer.org
    MAILER-DAEMON@ reject_rbl_client ips.backscatterer.org


We don't see a lot of backscatter; however, do you have a reference? I have
no problem looking into this.


6. You should also look into www.policyd-weight.org, a great anti-spam
   policy server!
7. You can also use SAV, but look/read around; there is a specific list of
   domains out there that you can use it for that is relatively safe.
8. Install fail2ban; you can add a regexp to block (firewall) automatically
   on X number of blocks by a certain IP address via rbl, rhsbl, etc.

In reading this site, they talk about password failures and updating firewall
rules.
Do you have a ruleset for too many connections to port 25, or how are you
implementing this?
Not so much that, but if you have an IP hitting you so many times and it
gets rejected X number of times (you define X), then you can have it
automatically block the IP in iptables/ipfilter/etc. and then unban it
300 seconds or an hour later (or a time of your choosing).

This sounds like a potentially helpful tool.  I just don't see an example
for what we would try to do.

Example:

failregex = reject: RCPT from (.*)\[<HOST>\]: 5[0-9][0-9] (.*) blocked using

If this occurs 3 times in a row, block the IP for 5 minutes via the firewall.
Or longer, your choice.




I think you can do a lot better if you implement these suggestions vs. blocking
by country.

Justin.
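
On point 4, an added example (not from the thread, and not Spamhaus' or Postfix's own tooling) of turning the Spamhaus DROP list into a Postfix cidr: table. It assumes the DROP text format of one "network ; SBL reference" entry per line with ';' starting a comment, uses constructed sample lines rather than a real download, and the map path and the reject text are made up for illustration.

```python
import ipaddress

# Constructed sample in the DROP list's text format: ';' starts a comment,
# each entry is "network ; SBL reference". Not a real download.
SAMPLE_DROP = """\
; Spamhaus DROP List 2008/10/13 - (c) 2008 The Spamhaus Project
; http://www.spamhaus.org/drop/drop.lasso
192.0.2.0/24 ; SBL00001
198.51.100.0/25 ; SBL00002
not-an-address/8 ; SBL00003
203.0.113.0/24 ; SBL00004
"""


def drop_to_cidr(text, action="REJECT"):
    """Convert DROP list text into Postfix cidr: table lines.

    Returns (lines, skipped): the table lines to write, and any raw entries
    that did not parse as a network, so a truncated or corrupted download
    never silently shrinks the block list.
    """
    lines, skipped = [], []
    for raw in text.splitlines():
        entry, _, comment = raw.partition(";")
        entry, comment = entry.strip(), comment.strip()
        if not entry:
            continue  # blank line or pure comment
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            skipped.append(raw)
            continue
        # Postfix access-table result: REJECT followed by the SMTP reply text.
        lines.append(
            f"{net.with_prefixlen} {action} Client host listed on Spamhaus DROP ({comment})"
        )
    return lines, skipped


def write_cidr_map(text, path):
    """Write the table only if every entry parsed; return the number written."""
    lines, skipped = drop_to_cidr(text)
    if skipped:
        raise ValueError(f"refusing to write map, unparsable entries: {skipped}")
    with open(path, "w") as fh:
        fh.write("# generated from the Spamhaus DROP list; cidr: tables need no postmap\n")
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    table, bad = drop_to_cidr(SAMPLE_DROP)
    print("\n".join(table))
    print("skipped:", bad)
```

The generated file is used through a cidr: lookup, e.g. `check_client_access cidr:/etc/postfix/drop.cidr` (path assumed) near the top of smtpd_client_restrictions; cidr tables are read directly, so no postmap run is needed, but the file has to be regenerated whenever the published DROP list changes. DROP entries are hijacked or otherwise fully spammer-controlled space, so rejecting on them outright carries far less false-positive risk than a dial-up/dynamic list.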

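
On point 8, an added example (not part of the thread, and not fail2ban's own code) that runs the failregex above over a few constructed Postfix log lines and applies fail2ban's findtime/maxretry/bantime counting to decide which client gets banned. fail2ban's real <HOST> expansion is approximated by a simpler named group, and the log lines, year, thresholds and hosts are all made up for the demonstration; it produces the ban decision only, the iptables call being fail2ban's action's job.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban replaces <HOST> with a named group; this simpler group is an
# approximation of that expansion (assumption), enough for IPv4 and hostnames.
HOST = r"(?P<host>[\w\-.]*\w)"

# The failregex from the message, with <HOST> expanded.
FAILREGEX = re.compile(
    r"reject: RCPT from (.*)\[" + HOST + r"\]: 5[0-9][0-9] (.*) blocked using"
)

# syslog-style prefix "Mon DD HH:MM:SS" (the log carries no year)
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed log lines: three RBL rejects from 192.0.2.10, one from
# 198.51.100.7, one non-RBL reject and one accepted connection.
LOG_LINES = [
    "Oct 13 18:06:01 mx postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dul.dnsbl.sorbs.net; from=<a@example.com> to=<joey@example.org> proto=ESMTP helo=<example.com>",
    "Oct 13 18:06:30 mx postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using psbl.surriel.com; from=<b@example.net> to=<joey@example.org> proto=ESMTP helo=<mail.example.net>",
    "Oct 13 18:07:15 mx postfix/smtpd[4713]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using ix.dnsbl.manitu.net; from=<c@example.com> to=<joey@example.org> proto=ESMTP helo=<example.com>",
    "Oct 13 18:07:40 mx postfix/smtpd[4714]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<d@example.com> to=<nobody@example.org> proto=ESMTP helo=<example.com>",
    "Oct 13 18:08:00 mx postfix/smtpd[4715]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dul.dnsbl.sorbs.net; from=<e@example.com> to=<joey@example.org> proto=ESMTP helo=<example.com>",
    "Oct 13 18:08:05 mx postfix/smtpd[4716]: 1A2B3C4D5E: client=mail.example.org[203.0.113.5]",
]


def parse_line(line, year=2008):
    """Return (timestamp, host) when the line matches the failregex, else None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    ts = SYSLOG_TS.match(line)
    if not ts:
        return None
    when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
    return when, m.group("host")


def find_bans(lines, maxretry=3, findtime=600, bantime=300, year=2008):
    """Emulate fail2ban's counter: maxretry matches from one host inside a
    findtime-second window trigger a ban lasting bantime seconds.
    Returns {host: ban_expiry} as datetimes."""
    recent = defaultdict(deque)   # host -> timestamps of recent matches
    bans = {}
    for line in lines:
        hit = parse_line(line, year)
        if hit is None:
            continue
        when, host = hit
        if host in bans and when < bans[host]:
            continue              # still banned; nothing new to count
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()      # drop matches older than the window
        if len(window) >= maxretry:
            bans[host] = when + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for host, until in find_bans(LOG_LINES).items():
        print(f"ban {host} until {until:%H:%M:%S}")
```

The third "blocked using" reject from 192.0.2.10 lands inside the window, so that client is banned for five minutes; the "User unknown" reject in between does not count, which is the point of matching on "blocked using" rather than on every 5xx, since a legitimate sender mistyping an address should not end up in the firewall.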
