Justin C. Le Grice a écrit : > I'm sorry if this has already been done to death but I have searched > high and low and have found scant discussion of this. > > I have been running Postfix for three weeks now and have reduced spam to > just one or two messages getting through a day. > I have implemented recommended anti spam settings from a number of sites > which include HELO, RBL and DNS checks. > > I am running Postfix 2.5.5 with Amavis-New on Ubuntu Server 9.04 > My main.cf contains the following; > > smtpd_recipient_restrictions = > permit_mynetworks, > permit_sasl_authenticated, > check_client_access hash:/etc/postfix/mywhitelist, > reject_rbl_client bl.spamcop.net, > reject_rbl_client dnsbl-1.uceprotect.net, > reject_rbl_client dnsbl-2.uceprotect.net,
uceprotect is considered too aggressive by some of us. but it's your mail.... > reject_rbl_client sbl-xbl.spamhaus.org, replace this with zen.spamhaus.org. and while you are at it, move it up... > reject_rbl_client dnsbl.njabl.org, > reject_invalid_hostname, > reject_non_fqdn_hostname, > reject_non_fqdn_sender, > reject_non_fqdn_recipient, > reject_unknown_sender_domain, > reject_unknown_recipient_domain, > reject_unauth_destination, move reject_unauth_destination above and above. don't lose your resources and those of DNSBLs with mail that has no reason to come. > permit > > smtpd_data_restrictions = > reject_unauth_pipelining, > permit > > # Strange Syntax / Strict syntax > smtpd_helo_required = yes > strict_rfc821_envelopes = yes > > #No VRFY command > disable_vrfy_command = yes > > content_filter = smtp-amavis:[127.0.0.1]:10024 > receive_override_options = no_address_mappings > > Note: I have the RBL's first to see how effective they are. I'll > probably drop them down before the permit line at some stage. > > While I am more than happy with the reduction in spam I would like to > use my log files to be proactive in letting ISPs know that they have > bots in their networks. I am presuming that most of the attempts to > connect are from bot infected home computers, judging from the FQDN that > is used in the connection. forget about this. If ISPs wanted to detect botnets, they have a lot more infos than you. given how they ignore our manual complaints (and I don't compplain for "simple" spam, I only complain for "illegal" activity, such as phishing, ...), there's no hope to see them accept your automated ones. > > I have been trying to find something that will do the following. > > Analyse my mail.log file looking for occurances of rejected attempts to > connect to my mail server. > At some user defined threshold it would then do a whois query looking > for an abuse@<<originating ISP>> email address. You're not supposed to query whois automatically. please reread whois access policy. Fighting abuse doesn't justify your own abuse. whatever you have in mind: whois is what whois is, not what you think it should be. > It would the send a nicely worded message detailing the attempt to use > my mail server for spamming and request that the connection be > terminated until the user fixes their compromised machine. Boy, get back with us. those who care implement proactive measures and don't generally need our feedback (they notice the problem because their MTAs get a lot more junk than every recipient). the others don't really care. they may have a "we should fix this problem before august" project, but it doesn't say which year... > > Am I just being wishful here?? yes. > > Cheers > > Justin
