Justin C. Le Grice a écrit :
I'm sorry if this has already been done to death but I have searched
high and low and have found scant discussion of this.
I have been running Postfix for three weeks now and have reduced spam to
just one or two messages getting through a day.
I have implemented recommended anti spam settings from a number of sites
which include HELO, RBL and DNS checks.
I am running Postfix 2.5.5 with Amavis-New on Ubuntu Server 9.04
My main.cf contains the following;
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_client_access hash:/etc/postfix/mywhitelist,
reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl-1.uceprotect.net,
reject_rbl_client dnsbl-2.uceprotect.net,
uceprotect is considered too aggressive by some of us. but it's your
mail....
reject_rbl_client sbl-xbl.spamhaus.org,
replace this with zen.spamhaus.org. and while you are at it, move it up...
reject_rbl_client dnsbl.njabl.org,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
move reject_unauth_destination above and above. don't lose your
resources and those of DNSBLs with mail that has no reason to come.
permit
smtpd_data_restrictions =
reject_unauth_pipelining,
permit
# Strange Syntax / Strict syntax
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
#No VRFY command
disable_vrfy_command = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
Note: I have the RBL's first to see how effective they are. I'll
probably drop them down before the permit line at some stage.
While I am more than happy with the reduction in spam I would like to
use my log files to be proactive in letting ISPs know that they have
bots in their networks. I am presuming that most of the attempts to
connect are from bot infected home computers, judging from the FQDN that
is used in the connection.
forget about this. If ISPs wanted to detect botnets, they have a lot
more infos than you. given how they ignore our manual complaints (and I
don't compplain for "simple" spam, I only complain for "illegal"
activity, such as phishing, ...), there's no hope to see them accept
your automated ones.
I have been trying to find something that will do the following.
Analyse my mail.log file looking for occurances of rejected attempts to
connect to my mail server.
At some user defined threshold it would then do a whois query looking
for an abuse@<<originating ISP>> email address.
You're not supposed to query whois automatically. please reread whois
access policy. Fighting abuse doesn't justify your own abuse. whatever
you have in mind: whois is what whois is, not what you think it should be.
It would the send a nicely worded message detailing the attempt to use
my mail server for spamming and request that the connection be
terminated until the user fixes their compromised machine.
Boy, get back with us. those who care implement proactive measures and
don't generally need our feedback (they notice the problem because their
MTAs get a lot more junk than every recipient). the others don't really
care. they may have a "we should fix this problem before august"
project, but it doesn't say which year...
Am I just being wishful here??
yes.
Cheers
Justin
