Spam has many sources, as we all know.  Mr. Verma stated earlier this
month that header_checks should not be used for spam filtering...and I
found that mine was out of control, particularly with Subjects, for
just that purpose.  Not to mention that the effectiveness of the many,
many checks has dropped, and many of the blocks had outlived their
usefulness.

I run a fairly large number of mailboxes of my own on my PostFix server,
some of which have for one reason or another turned into spam-traps.  So
I decided to utilize these bits of flypaper and start shutting off the
worst of these spammers at my edge router, instead of letting them in
the front door.  Also, I'm working on the theory that "people who let
out organized spam most likely have other bad habits."

Why?  I started noticing that the majority of spam that was getting past
Spamhaus and my Subject Sieve came from small sub-nets.  In addition to
the ssh abusers and ShellShock attackers, I started adding these
spamming sub-nets to my ACLs.  As the list grew, the volume of spam
dropped like crazy.

But wait!  As I said, I had this insane header_checks file.  All kinds
of weird regular expressions to try to catch these spammers...and the
spammers did what spammers do, regularly change their subject lines and
do interesting subtle substitutions to get past content filters.  (I
won't catalog the substitutions here.)

So I started to remove subject-field checks, little by little. After I
dropped about 130 subject checks early on in the process, I didn't
notice any significant increase in spam volume.  The process continues;
I'm now down to a 126-line header_checks file, and dropping.

What I will keep:
  *  To: fields that are nonsense
  *  From: fields like FBI, CIA, IRS, t...@live.com, my PTR
  *  Subjects:  excessive spaces, ESC. certain keywords, phrases
  *  Subject: still popular with web-form abusers
  *  Certain checks that block web-form abuse effectively

For what it's worth, my daily log-check shows that PostFix is blocking a
moderate number of mail messages via SpamHaus, but header_check blocking
has dropped considerably.  How effective has this process been?  For the
past four days, I've had five (5) spam messages.  Before I started
aggressively blocking mail-abuse subnets, I was getting about 150 per day.
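Added example, not part of the original post: a small Python summariser for the kind of daily log check described above. It counts Postfix rejects by reason (header_checks on a given header versus an RBL listing such as SpamHaus) and by /24 source subnet, so that the subnets responsible for most of the blocked mail stand out. The log lines are constructed samples, and the regular expressions assume the standard Postfix cleanup/smtpd reject log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Postfix's syslog format (not real traffic).
SAMPLE_LOG = """\
Oct  3 10:15:02 mx postfix/cleanup[1234]: 5A6B7C8D9E: reject: header Subject: Viagra      cheap from unknown[203.0.113.45]; from=<a@example.net> to=<me@example.org> proto=ESMTP helo=<x>: 5.7.1 Spam subject
Oct  3 10:16:10 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<b@example.net> to=<me@example.org> proto=ESMTP helo=<y>
Oct  3 10:17:44 mx postfix/cleanup[1234]: 6B7C8D9EAF: reject: header From: "IRS" <refund@example.com> from unknown[203.0.113.99]; from=<refund@example.com> to=<me@example.org> proto=ESMTP helo=<z>: 5.7.1 Forged sender
Oct  3 10:18:01 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 554 5.7.1 Service unavailable; Client host [203.0.113.12] blocked using zen.spamhaus.org; from=<c@example.net> to=<me@example.org> proto=ESMTP helo=<w>
Oct  3 10:19:30 mx postfix/smtpd[2345]: 7C8D9EAFB0: client=mail.example.com[192.0.2.10]
"""

# header_checks rejects are logged by cleanup(8); RBL rejects by smtpd(8).
HEADER_RE = re.compile(
    r"postfix/cleanup\[\d+\]: \w+: reject: header (\w+):.* from \S+\[([\d.]+)\]")
RBL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[([\d.]+)\]:"
    r".*blocked using (\S+);")


def summarise(log_text, prefix=24):
    """Return (rejects by reason, rejects by source subnet of the given prefix length)."""
    by_reason = Counter()
    by_subnet = Counter()
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            by_reason["header_checks:" + m.group(1)] += 1
            ip = m.group(2)
        else:
            m = RBL_RE.search(line)
            if not m:
                continue  # accepted mail or an unrelated line
            by_reason["rbl:" + m.group(2)] += 1
            ip = m.group(1)
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_subnet[str(net)] += 1
    return by_reason, by_subnet


def candidate_subnets(by_subnet, min_hits=2):
    """Subnets with at least min_hits rejects, busiest first, for manual review."""
    hits = [(n, c) for n, c in by_subnet.items() if c >= min_hits]
    return [n for n, _ in sorted(hits, key=lambda x: (-x[1], x[0]))]


if __name__ == "__main__":
    reasons, subnets = summarise(SAMPLE_LOG)
    print(reasons, subnets, candidate_subnets(subnets), sep="\n")
```

Run it against a real `mail.log` by passing the file contents to `summarise`; the subnet list is only a starting point for review, since a /24 can contain legitimate senders.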
