Spam has many sources, as we all know. Mr. Verma stated earlier this month that header_checks should not be used for spam filtering...and I found that mine was out of control, particularly with Subjects, for just that purpose. Not to mention that the effectiveness of the many, many checks has dropped, and many of the blocks had outlived their usefulness.
I run a fairly large number of mailboxes of my own on my PostFix server, some of which have for one reason or another turned into spam-traps. So I decided to utilize these bits of flypaper and start shutting off the worst of these spammers at my edge router, instead of letting them in the front door. Also, I'm working on the theory that "people who let out organized spam most likely have other bad habits." Why? I started noticing that the majority of spam that was getting past Spamhaus and my Subject Sieve came from small sub-nets. In addition to the ssh abusers and ShellShock attackers, I started adding these spamming sub-nets to my ACLs. As the list grew, the volume of spam dropped like crazy.

But wait! As I said, I had this insane header_checks file. All kinds of weird regular expressions to try to catch these spammers...and the spammers did what spammers do, regularly change their subject lines and do interesting subtle substitutions to get past content filters. (I won't catalog the substitutions here.) So I started to remove subject-field checks, little by little. After I dropped about 130 subject checks early on in the process, I didn't notice any significant increase in spam volume. The process continues; I'm now down to a 126-line header_checks file, and dropping.

What will I keep:

* To: fields that are nonsense
* From: fields like FBI, CIA, IRS, t...@live.com, my PTR
* Subjects: excessive spaces, ESC, certain keywords, phrases
* Subject: still popular with web-form abusers
* Certain checks that block web-form abuse effectively

For what it's worth, my daily log-check shows that PostFix is blocking a moderate number of mail messages via SpamHaus, but header_check blocking has dropped considerably.

How effective has this process been? For the past four days, I've had five (5) spam messages. Before I started aggressively blocking mail-abuse subnets, I was getting about 150 per day.
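The pruning described in the post (keeping To:/Subject: checks that still fire, dropping the ones that don't) is easier to do with evidence than by feel. The script below is an added example, not the poster's code or anything shipped with Postfix: it parses a small constructed header_checks fragment written in Postfix pcre: map syntax, applies the rules to constructed sample headers the way Postfix does (first matching rule per header line wins; pcre tables match case-insensitively unless the `i` flag toggles that), and reports which rules never matched so they become candidates for removal. All rule patterns, reject messages and sample messages are constructed for illustration.

```python
"""Offline evaluator for Postfix-style header_checks rules (added example).

Parses a pcre: map fragment, runs it over sample header blocks, and counts
how often each rule fires so dead rules can be pruned. The rules and the
sample messages below are constructed, not taken from a real server.
"""
import re
from typing import List, Optional, Tuple

# Constructed header_checks fragment in Postfix pcre: map syntax:
#   /regexp/flags ACTION optional text
HEADER_CHECKS = r"""
# To: header that is empty or just angle brackets (nonsense recipient)
/^To:\s*<?\s*>?\s*$/            REJECT Nonsense To: header
# Subject padded with five or more consecutive spaces
/^Subject:.*\s{5,}/             REJECT Excessive whitespace in Subject
# Subject containing an ESC control character
/^Subject:.*\x1b/               REJECT Control character in Subject
# A keyword check that may have outlived its usefulness
/^Subject:.*\bfree\s+pills\b/   REJECT Spam subject
"""

Rule = Tuple["re.Pattern[str]", str, str]


def parse_header_checks(text: str) -> List[Rule]:
    """Parse a pcre: style map into (compiled regex, ACTION, message) tuples."""
    rules: List[Rule] = []
    line_re = re.compile(r"^/(.*)/([a-zA-Z]*)\s+(\S+)(?:\s+(.*))?$")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored, as in Postfix
        m = line_re.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        pattern, flags, action, msg = m.groups()
        # Postfix pcre tables are case-insensitive by default; 'i' toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action.upper(), msg or ""))
    return rules


def check_headers(rules: List[Rule], headers: List[str]) -> Optional[Tuple[str, str]]:
    """Return (ACTION, message) of the first rule that matches any header line,
    or None if the message would pass. Headers are checked in order, and only
    the first matching rule applies to a given header line."""
    for header in headers:
        for regex, action, msg in rules:
            if regex.search(header):
                return (action, msg)
    return None


def rule_hit_counts(rules: List[Rule], messages: List[List[str]]) -> List[int]:
    """Count, per rule, how many messages it is the first rule to match on
    some header line. A rule with a count of zero never did any work."""
    counts = [0] * len(rules)
    for headers in messages:
        for header in headers:
            for idx, (regex, _action, _msg) in enumerate(rules):
                if regex.search(header):
                    counts[idx] += 1
                    break  # first match wins for this header line
    return counts


def unused_rules(rules: List[Rule], messages: List[List[str]]) -> List[int]:
    """Indices of rules that never fired across the sample: pruning candidates."""
    return [i for i, n in enumerate(rule_hit_counts(rules, messages)) if n == 0]


# Constructed sample header blocks (one list of logical header lines each).
SAMPLE_MESSAGES: List[List[str]] = [
    ["From: alice@example.com", "To: bob@example.com", "Subject: lunch on Friday"],
    ["From: promo@example.net", "To: <>", "Subject: hello"],
    ["From: x@example.org", "To: bob@example.com", "Subject: W I N N E R      click here"],
    ["From: y@example.org", "To: bob@example.com", "Subject: \x1b[1mUrgent\x1b[0m"],
]

if __name__ == "__main__":
    rules = parse_header_checks(HEADER_CHECKS)
    for headers in SAMPLE_MESSAGES:
        print(headers[2], "->", check_headers(rules, headers))
    print("hit counts:", rule_hit_counts(rules, SAMPLE_MESSAGES))
    print("never fired:", unused_rules(rules, SAMPLE_MESSAGES))
```

Feed `rule_hit_counts` a few days of saved headers from the spam-trap mailboxes and the zero-count rules are the ones to drop first; the same pass shows whether a single structural check (padding, control characters, empty recipient) is doing the work that dozens of keyword rules used to.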