oh and don't forget URIBL scores for SpamAssassin
URIBL_BLACK has a zero-false-positive policy
as said, spamass-milter runs with block above 8.0 here and the default
max-message size which is scanned is *way* too low, spammers know that
/usr/sbin/spamass-milter -p /run/spamass-milter/spamass-milter.sock -g sa-milt -r 8.0 -- -s 5242880 --port=10028
score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 4.5
score URIBL_MW_SURBL 5.0
score URIBL_PH_SURBL 5.0
score URIBL_WS_SURBL 3.5
score URIBL_SC_SURBL 0.5
score URIBL_SBL 1.5
score URIBL_SBL_A 1.5
score URIBL_DBL_SPAM 3.0
score URIBL_DBL_BOTNETCC 3.0
score URIBL_DBL_PHISH 3.5
score URIBL_DBL_MALWARE 3.5
score URIBL_DBL_ABUSE_SPAM 3.0
score URIBL_DBL_ABUSE_BOTCC 3.0
score URIBL_DBL_ABUSE_PHISH 5.0
score URIBL_DBL_ABUSE_MALW 5.0
score URIBL_BLACK 7.0
score URIBL_GREY 0.5
score URIBL_RED 0.5
score URIBL_DBL_REDIR 0.1
score URIBL_DBL_ABUSE_REDIR 0.3
score URIBL_BLOCKED 0
score URIBL_DBL_ERROR 0
score URI_PHISH 3.5
score URI_TRY_3LD 0.5
score URI_WP_HACKED 3.5
On 26.12.2014 at 03:15, li...@rhsoft.net wrote:
make them hate you by more aggressive RBL scoring and *slow them down*, as
well as consider a manually trained global bayes with at least 1000 ham
and 1000 spam messages
* find common tags in the maillog
* adjust scores in SA local.cf for them
* adjust the scores for bayes after it is well trained
* consider global hashing services like IXHASH for SpamAssassin
* whatever you set up - be careful about non-scored decisions
our incoming spam *attempts* dropped down from 293 per minute to 20 per
minute and even the last two days the highest peak was 50 per minute and
we are talking here about rejections before the SA milter
below some key configs of our inbound-only filter, I avoid detailed
configs because I am happy about some common senders, HELO's and a lot
of PTR's caught with regex and would like them not to be changed by
bot-developers monitoring public mailing lists :-)
since I trust my bayes with 15000 hand-trained messages that's the
scoring in context of 8.0 = milter reject
# adjust bayes scoring
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00 -3.5
score BAYES_05 -1.5
score BAYES_20 -0.5
score BAYES_40 -0.2
score BAYES_50 2.5
score BAYES_60 3.0
score BAYES_80 5.0
score BAYES_95 6.5
score BAYES_99 7.5
score BAYES_999 0.4
endif
here some real numbers of the current month
Connections: 210100
Delivered: 58351
Blocked: 151749
Invalid User: 6639
Disallowed User: 11
Reject Postscreen: 121348
Reject Postfix: 14346
Reject Milter: 5263
Reject Temporary: 3706
Blacklist: 113766
Pregreet: 15197
Hangup: 50176
Protocol Error: 3876
Illegal Syntax: 8
SpamAssassin: 5158
Virus: 99
Helo: 1669
Subject: 241
Attachment: 13
Sender Regex: 297
Sender Blocked: 573
Sender Verify: 15
Sender Invalid: 1888
Sender Spoofed: 14
Sender Parked: 21
PTR Missing: 1592
PTR Generic: 970
SPF: 569
______________________________________________________________
bots don't like to wait, that's a 5 second penalty even after somebody
passed postscreen until the server is under load or the client is on any
DNSWL
smtpd_client_restrictions =
    reject_unlisted_recipient
    permit_dnswl_client list.dnswl.org
    permit_dnswl_client wl.mailspike.net
    permit_dnswl_client iadb.isipp.com
    permit_dnswl_client sa-accredit.habeas.com
    permit_dnswl_client dnswl.inps.de
    permit_dnswl_client swl.spamhaus.org
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
    ${stress?sleep 0}${stress: sleep 5}
______________________________________________________________
some ideas for a restriction order, the thoughts behind the config files
should be clear from their names
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unauth_destination
    reject_unlisted_recipient
    check_helo_access regexp:/etc/postfix/blacklist_helo_uncond.cf
    reject_non_fqdn_helo_hostname
    reject_invalid_helo_hostname
    reject_unknown_sender_domain
    check_recipient_access hash:/etc/postfix/blacklist_rcpt.cf
    check_sender_access hash:/etc/postfix/whitelist_sender.cf
    check_sender_access hash:/etc/postfix/blacklist_sender.cf
    check_sender_access hash:/etc/postfix/spoofing_protection.cf
    check_sender_access regexp:/etc/postfix/blacklist_sender_regex.cf
    reject_unknown_reverse_client_hostname
    check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
    permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
    permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
    check_policy_service unix:private/spf-policy
    check_recipient_access hash:/etc/postfix/skip_ptr_check.cf
    permit_dnswl_client wl.mailspike.net
    permit_dnswl_client list.dnswl.org
    permit_dnswl_client iadb.isipp.com
    permit_dnswl_client sa-accredit.habeas.com
    permit_dnswl_client dnswl.inps.de
    permit_dnswl_client swl.spamhaus.org
    permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
    check_helo_access regexp:/etc/postfix/blacklist_helo.cf
    check_reverse_client_hostname_access regexp:/etc/postfix/generic_ptr.cf
    reject_unverified_sender
______________________________________________________________
lower the RBL TTL of postscreen to catch new blacklisted clients faster
and consider setting up an unbound dns-cache on localhost with tuned caching;
the min-TTL lowers the network costs for DNSBL/DNSWL with a very low
origin TTL after postscreen as well as preventing exceeding the limits of some lists
cache-min-ttl: 270
cache-max-ttl: 7200
postscreen can be much more aggressive by slowing down new clients for 10
seconds, use a lot more RBL's but back them up also with DNSWL to
avoid false positives and I have not seen any FP with that setup, look
also at the spamassassin config and consider raising the scores for
RBL's to give more penalty if as example someone is on the barracuda RBL
but you really don't want to reject because of any single RBL
postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?3}${stress:10}s
postscreen_dnsbl_sites =
    dnsbl.sorbs.net=127.0.0.10*8
    zen.spamhaus.org=127.0.0.[10;11]*8
    b.barracudacentral.org=127.0.0.2*7
    dnsbl.inps.de=127.0.0.2*7
    dnsbl.sorbs.net=127.0.0.5*7
    zen.spamhaus.org=127.0.0.[4..7]*7
    zen.spamhaus.org=127.0.0.3*5
    bl.mailspike.net=127.0.0.2*5
    bl.mailspike.net=127.0.0.[10;11;12]*4
    bl.spamcop.net=127.0.0.2*4
    bl.spameatingmonkey.net=127.0.0.[2;3]*4
    dnsrbl.swinog.ch=127.0.0.3*4
    zen.spamhaus.org=127.0.0.2*3
    dnsbl.sorbs.net=127.0.0.7*3
    dnsbl.sorbs.net=127.0.0.8*2
    dnsbl.sorbs.net=127.0.0.6*2
    dnsbl.sorbs.net=127.0.0.9*2
    wl.mailspike.net=127.0.0.[18;19;20]*-2
    list.dnswl.org=127.0.[0..255].0*-2
    list.dnswl.org=127.0.[0..255].1*-3
    list.dnswl.org=127.0.[0..255].2*-4
    list.dnswl.org=127.0.[0..255].3*-5
On 25.12.2014 at 23:24, Asai wrote:
We have a real spam problem for some users, and this seems to be really
tough spam to block. I have postscreen set up, which blocks a lot of
spam; of the spam that does get through, SpamAssassin catches about 200
spams a day, but we have about a dozen users that get 20 - 30 spams a
day, so I ask if anyone can give me some advice about my configs here.
This is what I have had thus far; postscreen's deep protocol tests have
been turned on and turned off at different times due to troubleshooting a
particular user's iPhone connection, and they are off at this time:
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2;3;4;5;6;7]*4
    #l2.apews.org*3, ##I've used this with variable success
    dbl.spamhaus.org*2
    cbl.abuseat.org*2
    zen.spamhaus.org*1
    bl.spamcop.net*1
    b.barracudacentral.org*1
    bl.spameatingmonkey.net*1
    dnsbl.sorbs.net*1
    psbl.surriel.com
    bl.mailspike.net
    zen.spamhaus.org=127.0.0.11*-3
    swl.spamhaus.org*-5
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-3
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = drop
postscreen_greet_banner =
postscreen_greet_action = drop
I'm wondering about turning this back on under
smtpd_recipient_restrictions, which has been turned off since I started
using postscreen:
smtpd_recipient_restrictions = permit_mynetworks,
    ...
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rhsbl_sender dbl.spamhaus.org,
    reject_rhsbl_sender rhsbl.sorbs.net,
    permit
I would be grateful for any advice here and if anyone could share their
experience.