I don't know about others, but Pyzor is quite accurate in my experience. I
think I will increase its score because, for example, most Russian spam
doesn't include links.
Pyzor is generating a digest key based on the content which is checked
against a database. In return, it gets two values: positive and negative
reports/complaints. Based on that, Pyzor decides the likelihood of spam, but
the default score in SA is low, between 0.5 - 1.5 (approx.), not a decisive
one.
You can install your own local Pyzor and RBL servers (package rbldnsd), but
you'll need ... data. I use the second one to manually block or whitelist
certain Domains, IPs and Name Servers (mostly private).


-----Original Message-----
From: Terry Barnum [mailto:te...@dop.com] 
Sent: Tuesday, April 28, 2015 11:08 PM
To: Marius Gologan
Cc: postfix users
Subject: Re: spam fighting


> On Apr 28, 2015, at 12:33 PM, Marius Gologan <marius.golo...@gmail.com> wrote:
> 
> Shared DNS as Google's 8.8.8.8 is not accepted by some RBLs such as 
> spamhaus. They have an ACL in place.
> You will lose about 2 points from Spam scoring when you use a public 
> DNS causing some spam to pass.

Thank you Marius! I did not know that using Google's DNS would reduce or
remove the points scoring for postscreen RBLs. I now see this small blurb on
the spamhaus faq: <http://www.spamhaus.org/faq/section/DNSBL%20Usage#261>

This is likely a huge contributor to our spam increase since spamhaus returns
a "not listed" when using a public DNS.

> Spamassassin (SA) uses many RBL services checking Domain & IP of the
> Sender; Domains, IPs and Name Servers in URLs. One email may generate
> even more than 10 RBL queries. Due to that, SA has a protection in order
> to prevent flooding those service providers. You may consider reducing
> the amavis throttle from Postfix's master.cf, by reducing the no. of
> processes.
> In addition, network tests such as Pyzor, Razor2 and DCC require these
> ports to be opened: out 6277 UDP - DCC service, out 2703 TCP - Razor2
> service, out 24441 UDP - Pyzor service.

Do most who use postfix/amavisd-new/spamassassin also use shared services
like pyzor?

> I heard many saying that Spamassassin is weak, while they don't 
> understand how it works.
> 
> Bottom line, a machine with 2 GB of RAM can easily handle 10k-15k 
> messages a day.

Good info to hear.

Thanks,
-Terry


> -----Original Message-----
> From: Terry Barnum [mailto:te...@dop.com]
> Sent: Tuesday, April 28, 2015 8:04 PM
> To: Marius Gologan
> Cc: postfix users
> Subject: Re: spam fighting
> 
> 
>> On Apr 28, 2015, at 1:47 AM, Marius Gologan <marius.golo...@gmail.com> wrote:
>> 
>> Hi Terry,
>> 
>> I use amavisd-new/spamassassin in post-queue configuration with few
>> adjustments: increased score for SPF_FAIL, DKIM_ADSP_DISCARD, 
>> Bayes_80, Bayes_95, Bayes_99, Bayes_999 and few others.
>> Local DNS server - critical for RBL queries.
>> As for postscreen, I prefer "postscreen_greet_action = enforce" only,
>> which doesn't require the client to retry (as opposed to greylist
>> behavior), while it is pretty effective against bots.
>> 
>> Marius.
> 
> Thank you for the reply Marius. Do the RBL queries from 
> amavisd-new/spamassassin require a local DNS because they're more 
> resource intensive than postscreen_dnsbl_sites or reject_rhsbl_* queries?
> 
> I've received 16 UCE emails in the last hour--weight loss, wrinkle 
> creams, bird feeders, pharmacies. More pointers (favorite postfix 
> techniques and/or add-ons, sites to read, etc.) from those who've been 
> successful in reducing spam load are greatly appreciated.
> 
> Thanks,
> -Terry
> 
>> -----Original Message-----
>> From: owner-postfix-us...@postfix.org 
>> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Barnum
>> Sent: Tuesday, April 28, 2015 1:15 AM
>> To: postfix users
>> Subject: spam fighting
>> 
>> We've been using postscreen and dspam for quite some time but in the
>> past couple months more spam is making it through. I realize there's
>> no one-size-fits-all approach but because dspam isn't actively
>> developed anymore I've started looking around and am curious what
>> others are using. Is amavisd-new/spamassassin the preferred solution?
>> My company is small with <30 users.
>>
>> Perhaps my postscreen settings could be improved?
>> postscreen_access.cidr is a small file with 4 entries to whitelist
>> customers that aren't implicated in the increase in spam.
>> 
>> $ postconf -n
>> broken_sasl_auth_clients = yes
>> command_directory = /opt/local/sbin
>> daemon_directory = /opt/local/libexec/postfix
>> data_directory = /opt/local/var/lib/postfix
>> debugger_command = PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
>> default_privs = nobody
>> delay_warning_time = 4h
>> dovecot_destination_recipient_limit = 1
>> dspam-lmtp_destination_recipient_limit = 1
>> home_mailbox = Maildir/
>> html_directory = no
>> inet_protocols = ipv4
>> mail_owner = _postfix
>> mailq_path = /opt/local/bin/mailq
>> manpage_directory = /opt/local/share/man
>> message_size_limit = 51200000
>> mydestination = $myhostname, localhost.$mydomain, localhost
>> myhostname = mailbox.dop.com
>> mynetworks = 192.168.0.0/23, 127.0.0.0/8
>> myorigin = $mydomain
>> newaliases_path = /opt/local/bin/newaliases
>> postscreen_access_list = permit_mynetworks,
>>     cidr:/opt/local/etc/postfix/postscreen_access.cidr
>> postscreen_bare_newline_action = enforce
>> postscreen_bare_newline_enable = yes
>> postscreen_blacklist_action = drop
>> postscreen_dnsbl_action = enforce
>> postscreen_dnsbl_sites =
>>     b.barracudacentral.org=127.0.0.2*7
>>     dnsbl.inps.de=127.0.0.2*7
>>     bl.mailspike.net=127.0.0.2*5
>>     bl.mailspike.net=127.0.0.[10;11;12]*4
>>     dnsbl.sorbs.net=127.0.0.10*8
>>     dnsbl.sorbs.net=127.0.0.5*6
>>     dnsbl.sorbs.net=127.0.0.7*3
>>     dnsbl.sorbs.net=127.0.0.8*2
>>     dnsbl.sorbs.net=127.0.0.6*2
>>     dnsbl.sorbs.net=127.0.0.9*2
>>     zen.spamhaus.org=127.0.0.[10;11]*8
>>     zen.spamhaus.org=127.0.0.[4..7]*6
>>     zen.spamhaus.org=127.0.0.3*4
>>     zen.spamhaus.org=127.0.0.2*3
>>     hostkarma.junkemailfilter.com=127.0.0.2*3
>>     hostkarma.junkemailfilter.com=127.0.0.4*1
>>     hostkarma.junkemailfilter.com=127.0.1.2*1
>>     wl.mailspike.net=127.0.0.[18;19;20]*-2
>>     list.dnswl.org=127.0.[0..255].0*-2
>>     list.dnswl.org=127.0.[0..255].1*-3
>>     list.dnswl.org=127.0.[0..255].2*-4
>>     list.dnswl.org=127.0.[0..255].3*-5
>>     hostkarma.junkemailfilter.com=127.0.0.1*-2
>> postscreen_dnsbl_threshold = 3
>> postscreen_dnsbl_ttl = 5m
>> postscreen_greet_action = enforce
>> postscreen_non_smtp_command_enable = yes
>> postscreen_pipelining_action = enforce
>> postscreen_pipelining_enable = yes
>> proxy_interfaces = 70.167.15.110
>> queue_directory = /opt/local/var/spool/postfix
>> readme_directory = /opt/local/share/postfix/readme
>> sample_directory = /opt/local/share/postfix/sample
>> sendmail_path = /opt/local/sbin/sendmail
>> setgid_group = _postdrop
>> smtpd_banner = $myhostname ESMTP $mail_name
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks,
>>     permit_sasl_authenticated, reject_non_fqdn_helo_hostname
>> smtpd_recipient_restrictions = permit_mynetworks,
>>     permit_sasl_authenticated, reject_non_fqdn_sender,
>>     reject_non_fqdn_recipient, reject_unknown_sender_domain,
>>     reject_unknown_recipient_domain, reject_unauth_pipelining,
>>     reject_unauth_destination, reject_unlisted_recipient,
>>     check_recipient_access pcre:/opt/local/etc/postfix/recipient_checks.pcre,
>>     check_helo_access hash:/opt/local/etc/postfix/helo_checks,
>>     check_sender_access hash:/opt/local/etc/postfix/sender_checks,
>>     check_client_access hash:/opt/local/etc/postfix/client_checks,
>>     check_client_access pcre:/opt/local/etc/postfix/fqrdns.pcre,
>>     reject_rhsbl_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org,
>>     reject_rhsbl_helo dbl.spamhaus.org,
>>     check_client_access pcre:/opt/local/etc/postfix/dspam_filter_access
>> smtpd_reject_unlisted_sender = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_path = private/auth
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_type = dovecot
>> smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /opt/local/etc/postfix/ssl/certs/postfix.cert
>> smtpd_tls_key_file = /opt/local/etc/postfix/ssl/private/postfix.key
>> smtpd_tls_loglevel = 1
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_database = btree:/opt/local/var/lib/postfix/smtpd_tls_cache
>> smtpd_tls_session_cache_timeout = 3600s
>> tls_random_source = dev:/dev/urandom
>> transport_maps = hash:/opt/local/etc/postfix/transport
>> unknown_local_recipient_reject_code = 550
>> vacation_destination_recipient_limit = 1
>> virtual_alias_maps = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_alias_maps.cf
>> virtual_gid_maps = static:_vmail
>> virtual_mailbox_base = /Volumes/mail/vmail/
>> virtual_mailbox_domains = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_domains.cf
>> virtual_mailbox_maps = proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_maps.cf
>> virtual_minimum_uid = _vmail
>> virtual_transport = dovecot
>> virtual_uid_maps = static:_vmail
>> 
>> Thanks,
>> -Terry
>> 
>> Terry Barnum
>> digital OutPost
>> http://www.dop.com
>> 
>> 
>> 
> 
> Terry Barnum
> digital OutPost
> http://www.dop.com
> 
> 
> 

Terry Barnum
digital OutPost
http://www.dop.com
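
Added example (not part of the original thread, and not Postfix's own code): a simplified Python model of how postscreen sums weighted postscreen_dnsbl_sites matches and compares the total with postscreen_dnsbl_threshold, using a subset of the entries from the quoted postconf output. The function names and the DNSBL replies are constructed for illustration; the second reply set assumes only zen.spamhaus.org answers "not listed" through a public resolver, as described in the thread.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the thread.
SITES = """
b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.2*3
list.dnswl.org=127.0.[0..255].1*-3
""".split()
THRESHOLD = 3  # postscreen_dnsbl_threshold from the thread

def parse_site(entry):
    """Split 'domain=filter*weight' into (domain, filter, weight)."""
    m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?", entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    return m.group(1), m.group(2), int(m.group(3) or 1)  # default weight 1

def octet_matches(pattern, octet):
    """Match one octet against 'N', '[a;b;c]' or '[lo..hi]'."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= octet <= int(hi or lo):
            return True
    return False

def reply_matches(filt, reply):
    """True if a returned A record matches the entry's filter (None = any)."""
    if filt is None:
        return True
    pats = re.findall(r"\[[^\]]*\]|\d+", filt)
    octs = [int(o) for o in reply.split(".")]
    return len(pats) == 4 and all(octet_matches(p, o) for p, o in zip(pats, octs))

def dnsbl_score(replies):
    """replies: {dnsbl_domain: [A records]}; a missing domain = not listed."""
    score = 0
    for domain, filt, weight in map(parse_site, SITES):
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            score += weight  # each matching entry contributes its weight once
    return score

# Constructed replies for one hypothetical client, seen via two resolvers.
LOCAL_RESOLVER = {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],
                  "list.dnswl.org": ["127.0.5.1"]}
PUBLIC_RESOLVER = {"list.dnswl.org": ["127.0.5.1"]}  # Spamhaus: "not listed"

for name, replies in (("local", LOCAL_RESOLVER), ("public", PUBLIC_RESOLVER)):
    s = dnsbl_score(replies)
    print(f"{name}: score={s} enforce={s >= THRESHOLD}")
```

With the same client, the missing Spamhaus answer moves the combined score from above the threshold to below it, so postscreen_dnsbl_action is never triggered.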

