(postfix) SPAM filter?

Jorn Argelo jorn at wcborstel.com
Mon Dec 17 00:36:23 PST 2007

On Mon, 17 Dec 2007 00:20:50 +0530, Girish Venkatachalam <girishvenkatachalam at gmail.com> wrote:
> On 14:48:35 Dec 15, Jorn Argelo wrote:
>> Greylisting only works so-so nowadays. There were a couple of months when it was
>> very effective, but that is long gone. Spammers aren't stupid, and they
>> follow the development of anti-spam techniques as much as e-mail admins do.
>> Greylisting is a start, but from my experience it is not nearly enough.
> I have heard this said elsewhere too.

Yes, don't rely solely on greylisting unless you're a lucky guy and don't get a lot of spam.

>> Also I believe that rejecting e-mail is a big point of discussion. We had
>> an internet e-mail environment built about 3 years ago, and there the users
>> were terrorized by spam. We had some users getting 30 spam mails a day at
>> least. This setup was running amavis, spamassassin, postfix, postgrey, dcc
>> and razor. Unfortunately, over time the bayes filter got incorrectly
>> trained, and it sometimes rejected valid e-mails. If there's something you
>> DON'T want to happen it's that. And also troubleshooting those kinds of
>> things can be quite hard ...
> What about CRM114 and dspam?

I played with dspam at home but I didn't really get it running as I wanted to. I didn't invest an awful lot of time in it though, so I cannot properly judge it. I never heard of CRM114, so I cannot say anything about that.

> Have you ever tried statistical filtering instead of heuristics with
> spamassassin?
>> We rebuilt the environment from scratch. Right now we are running OpenBSD
>> spamd + OpenBSD Packetfilter. This functions as greylisting / greytrapping
>> in combination with the PF firewall. We made a couple of scripts to trap
>> invalid / forged e-mail addresses that are greylisted. Also we make use of
>> the uatraps / nixspam traplists, and our own blacklist, generated
>> from spam being sent to the postmaster. We had some problems with
>> blacklisted entries in the past, but we worked around that. It goes further
>> than that, but I will spare you all the details.
> pf(4) has some amazing features that come in handy for spam control. I
> guess it forms a key component of any spam blocking architecture. And it
> works in concert with the other OpenBSD niceties you point out like
> populating the tables with blacklists and whitelists, greytrapping and
> using the pf(4) anchor mechanism to automate stuff.

Indeed. PF is very powerful and uses very little resources. Hats off to the OpenBSD guys for this.

And indeed, I can recommend a pf and spamd combination to every e-mail admin. It's awesome and you can do a lot with it. Check out the OpenBSD website for more info.

> The probability and state tracking options in pf(4) are pretty
> interesting too if used creatively.

Very much so, it opens a lot of new options for you to handle blacklisted entries.

>> On the second line we run Postfix / ClamSMTP / Clamd / Spamassassin. We
>> removed Amavis because it was annoying to upgrade and we wanted to get rid
>> of it, as we had problems with it in the past. With SpamAssassin we use
>> sa-update and sa-learn to keep the rules up-to-date and make sure bayes
>> gets properly trained. So we are marking e-mail as spam and no longer block
>> it. Why? Simple ... we no longer want to block false positives. Again,
>> there is more to this, but I will spare you all the details.
> But if you don't update virus signatures wouldn't that cause worms and
> malware propagation?
> I know I am digressing but I thought signature updation was critical to
> malware control...

Well of course, but with clamd I also meant using freshclam :) So we keep our signature database up-to-date as well.

>> Right now we have 2500 happy users. Their local helpdesks helped them with
>> getting an Outlook rule in place to automatically move tagged e-mails to a
>> spam folder. Just like their gmail, hotmail or Yahoo account does at home.
> Wow, this is great. I am not surprised to hear this. ;)
>> The environment we have is certainly not the easiest one, but we automated
>> many things, leaving us with practically no work on it. All the updating of
>> rulesets / blacklists / whitelists / whatever goes by itself. Downside of an
>> environment like this is that you will need quite some knowledge of all the
>> components and how they work together. But hey, I got it running at home as
>> well (a bit simpler though) and didn't have a single spam mail in my mailbox
>> the last 4 months. Sure, the ones I do get are getting tagged and moved to
>> my spam folder automatically, which I do with maildrop (though procmail
>> does the job nicely too). All in all it works like a charm.
> Using the X-foobar headers I suppose?

I just check the Subject header to see if it starts with *****SPAM*****. So yes, using the mail headers :)

>> Well a long story, but maybe it is of use for someone else. As always,
>> YMMV.
> Yes, very enlightening, many thanks.

Glad to hear.
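As an added illustration (not the poster's own configuration), this is what the spamd + pf greylisting / greytrapping layer discussed in the thread looks like in OpenBSD's own config files, with the uatraps / nixspam traplists and a locally generated blacklist; the interface name, the local blacklist file and the trap address are assumptions.

```conf
# --- /etc/pf.conf (OpenBSD 4.x-era pf syntax, as used at the time of this thread) ---
ext_if = "em0"                                     # assumed external interface
table <spamd> persist                              # blacklisted hosts, loaded by spamd-setup
table <spamd-white> persist                        # whitelist maintained by spamd/spamlogd
table <nospamd> persist file "/etc/mail/nospamd"   # hosts that must never be greylisted
# Known-good senders reach the real MTA directly ...
no rdr on $ext_if inet proto tcp from <spamd-white> to any port smtp
no rdr on $ext_if inet proto tcp from <nospamd> to any port smtp
# ... everyone else is redirected into spamd for greylisting / greytrapping / blacklisting
rdr pass on $ext_if inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
# Log outbound SMTP so spamlogd can whitelist the hosts we send mail to
pass out log on $ext_if inet proto tcp to any port smtp

# --- /etc/mail/spamd.conf: the uatraps / nixspam traplists plus a locally generated list ---
all:\
	:uatraps:nixspam:localblack:whitelist:
uatraps:\
	:black:\
	:msg="Your address %A has sent mail to a ualberta.ca spamtrap within the last 24 hours":\
	:method=http:\
	:file=www.openbsd.org/spamd/traplist.gz
nixspam:\
	:black:\
	:msg="Your address %A is in the nixspam list":\
	:method=http:\
	:file=www.openbsd.org/spamd/nixspam.gz
# assumed local list: one address or CIDR per line, generated from spam sent to postmaster
localblack:\
	:black:\
	:msg="Your address %A is blacklisted locally; contact postmaster to be removed":\
	:method=file:\
	:file=/etc/mail/localblack.txt
whitelist:\
	:white:\
	:method=file:\
	:file=/etc/mail/whitelist.txt

# --- /etc/rc.conf.local ---
spamd_flags="-v -G 25:4:864"   # greylist: 25 min retry window, 4 h to pass, 36 days whitelisted
spamlogd_flags=""

# --- root crontab: re-fetch the blacklists into spamd and the pf <spamd> table every hour ---
0 * * * * /usr/libexec/spamd-setup

# --- greytrapping: one never-valid address; any host that mails it is trapped for 24 h ---
# spamdb -T -a 'nosuchuser@example.org'
```

Because spamd only answers on port 25 for hosts that are greylisted or blacklisted, a legitimate sender that retries is whitelisted and passed straight to Postfix afterwards; the false positives the poster worries about therefore come from the blacklists, which is why a locally generated list needs a removal path via postmaster.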
