(postfix) SPAM filter?
jorn at wcborstel.com
Mon Dec 17 00:36:23 PST 2007
On Mon, 17 Dec 2007 00:20:50 +0530, Girish Venkatachalam <girishvenkatachalam at gmail.com> wrote:
> On 14:48:35 Dec 15, Jorn Argelo wrote:
>> Greylisting only works so-so nowadays. There was a couple of months it
>> very effective, but that is long gone. Spammers aren't stupid, and they
>> follow the development of anti-spam techniques as much as e-mail admins
>> Greylisting is a start, but from my experience it is not nearly enough.
> I have heard this said elsewhere too.
Yes, don't rely solely on greylisting unless you're a lucky guy and don't get a lot of spam.
>> Also I believe that rejecting e-mail is a big point of discussion. We
>> an internet e-mail environment built about 3 years ago, and there the
>> were terrorized by spam. We had some users getting 30 spam mails a day
>> least. This setup was running amavis, spamassassin, postfix, postgrey,
>> and razor. Unfortunately, over time the bayes filter got incorrectly
>> trained, and it sometimes rejected valid e-mails. If there's something
>> DON'T want to happen it's that. And also troubleshooting those kind of
>> things can be quite hard ...
> What about CRM114 and dspam?
I played with dspam at home but I didn't really get it running as I wanted to. I didn't invest an awful lot of time in it though, so I cannot properly judge it. I never heard of CRM114, so I cannot say anything about that.
> Have you ever tried statistical filtering instead of heuristics with
>> We rebuilt the environment from scratch. Right now we are running
>> spamd + OpenBSD Packetfilter. This functions as greylisting /
>> in combination with the PF firewall. We made a couple of scripts to trap
>> invalid / forged e-mail addresses that are greylisted. Also we make use
>> the uatraps / nixspam traplists, and our own generated blacklist
>> from spam being sent to the postmaster. We had some problems with
>> blacklisted entries in the past, but we worked around that. It goes
>> then that, but I will spare you all the details.
> pf(4) has some amazing features that come in handy for spam control. I
> guess it forms a key component of any spam blocking architecture. And it
> works in concert with the other OpenBSD niceties you point out like
> populating the tables with blacklists and whitelists, greytrapping and
> using the pf(4) anchor mechanism to automate stuff.
Indeed. PF is very powerful and uses very little resources. Hats off to the OpenBSD guys for this.
And indeed, I can recommend that every e-mail admin use a pf and spamd combination. It's awesome and you can do a lot with it. Check out the OpenBSD website for more info.
> The probability and state tracking options in pf(4) are pretty
> interesting too if used creatively.
Very much so, it opens a lot of new options for you to handle blacklisted entries.
>> On the second line we run Postfix / ClamSMTP / Clamd / Spamassassin. We
>> removed Amavis because it was annoying to upgrade and we wanted to get
>> of it, as we had problems with it in the past. With SpamAssassin we use
>> sa-update and sa-learn to keep the rules up-to-date and make sure bayes
>> gets properly trained. So we are marking e-mail as spam and no longer
>> it. Why? Simple ... we no longer want to block false positives. Again,
>> there is more to this, but I will spare you all the details.
> But if you don't update virus signatures wouldn't that cause worms and
> malware propagation?
> I know I am digressing but I thought signature updation was critical to
> malware control...
Well of course, but with clamd I also meant using freshclam :) So we keep our signature database up-to-date as well.
>> Right now we have 2500 happy users. Their local helpdesks helped them
>> getting an Outlook rule in place to automatically move tagged e-mails to
>> spam folder. Just like their gmail, hotmail or Yahoo account does at
> Wow, this is great. I am not surprised to hear this. ;)
>> The environment we have is certainly not the easiest one, but we
>> many things, leaving us with practically no work on it. All the updating
>> rulesets / blacklists / whitelists /whatever goes by itself. Downside of
>> environment like this is that you will need quite some knowledge of all
>> components and how they work together. But hey, I got it running at home
>> well (a bit simpler though) and didn't have a single spam mail in my
>> the last 4 months. Sure, the ones I do get are getting tagged and moved
>> my spam folder automatically, which I do with maildrop (though procmail
>> does the job nicely too). All in all it works like a charm.
> Using the X-foobar headers I suppose?
I just check the Subject header to see if it starts with *****SPAM*****. So yes, using the mail headers :)
>> Well a long story, but maybe it is of use for someone else. As always,
> Yes, very enlightening, many thanks.
Glad to hear.
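The local sorting rule described above (tag with SpamAssassin, then move anything whose Subject starts with *****SPAM***** into a spam folder instead of rejecting it at SMTP time) as a worked example. This is added code, not from the thread or from maildrop/SpamAssassin; the folder names and the sample messages are constructed assumptions. It also honours the X-Spam-Flag: YES header as a second signal and decodes RFC 2047 encoded Subjects, which a plain regex on the raw header would miss.

```python
"""Sort SpamAssassin-tagged mail into a spam folder rather than rejecting it.

Added example, not code from the original thread. It implements the delivery
rule described there: a message whose Subject was rewritten by SpamAssassin
to start with *****SPAM***** goes to the spam folder, anything else to the
inbox. X-Spam-Flag: YES is accepted as a second signal. Folder names are
assumptions (Maildir++ layout); the sample messages are constructed.
"""
from email import message_from_string
from email.header import decode_header, make_header

SPAM_TAG = "*****SPAM*****"        # SpamAssassin's default rewrite_header Subject tag
INBOX = "Maildir/"                 # assumption: plain Maildir inbox
SPAM_FOLDER = "Maildir/.Spam/"     # assumption: Maildir++ subfolder name


def decoded_subject(msg):
    """Return the Subject with any RFC 2047 encoded-words decoded.

    A Subject may arrive as =?UTF-8?Q?...?=; matching the raw header would
    then miss the tag even though the user sees it in the mail client.
    """
    raw = msg.get("Subject", "")
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeDecodeError, LookupError):
        # Undecodable charset: fall back to the raw header text.
        return raw


def is_tagged_spam(msg):
    """True when our own scanner marked the message as spam."""
    subject = decoded_subject(msg).lstrip()
    if subject.startswith(SPAM_TAG):
        return True
    # Second signal: the flag header SpamAssassin adds. Only meaningful if the
    # scanner strips any X-Spam-* headers that arrived with the message.
    return msg.get("X-Spam-Flag", "").strip().upper() == "YES"


def target_folder(raw_message):
    """Decide the delivery folder for one RFC 822 message given as text."""
    msg = message_from_string(raw_message)
    return SPAM_FOLDER if is_tagged_spam(msg) else INBOX


def sort_messages(raw_messages):
    """Map each message to its folder; returns a list of (folder, subject)."""
    out = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        out.append((target_folder(raw), decoded_subject(msg)))
    return out


# Constructed sample messages (not real mail).
SAMPLE_SPAM = (
    "From: someone@example.invalid\r\n"
    "Subject: *****SPAM***** cheap watches\r\n"
    "X-Spam-Flag: YES\r\n"
    "\r\nbody\r\n"
)
SAMPLE_HAM = (
    "From: colleague@example.invalid\r\n"
    "Subject: Meeting notes\r\n"
    "X-Spam-Status: No, score=-1.0\r\n"
    "\r\nbody\r\n"
)
# Subject carried as an RFC 2047 Q-encoded word; decodes to the tagged form.
SAMPLE_ENCODED = (
    "From: someone@example.invalid\r\n"
    "Subject: =?UTF-8?Q?*****SPAM*****_Hello?=\r\n"
    "\r\nbody\r\n"
)
# No Subject rewrite (e.g. rewrite_header disabled), only the flag header.
SAMPLE_FLAG_ONLY = (
    "From: someone@example.invalid\r\n"
    "Subject: hi\r\n"
    "X-Spam-Flag: YES\r\n"
    "\r\nbody\r\n"
)

if __name__ == "__main__":
    for folder, subject in sort_messages(
        [SAMPLE_SPAM, SAMPLE_HAM, SAMPLE_ENCODED, SAMPLE_FLAG_ONLY]
    ):
        print(f"{folder:16} {subject}")
```

This sits where the maildrop or procmail recipe would, after SpamAssassin has already scored the message; it replaces nothing upstream. The X-Spam-Flag check is only safe because SpamAssassin removes pre-existing X-Spam-* headers before adding its own; if the scanner in use does not, rely on the Subject rewrite alone, since a sender can otherwise pre-set the header.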