Anti Spam Solution

Hello

Can anyone give me a good anti-spam solution?

At the moment I am using qmail as MTA, but since it is getting old and is no longer maintained it got cranky and hard to handle.

As an anti-spam solution I am using TMDA at the moment, and it is working well on my group addresses, but the problem with it is that a lot of mails are in the queue due to spams that got stopped. I cannot use it with Postfix; I wasn't able to configure it to work.

I want to move to Postfix (tested it on my private server and it works great) but I don't know what solution to adopt:

SpamAssassin is OK, but a lot of spam gets past it from what I've seen.
I never tried MaiaMailguard and MailScanner - are those any good?
I also never tried postgrey on a busy server to see how much of the spam it will block - is a greylist solution enough to stop spam?
I also tried ASSP and it seems like a very good candidate, but in the long run with xxx accounts is it enough to stop the spam?

Can someone please point me in the right direction with a solution they tried that worked? My mail server only has a couple of hundred mailboxes, so it is not something huge.
 
MailScanner is the best. It has lots of plugins and configuration options. We use MailScanner with a proprietary anti-virus for over 5000 email boxes. We have Postfix with virtual email boxes, i.e. no real user accounts created on the FreeBSD server.
 
bloodhound said:
Can anyone give me a good anti-spam solution?

Unfortunately, spammers seem to get smarter all the time. One's gotta wonder what possesses those people to bother others with their useless crap at all costs, but hey.

Anyway, in my experience SpamAssassin tends to be a bit too eager/rigid and generates too many false positives (i.e. mail being marked as spam when it is in fact legitimate but just somewhat badly formatted (think clueless but good-intentioned Windoze users)). So far I've stuck to one gun, which is: using procmail and writing/editing rules as I go along and spamming trends evolve. But I'll be the first to admit that this is a labour-intensive method.

In short: there's a correlation between the quality/quantity/accuracy of your spam filtering and the amount of time/effort you're willing to invest in it. You'll need to somehow find your own sweet spot in this matter. There's no definitively perfect solution. If you do find one, be sure to tell me so we can both get rich ;)

Alphons
 
I was thinking of something like:

An SMTP gateway with greylisting on it -> and MailScanner or Maia Mailguard or something on the servers behind it (it is not needed at the moment for the few users I have, but in the future it will probably be good), but I don't know which to take... Maia or MailScanner, since both have an insane amount of requirements + configs.
 
I use sendmail, milter-greylist, milter-regex, clamav, dnsrbl and custom regex scripts in sendmail against which to test the relay domain.

This setup eliminated all but 25 spams from a total of just under 70,000 spams last year. (I could probably ditch the dnsrbl lists as they caught just 7 spams.)

Alas, I also had 6 false positives, which were rejected from incorrectly/badly set up, non-standards-compliant mail servers for which I had to add exceptions.

Note: I also host my secondary mail server on another machine on another DSL line - if someone else hosts it, you're pretty much sunk as the spammers just send everything there.
 
I'm using

Code:
                reject_rbl_client rbl.maps.vix.com
                reject_rbl_client bl.spamcop.net
                reject_rbl_client dnsbl.sorbs.net
                reject_rbl_client rhsbl.sorbs.net
                reject_rbl_client dnsbl.njabl.org
                reject_rbl_client cbl.abuseat.org
                reject_rbl_client sbl-xbl.spamhaus.org
 
hydra said:
Trev, which DNSRBL lists are you using ? They are helping me a lot (spamcot, abuseat, spamhaus).

zen.spamhaus.org
combined.njabl.org

I suspect my sendmail mail relay domain regex claims all the spam before it gets to the DNSRBL lookup which is why they're hardly worth it.

Here's the regex:

Code:
Ktestrelay regex -a@MATCH (^[0-9]*[.][0-9]*[.][0-9]*[.][0-9]*[.]|[0-9]{1,3}-[0-9]{3,10}\.|^[0-9]*[-][0-9]*[-.][0-9a-z]|^[0-9]{1,7}hfc[0-9]{1,3}[-.]|[0-9]{5,13}[-.][0-9]{5,13}[-.]|-[0-9]{1,3}-[0-9]{1,3}\.|[0-9]{12}[-.]|^[a-z][-0-9]{3,8}[-.][a-z][-0-9]{3,6}[-.]|[a-z]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}|[0-9]{1,3}[a-z]-[a-z][0-9]{1,3}-[a-z][0-9]{1,3}\.|^[ip][cd][0-9]{1,8}\.|\.acc[0-9]{2}-[a-z]{4}-[a-z]{3}\.|[-.]*[asx]{0,1}dsl[-.]*[0-9]{0,3}|^ip[0-9]{1,3}\.|^d[0-9]{3,6}[-.]|^ip[0-9]{1,6}[a-z][0-9][-.]|\.bb\.|\.bredband\.|[-.]broadband[0-9]{0,3}[-.]|[-.]cable[-.]|\.catv[0-9]*\.|cgi[0-9]{1,3}-|^cliente-|\.client[0-9]*\.|^cm[0-9]{4,6}[-.]|[-.]{0,1}cpe[-.]|^cp[0-9]{1,7}-|\.cust\.|\.customer\.|^cust[-0-9]*\.|\.dclient\.|[-.]dial[-.]*[upin]{0,2}[-.]*|[-.]*dhcp[0-9]*[-.]|\.dr\.|dslpool|[-.]*dynamic[IP]*[-.]|\.dip[0-9]*[-.]|\.dyn[0-9]*[-.]|^dyn[-.]|^h[o]*st-|^host[0-9]{1,9}[-.]|-host-[0-9]{1,3}-[0-9]{1,3}[-.]|^i[0-9a-f]{7,8}[-.]|[-.]ip[-.]|[-.]in-addr[-.]|^modemcable|net[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}\.|\.net[0-9]{3}\.|\.ns\.|^pc-[0-9]{1,3}-|^ppp-|\.ppp\.|^ppp[0-9]{0,3}[-.]|[-.]ppp[0-9]{6}[-.]|[-.]personal[-.]|[-.]pool[es]{0,2}[-.]|[-.]pool[0-9]{1,5}[-.]|^port[0-9]{1,4}|\.ptr\.|pppo[ae]-|\.pppo[ae]\.|\.pppool\.|-p[0-9]{2,3}[-.]|\.range[0-9]{1,3}-[0-9]{1,3}\.|\.rev\.|\.reverse\.|^rtc[0-9]{1,3}-[0-9]{1,3}\.|^[0-9]{1,3}sdl[0-9]|\.static\.|^user[0-9]*[-.]|[-.]us[e]{0,1}r[-.]|^[a-z]{1,2}[0-9]{1,2}[-.][0-9]{1,3}[-.]|\.[a-z]{3,6}\.adelphia|\.[a-z]{3}\.bellsouth|\.[a-z]{4}\.cox-internet|\.[a-z]{2}\.comcast|\.[a-z]{2}\.charter|\.[a-z]{4}\.qwest|\.[a-z][a-z]\.shawcable|\.[a-z]{3}\.wideopenwest|\.upc-[a-z]\.chello|^udp[0-9]{1,8}uds\.)
:)
 
danger@ said:
I'm using

Code:
                reject_rbl_client rbl.maps.vix.com
                reject_rbl_client bl.spamcop.net
                reject_rbl_client dnsbl.sorbs.net
                reject_rbl_client rhsbl.sorbs.net
                reject_rbl_client dnsbl.njabl.org
                reject_rbl_client cbl.abuseat.org
                reject_rbl_client sbl-xbl.spamhaus.org

Where do you put that in?

I just got my sendmail working but haven't done anything about spam yet. I probably won't get any for a long time. But I would set it up anyways.
 
Those rules are for Postfix. For sendmail, you will have to look into the dnsbl feature of sendmail.mc. See /usr/src/contrib/sendmail/cf/README, and look for 'dnsbl' and 'enhdnsbl'.

I'm using customized rules like these:

Code:
FEATURE(`dnsbl', `virbl.dnsbl.bit.nl', `"550 5.7.1 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by VIRBL.DNSBL.BIT.NL virus/worm infection dnsbl (http://virbl.bit.nl/)"', `')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by ZEN.SPAMHAUS.ORG PBL dynamic/residential ip dnsbl (http://www.spamhaus.org/PBL/)"', `', `127.0.0.10.', `127.0.0.11.')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by ZEN.SPAMHAUS.ORG XBL spam exploits dnsbl (http://www.spamhaus.org/XBL/)"', `', `127.0.0.4.', `127.0.0.5.', `127.0.0.6.', `127.0.0.7.', `127.0.0.8.')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"550 5.7.1 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by LIST.DSBL.ORG insecure server dnsbl (http://dsbl.org/listing?"$&{client_addr}")"', `')dnl
FEATURE(`enhdnsbl', `zen.spamhaus.org', `"550 5.7.1 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by ZEN.SPAMHAUS.ORG SBL spam sources dnsbl (http://www.spamhaus.org/SBL/)"', `', `127.0.0.2.')dnl
FEATURE(`enhdnsbl', `dnsbl.njabl.org', `"550 5.7.1 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by DNSBL.NJABL.ORG spam sources dnsbl (http://dnsbl.njabl.org/cgi-bin/lookup.cgi?query="$&{client_addr}")"', `', `127.0.0.4.')dnl
FEATURE(`enhdnsbl', `dnsbl.njabl.org', `"550 5.7.1 ACCESS DENIED to <"$&f"> thru "$&{client_name}" by DNSBL.NJABL.ORG open relay dnsbl (http://dnsbl.njabl.org/cgi-bin/lookup.cgi?query="$&{client_addr}")"', `', `127.0.0.2.')dnl
 
trev said:
zen.spamhaus.org
combined.njabl.org

I suspect my sendmail mail relay domain regex claims all the spam before it gets to the DNSRBL lookup which is why they're hardly worth it.

Here's the regex:

Code:
Ktestrelay regex -a@MATCH (^[0-9]*[.][0-9]*[.][0-9]*[.][0-9]*[.]|[0-9]{1,3}-[0-9]{3,10}\.|^[0-9]*[-][0-9]*[-.][0-9a-z]|^[0-9]{1,7}hfc[0-9]{1,3}[-.]|[0-9]{5,13}[-.][0-9]{5,13}[-.]|-[0-9]{1,3}-[0-9]{1,3}\.|[0-9]{12}[-.]|^[a-z][-0-9]{3,8}[-.][a-z][-0-9]{3,6}[-.]|[a-z]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}|[0-9]{1,3}[a-z]-[a-z][0-9]{1,3}-[a-z][0-9]{1,3}\.|^[ip][cd][0-9]{1,8}\.|\.acc[0-9]{2}-[a-z]{4}-[a-z]{3}\.|[-.]*[asx]{0,1}dsl[-.]*[0-9]{0,3}|^ip[0-9]{1,3}\.|^d[0-9]{3,6}[-.]|^ip[0-9]{1,6}[a-z][0-9][-.]|\.bb\.|\.bredband\.|[-.]broadband[0-9]{0,3}[-.]|[-.]cable[-.]|\.catv[0-9]*\.|cgi[0-9]{1,3}-|^cliente-|\.client[0-9]*\.|^cm[0-9]{4,6}[-.]|[-.]{0,1}cpe[-.]|^cp[0-9]{1,7}-|\.cust\.|\.customer\.|^cust[-0-9]*\.|\.dclient\.|[-.]dial[-.]*[upin]{0,2}[-.]*|[-.]*dhcp[0-9]*[-.]|\.dr\.|dslpool|[-.]*dynamic[IP]*[-.]|\.dip[0-9]*[-.]|\.dyn[0-9]*[-.]|^dyn[-.]|^h[o]*st-|^host[0-9]{1,9}[-.]|-host-[0-9]{1,3}-[0-9]{1,3}[-.]|^i[0-9a-f]{7,8}[-.]|[-.]ip[-.]|[-.]in-addr[-.]|^modemcable|net[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}\.|\.net[0-9]{3}\.|\.ns\.|^pc-[0-9]{1,3}-|^ppp-|\.ppp\.|^ppp[0-9]{0,3}[-.]|[-.]ppp[0-9]{6}[-.]|[-.]personal[-.]|[-.]pool[es]{0,2}[-.]|[-.]pool[0-9]{1,5}[-.]|^port[0-9]{1,4}|\.ptr\.|pppo[ae]-|\.pppo[ae]\.|\.pppool\.|-p[0-9]{2,3}[-.]|\.range[0-9]{1,3}-[0-9]{1,3}\.|\.rev\.|\.reverse\.|^rtc[0-9]{1,3}-[0-9]{1,3}\.|^[0-9]{1,3}sdl[0-9]|\.static\.|^user[0-9]*[-.]|[-.]us[e]{0,1}r[-.]|^[a-z]{1,2}[0-9]{1,2}[-.][0-9]{1,3}[-.]|\.[a-z]{3,6}\.adelphia|\.[a-z]{3}\.bellsouth|\.[a-z]{4}\.cox-internet|\.[a-z]{2}\.comcast|\.[a-z]{2}\.charter|\.[a-z]{4}\.qwest|\.[a-z][a-z]\.shawcable|\.[a-z]{3}\.wideopenwest|\.upc-[a-z]\.chello|^udp[0-9]{1,8}uds\.)
:)

Can this regex be used with Postfix too, or does it only work written like that for sendmail? This might be a stupid question, but I never studied regex syntax.
 
Interestingly no one mentions dspam. Any reason for that?

Also: any Bayesian filter will have to be trained; dspam and SpamAssassin both fall in this category.
 
Postfix + SpamAssassin + rules_du_jour has always worked well for me. Currently looking at a dspam + qmail implementation though; will report results (if I remember).
 
hydra said:
trev, you are the regex master :)

That's what happens when you spend your days doing automated mass text conversion of legislation with sed and purpose-written C filters using the regex(3) library.

The sendmail macro is pretty simple in comparison if you break it down pattern by pattern; it's just grown incrementally over the last 5 or so years with a few spring cleans to collapse patterns :)

[@ Bloodhound: Sorry, no idea about Postfix.]
 
Well, at the moment my final solution is the following. It is just in test mode for a domain (an old company domain not really used anymore) with about 10 mail accounts left and about 400-1000 spams/day.

Code:
                smtpd_helo_restrictions =
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    # check_helo_access
                    # hash:/usr/local/etc/postfix/helo_access
                    reject_non_fqdn_hostname,
                    reject_invalid_hostname

At least 5%-10% of the spam seems to die at the HELO stage.

RBL checks:

Code:
                reject_rbl_client list.dsbl.org,
                reject_rbl_client bl.spamcop.net,
                reject_rbl_client sbl-xbl.spamhaus.org,
                reject_rbl_client rbl.maps.vix.com,
                reject_rbl_client dnsbl.sorbs.net,
                reject_rbl_client rhsbl.sorbs.net,
                reject_rbl_client dnsbl.njabl.org,
                reject_rbl_client cbl.abuseat.org

About 20% of the spam died here.

Then SPF - really useful if you do not want to get spammed from x@mydomain.com or HELO mydomain.com and the like.

Killed some with a "You are not me, go die" message :)

Then greylist (some domains will be whitelisted of course).
Well, it seems that the rest died here.

Then Maia (amavisd + SpamAssassin + clamav) - I am testing Maia since I might be able to convince the people on my network to actually click on a few buttons and mark spam/not spam.

Nothing got here yet except for legitimate mail and 1 badly formatted one.

This has been going on for about 2 days now... I want to test some more in order to see if it is good or not before I move the official domain to the server.

Best of luck (fingers crossed)
 
I only suggest using smtpd_recipient_restrictions (not any smtpd_client_restrictions, smtpd_helo_restrictions or smtpd_sender_restrictions). The reason is that smtpd_recipient_restrictions logs the sender and the recipient (along with the IP and HELO/EHLO), so if some legal mail is accidentally blocked, you can always check in the logs. With smtpd_helo_restrictions you only see the IP address and the HELO/EHLO string; you cannot determine who the mail was aimed at (unless you have smtpd_delay_reject set).

I also recommend using URIBL in amavisd-new. Read more here:
http://www.spamhaus.org/whitepapers/effective_filtering.html
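As an added example (not code from anyone in this thread), here is a small Python parser for Postfix smtpd reject lines, run over constructed sample log lines in the standard "NOQUEUE: reject:" format. It tallies rejections per cause (which DNSBL, HELO check, greylisting) and flags the rejects that carry no from=/to= because the client was refused at HELO rather than at RCPT TO, which is exactly the logging gap described above.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd log format (not taken from the thread).
SAMPLE_LOG = """\
Jan 12 10:01:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using zen.spamhaus.org; from=<bulk@example.net> to=<alice@example.com> proto=ESMTP helo=<example.net>
Jan 12 10:01:05 mx postfix/smtpd[1234]: NOQUEUE: reject: HELO from unknown[192.0.2.11]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<localhost>
Jan 12 10:01:09 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 450 4.2.0 <bob@example.com>: Recipient address rejected: Greylisted; from=<news@example.org> to=<bob@example.com> proto=ESMTP helo=<mail.example.org>
Jan 12 10:01:12 mx postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<bulk@example.net> to=<carol@example.com> proto=ESMTP helo=<example.net>
"""

# stage is the SMTP command at which Postfix rejected (HELO, MAIL, RCPT, ...);
# from=/to= are only present when the reject happened at RCPT time.
REJECT_RE = re.compile(
    r"NOQUEUE: reject: (?P<stage>\w+) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*?); (?:from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> )?"
    r"proto=\S+ helo=<(?P<helo>[^>]*)>"
)
DNSBL_RE = re.compile(r"blocked using (\S+)")

def parse_reject(line):
    """Return a dict for a reject line, or None for any other log line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    dnsbl = DNSBL_RE.search(rec["reason"])
    # Classify the reject: named DNSBL, HELO check, greylist, or other.
    if dnsbl:
        rec["cause"] = "dnsbl:" + dnsbl.group(1)
    elif "Helo command rejected" in rec["reason"]:
        rec["cause"] = "helo"
    elif "Greylisted" in rec["reason"]:
        rec["cause"] = "greylist"
    else:
        rec["cause"] = "other"
    return rec

def summarize(log_text):
    """Count rejects per cause and list those with no sender/recipient recorded."""
    causes = Counter()
    untraceable = []  # rejects you could not tie back to a sender/recipient pair
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec is None:
            continue
        causes[rec["cause"]] += 1
        if rec["sender"] is None:
            untraceable.append((rec["stage"], rec["ip"], rec["helo"]))
    return causes, untraceable
```

Running summarize() over a day's mail log gives the per-stage kill counts the thread discusses, and the untraceable list shows which rejects you could not investigate for a false positive.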
 