John Heim wrote:
----- Original Message ----- From: "Jorey Bump" <[EMAIL PROTECTED]>
Don't rely solely on SpamAssassin. There are other techniques that are
less expensive and can eliminate obvious spam with virtually no false
positives (and others that may have an acceptable level of false
positives, though YMMV).
Note, however, that there may be equivalents available in
SpamAssassin, where you can tweak the scores to a degree you find
acceptable. If you already have the hardware to run SA in a
before-queue filter, this may be worth investigating. On the other
hand, if you're under heavy load, the other techniques can help reduce
SA's overhead.
In setting up the pre-queue spam filter, I followed the instructions here:
http://www.postfix.org/SMTPD_PROXY_README.html
What are you using as your smtpd_proxy_filter? Seems it could
do better...
ISTM that "reject_rbl_client zen.spamhaus.org" will reject
about 50% of spam all by itself with very low probability of
false positives. Spamhaus is not free for everyone, check
their usage policy:
http://www.spamhaus.org/organization/dnsblusage.html
This list is good enough that I would recommend buying their
service if you don't qualify for the free deal.
Some free access RBLs to consider are cbl.abuseat.org
(excellent; included in zen.spamhaus.org so don't bother using
them both), bl.spamcop.net (used to have too many false
positives, but seems better now), and dul.dnsbl.sorbs.net
(possibly some real MTAs running on dynamic IPs listed).
Check their web sites for listing policy.
"reject_unknown_reverse_client_hostname" may be safe for you
to use. Use it with warn_if_reject for a while to see what
would be rejected by this rule.
Also safe is a check_helo_access map that rejects your own
domain or a bare IP address. Make sure to put this somewhere
after permit_mynetworks, permit_sasl_authenticated.
--
Noel Jones
