Awesome, thanks for everyone's advice.
On 12/25/14 7:19 PM, li...@rhsoft.net wrote:
oh and don't forget URIBL scores for SpamAssassin
URIBL_BLACK has a zero-false-positive policy
as said, sapmass-milter runs with block above 8.0 here and the default
max-message size which is scanned is *way* too low, spammers know that
/usr/sbin/spamass-milter -p /run/spamass-milter/spamass-milter.sock -g
sa-milt -r 8.0 -- -s 5242880 --port=10028
score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 4.5
score URIBL_MW_SURBL 5.0
score URIBL_PH_SURBL 5.0
score URIBL_WS_SURBL 3.5
score URIBL_SC_SURBL 0.5
score URIBL_SBL 1.5
score URIBL_SBL_A 1.5
score URIBL_DBL_SPAM 3.0
score URIBL_DBL_BOTNETCC 3.0
score URIBL_DBL_PHISH 3.5
score URIBL_DBL_MALWARE 3.5
score URIBL_DBL_ABUSE_SPAM 3.0
score URIBL_DBL_ABUSE_BOTCC 3.0
score URIBL_DBL_ABUSE_PHISH 5.0
score URIBL_DBL_ABUSE_MALW 5.0
score URIBL_BLACK 7.0
score URIBL_GREY 0.5
score URIBL_RED 0.5
score URIBL_DBL_REDIR 0.1
score URIBL_DBL_ABUSE_REDIR 0.3
score URIBL_BLOCKED 0
score URIBL_DBL_ERROR 0
score URI_PHISH 3.5
score URI_TRY_3LD 0.5
score URI_WP_HACKED 3.5
Am 26.12.2014 um 03:15 schrieb li...@rhsoft.net:
make them hate you by more aggresive RBL scoring and *slow down them* as
well as consider a manual trained global bayes with at least 1000 ham
and 1000 spam messages
* find common tags in the maillog
* adjust scores in SA local.cf for them
* adjust the scores for bayes after it si well trained
* consider global hashing services like IXHASH for SpamAssassin
* whatever you setup - be careful about non-scored decisions
our incoming spam *attempts* dopped down from 293 per minute to 20 per
minute and even the last two days the highest peak was 50 per minute and
we are talking here about rejections before the SA milter
below some key configs of our inbound-only filter, i avoid detail
configs because i am happy about some common senders, HELO's and a lot
of PTR's catched with regex and would like them not to change by
bot-developers monitoring public mailing lists :-)
since i trust my bayes with 15000 hand-trained messages that's the
scoring in context of 8.0 = milter reject
# adjust bayes scoring
ifplugin Mail::SpamAssassin::Plugin::Bayes
score BAYES_00 -3.5
score BAYES_05 -1.5
score BAYES_20 -0.5
score BAYES_40 -0.2
score BAYES_50 2.5
score BAYES_60 3.0
score BAYES_80 5.0
score BAYES_95 6.5
score BAYES_99 7.5
score BAYES_999 0.4
endif
here some real numbers of the current month
Connections: 210100
Delivered: 58351
Blocked: 151749
Invalid User: 6639
Disallowed User: 11
Reject Postscreen: 121348
Reject Postfix: 14346
Reject Milter: 5263
Reject Temporary: 3706
Blacklist: 113766
Pregreet: 15197
Hangup: 50176
Protocol Error: 3876
Illegal Syntax: 8
SpamAssassin: 5158
Virus: 99
Helo: 1669
Subject: 241
Attachment: 13
Sender Regex: 297
Sender Blocked: 573
Sender Verify: 15
Sender Invalid: 1888
Sender Spoofed: 14
Sender Parked: 21
PTR Missing: 1592
PTR Generic: 970
SPF: 569
______________________________________________________________
bots don't like to wait, that's 5 seoconds penalty even after somebody
passed postscreen until the server is under load or the client is on any
DNSWL
smtpd_client_restrictions =
reject_unlisted_recipient
permit_dnswl_client list.dnswl.org
permit_dnswl_client wl.mailspike.net
permit_dnswl_client iadb.isipp.com
permit_dnswl_client sa-accredit.habeas.com
permit_dnswl_client dnswl.inps.de
permit_dnswl_client swl.spamhaus.org
permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
${stress?sleep 0}${stress: sleep 5}
______________________________________________________________
some ideas for a restriction order, the thoughts behind the config files
should be clear by their names
smtpd_recipient_restrictions =
reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unauth_destination
reject_unlisted_recipient
check_helo_access regexp:/etc/postfix/blacklist_helo_uncond.cf
reject_non_fqdn_helo_hostname
reject_invalid_helo_hostname
reject_unknown_sender_domain
check_recipient_access hash:/etc/postfix/blacklist_rcpt.cf
check_sender_access hash:/etc/postfix/whitelist_sender.cf
check_sender_access hash:/etc/postfix/blacklist_sender.cf
check_sender_access hash:/etc/postfix/spoofing_protection.cf
check_sender_access regexp:/etc/postfix/blacklist_sender_regex.cf
reject_unknown_reverse_client_hostname
check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
check_policy_service unix:private/spf-policy
check_recipient_access hash:/etc/postfix/skip_ptr_check.cf
permit_dnswl_client wl.mailspike.net
permit_dnswl_client list.dnswl.org
permit_dnswl_client iadb.isipp.com
permit_dnswl_client sa-accredit.habeas.com
permit_dnswl_client dnswl.inps.de
permit_dnswl_client swl.spamhaus.org
permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
check_helo_access regexp:/etc/postfix/blacklist_helo.cf
check_reverse_client_hostname_access
regexp:/etc/postfix/generic_ptr.cf
reject_unverified_sender
______________________________________________________________
lower the RBL TTL of postscreen to catch new blacklisted clients faster
and consider setup a unbound dns-cache on localhost with tuned caching
the min-TTL lowers the network costs for DNSBL/DNSWL with a very low
origin TTL after postscreen as well a prevents exceed limits of some
lists
cache-min-ttl: 270
cache-max-ttl: 7200
postscreen can be much more aggressive by slow down new clients for 10
seconds, use a lot of more RBL's but back them up also with DNSWL to
avoid false positives and i have not seen any FP with that setup, look
also at the spamassassin config and consider raise up the scores for
RBL's to give more penalty if as example someone is on the barracuda RBL
but you really don't want to reject because any single RBL
postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?3}${stress:10}s
postscreen_dnsbl_sites =
dnsbl.sorbs.net=127.0.0.10*8
zen.spamhaus.org=127.0.0.[10;11]*8
b.barracudacentral.org=127.0.0.2*7
dnsbl.inps.de=127.0.0.2*7
dnsbl.sorbs.net=127.0.0.5*7
zen.spamhaus.org=127.0.0.[4..7]*7
zen.spamhaus.org=127.0.0.3*5
bl.mailspike.net=127.0.0.2*5
bl.mailspike.net=127.0.0.[10;11;12]*4
bl.spamcop.net=127.0.0.2*4
bl.spameatingmonkey.net=127.0.0.[2;3]*4
dnsrbl.swinog.ch=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
dnsbl.sorbs.net=127.0.0.7*3
dnsbl.sorbs.net=127.0.0.8*2
dnsbl.sorbs.net=127.0.0.6*2
dnsbl.sorbs.net=127.0.0.9*2
wl.mailspike.net=127.0.0.[18;19;20]*-2
list.dnswl.org=127.0.[0..255].0*-2
list.dnswl.org=127.0.[0..255].1*-3
list.dnswl.org=127.0.[0..255].2*-4
list.dnswl.org=127.0.[0..255].3*-5
Am 25.12.2014 um 23:24 schrieb Asai:
We have a real spam problem for some users, and this seems to be really
tough spam to block. I have postscreen set up which blocks a lot of
spam, of the spam that does get through, Spamassassin catches about 200
spams a day, but we have about a dozen users that get 20 - 30 spams a
day, so I ask if anyone can give me some advice about my configs here.
This is what I have had thus far, postscreen's deep protocol tests have
been turned on a turned off at different times due to troubleshooting a
particular user's iPhone connection, and they are off at this time:
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2;3;4;5;6;7]*4
#l2.apews.org*3, ##I've used this with variable successs
dbl.spamhaus.org*2
cbl.abuseat.org*2
zen.spamhaus.org*1
bl.spamcop.net*1
b.barracudacentral.org*1
bl.spameatingmonkey.net*1
dnsbl.sorbs.net*1
psbl.surriel.com
bl.mailspike.net
zen.spamhaus.org=127.0.0.11*-3
swl.spamhaus.org*-5
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = drop
postscreen_greet_banner =
postscreen_greet_action = drop
I'm wondering about turning this back on under
smtpd_recipient_restrictions which has been turned off since I started
using postscreen:
smtpd_recipient_restrictions = permit_mynetworks,
...
reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org,
reject_rhsbl_sender dbl.spamhaus.org,
reject_rhsbl_sender rhsbl.sorbs.net,
permit
I would be grateful for any advice here and if anyone could share their
experience
--
--asai
