To be more specific about using a notorious DNS such as Google's
8.8.8.8(4.4):
When many use that DNS for RBL, Google queries the RBL from different IP
pools (IPv4 and IPv6) and not from 8.8.8.8(4.4) as some might think.
As a result, the popular provider has the "feeling" of a constant DNS DDoS
attack from those IP pools.

-----Original Message-----
From: Marius Gologan [mailto:marius.golo...@gmail.com] 
Sent: Tuesday, April 28, 2015 10:34 PM
To: 'Terry Barnum'
Cc: 'postfix users'
Subject: RE: spam fighting

Shared DNS such as Google's 8.8.8.8 is not accepted by some RBLs such as
Spamhaus. They have an ACL in place.
You will lose about 2 points from spam scoring when you use a public DNS,
causing some spam to pass.

SpamAssassin (SA) uses many RBL services, checking the domain and IP of the
sender and the domains, IPs and name servers in URLs. One email may generate
even more than 10 RBL queries. Because of that, SA has a protection in order
to prevent flooding those service providers. You may consider reducing the
amavis throttle from Postfix's master.cf, by reducing the number of processes.
In addition, network tests such as Pyzor, Razor2 and DCC require these ports
to be open: out 6277 UDP - DCC service, out 2703 TCP - Razor2 service, out
24441 UDP - Pyzor service.

I heard many saying that Spamassassin is weak, while they don't understand
how it works.

Bottom line, a machine with 2 GB of RAM can easily handle 10k-15k messages a
day.

-----Original Message-----
From: Terry Barnum [mailto:te...@dop.com] 
Sent: Tuesday, April 28, 2015 8:04 PM
To: Marius Gologan
Cc: postfix users
Subject: Re: spam fighting


> On Apr 28, 2015, at 1:47 AM, Marius Gologan <marius.golo...@gmail.com> wrote:
> 
> Hi Terry,
> 
> I use amavisd-new/spamassassin in post-queue configuration with few
> adjustments: increased score for SPF_FAIL, DKIM_ADSP_DISCARD, Bayes_80,
> Bayes_95, Bayes_99, Bayes_999 and few others.
> Local DNS server - critical for RBL queries.
> As for postscreen, I prefer "postscreen_greet_action = enforce" only, which
> doesn't require the client to retry (as opposed to greylist behavior),
> while it is pretty effective against bots.
> 
> Marius.

Thank you for the reply Marius. Do the RBL queries from
amavisd-new/spamassassin require a local DNS because they're more resource
intensive than postscreen_dnsbl_sites or reject_rhsbl_* queries?

I've received 16 UCE emails in the last hour--weight loss, wrinkle creams,
bird feeders, pharmacies. More pointers (favorite postfix techniques and/or
add-ons, sites to read, etc.) from those who've been successful in reducing
spam load are greatly appreciated.

Thanks,
-Terry

> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Barnum
> Sent: Tuesday, April 28, 2015 1:15 AM
> To: postfix users
> Subject: spam fighting
> 
> We've been using postscreen and dspam for quite some time but in the past
> couple months more spam is making it through. I realize there's no
> one-size-fits-all approach but because dspam isn't actively developed
> anymore I've started looking around and am curious what others are using. Is
> amavisd-new/spamassassin the preferred solution? My company is small with
> <30 users.
> 
> Perhaps my postscreen settings could be improved? postscreen_access.cidr is
> a small file with 4 entries to whitelist customers that aren't implicated in
> the increase in spam.
> 
> $ postconf -n
> broken_sasl_auth_clients = yes
> command_directory = /opt/local/sbin
> daemon_directory = /opt/local/libexec/postfix
> data_directory = /opt/local/var/lib/postfix
> debugger_command =
> PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
> $daemon_directory/$process_name $process_id & sleep 5
> default_privs = nobody
> delay_warning_time = 4h
> dovecot_destination_recipient_limit = 1
> dspam-lmtp_destination_recipient_limit = 1
> home_mailbox = Maildir/
> html_directory = no
> inet_protocols = ipv4
> mail_owner = _postfix
> mailq_path = /opt/local/bin/mailq
> manpage_directory = /opt/local/share/man
> message_size_limit = 51200000
> mydestination = $myhostname, localhost.$mydomain, localhost
> myhostname = mailbox.dop.com
> mynetworks = 192.168.0.0/23, 127.0.0.0/8
> myorigin = $mydomain
> newaliases_path = /opt/local/bin/newaliases
> postscreen_access_list = permit_mynetworks,
> cidr:/opt/local/etc/postfix/postscreen_access.cidr
> postscreen_bare_newline_action = enforce
> postscreen_bare_newline_enable = yes
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = 
> b.barracudacentral.org=127.0.0.2*7 
> dnsbl.inps.de=127.0.0.2*7 
> bl.mailspike.net=127.0.0.2*5 
> bl.mailspike.net=127.0.0.[10;11;12]*4 
> dnsbl.sorbs.net=127.0.0.10*8 
> dnsbl.sorbs.net=127.0.0.5*6 
> dnsbl.sorbs.net=127.0.0.7*3 
> dnsbl.sorbs.net=127.0.0.8*2 
> dnsbl.sorbs.net=127.0.0.6*2 
> dnsbl.sorbs.net=127.0.0.9*2 
> zen.spamhaus.org=127.0.0.[10;11]*8 
> zen.spamhaus.org=127.0.0.[4..7]*6 
> zen.spamhaus.org=127.0.0.3*4 
> zen.spamhaus.org=127.0.0.2*3 
> hostkarma.junkemailfilter.com=127.0.0.2*3 
> hostkarma.junkemailfilter.com=127.0.0.4*1 
> hostkarma.junkemailfilter.com=127.0.1.2*1 
> wl.mailspike.net=127.0.0.[18;19;20]*-2 
> list.dnswl.org=127.0.[0..255].0*-2 
> list.dnswl.org=127.0.[0..255].1*-3 
> list.dnswl.org=127.0.[0..255].2*-4 
> list.dnswl.org=127.0.[0..255].3*-5 
> hostkarma.junkemailfilter.com=127.0.0.1*-2
> postscreen_dnsbl_threshold = 3
> postscreen_dnsbl_ttl = 5m
> postscreen_greet_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_pipelining_action = enforce
> postscreen_pipelining_enable = yes
> proxy_interfaces = 70.167.15.110
> queue_directory = /opt/local/var/spool/postfix
> readme_directory = /opt/local/share/postfix/readme
> sample_directory = /opt/local/share/postfix/sample
> sendmail_path = /opt/local/sbin/sendmail
> setgid_group = _postdrop
> smtpd_banner = $myhostname ESMTP $mail_name
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
> reject_non_fqdn_helo_hostname
> smtpd_recipient_restrictions = 
> permit_mynetworks,
> permit_sasl_authenticated, 
> reject_non_fqdn_sender, 
> reject_non_fqdn_recipient, 
> reject_unknown_sender_domain, 
> reject_unknown_recipient_domain, 
> reject_unauth_pipelining, 
> reject_unauth_destination, 
> reject_unlisted_recipient, 
> check_recipient_access pcre:/opt/local/etc/postfix/recipient_checks.pcre, 
> check_helo_access hash:/opt/local/etc/postfix/helo_checks, 
> check_sender_access hash:/opt/local/etc/postfix/sender_checks, 
> check_client_access hash:/opt/local/etc/postfix/client_checks, 
> check_client_access pcre:/opt/local/etc/postfix/fqrdns.pcre, 
> reject_rhsbl_client dbl.spamhaus.org, 
> reject_rhsbl_sender dbl.spamhaus.org, 
> reject_rhsbl_helo dbl.spamhaus.org, 
> check_client_access pcre:/opt/local/etc/postfix/dspam_filter_access
> smtpd_reject_unlisted_sender = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /opt/local/etc/postfix/ssl/certs/postfix.cert
> smtpd_tls_key_file = /opt/local/etc/postfix/ssl/private/postfix.key
> smtpd_tls_loglevel = 1
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database =
> btree:/opt/local/var/lib/postfix/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
> transport_maps = hash:/opt/local/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> vacation_destination_recipient_limit = 1
> virtual_alias_maps =
> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_alias_maps.cf
> virtual_gid_maps = static:_vmail
> virtual_mailbox_base = /Volumes/mail/vmail/
> virtual_mailbox_domains =
> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_domains.cf
> virtual_mailbox_maps =
> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_maps.cf
> virtual_minimum_uid = _vmail
> virtual_transport = dovecot
> virtual_uid_maps = static:_vmail
> 
> Thanks,
> -Terry
> 
> Terry Barnum
> digital OutPost
> http://www.dop.com
> 
> 
> 

Terry Barnum
digital OutPost
http://www.dop.com
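
Added example, not part of the original thread or of Postfix: a small Python model of how the weighted `postscreen_dnsbl_sites` entries quoted above add up against `postscreen_dnsbl_threshold = 3`, and why the same client scores differently when the lookups go through a public resolver. The reply data is constructed, and the `127.255.255.254` value is an assumption taken from Spamhaus's current return-code documentation, not from the thread.

```python
import re

# Subset of the postscreen_dnsbl_sites entries quoted in the thread.
SITES = """
b.barracudacentral.org=127.0.0.2*7
zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3
list.dnswl.org=127.0.[0..255].1*-3
""".split()
THRESHOLD = 3  # postscreen_dnsbl_threshold from the thread

def octet_matches(pattern, value):
    """Match one octet against 'N', '[a;b]' or '[lo..hi]'."""
    for alt in pattern.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def parse_site(entry):
    """Split 'domain=filter*weight' into (domain, octet patterns, weight)."""
    domain, filt, weight = re.fullmatch(r"([^=*]+)=([^*]+)\*(-?\d+)", entry).groups()
    # Bracket groups contain dots, so tokenize instead of splitting on '.'.
    return domain, re.findall(r"\[[^\]]*\]|\d+", filt), int(weight)

def dnsbl_score(replies, sites=SITES):
    """Sum the weights of matching entries; each entry counts at most once."""
    total = 0
    for domain, octets, weight in map(parse_site, sites):
        for addr in replies.get(domain, []):
            if all(map(octet_matches, octets, map(int, addr.split(".")))):
                total += weight
                break
    return total

# Constructed A-record replies for one client, not captured traffic.
VIA_LOCAL = {"zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"]}
# Assumption: 127.255.255.254 is the code Spamhaus now returns to public resolvers.
VIA_PUBLIC = {"zen.spamhaus.org": ["127.255.255.254"]}
LISTED_AND_WHITELISTED = {"b.barracudacentral.org": ["127.0.0.2"],
                          "list.dnswl.org": ["127.0.5.1"]}

if __name__ == "__main__":
    for name, r in [("local", VIA_LOCAL), ("public", VIA_PUBLIC),
                    ("mixed", LISTED_AND_WHITELISTED)]:
        s = dnsbl_score(r)
        print(name, s, "enforce" if s >= THRESHOLD else "pass")
```

Because every Spamhaus entry in the quoted configuration carries an explicit reply filter, a resolver-blocked answer is not mistaken for a listing, but it also contributes nothing, so the remaining lists have to reach the threshold on their own.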


