> On Apr 28, 2015, at 12:33 PM, Marius Gologan <marius.golo...@gmail.com> wrote: > > Shared DNS as Google's 8.8.8.8 is not accepted by some RBLs such as > spamhaus. They have an ACL in place. > You will lose about 2 points from Spam scoring when you use a public DNS > causing some spam to pass.
Thank you Marius! I did not know that using Google's DNS would reduce or remove the points scoring for postscreen RBLs. I now see this small blurb on the spamhaus faq: <http://www.spamhaus.org/faq/section/DNSBL%20Usage#261> This is likely a huge contributor to our spam increase since spamhaus return a "not listed" when using a public DNS. > Spamassassin (SA) uses many RBL services checking Domain & IP of the Sender; > Domains, IPs and Name Servers in URLs. One email may generate even more than > 10 RBL queries. Due that, SA has a protection in order to prevent flooding > those service providers. You may consider reducing the amavis throttle from > Postfix's master.cf, by reducing the no of processes. > In addition, network tests such as Pyzor, Razor2 and DCC require these ports > to be opened: out 6277 UDP - DCC service, out 2703 TCP - Razor2 service, out > 24441 UDP - Pyzor service. Do most who use postfix/amavisd-new/spamassassin also use shared services like pyzor? > I heard many saying that Spamassassin is weak, while they don't understand > how it works. > > Bottom line, a machine with 2 GB of RAM can easily handle 10k-15k messages a > day. Good info to hear. Thanks, -Terry > -----Original Message----- > From: Terry Barnum [mailto:te...@dop.com] > Sent: Tuesday, April 28, 2015 8:04 PM > To: Marius Gologan > Cc: postfix users > Subject: Re: spam fighting > > >> On Apr 28, 2015, at 1:47 AM, Marius Gologan <marius.golo...@gmail.com> > wrote: >> >> Hi Terry, >> >> I use amavisd-new/spamassassin in post-queue configuration with few >> adjustments: increased score for SPF_FAIL, DKIM_ADSP_DISCARD, Bayes_80, >> Bayes_95, Bayes_99, Bayes_999 and few others. >> Local DNS server - critical for RBL queries. >> As for postscreen, I preffer "postscreen_greet_action = enforce" only > which >> doesn't require the client to retry (as opposite to greylist behavior), >> while is pretty effective against bots. >> >> Marius. > > Thank you for the reply Marius. Do the RBL queries from > amavisd-new/spamassassin require a local DNS because they're more resource > intensive than postscreen_dnsbl_sites or reject_rhsbl_* queries? > > I've received 16 UCE emails in the last hour--weight loss, wrinkle creams, > bird feeders, pharmacies. More pointers (favorite postfix techniques and/or > add-ons, sites to read, etc.) from those who've been successful in reducing > spam load are greatly appreciated. > > Thanks, > -Terry > >> -----Original Message----- >> From: owner-postfix-us...@postfix.org >> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Terry Barnum >> Sent: Tuesday, April 28, 2015 1:15 AM >> To: postfix users >> Subject: spam fighting >> >> We've been using postscreen and dspam for quite some time but in the past >> couple months more spam is making it through. I realize there's no >> one-size-fits-all approach but because dspam isn't actively developed >> anymore I've started looking around and am curious what others are using. > Is >> amavisd-new/spamassassin the preferred solution? My company is small with >> <30 users. >> >> Perhaps my postscreen settings could be improved? postscreen_access.cidr > is >> a small file with 4 entries to whitelist customers that aren't implicated > in >> the increase in spam. >> >> $ postconf -n >> broken_sasl_auth_clients = yes >> command_directory = /opt/local/sbin >> daemon_directory = /opt/local/libexec/postfix >> data_directory = /opt/local/var/lib/postfix >> debugger_command = >> PATH=/opt/local/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd >> $daemon_directory/$process_name $process_id & sleep 5 >> default_privs = nobody >> delay_warning_time = 4h >> dovecot_destination_recipient_limit = 1 >> dspam-lmtp_destination_recipient_limit = 1 >> home_mailbox = Maildir/ >> html_directory = no >> inet_protocols = ipv4 >> mail_owner = _postfix >> mailq_path = /opt/local/bin/mailq >> manpage_directory = /opt/local/share/man >> message_size_limit = 51200000 >> mydestination = $myhostname, localhost.$mydomain, localhost >> myhostname = mailbox.dop.com >> mynetworks = 192.168.0.0/23, 127.0.0.0/8 >> myorigin = $mydomain >> newaliases_path = /opt/local/bin/newaliases >> postscreen_access_list = permit_mynetworks, >> cidr:/opt/local/etc/postfix/postscreen_access.cidr >> postscreen_bare_newline_action = enforce >> postscreen_bare_newline_enable = yes >> postscreen_blacklist_action = drop >> postscreen_dnsbl_action = enforce >> postscreen_dnsbl_sites = >> b.barracudacentral.org=127.0.0.2*7 >> dnsbl.inps.de=127.0.0.2*7 >> bl.mailspike.net=127.0.0.2*5 >> bl.mailspike.net=127.0.0.[10;11;12]*4 >> dnsbl.sorbs.net=127.0.0.10*8 >> dnsbl.sorbs.net=127.0.0.5*6 >> dnsbl.sorbs.net=127.0.0.7*3 >> dnsbl.sorbs.net=127.0.0.8*2 >> dnsbl.sorbs.net=127.0.0.6*2 >> dnsbl.sorbs.net=127.0.0.9*2 >> zen.spamhaus.org=127.0.0.[10;11]*8 >> zen.spamhaus.org=127.0.0.[4..7]*6 >> zen.spamhaus.org=127.0.0.3*4 >> zen.spamhaus.org=127.0.0.2*3 >> hostkarma.junkemailfilter.com=127.0.0.2*3 >> hostkarma.junkemailfilter.com=127.0.0.4*1 >> hostkarma.junkemailfilter.com=127.0.1.2*1 >> wl.mailspike.net=127.0.0.[18;19;20]*-2 >> list.dnswl.org=127.0.[0..255].0*-2 >> list.dnswl.org=127.0.[0..255].1*-3 >> list.dnswl.org=127.0.[0..255].2*-4 >> list.dnswl.org=127.0.[0..255].3*-5 >> hostkarma.junkemailfilter.com=127.0.0.1*-2 >> postscreen_dnsbl_threshold = 3 >> postscreen_dnsbl_ttl = 5m >> postscreen_greet_action = enforce >> postscreen_non_smtp_command_enable = yes >> postscreen_pipelining_action = enforce >> postscreen_pipelining_enable = yes >> proxy_interfaces = 70.167.15.110 >> queue_directory = /opt/local/var/spool/postfix >> readme_directory = /opt/local/share/postfix/readme >> sample_directory = /opt/local/share/postfix/sample >> sendmail_path = /opt/local/sbin/sendmail >> setgid_group = _postdrop >> smtpd_banner = $myhostname ESMTP $mail_name >> smtpd_helo_required = yes >> smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, >> reject_non_fqdn_helo_hostname >> smtpd_recipient_restrictions = >> permit_mynetworks, >> permit_sasl_authenticated, >> reject_non_fqdn_sender, >> reject_non_fqdn_recipient, >> reject_unknown_sender_domain, >> reject_unknown_recipient_domain, >> reject_unauth_pipelining, >> reject_unauth_destination, >> reject_unlisted_recipient, >> check_recipient_access pcre:/opt/local/etc/postfix/recipient_checks.pcre, >> check_helo_access hash:/opt/local/etc/postfix/helo_checks, >> check_sender_access hash:/opt/local/etc/postfix/sender_checks, >> check_client_access hash:/opt/local/etc/postfix/client_checks, >> check_client_access pcre:/opt/local/etc/postfix/fqrdns.pcre, >> reject_rhsbl_client dbl.spamhaus.org, >> reject_rhsbl_sender dbl.spamhaus.org, >> reject_rhsbl_helo dbl.spamhaus.org, >> check_client_access pcre:/opt/local/etc/postfix/dspam_filter_access >> smtpd_reject_unlisted_sender = yes >> smtpd_sasl_auth_enable = yes >> smtpd_sasl_local_domain = $myhostname >> smtpd_sasl_path = private/auth >> smtpd_sasl_security_options = noanonymous >> smtpd_sasl_type = dovecot >> smtpd_sender_restrictions = permit_mynetworks, reject_unknown_address >> smtpd_tls_auth_only = yes >> smtpd_tls_cert_file = /opt/local/etc/postfix/ssl/certs/postfix.cert >> smtpd_tls_key_file = /opt/local/etc/postfix/ssl/private/postfix.key >> smtpd_tls_loglevel = 1 >> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 >> smtpd_tls_security_level = may >> smtpd_tls_session_cache_database = >> btree:/opt/local/var/lib/postfix/smtpd_tls_cache >> smtpd_tls_session_cache_timeout = 3600s >> tls_random_source = dev:/dev/urandom >> transport_maps = hash:/opt/local/etc/postfix/transport >> unknown_local_recipient_reject_code = 550 >> vacation_destination_recipient_limit = 1 >> virtual_alias_maps = >> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_alias_maps.cf >> virtual_gid_maps = static:_vmail >> virtual_mailbox_base = /Volumes/mail/vmail/ >> virtual_mailbox_domains = >> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_domains.cf >> virtual_mailbox_maps = >> proxy:mysql:/opt/local/etc/postfix/mysql_virtual_mailbox_maps.cf >> virtual_minimum_uid = _vmail >> virtual_transport = dovecot >> virtual_uid_maps = static:_vmail >> >> Thanks, >> -Terry >> >> Terry Barnum >> digital OutPost >> http://www.dop.com >> >> >> > > Terry Barnum > digital OutPost > http://www.dop.com > > > Terry Barnum digital OutPost http://www.dop.com
