>> - Enable RBLs and DBLs.  zen.spamhaus.org is the best way to block the
>>    majority of junk before it reaches SA.  Just make sure you are below their
>>    free threshold limit.  One important way to do this is

>"One important way to do this" in terms of the Spamhaus threshold limit
>is to not be such a tightwad and pony up for the Spamhaus commercial
>service.  ;-)

>They do a cheaper version than the RSync feed, you can just query their
>servers directly.

>Spamhaus do a fantastic job.  They deserve charitable donations from
>generous mail sysadmins !!!

We filter a lot of mailboxes and pay Spamhaus several thousands of dollars
each year.

The invaluement.com RBL is very effective and only costs a few hundred
dollars a year.

>> - Enable greylisting.

>Ewww...

>I hate people who operate graylisting.   It's a lazy "tarnish everyone
>with the same brush" approach to anti-spam.

>In this day and age, you don't need it.  Decent network checks, properly
>configured SpamAssassin and you should be able to achieve a very
>respectable spam catching rate.

I respectfully disagree.  I too hated greylisting for years until recently
when I found a way to slowly ease it in for my users who didn't even detect
it.  There is no other way to block brand new spam campaigns from compromised
accounts.  These mail servers normally have a good reputation so they are not
on any RBLs yet.  Greylisting puts a "speed bump" in place so the RBLs have
time to catch up.
Spammers pay "sweat shops" to devise new spam that will get through the major
filters like SA and commercial products as zero-hour spam.  Bayes is often
ineffective against these new campaigns.  When a new spam campaign like this
hits the Internet, the world takes a little while to detect and react to it
so you have to put some kind of buffer like greylisting in place.

I whitelist a lot of major ISPs and known good senders to bypass greylisting
so this only impacts mostly small mail servers that don't have any
compromised account detection.

My company's support team used to get several calls a week about blacklisting
senders that turned out to be compromised accounts but now we might get one
or two every 3 months.  By the time the blacklist entry was added, RBLs had
already been blocking them so I just remove the new entry to keep my lists
clean.

If you have a large mail filtering environment with a lot of very old email
accounts that have become bought and sold on spammer lists, this is a must.
I guess if you are only filtering for a few hundred accounts, you can do a
lot of things differently and be fine.
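
The "speed bump" with an allowlist bypass described in this message, as an added sketch that is not part of the original post or any poster's configuration. The 300-second delay, the /24 keying (IPv4 only), the bypass network and the `rbl_listed` callback are all assumptions made for illustration.

```python
import ipaddress

MIN_DELAY = 300  # assumed: seconds an unknown triplet must wait before retrying
# Constructed allowlist standing in for "major ISPs and known good senders".
BYPASS_NETS = [ipaddress.ip_network("192.0.2.0/24")]


class Greylist:
    def __init__(self, min_delay=MIN_DELAY, bypass=BYPASS_NETS):
        self.min_delay = min_delay
        self.bypass = bypass
        self.first_seen = {}  # triplet -> time of first delivery attempt

    def _key(self, client_ip, mail_from, rcpt_to):
        # Key on the /24 so a retry from a neighbouring pool host still matches.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        return (str(net.network_address), mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now,
              rbl_listed=lambda ip: False):
        """Return the SMTP reply to give at RCPT time.

        rbl_listed is a hypothetical callback standing in for a DNSBL lookup.
        """
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.bypass):
            return "250 bypass"          # allowlisted senders are never delayed
        key = self._key(client_ip, mail_from, rcpt_to)
        first = self.first_seen.setdefault(key, now)
        if now - first < self.min_delay:
            return "451 4.7.1 greylisted, try again later"
        # The delay has passed: the blocklists have had time to catch up,
        # so a sender listed in the meantime is rejected on its retry.
        if rbl_listed(client_ip):
            return "554 5.7.1 listed"
        return "250 ok"
```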
