Hi, On Fri, Jul 7, 2017 at 12:14 PM, David Jones <djo...@ena.com> wrote: > On 07/07/2017 11:04 AM, Charles Amstutz wrote: >> >> Thank you everyone for the suggestions, I will look into it. One thing >> I've noticed is that sometimes it takes a day for any *BL's to pick up some >> of the spam, and by that time, the run could be done. Greylisting isn't an >> option. It sometimes feels like always reactive vs pro-active in filtering. >> For example, I try to block the old runs of "Ford Warranties", write a few >> rules, then never receive them again :) >> >> This is a slight over exaggeration, but close. >> > > No. I completely understand. A couple of years ago I was doing the same > thing always reacting to new spam campaigns. It took a lot of my time and I > never felt like I was winning those one-day battles. > > Now I have tuned my MTA (Postfix with postscreen) to reject the majority of > junk before it ever reaches SA. See the archives for these Postscreen > weighted RBLs if you are running Postfix. With about 24 RBLs including > invaluement, I am able to be aggressive with many RBLs adding up to a block > threshold of 8 in postscreen.
I also have postfix, invaluement, of course Kevin's KAM rules, and many (all?) of the other RBLs you use, including senderscore at the postfix and spamassassin level. I'm interested in how your system would have (or currently does) handle this email I received some days ago: https://pastebin.com/innRFvZt Its IP (106.186.119.240) is still not listed with spamhaus, sorbs or hostkarma, and has an 83 rating with senderscore. It's just a short body with a URI which downloads malware. We got hit by this pretty hard. This is where the real threats are. Receive one of these to an Exchange distribution list and your reputation with the customer suffers badly. I'm also interested in other solutions - are those of you with MIMEDefang or other systems blocking these?
