Forgot your password?
typodupeerror

How To Fight Spam Using Your Postfix Configuration 158

Posted by kdawson
from the not-welcome-here dept.
hausmasta writes, "In this guide you will learn how to tweak your virtual Postfix setup to better combat spam by stopping the mail before it hits SpamAssasin, using RBL (Realtime Blacklists) and RHBL (slightly different), greylistings, and Helo Checks." A clear, step-by-step guide to a complex subject.
This discussion has been archived. No new comments can be posted.

How To Fight Spam Using Your Postfix Configuration

Comments Filter:
  • Why to Use this (Score:3, Informative)

    by neonprimetime (528653) on Thursday September 07, 2006 @10:11AM (#16058985)
    The HowtoForge guide is great for everything however if you have a very busy mail server running Spam Assasin on 1000s of message per minute is a CPU killer. The best answer is to stop the mail before it hits Spam Assasin with a range of RBL (Realtime Blacklists) and RHBL (Same but different), Greylistings and Helo Checks.
    • Re: (Score:3, Informative)

      by DaveGuy (984734)
      The system I setup for my company uses as little "spam-scanning" as possible:
      1) greet-pause (reject mode)
      2) IP-blacklist (reject known bad sending IPs)
      3) SPF (reject if indicated)
      4) TLS (temp-fail if indicated)
      5) greylist (temp-fail mode)
      6) rcpt (reject user unknown)
      7) max-rcpts-per-envelope (temp-fail overage)
      8) max-connect-per-interval (temp-fail overage)
      9) IP-whitelist (known good sending IPs skip directly to virus filter)
      10) Domain-Spoofers (quarantine - sender can't trip this unless
  • Yeah, but... (Score:4, Insightful)

    by cp.tar (871488) <cp.tar.bz2@gmail.com> on Thursday September 07, 2006 @10:12AM (#16058988) Journal
    ... aren't blacklists still a bit... tricky?
    • by jank1887 (815982)
      yes, but I'd also qualify running a capable high-volume mailserver as a little bit ... tricky.

      RBL's are rather reliable, having few false positives from a server listing point of view. That said, you will have collateral damage from other users of shared spamming mailservers. There's no way around that, and less-than-clueful business customers will get upset about non-delivery of email. Most issues can be avoided by making customers fully aware of your mailhandling policies, and offer easy whitelisting,

      • Re: (Score:3, Interesting)

        by bogado (25959)
        The only problem is that the customer never knows that his email is being droped. He things that the receiver got the email and choosed to ignore it, simply because it never got returned. And you know what? He is right to think like that, if an email has not returned it should be assumed as delivered.

        The problem with those black lists is that is quite easy to get in one of those and is near impossible to get out. The number of false positives that those RBL produce is huge, and this means a huge number of p
        • Re: (Score:3, Informative)

          by jank1887 (815982)
          did you even read the post you replied to? either way, a response:

          1)The only problem is that the customer never knows that his email is being droped
          Very true, and a sign that the mailserver is making poor use of blacklists. A rejection notice should always be sent. Proper use of blacklists will, as I mentioned above, either allow the message through, but tag it, or notify the sender that it was rejected, providing alternate means of contact or correction.

          2)The problem with those black lists is that

          • Re: (Score:3, Insightful)

            by CerebusUS (21051)
            I'd agree with you _if_ the only reason a server ever got put onto an RBL was due to relaying and misconfiguration. The trouble is that some addresses are inevitably put on the list due to a disagreement about terms of service or what constitutes "spam."

            As the network admin for a consulting company, I'll never use an RBL on our mail because any lost communication from a customer or potential customer costs us more than potentially allowing some spam through (or buying larger hardware to handle better spam
            • Re: (Score:3, Interesting)

              by ePhil_One (634771)
              I'd agree with you _if_ the only reason a server ever got put onto an RBL was due to relaying and misconfiguration. The trouble is that some addresses are inevitably put on the list due to a disagreement about terms of service or what constitutes "spam."

              The RBL's all have different policies. Some are very explicit & limited, some are personal toys (I recall one that blocked all of MCI/UUnet). I start with the most restrictive, falling through about 4-5 total whose policies seem reasonable. Anything ba

          • Re: (Score:3, Interesting)

            by XNormal (8617)
            Quite easy to get in: if your mailserver is sending out lots of spam, yes it is, and it should be. It is the sign of a mailserver that is misconfigured, insecure, or just has bad policies.

            My server is sending out lots of spam but it is not misconfigured or insecure and I don't believe my policies are bad.

            I have set up forwarding addresses for some people and some of them are receiving lots of spam. This means that my server is sending out lots of spam and I think it has already been blacklisted by at least
        • The only problem is that the customer never knows that his email is being droped. He things that the receiver got the email and choosed to ignore it, simply because it never got returned.

          If that's the case, there's a mail admin in the equation somewhere that needs to be fired. What you're describing has exactly nothing to do with RBLs, and everything to do with the server configuration.

          My mail server is running sendmail with 4 DNSBLs, plus a locally-run internal. If a mail message hits those lists, it's rej
          • I just used up my mod points on the IPv6 DNS discussion, but please mod up the parent article.

            As long as the receiving mail server rejects the message with a permanent failure notice, a correctly configured sending mail server will give the user an appropriate response, and if it rejects it with a temporary failure notice, a correctly configured sending server will keep trying, and eventually let the user know if delivery hasn't happened in some time period.

            If the receiving mail server accepts the message,

      • Re: (Score:3, Interesting)

        Oh, we don't care if our email is unreliable, we're BLOCKING SPAM. RBLs are largely counter productive in that regard-- avoid them.

        Email reliability essentially *means* that some spam will get through. GET USED TO IT. Do not trade reliability away to be spam free. False positives are unacceptable, PERIOD. If a filtering system is subject to false positives, it's worse than the problem it is trying to solve.

        Those who would sacrifice a little email reliability for spam security deserve neither.

    • Re:Yeah, but... (Score:4, Interesting)

      by jrockway (229604) * <jon-nospam@jrock.us> on Thursday September 07, 2006 @12:06PM (#16059904) Homepage Journal
      I'm having excellent luck with OpenBSD's spamd blacklisting and greylisting. Haven't lost any important mail, but my SPAM has been cut by about 98%. It's truly amazing.

      http://www.openbsd.org/spamd/ [openbsd.org]
      • What do you think SPAM stands for?
        • by jrockway (229604) *
          Nothing, but everyone else capitializes it these days, so "SPAM" looks correct now. Thanks for your insightful comment, though; I appreciate it.
          • "everyone else capitializes it these days"

            Sure, if by "everyone," you mean "a small minority."

            But I'm always willing to share insight with the sightless masses.

            Actually, I'm doing you a favor. Just like someone would be doing the President a favor if they mentioned to him that he was pronouncing "nucular" incorrectly.
        • What do you think SPAM stands for?

          SPAM stands for SPiced hAM.
    • by ajs (35943)
      Yes, blacklists are tricky. You need to find one whose philosophy you and your users are willing to live with. This is why I use Spamhaus's SBL/XBL list which excludes only those hosts which are known problems. I happen not to agree with the philosophy that I should not be allowed to recieve mail from a network that has one spammer on it. Others disagree and wish to exclude the whole network. Salt to taste.
  • Useless (Score:2, Insightful)

    by Anonymous Coward
    The layout of the linked site is awful and sticking configuration snippets in text areas is awful. I didn't even see any warnings and if you're doing this, there are plenty of things that could go wrong. IMHO, setting up an MTA to reject spam at SMTP time is an involved process that requires the admin know what they are doing, blindly following a poorly written howto is a recipe for disaster.

  • I started using postgrey on my mail server a few months ago and my spam dropped from several hundred per day to about 10 per week. I wrote up this great how-to but figure that if spammer's got wise my advantage would be lost so I never published it.
    • by rel4x (783238)
      In a world where e-mail address are $10-$30 per million, the amount of people using your custom config would probably never be high enough for spammers to care. No Spammer bothers to adjust their software to best every menial anti-spam fix. Only the big ones.
  • bad idea... (Score:4, Informative)

    by Vellmont (569020) on Thursday September 07, 2006 @10:19AM (#16059035)
    If you do this, and you're an ISP (which you likely are if you're getting 1000s of spams a minute) you're very likely to block legit mail from ever getting to subscribers. Realtime Blacklists aren't reliable enough to use alone in blocking spam. You'd serve customers better by buying more/faster machines to handle the load.

    If you DO decide to do this, be VERY carefull about the RBLs you use. Some RBLs list entire blocks of IP addresses of ISPs that have hosted spammers, and some even list every DSL/Cable modem static IP address. I've had me mail blocked by overzealous ISPs before (for just being on a cable modem static IP), so I'm not a big fan of using RBLs or other simple techniques to block spam at the postfix/sendmail level.
  • by Kirth (183) on Thursday September 07, 2006 @10:25AM (#16059079) Homepage
    Don't filter by RBL. Use them to give scores to Spamassassin, but don't reject mail on basis that some host is in some RBL.

    * There are RBLs nearly impossible to get out from, and you might actually get an IP assigned months earlier to somebody who never requested a removal.
    * False positives. Mails misidentified as spam (typically: newsletters which the signed up person no longer wants, vacation-mails in foreign languages) might bring you onto an RBL.
    * Collateral damage. A shared server with 1000 users and 2000 domains might turn up in an RBL because one of those users had an inscecure formmail running a night long. And even after removal by the sysadmins in the morning, 1499 users can't mail you the next 18 hours.
    * Spurious criterions for getting listed. Like "unsolicited bounces" or "sent mail to secret spamtrap"

    So while RBLs are really a useful tools for deciding whether a mail might be spam, using them as THE ONLY reference on whether something is spam or not is just foolish.
    • by repetty (260322) on Thursday September 07, 2006 @10:37AM (#16059147) Homepage
      >> * Collateral damage. A shared server with 1000 users and
      >> 2000 domains might turn up in an RBL because one of those
      >> users had an inscecure formmail running a night long. And
      >> even after removal by the sysadmins in the morning, 1499
      >> users can't mail you the next 18 hours.

      Good point. On the other hand, I don't fucking care. I don't hear anyone knocking on my door, offering to help me filter out my spam. RBL's work GREAT on a tough problem, which is why they haven't gone away.

      And the collateral damage? If a user/subscriber abuses a service then the service provider SHOULD be held accountable and those other 1499 users are better off elsewhere.

      --Richard
      • Re: (Score:3, Insightful)

        by iangoldby (552781)
        I agree that ISPs should to some extent be held accountable, but to hold them 100% accountable ignores the fact that it is virtually impossible to pre-emptively stop all forms of email abuse.

        For example, SORBS have a policy that they will blacklist a server if they receive three or more emails to their spam trap addresses. These addresses are kept secret, so the ISP can't know what these spam trap addresses are. Suppose a malicious client of the ISP discovers (or guesses) one or more of these spam trap addr
      • by sjames (1099)

        And the collateral damage? If a user/subscriber abuses a service then the service provider SHOULD be held accountable and those other 1499 users are better off elsewhere.

        Imagine you're a colo provider. One or your users gets hacked and starts spamming like mad. Your alert admins (perhaps you) cut them off within an hour. Obviously, you deserve to watch your business go down in flames for stupidly failing to hire a psychic to stop the spam before it started. And your 1499 other customers are equally dese

    • by wayne (1579) <wayne@schlitt.net> on Thursday September 07, 2006 @11:51AM (#16059734) Homepage Journal
      * Spurious criterions for getting listed. Like "unsolicited bounces" or "sent mail to secret spamtrap"

      Neither sending bounces to forged email addresses (backscatter [wikipedia.org]) nor sending email to spam traps is a "spurious criteria" for getting listed. If you are doing either of these, you are part of the spam problem and you deserver to have your email blocked.

      Configure your mail server to reject *during* the SMTP session, or only send bounces after the fact if the email passes something like SPF. Using SPF's "best guess" default record of "v=spf1 a mx ptr" when there isn't an SPF record may by safe, but you are still risking sending backscatter to innocent people. Domainkeys and DKIM validate the From: header, which isn't where you should send bounces to, so it can only be used when the Envelope-From and the From: header match. Really, the easiest thing to do is just to always reject during the SMTP session and not accept-then-bounce.

      • sending bounces to forged email addresses

        And sans SPF, manual intervention, how does one programatically tell that a from address is forged so as to not send a reject?

        Clue: fixing the spam problem should not involve neutering legitimate functionality of the mail server - it's a bandaid.

        • A reject should NOT be sent by your server. YOUR server should be telling the sending server "Err... come back later" (450 error) or "No, that's not going to happen. Ever. Not if you were the last postfix server on earth" (550 error).

          Generating the bounce is the responsibility of the sending server, since it's not relying on easily-faked headers to pick its target.
    • Spoken like someone who's run only a small-volume mailserver, if any at all.

      From the other side:
      Consider it in terms of overhead.

      DNSBL:
      Connection opens
      Rec. Server sends banner
      Sending Server HELOs/EHLOs
      Rec. server responds
      Sending server begins MAIL transaction
      Rec. Server queries DNSBLs for sending IP.
      Rec Server sends 550 (permanent failure) error.
      Rec. Server ends connection, leaving Sending mail server to deal with the 550 error.

      Spamassassin using DNSRBL checks:
      Connection opens
      Rec. Server sends banner
      Sending
  • Here is a link setups to build servers with postfix, amavisd, SpamAssassin, ClamAV, Razor (you could also use these settings just for postfix to add better spam resistance).

    I not only am I the President, I'm a user.

    http://www.freespamfilter.org/ [freespamfilter.org]

    Enjoy...I love it...
  • by autocracy (192714) <slashdot2007NO@SPAMstoryinmemo.com> on Thursday September 07, 2006 @10:31AM (#16059112) Homepage
    I am aware there's definitely a fair number of over-zealous blacklists, but I've had an extremely good experience using cbl.abuseat.org as a blacklist source, and haven't encountered any false-positives while perusing my mail logs.
  • Rejecting mail outright based on RBL results is an invitation for loads of false positives. If you're getting "1000s of messages per minute," chances are you are a large business or an ISP. Either way, your customers sending mail from foobaz.net (for example) won't be happy when their no longer gets through because some boneheads at spamcop or spamhaus put them on the RBL.

    If you don't have the proper setup to accept that many messages and do adequate "tag-and-forward" spam analysis, or at least reject la

    • Let me just pipe in with my two cents worth. I'm the mail administrator at a University, and have been through all these arguments before.

      Rejecting mail outright based on RBL results is an invitation for loads of false positives. If you're getting "1000s of messages per minute," chances are you are a large business or an ISP. Either way, your customers sending mail from foobaz.net (for example) won't be happy when their no longer gets through because some boneheads at spamcop or spamhaus put them on the RBL

  • Great guide, ... NOT (Score:2, Informative)

    by xming (133344)
    There are more explaination on the postfix.org than this FA (fine article). Wisely using good RBL (for open proxies) and graylisting and some helo/header checks should reduce a lot of spam.
  • I use a combination of greylisting (10 mins for normal IP addresses and an hour for dynamically assigned IP addresses). I also do a very quick check on a few sender domains such as yahoo.com A "from" yahoo.com must be from a machine with .yahoo.com. If not, it is rejected. Works quite well with less than one spam per day. Given that yesterday had 466 spam's that got rejected, I'm pretty happy. I cannot recall anyone complaining they can't get in. Greylisting works really well because real mail servers try h
    • Re: (Score:3, Insightful)

      by Just Some Guy (3352)

      I also do a very quick check on a few sender domains such as yahoo.com A "from" yahoo.com must be from a machine with .yahoo.com. If not, it is rejected.

      If by that you mean that you're using SPF [openspf.org] or similar, that's a great idea. If it means that you wrote your own code that does something like "if fromdomain != helodomain: reject()", then your system is pathologically broken and needs to be updated.

      • something like "if fromdomain != helodomain: reject()", then your system is pathologically broken and needs to be updated

        Exactly. My dedicated server runs mail, too, and has a A record of hostx.isp.com. Though it handles mail for a dozen domains, all with SPF (and Sender ID) records, the number of bounces / drops I get from people who do this is scarily high.

  • sendmail tweaks (Score:5, Informative)

    by ltjohhed (231735) on Thursday September 07, 2006 @10:47AM (#16059227) Homepage
    A far more effective and less faulty way to filter out some spam can be done by using the new features added in sendmail 8.13.

    FEATURE(`great_pause',5000)
    That one is given in your .mc file.

    Wait's 5000ms to say HELO (EHLO) and all MTA's starting to send data (spambots not being all that RFC-aware) before that is discarded.

    I've measured that it atleast cuts 15-20% of the total amount of spam.
       
    • Ok, I recognize that you are probably trying to promote Sendmail. But for a variety of reasons, there are folks out there that can't or don't want to use Sendmail. I don't use Sendmail because I consider it overly complex. I use postfix and yes, I use the RBLs before it gets to SpamAssassin (gasp). If you tune it properly, it works just fine, thank you. Also the email list archives are extremely helpful in this matter, as is the list itself if you've done your homework first.
      • by KillerBob (217953)

        I don't use Sendmail because I consider it overly complex.

        Please don't get the impression that I'm trying to evangelize you... but Sendmail used to be overly complex. More recent versions are actually pretty good from the configuration perspective, especially if you're using a binary distribution such as a slackpackage or deb package. It's really just a question of changing your sendmail.mc file, and compiling it. Copy to the right location, and restart Sendmail. Poof. It's done.

        Enabling a RBL or RHBL in Se

    • Re: (Score:3, Interesting)

      by leighklotz (192300)
      It's FEATURE(`greet_pause',5000) not FEATURE(`great_pause',5000).
      The previously-referenced Acme [acme.com] page mentions it.
    • by Shadowlore (10860)
      If you run a server that needs to handle a lot of email, and do so in a timely manner, this will hose you. if you run an enterprise environment where there are applicaitons (usually JavaMail based ones) that bork and die on this but are sending legitimate mail, this will hose you.

      There are many legitimate applications that will die if you do this. To recommend this as a general solution is a mistake. Sure, we would all love it if the legitimate apps worked properly, but that isn't the real world. The real w
  • Warning, I used to use RBLs to reject mail, but occasionally all of yahoo or somethnig gets added to a blacklist, and so mail from yahoo would start bouncing (including yahoo groups -- they really ought to use a seperate network for yahoo groups as their free webmail!). So instead of rejecting mail, I started just inserting a warning header, X-Spam-Blacklists:, which is easy to do with Exim. (I assume also with Postfix). Then I could filter the message in Thunderbird into a "probably spam" folder. You c
  • by nblender (741424) on Thursday September 07, 2006 @10:55AM (#16059301)
    To all you greylisters, I don't know what part of the interweb you're from but when I survey my spam, I find that great tracts of it come from zombies via their ISP's mail server which means greylisting is no longer effective. It was effective last year but I think you folks missed the boat. I moderate a mailing list for a popular open source operating system project that uses greylisting and I still get about 100 spam per day as owner-listname...

    Spammers are having their zombies dig through the windows configurations to find the owners email relay and using that to send their spam. It's not that difficult and combats greylisting.

    • Greylisting will always be useful, at least to a certain degree. When you get email from an unrecognized source, one that you can't judge as being a source of legitimate email or if it is a spam source, greylisting lets the reputation systems like DNSBLs and DCC/Razor/etc. catch up. Also, good ISPs and mail admins have tools to watch for likely spam runs. Again, greylisting gives those tools time to act and purge the spam.

      Sure, greylisting also gets rid of spam from spambots that don't retry email, an

    • by Just Some Guy (3352) <kirk+slashdot@strauser.com> on Thursday September 07, 2006 @12:18PM (#16059992) Homepage Journal
      Spammers are having their zombies dig through the windows configurations to find the owners email relay and using that to send their spam.

      In other words, greylisting makes zombies relay spam through their ISP, forcing said ISPs to deal with the problem to keep their mailserver from being both overwhelmed and added to every DNS RBL in existence. In what possible way is this not a Good Thing?

      • Comment: (paraphrase)" X doesn't work because Y happens"
        Rating: +5 "insightful"

        Reply to above comment: "X works because Y happens"
        Rating: +5 "insightful"

        And neither post showed any actual insight; just observation.
    • by Greyfox (87712)
      It's not like any one single method will completely solve your spam problem. I'm using a combination of greylisting and SPF checking on my domains at home and a couple of spams a week get through to SpamAssassin. Thus far SpamAsssin has been giving me a 100% success rate at tagging the spams that do get through and a 0% false positive rate. Pretty good, I think.
  • Some words of wisdom (Score:4, Informative)

    by bfree (113420) on Thursday September 07, 2006 @10:56AM (#16059308)
    Here is an insightful blog posting from Justin Mason [taint.org] about using RBL's (and bl.spamcop.net in particular which this HOW-TO mentions) for filtering spam. You could see a staggering amount of false positives unless any rbl is only one part of a scoring system which decides whether a mail should be rejected.
    • by derF024 (36585) *
      I see a lot of people making this kind of association. "I used superaggressiveblacklist.com's list and all my mail got blocked! RBL's are a complete waste!" That's kind of thinking is just silly. There are hundreds of popular lists on the internet, and not all of them are as aggressive as that other list you used. I use list.dsbl.org and xbl.spamhaus.org on all the mail servers I run. I check mail logs regularly and inspect rejected messages for false positives, and haven't found one yet. Those two list
      • Spamassassin, unfortunately, does have false positives, so anything that spamassassin tags gets delivered with a 'possibly spam' header added.

        Using the default scores?

        I've got the scores tweaked somewhat, and we tag at 5 and reject at 15. RBLs (including ones we wouldn't reject on outright), URIBLs, Razor checks etc are all good for five points each. No PTR gets 10 (although that one's hacked together in our mimedefang filter). Try skewing the scores somewhat for tests that look super-spammy, and reject

  • I for one, welcome our spamfighting overlords, and think that we should see more of this kind of thing on the front page of ./

    Although we've got our share of trolls and fanboys ruining it for the rest of us, I daresay that there are at least a few slashdotters out there who could write guides at least as good as this on a number of geeky and related subjects and present them on the front page, in much the same vein as the original content presented in book reviews etc. It might even be worth paying the a
  • At my last company, we had a big problem with spam. But because the company did some online marketing, there were people in our marketing department that WANTED to get some of the spam so they could see what tactics the competition was using. At one point our mail gateways were so clogged, mail was being delayed by up to 4 or 5 hours at our gateway.

    We fixed the problem by having postfix discard any mail that was not addressed to a legitimate email account. We ran a script that would pull all valid email
    • Re: (Score:2, Informative)

      by DrGalaxy (89127)
      Agree with parent.

      I call this technique "early recipient rejection". As soon as the SMTP client sends "RCPT TO:" our postfix systems check a database list of valid recipients and drop the message immediately if it is not valid.

      To set up early recipient rejection with postfix, read the docs about "check_recipient_access" and apply that directive to your "smtpd_recipient_restrictions" section in main.cf.

  • I wrote basically the same article [freesoftwaremagazine.com] a year ago for Free Software Magazine. We've been using this setup at my office for the last year, and it's been working perfectly - to the point that an upset coworker told me yesterday that she's received four spams last week and wondered if something was wrong.
    • Dude! That five minute delay is genius! Once spammers get wind of it, they will probably change their methods (increaing spam traffic), but it seems highly effective for spammers of the "own a computer and spam as much as possible before getting noticed" ilk.
      • Dude! That five minute delay is genius!

        I can't claim to have invented it, but I've been advocating it to everyone who will listen. We're rejecting over 90% of incoming mail with greylisting (as measured by the number of entries in the greylist database that never returned for the second attempt). An unexpected side effect is that SpamAssassin now rejects less mail than before because all of the "low hanging fruit" has already been filtered out, and because it has less data to feed into its Bayesian trai

  • by ThatDamnMurphyGuy (109869) on Thursday September 07, 2006 @12:29PM (#16060082) Homepage
    The better place to looks is the Howtos and FAQs [postfix.org].

    One of my favorites: http://jimsun.linxnet.com/misc/postfix-anti-UCE.tx t [linxnet.com]
  • Martian Software has an interesting (if somewhat dated) piece on using statistics to cause spammers pain [martiansoftware.com]. Essentially it's a real-time spam filtering system that slows down messages according to how "spammy" they seem to be. For individual messages, a few seconds or more delay would cause little if any problems, but when sending millions of spams, this is a very big issue indeed.

    Personally I'd like to make the spammers pay - in CPU cycles - using methods like this. Of course I'd rather beat them witha

Nothing succeeds like success. -- Alexandre Dumas

Working...