How To Fight Spam Using Your Postfix Configuration

Posted by kdawson
from the not-welcome-here dept.
hausmasta writes, "In this guide you will learn how to tweak your virtual Postfix setup to better combat spam by stopping the mail before it hits SpamAssassin, using RBL (Realtime Blacklists) and RHBL (slightly different), greylisting, and HELO checks." A clear, step-by-step guide to a complex subject.
  • by slapyslapslap (995769) on Thursday September 07, 2006 @10:18AM (#16059029)
    If you're running the mail servers for a business, how prudent is it to run a spam filter in the first place? While using something that relies on checking the content of the mail may be useful in getting rid of the most egregious spam, you don't want to block all items identified as spam. You can't run the risk of blocking your customers. Most start out thinking this way. Then they get so buried in spam that they start to think much differently. It CAN be done properly with minimal collateral damage. A good way to do it is to always send a rejection back to the sender with a reason why. In the event that a real user is rejected, at least they know and can try again via another account, fax, or phone.
  • by Beefslaya (832030) on Thursday September 07, 2006 @10:29AM (#16059101)
    Here is a link to setups to build servers with postfix, amavisd, SpamAssassin, ClamAV, Razor (you could also use these settings just for postfix to add better spam resistance).

    Not only am I the President, I'm a user.

    http://www.freespamfilter.org/ [freespamfilter.org]

    Enjoy...I love it...
  • by stabiesoft (733417) on Thursday September 07, 2006 @10:38AM (#16059154) Homepage
    I use a combination of greylisting (10 mins for normal IP addresses and an hour for dynamically assigned IP addresses). I also do a very quick check on a few sender domains such as yahoo.com: a "from" yahoo.com must be from a machine with .yahoo.com. If not, it is rejected. Works quite well with less than one spam per day. Given that yesterday had 466 spams that got rejected, I'm pretty happy. I cannot recall anyone complaining they can't get in. Greylisting works really well because real mail servers try hard to deliver whereas spammers don't try that hard for delivery.
  • by raddan (519638) on Thursday September 07, 2006 @10:51AM (#16059258)
    We block somewhere around 200k spam emails a day. And we have a very similar setup sitting in front of our Exchange server. The kinds of things we can do with Postfix simply aren't possible with Exchange, and once we learned the ins and outs of Postfix, we found it to be easier to use than Exchange. For one, Postfix has real documentation [postfix.org]. Not to mention that the main developer posts regularly on the mailing list. Ever talk to MS's corporate support people for Exchange? Exchange is so huge and complex no one person knows the entire program. Postfix is a model of simplicity by comparison.
  • by reed (19777) on Thursday September 07, 2006 @10:54AM (#16059289) Homepage
    Warning, I used to use RBLs to reject mail, but occasionally all of yahoo or something gets added to a blacklist, and so mail from yahoo would start bouncing (including yahoo groups -- they really ought to use a separate network for yahoo groups from their free webmail!). So instead of rejecting mail, I started just inserting a warning header, X-Spam-Blacklists:, which is easy to do with Exim. (I assume also with Postfix.) Then I could filter the message in Thunderbird into a "probably spam" folder. You could also set up SA to increase a message's score if it's in a blacklist, I think, but I've never tried it.

    So if you do set up RBL rejection, make sure you pay attention to what it's rejecting. Skim through the log file a few times in the week or two after doing it, otherwise you'll never know what it's rejecting.

  • by just_another_sean (919159) on Thursday September 07, 2006 @11:15AM (#16059454) Homepage Journal
    As someone who uses Exchange I can say that setting spam filtering up is easy. You can use RBLs or not. You can set thresholds that let a lot in or block a lot with many false positives. If you're worried about losing business mail then you can configure it to be safe about that and never outright refuse or delete mail.

    But I don't like it because once you check the boxes, set the sliders and press OK, that's it. Unless you then get into scripting or third party products or any other solutions I can't think of, you don't get to customize it any further. In other words, at that point, if you want more, it's just like Unix. I've never worked with any, but can't you buy Sendmail or OpenExchange and get a lot of the point and click stuff for free too? And for a lot less than the dragon's hoard a small business spends on MS Exchange?

    One last thing to mention, we feel the same way as you about losing a customer's mail. So our users don't get anywhere near the spam they used to but the IT Admin that works for me spends anywhere from an hour to two a day checking the spam filter to see what gets tagged. Whitelisting? So far we found a few half ass solutions in forums that for various reasons don't do exactly what we need.

    All in all, like most Windows-based solutions in my experience, Exchange is easy to set up, hard to customize. We're working on an OpenBSD solution [flakshack.com] as a front end in our spare time. Hopefully we can get it to get the worst of the spam and then set Exchange to be a lot more lax when it gets in... Anything that keeps us from checking the spam filter all day.
  • Re:Yeah, but... (Score:3, Interesting)

    by bogado (25959) <bogado@@@bogado...net> on Thursday September 07, 2006 @11:52AM (#16059740) Homepage Journal
    The only problem is that the customer never knows that his email is being dropped. He thinks that the receiver got the email and chose to ignore it, simply because it never got returned. And you know what? He is right to think like that; if an email has not returned it should be assumed as delivered.

    The problem with those black lists is that it is quite easy to get in one of those and near impossible to get out. The number of false positives that those RBLs produce is huge, and this means a huge number of people not receiving emails. I had a friend that almost could not get into an international congress because she did not get any replies from the congress email because her university was in one of those black lists.

    I do not advise anyone to use black lists. There are many good ways to get rid of spam that do not have false positives, like greylisting. Check this out [acme.com]; this guy has a very good analysis of the problem and the solutions he used.
  • Re:Yeah, but... (Score:4, Interesting)

    by jrockway (229604) * <jon-nospam@jrock.us> on Thursday September 07, 2006 @12:06PM (#16059904) Homepage Journal
    I'm having excellent luck with OpenBSD's spamd blacklisting and greylisting. Haven't lost any important mail, but my SPAM has been cut by about 98%. It's truly amazing.

    http://www.openbsd.org/spamd/ [openbsd.org]
  • Re:sendmail tweaks (Score:3, Interesting)

    by leighklotz (192300) on Thursday September 07, 2006 @12:46PM (#16060220) Homepage
    It's FEATURE(`greet_pause',5000) not FEATURE(`great_pause',5000).
    The previously-referenced Acme [acme.com] page mentions it.
  • Re:Yeah, but... (Score:3, Interesting)

    by ePhil_One (634771) on Thursday September 07, 2006 @04:19PM (#16061828) Journal
    I'd agree with you _if_ the only reason a server ever got put onto an RBL was due to relaying and misconfiguration. The trouble is that some addresses are inevitably put on the list due to a disagreement about terms of service or what constitutes "spam."

    The RBLs all have different policies. Some are very explicit & limited, some are personal toys (I recall one that blocked all of MCI/UUnet). I start with the most restrictive, falling through about 4-5 total whose policies seem reasonable. Anything banned gets an email back explaining why and is logged; I pull daily reports with the IPs, RBL, Subject lines, etc. from the logs (with a nice summarization header) so I can easily spot check their effectiveness. All client domains are whitelisted by default; most "leads" come in via webforms. Any list that blocks something I want gets scrutinized and removed. Thanks to the summaries I know RBL #4 is only blocking 150 spams a day anyway, so I can delete it (it might have caught more, but RBL #1 blocks 14k a day before #4 ever gets a shot at it). Another handy trick: use tighter controls on your lower priority servers. Real mail almost never goes there, but spammers like to use them because they are less monitored, sometimes poorly configured, and less loaded.

    Worked wonders. But implying all RBLs have low false positive rates is irresponsible.

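reed's advice to skim the logs after turning on RBL rejection and ePhil_One's daily per-RBL report are both just a matter of summarizing Postfix's `NOQUEUE: reject:` lines. The script below is an added example, not code from the linked guide or from any poster: the log lines, hosts, IPs and the RBL names `rbl1.example` / `rbl2.example` are constructed, and the whitelisted-domain check is my assumption of how "client domains are whitelisted" would be spot-checked for false positives.

```python
import re
from collections import Counter

# Constructed sample in the shape of Postfix smtpd reject log lines (hosts, IPs,
# addresses and the two RBL names rbl1.example / rbl2.example are all invented).
SAMPLE_LOG = """\
Sep  7 10:18:01 mx1 postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using rbl1.example; from=<a@example.net> to=<bob@example.com> proto=ESMTP helo=<mail.example.net>
Sep  7 10:18:05 mx1 postfix/smtpd[4321]: NOQUEUE: reject: RCPT from host.example.org[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using rbl2.example; from=<c@example.org> to=<bob@example.com> proto=ESMTP helo=<host.example.org>
Sep  7 10:19:00 mx1 postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 5.7.1 Service unavailable; Client host [192.0.2.11] blocked using rbl1.example; from=<d@example.net> to=<alice@example.com> proto=SMTP helo=<localhost>
Sep  7 10:19:20 mx1 postfix/smtpd[4322]: NOQUEUE: reject: RCPT from unknown[192.0.2.12]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<e@example.net> to=<alice@example.com> proto=SMTP helo=<localhost>
Sep  7 10:19:30 mx1 postfix/smtpd[4323]: 3F2A1B5: client=relay.example.com[203.0.113.5]
"""

REJECT_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) [\d.]+ (?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
RBL_RE = re.compile(r"blocked using (?P<rbl>[^\s;]+)")

def parse_rejects(log_text):
    """Return one dict per smtpd reject line; every other line is ignored."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        r = RBL_RE.search(ev["reason"])
        ev["rbl"] = r.group("rbl") if r else None  # None: HELO or other non-RBL reject
        sender = ev["sender"]
        ev["sender_domain"] = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
        events.append(ev)
    return events

def summarize(events, whitelisted_domains=()):
    """Count rejects per RBL, and flag rejects of senders you meant to let in."""
    per_rbl = Counter(ev["rbl"] for ev in events if ev["rbl"])
    wanted = {d.lower() for d in whitelisted_domains}
    flagged = [ev for ev in events if ev["sender_domain"] in wanted]
    return per_rbl, flagged

if __name__ == "__main__":
    per_rbl, flagged = summarize(parse_rejects(SAMPLE_LOG), whitelisted_domains=["example.org"])
    for rbl, n in per_rbl.most_common():
        print(f"{n:6d}  {rbl}")
    for ev in flagged:
        print(f"CHECK: {ev['sender']} ({ev['ip']}) rejected: {ev['rbl'] or ev['reason']}")
```

Run it against a day's mail log instead of SAMPLE_LOG and a list that only ever appears with tiny counts, or that keeps showing up in the CHECK lines, is the one to drop.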
  • Re:Yeah, but... (Score:3, Interesting)

    by Kazoo the Clown (644526) on Thursday September 07, 2006 @04:24PM (#16061857)

    Oh, we don't care if our email is unreliable, we're BLOCKING SPAM. RBLs are largely counterproductive in that regard; avoid them.

    Email reliability essentially *means* that some spam will get through. GET USED TO IT. Do not trade reliability away to be spam free. False positives are unacceptable, PERIOD. If a filtering system is subject to false positives, it's worse than the problem it is trying to solve.

    Those who would sacrifice a little email reliability for spam security deserve neither.

  • Re:Yeah, but... (Score:3, Interesting)

    by XNormal (8617) on Friday September 08, 2006 @02:27AM (#16064492) Homepage
    Quite easy to get in: if your mailserver is sending out lots of spam, yes it is, and it should be. It is the sign of a mailserver that is misconfigured, insecure, or just has bad policies.

    My server is sending out lots of spam but it is not misconfigured or insecure and I don't believe my policies are bad.

    I have set up forwarding addresses for some people and some of them are receiving lots of spam. This means that my server is sending out lots of spam and I think it has already been blacklisted by at least one other provider.

    The best place to put spam filtering is at the endpoint - that's where the most information is available to make the decision and the end user can intervene and provide feedback to the classifier (e.g. gmail). If I start filtering spam, in the hope of reducing the chances of being blacklisted, I will be doing a disservice to my users.
