How To Fight Spam Using Your Postfix Configuration

hausmasta writes, "In this guide you will learn how to tweak your virtual Postfix setup to better combat spam by stopping the mail before it hits SpamAssasin, using RBL (Realtime Blacklists) and RHBL (slightly different), greylistings, and Helo Checks." A clear, step-by-step guide to a complex subject.

Why to Use this

[neonprimetime]

The HowtoForge guide is great for everything however if you have a very busy mail server running Spam Assasin on 1000s of message per minute is a CPU killer. The best answer is to stop the mail before it hits Spam Assasin with a range of RBL (Realtime Blacklists) and RHBL (Same but different), Greylistings and Helo Checks.

Re:

[DaveGuy]

The system I setup for my company uses as little "spam-scanning" as possible:
1) greet-pause (reject mode)
2) IP-blacklist (reject known bad sending IPs)
3) SPF (reject if indicated)
4) TLS (temp-fail if indicated)
5) greylist (temp-fail mode)
6) rcpt (reject user unknown)
7) max-rcpts-per-envelope (temp-fail overage)
8) max-connect-per-interval (temp-fail overage)
9) IP-whitelist (known good sending IPs skip directly to virus filter)
10) Domain-Spoofers (quarantine - sender can't trip this unless

Yeah, but...

[cp.tar]

... aren't blacklists still a bit... tricky?

Re:

[jank1887]

yes, but I'd also qualify running a capable high-volume mailserver as a little bit ... tricky.

RBL's are rather reliable, having few false positives from a server listing point of view. That said, you will have collateral damage from other users of shared spamming mailservers. There's no way around that, and less-than-clueful business customers will get upset about non-delivery of email. Most issues can be avoided by making customers fully aware of your mailhandling policies, and offer easy whitelisting,

Re:

[bogado]

The only problem is that the customer never knows that his email is being droped. He things that the receiver got the email and choosed to ignore it, simply because it never got returned. And you know what? He is right to think like that, if an email has not returned it should be assumed as delivered.

The problem with those black lists is that is quite easy to get in one of those and is near impossible to get out. The number of false positives that those RBL produce is huge, and this means a huge number of p

Re:

[jank1887]

did you even read the post you replied to? either way, a response:

1)The only problem is that the customer never knows that his email is being droped
Very true, and a sign that the mailserver is making poor use of blacklists. A rejection notice should always be sent. Proper use of blacklists will, as I mentioned above, either allow the message through, but tag it, or notify the sender that it was rejected, providing alternate means of contact or correction.

2)The problem with those black lists is that

Re:

[CerebusUS]

I'd agree with you _if_ the only reason a server ever got put onto an RBL was due to relaying and misconfiguration. The trouble is that some addresses are inevitably put on the list due to a disagreement about terms of service or what constitutes "spam."

As the network admin for a consulting company, I'll never use an RBL on our mail because any lost communication from a customer or potential customer costs us more than potentially allowing some spam through (or buying larger hardware to handle better spam

Re:

[ePhil_One]

I'd agree with you _if_ the only reason a server ever got put onto an RBL was due to relaying and misconfiguration. The trouble is that some addresses are inevitably put on the list due to a disagreement about terms of service or what constitutes "spam."

The RBL's all have different policies. Some are very explicit & limited, some are personal toys (I recall one that blocked all of MCI/UUnet). I start with the most restrictive, falling through about 4-5 total whose policies seem reasonable. Anything ba

Re:

[XNormal]

Quite easy to get in: if your mailserver is sending out lots of spam, yes it is, and it should be. It is the sign of a mailserver that is misconfigured, insecure, or just has bad policies.

My server is sending out lots of spam but it is not misconfigured or insecure and I don't believe my policies are bad.

I have set up forwarding addresses for some people and some of them are receiving lots of spam. This means that my server is sending out lots of spam and I think it has already been blacklisted by at least

Re:

[geminidomino]

The only problem is that the customer never knows that his email is being droped. He things that the receiver got the email and choosed to ignore it, simply because it never got returned.

If that's the case, there's a mail admin in the equation somewhere that needs to be fired. What you're describing has exactly nothing to do with RBLs, and everything to do with the server configuration.

My mail server is running sendmail with 4 DNSBLs, plus a locally-run internal. If a mail message hits those lists, it's rej

Mod Parent Up, Please. 5xx Reject is exactly right

[billstewart]

I just used up my mod points on the IPv6 DNS discussion, but please mod up the parent article.

As long as the receiving mail server rejects the message with a permanent failure notice, a correctly configured sending mail server will give the user an appropriate response, and if it rejects it with a temporary failure notice, a correctly configured sending server will keep trying, and eventually let the user know if delivery hasn't happened in some time period.

If the receiving mail server accepts the message,

Re:

[Kazoo the Clown]

Oh, we don't care if our email is unreliable, we're BLOCKING SPAM. RBLs are largely counter productive in that regard-- avoid them.

Email reliability essentially *means* that some spam will get through. GET USED TO IT. Do not trade reliability away to be spam free. False positives are unacceptable, PERIOD. If a filtering system is subject to false positives, it's worse than the problem it is trying to solve.

Those who would sacrifice a little email reliability for spam security deserve neither.

Re:Yeah, but...

[jrockway]

I'm having excellent luck with OpenBSD's spamd blacklisting and greylisting. Haven't lost any important mail, but my SPAM has been cut by about 98%. It's truly amazing.

http://www.openbsd.org/spamd/ [openbsd.org]

Re:

[Lord Ender]

What do you think SPAM stands for?

Re:

[jrockway]

Nothing, but everyone else capitializes it these days, so "SPAM" looks correct now. Thanks for your insightful comment, though; I appreciate it.

Re:

[Lord Ender]

"everyone else capitializes it these days"

Sure, if by "everyone," you mean "a small minority."

But I'm always willing to share insight with the sightless masses.

Actually, I'm doing you a favor. Just like someone would be doing the President a favor if they mentioned to him that he was pronouncing "nucular" incorrectly.

Re:

[jumpingfred]

What do you think SPAM stands for?

SPAM stands for SPiced hAM.

Re:

[ajs]

Yes, blacklists are tricky. You need to find one whose philosophy you and your users are willing to live with. This is why I use Spamhaus's SBL/XBL list which excludes only those hosts which are known problems. I happen not to agree with the philosophy that I should not be allowed to recieve mail from a network that has one spammer on it. Others disagree and wish to exclude the whole network. Salt to taste.

Re:

[geminidomino]

Since you mentioned the form, I decided to use it. I found a few entries that DO hit, based on what you wrote. Since you mentioned that you may have left out some details, I'll let you answer. (and also trim the form. ;))

Your post advocates a

(X) technical ( ) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state

Useless

[Anonymous Coward]

The layout of the linked site is awful and sticking configuration snippets in text areas is awful. I didn't even see any warnings and if you're doing this, there are plenty of things that could go wrong. IMHO, setting up an MTA to reject spam at SMTP time is an involved process that requires the admin know what they are doing, blindly following a poorly written howto is a recipe for disaster.

postgrey

[viniosity]

I started using postgrey on my mail server a few months ago and my spam dropped from several hundred per day to about 10 per week. I wrote up this great how-to but figure that if spammer's got wise my advantage would be lost so I never published it.

Re:

[rel4x]

In a world where e-mail address are $10-$30 per million, the amount of people using your custom config would probably never be high enough for spammers to care. No Spammer bothers to adjust their software to best every menial anti-spam fix. Only the big ones.

bad idea...

[Vellmont]

If you do this, and you're an ISP (which you likely are if you're getting 1000s of spams a minute) you're very likely to block legit mail from ever getting to subscribers. Realtime Blacklists aren't reliable enough to use alone in blocking spam. You'd serve customers better by buying more/faster machines to handle the load.

If you DO decide to do this, be VERY carefull about the RBLs you use. Some RBLs list entire blocks of IP addresses of ISPs that have hosted spammers, and some even list every DSL/Cable modem static IP address. I've had me mail blocked by overzealous ISPs before (for just being on a cable modem static IP), so I'm not a big fan of using RBLs or other simple techniques to block spam at the postfix/sendmail level.

Re:

[glesga_kiss]

And why were you sending mail direct from your cable modem static IP? You should have been using your ISP's smarthost.

Because when I hook my laptop up to the net away from home using wifi or gprs, it can't get to my ISP's smarthost. So instead I have a publicly accessible server with authetication and SSL set up that I can use from anywhere. This is way better than the last 8 years where I've had to manually change the outgoing server.

I've had to stop this approach because of some RBL lists blocking my

Re:

[Albanach]

Because when I hook my laptop up to the net away from home using wifi or gprs, it can't get to my ISP's smarthost. So instead I have a publicly accessible server with authetication and SSL set up that I can use from anywhere. This is way better than the last 8 years where I've had to manually change the outgoing server.

The question remains - why aren't you using your ISP's smarthost.

There's no reason you can't run an SMTP server at the end of your cable modem - it, however should still pass it's traffic

Re:

[Vellmont]

it, however should still pass it's traffic directly to your ISP's smarthost for onward delivery.

And why would I want to have to rely on my ISPs mailserver to be up to send outgoing mail? I like reliability, I don't like outages. I also don't want to rely on them to route my mail properly, decide I'm a spammer and block me, or whatever. Also, why would I want to make it easier for my ISP to snoop on my mail? (who knows if they'll send targeted advertising, etc).

If you don't mind all those things, fine.

Re:

[Fez]

And why would I want to have to rely on my ISPs mailserver to be up to send outgoing mail? I like reliability, I don't like outages. I also don't want to rely on them to route my mail properly, decide I'm a spammer and block me, or whatever. Also, why would I want to make it easier for my ISP to snoop on my mail? (who knows if they'll send targeted advertising, etc).

If you don't mind all those things, fine. But there's very good reasons to not use your ISPs mailserver.

Then you're probably violating your T

Re:

[Vellmont]

Mail should NOT be coming from end-user dynamic IPs directly. Period. No excuses.

Blah blah blah.. Frankly I don't care about your opinion. It matters to me about as much as what ice cream you prefer. There's no law that says I can't run my own SMTP server on my own internet connection. As far as your universal terms of service, they aren't so universal. Most ISPs prohibit spamming, but there's plenty that have no problem with running a SMTP server on your ip address. If my ISP starts whining about it,

Re:

[Fez]

Unfortunately, attitudes like that are the exact reason that spam continues to get worse and worse. The reason it's so bad is because smtp is so broken and free-flowing. You should care about my opinon because I'm a sysadmin at an ISP, and people like me are who decide if your mail actually gets out.

I bet if you checked the ToS, it does prohibit servers.

Unfortunately very few ISPs (not even the one I admin) block outgoing smtp from anything but known servers. That's the best way to go. If your ISP is fine w

Re:

[Vellmont]

Unfortunately, attitudes like that are the exact reason that spam continues to get worse and worse. The reason it's so bad is because smtp is so broken and free-flowing. You should care about my opinon because I'm a sysadmin at an ISP

Gee.. how did I possibly guess that? You're the hard-ass sysadmin that needs to control everything, and you get all uppity when you can't. Being a sysadmin is about managing risk, not control.

Me running my own SMTP server has exactly zero impact on spam. I don't run an open

Re:

[Achromatic1978]

Then you're probably violating your ToS, unless you've paid for a business account with a static IP in which case they can be de-listed from RBLs.

1) He mentioned a static setup. 2) His ToS with his ISP is of no relevance or importance to you, nor should it be to the decision to accept mail. 3) You're an optimist. I have watched many people try to have static IP addresses delisted from many RBLs with no success whatsoever (and not due to spam coming from them, but because the RBL administrators said "stati

Hard Filter by RBL -- A NoNo

[Kirth]

Don't filter by RBL. Use them to give scores to Spamassassin, but don't reject mail on basis that some host is in some RBL.

* There are RBLs nearly impossible to get out from, and you might actually get an IP assigned months earlier to somebody who never requested a removal.
* False positives. Mails misidentified as spam (typically: newsletters which the signed up person no longer wants, vacation-mails in foreign languages) might bring you onto an RBL.
* Collateral damage. A shared server with 1000 users and 2000 domains might turn up in an RBL because one of those users had an inscecure formmail running a night long. And even after removal by the sysadmins in the morning, 1499 users can't mail you the next 18 hours.
* Spurious criterions for getting listed. Like "unsolicited bounces" or "sent mail to secret spamtrap"

So while RBLs are really a useful tools for deciding whether a mail might be spam, using them as THE ONLY reference on whether something is spam or not is just foolish.

Re:Hard Filter by RBL -- A NoNo

[repetty]

>> * Collateral damage. A shared server with 1000 users and
>> 2000 domains might turn up in an RBL because one of those
>> users had an inscecure formmail running a night long. And
>> even after removal by the sysadmins in the morning, 1499
>> users can't mail you the next 18 hours.

Good point. On the other hand, I don't fucking care. I don't hear anyone knocking on my door, offering to help me filter out my spam. RBL's work GREAT on a tough problem, which is why they haven't gone away.

And the collateral damage? If a user/subscriber abuses a service then the service provider SHOULD be held accountable and those other 1499 users are better off elsewhere.

--Richard

Re:

[iangoldby]

I agree that ISPs should to some extent be held accountable, but to hold them 100% accountable ignores the fact that it is virtually impossible to pre-emptively stop all forms of email abuse.

For example, SORBS have a policy that they will blacklist a server if they receive three or more emails to their spam trap addresses. These addresses are kept secret, so the ISP can't know what these spam trap addresses are. Suppose a malicious client of the ISP discovers (or guesses) one or more of these spam trap addr

Re:

[sjames]

And the collateral damage? If a user/subscriber abuses a service then the service provider SHOULD be held accountable and those other 1499 users are better off elsewhere.

Imagine you're a colo provider. One or your users gets hacked and starts spamming like mad. Your alert admins (perhaps you) cut them off within an hour. Obviously, you deserve to watch your business go down in flames for stupidly failing to hire a psychic to stop the spam before it started. And your 1499 other customers are equally dese

Re:

[geminidomino]

Name a provider where a user has only gotten one chance to abuse the service. Much easier (though, sadly, still a small subset).

The real RBLs don't list based on single incidents, but patterns of abuse. Comcast, for example, is one of the worst in this regard. At one point (I don't know if this is still the case), they actually claimed connecting a firewall/router between the cable modem and PC was a violation of thier TOS.

Re:Hard Filter by RBL -- A NoNo

[wayne]

* Spurious criterions for getting listed. Like "unsolicited bounces" or "sent mail to secret spamtrap"

Neither sending bounces to forged email addresses (backscatter [wikipedia.org]) nor sending email to spam traps is a "spurious criteria" for getting listed. If you are doing either of these, you are part of the spam problem and you deserver to have your email blocked.

Configure your mail server to reject *during* the SMTP session, or only send bounces after the fact if the email passes something like SPF. Using SPF's "best guess" default record of "v=spf1 a mx ptr" when there isn't an SPF record may by safe, but you are still risking sending backscatter to innocent people. Domainkeys and DKIM validate the From: header, which isn't where you should send bounces to, so it can only be used when the Envelope-From and the From: header match. Really, the easiest thing to do is just to always reject during the SMTP session and not accept-then-bounce.

Re:

[Achromatic1978]

sending bounces to forged email addresses

And sans SPF, manual intervention, how does one programatically tell that a from address is forged so as to not send a reject?

Clue: fixing the spam problem should not involve neutering legitimate functionality of the mail server - it's a bandaid.

Re:

[geminidomino]

A reject should NOT be sent by your server. YOUR server should be telling the sending server "Err... come back later" (450 error) or "No, that's not going to happen. Ever. Not if you were the last postfix server on earth" (550 error).

Generating the bounce is the responsibility of the sending server, since it's not relying on easily-faked headers to pick its target.

Re:

[Achromatic1978]

Of course - stupid me... I knew I didn't get enough sleep last night!

Re:

[geminidomino]

Spoken like someone who's run only a small-volume mailserver, if any at all.

From the other side:
Consider it in terms of overhead.

DNSBL:
Connection opens
Rec. Server sends banner
Sending Server HELOs/EHLOs
Rec. server responds
Sending server begins MAIL transaction
Rec. Server queries DNSBLs for sending IP.
Rec Server sends 550 (permanent failure) error.
Rec. Server ends connection, leaving Sending mail server to deal with the 550 error.

Spamassassin using DNSRBL checks:
Connection opens
Rec. Server sends banner
Sending

I'll Do It One Better...

[Beefslaya]

Here is a link setups to build servers with postfix, amavisd, SpamAssassin, ClamAV, Razor (you could also use these settings just for postfix to add better spam resistance).

I not only am I the President, I'm a user.

http://www.freespamfilter.org/ [freespamfilter.org]

Enjoy...I love it...

A good RBL experience?

[autocracy]

I am aware there's definitely a fair number of over-zealous blacklists, but I've had an extremely good experience using cbl.abuseat.org as a blacklist source, and haven't encountered any false-positives while perusing my mail logs.

RBL-based rejection can be a BAD thing

[frostyboy]

Rejecting mail outright based on RBL results is an invitation for loads of false positives. If you're getting "1000s of messages per minute," chances are you are a large business or an ISP. Either way, your customers sending mail from foobaz.net (for example) won't be happy when their no longer gets through because some boneheads at spamcop or spamhaus put them on the RBL.

If you don't have the proper setup to accept that many messages and do adequate "tag-and-forward" spam analysis, or at least reject la

Re:

[Mr. Roadkill]

Let me just pipe in with my two cents worth. I'm the mail administrator at a University, and have been through all these arguments before.

Rejecting mail outright based on RBL results is an invitation for loads of false positives. If you're getting "1000s of messages per minute," chances are you are a large business or an ISP. Either way, your customers sending mail from foobaz.net (for example) won't be happy when their no longer gets through because some boneheads at spamcop or spamhaus put them on the RBL

Great guide, ... NOT

[xming]

There are more explaination on the postfix.org than this FA (fine article). Wisely using good RBL (for open proxies) and graylisting and some helo/header checks should reduce a lot of spam.

Greylisting + a bit more

[stabiesoft]

I use a combination of greylisting (10 mins for normal IP addresses and an hour for dynamically assigned IP addresses). I also do a very quick check on a few sender domains such as yahoo.com A "from" yahoo.com must be from a machine with .yahoo.com. If not, it is rejected. Works quite well with less than one spam per day. Given that yesterday had 466 spam's that got rejected, I'm pretty happy. I cannot recall anyone complaining they can't get in. Greylisting works really well because real mail servers try h

Re:

[Just Some Guy]

I also do a very quick check on a few sender domains such as yahoo.com A "from" yahoo.com must be from a machine with .yahoo.com. If not, it is rejected.

If by that you mean that you're using SPF [openspf.org] or similar, that's a great idea. If it means that you wrote your own code that does something like "if fromdomain != helodomain: reject()", then your system is pathologically broken and needs to be updated.

Re:

[Achromatic1978]

something like "if fromdomain != helodomain: reject()", then your system is pathologically broken and needs to be updated

Exactly. My dedicated server runs mail, too, and has a A record of hostx.isp.com. Though it handles mail for a dozen domains, all with SPF (and Sender ID) records, the number of bounces / drops I get from people who do this is scarily high.

Re:

[Just Some Guy]

Since everyone seems to be mis-interpreting... Nope, its not the "helo" I key on, it is a reverse DNS lookup of the sender's IP address. For a few (granted few, but some of the biggies like yahoo.com) the sender's IP address can be checked to make sure its from where you expect. yahoo.com comes from ???.yahoo.com If it does not, then it is spam.

To the contrary, it looks like we're interpreting you quite well.

Your system is broken - full stop. There are many, many reasons for an email to come from a s

sendmail tweaks

[ltjohhed]

A far more effective and less faulty way to filter out some spam can be done by using the new features added in sendmail 8.13.

FEATURE(`great_pause',5000)
That one is given in your .mc file.

Wait's 5000ms to say HELO (EHLO) and all MTA's starting to send data (spambots not being all that RFC-aware) before that is discarded.

I've measured that it atleast cuts 15-20% of the total amount of spam.
   

Shame the article is about Postfix.

[AltGrendel]

Ok, I recognize that you are probably trying to promote Sendmail. But for a variety of reasons, there are folks out there that can't or don't want to use Sendmail. I don't use Sendmail because I consider it overly complex. I use postfix and yes, I use the RBLs before it gets to SpamAssassin (gasp). If you tune it properly, it works just fine, thank you. Also the email list archives are extremely helpful in this matter, as is the list itself if you've done your homework first.

Re:

[KillerBob]

I don't use Sendmail because I consider it overly complex.

Please don't get the impression that I'm trying to evangelize you... but Sendmail used to be overly complex. More recent versions are actually pretty good from the configuration perspective, especially if you're using a binary distribution such as a slackpackage or deb package. It's really just a question of changing your sendmail.mc file, and compiling it. Copy to the right location, and restart Sendmail. Poof. It's done.

Enabling a RBL or RHBL in Se

Re:

[leighklotz]

It's FEATURE(`greet_pause',5000) not FEATURE(`great_pause',5000).
The previously-referenced Acme [acme.com] page mentions it.

Re:

[Shadowlore]

If you run a server that needs to handle a lot of email, and do so in a timely manner, this will hose you. if you run an enterprise environment where there are applicaitons (usually JavaMail based ones) that bork and die on this but are sending legitimate mail, this will hose you.

There are many legitimate applications that will die if you do this. To recommend this as a general solution is a mistake. Sure, we would all love it if the legitimate apps worked properly, but that isn't the real world. The real w

Monitor the results of your blacklists!

[reed]

Warning, I used to use RBLs to reject mail, but occasionally all of yahoo or somethnig gets added to a blacklist, and so mail from yahoo would start bouncing (including yahoo groups -- they really ought to use a seperate network for yahoo groups as their free webmail!). So instead of rejecting mail, I started just inserting a warning header, X-Spam-Blacklists:, which is easy to do with Exim. (I assume also with Postfix). Then I could filter the message in Thunderbird into a "probably spam" folder. You c

greylisting not all that useful.

[nblender]

To all you greylisters, I don't know what part of the interweb you're from but when I survey my spam, I find that great tracts of it come from zombies via their ISP's mail server which means greylisting is no longer effective. It was effective last year but I think you folks missed the boat. I moderate a mailing list for a popular open source operating system project that uses greylisting and I still get about 100 spam per day as owner-listname...

Spammers are having their zombies dig through the windows configurations to find the owners email relay and using that to send their spam. It's not that difficult and combats greylisting.

greylisting will always be useful

[wayne]

Greylisting will always be useful, at least to a certain degree. When you get email from an unrecognized source, one that you can't judge as being a source of legitimate email or if it is a spam source, greylisting lets the reputation systems like DNSBLs and DCC/Razor/etc. catch up. Also, good ISPs and mail admins have tools to watch for likely spam runs. Again, greylisting gives those tools time to act and purge the spam.

Sure, greylisting also gets rid of spam from spambots that don't retry email, an

Re:greylisting not all that useful.

[Just Some Guy]

Spammers are having their zombies dig through the windows configurations to find the owners email relay and using that to send their spam.

In other words, greylisting makes zombies relay spam through their ISP, forcing said ISPs to deal with the problem to keep their mailserver from being both overwhelmed and added to every DNS RBL in existence. In what possible way is this not a Good Thing?

Why I love slashdot

[Shadowlore]

Comment: (paraphrase)" X doesn't work because Y happens"
Rating: +5 "insightful"

Reply to above comment: "X works because Y happens"
Rating: +5 "insightful"

And neither post showed any actual insight; just observation.

Re:

[Greyfox]

It's not like any one single method will completely solve your spam problem. I'm using a combination of greylisting and SPF checking on my domains at home and a couple of spams a week get through to SpamAssassin. Thus far SpamAsssin has been giving me a 100% success rate at tagging the spams that do get through and a 0% false positive rate. Pretty good, I think.

Some words of wisdom

[bfree]

Here is an insightful blog posting from Justin Mason [taint.org] about using RBL's (and bl.spamcop.net in particular which this HOW-TO mentions) for filtering spam. You could see a staggering amount of false positives unless any rbl is only one part of a scoring system which decides whether a mail should be rejected.

Re:

[derF024]

I see a lot of people making this kind of association. "I used superaggressiveblacklist.com's list and all my mail got blocked! RBL's are a complete waste!" That's kind of thinking is just silly. There are hundreds of popular lists on the internet, and not all of them are as aggressive as that other list you used. I use list.dsbl.org and xbl.spamhaus.org on all the mail servers I run. I check mail logs regularly and inspect rejected messages for false positives, and haven't found one yet. Those two list

Re:

[Mr. Roadkill]

Spamassassin, unfortunately, does have false positives, so anything that spamassassin tags gets delivered with a 'possibly spam' header added.

Using the default scores?

I've got the scores tweaked somewhat, and we tag at 5 and reject at 15. RBLs (including ones we wouldn't reject on outright), URIBLs, Razor checks etc are all good for five points each. No PTR gets 10 (although that one's hacked together in our mimedefang filter). Try skewing the scores somewhat for tests that look super-spammy, and reject

More of this kind of thing

[stunt_penguin]

I for one, welcome our spamfighting overlords, and think that we should see more of this kind of thing on the front page of ./

Although we've got our share of trolls and fanboys ruining it for the rest of us, I daresay that there are at least a few slashdotters out there who could write guides at least as good as this on a number of geeky and related subjects and present them on the front page, in much the same vein as the original content presented in book reviews etc. It might even be worth paying the a

Filtering against dictionary spam

[knarfling]

At my last company, we had a big problem with spam. But because the company did some online marketing, there were people in our marketing department that WANTED to get some of the spam so they could see what tactics the competition was using. At one point our mail gateways were so clogged, mail was being delayed by up to 4 or 5 hours at our gateway.

We fixed the problem by having postfix discard any mail that was not addressed to a legitimate email account. We ran a script that would pull all valid email

Re:

[DrGalaxy]

Agree with parent.

I call this technique "early recipient rejection". As soon as the SMTP client sends "RCPT TO:" our postfix systems check a database list of valid recipients and drop the message immediately if it is not valid.

To set up early recipient rejection with postfix, read the docs about "check_recipient_access" and apply that directive to your "smtpd_recipient_restrictions" section in main.cf.

Another HOWTO that I'm biased toward

[Just Some Guy]

I wrote basically the same article [freesoftwaremagazine.com] a year ago for Free Software Magazine. We've been using this setup at my office for the last year, and it's been working perfectly - to the point that an upset coworker told me yesterday that she's received four spams last week and wondered if something was wrong.

Re:

[twistedcubic]

Dude! That five minute delay is genius! Once spammers get wind of it, they will probably change their methods (increaing spam traffic), but it seems highly effective for spammers of the "own a computer and spam as much as possible before getting noticed" ilk.

Re:

[Just Some Guy]

Dude! That five minute delay is genius!

I can't claim to have invented it, but I've been advocating it to everyone who will listen. We're rejecting over 90% of incoming mail with greylisting (as measured by the number of entries in the greylist database that never returned for the second attempt). An unexpected side effect is that SpamAssassin now rejects less mail than before because all of the "low hanging fruit" has already been filtered out, and because it has less data to feed into its Bayesian trai

There are better guides on the Postfix site.

[ThatDamnMurphyGuy]

The better place to looks is the Howtos and FAQs [postfix.org].

One of my favorites: http://jimsun.linxnet.com/misc/postfix-anti-UCE.tx t [linxnet.com]

Better way - bleed spammers dry

[QuantumFTL]

Martian Software has an interesting (if somewhat dated) piece on using statistics to cause spammers pain [martiansoftware.com]. Essentially it's a real-time spam filtering system that slows down messages according to how "spammy" they seem to be. For individual messages, a few seconds or more delay would cause little if any problems, but when sending millions of spams, this is a very big issue indeed.

Personally I'd like to make the spammers pay - in CPU cycles - using methods like this. Of course I'd rather beat them witha

What the heck are you talking about?

[Anonymous Coward]

You clearly have no understanding of how SpamAssassin works. Blacklists are only one of many negative as well as positive factors that SpamAssassin takes into account when evaluating whether a message is spam or not. You can adjust the score threshold to a level you're personally comfortable with.

I have 3 tiers, ham (non-spam), possible spam (that gets moved into my junk folder), and true spam (really high scores) that gets rejected at the mail server. Also, for anyone else running anti-spam software at

Re:

[Ucklak]

The problem I have, or maybe I haven't figured it out yet, is that 95% of spam (that we get) comes from RIPE and APNIC addresses that are using for hire SMTP servers. The other 5% is from zombie machines on charter.net, rr.com, and other ISPs in the US.

How can I just block out IP addresses instead of domain names without using an external firewall?

Re:

[slapyslapslap]

If you're running the mail servers for a business, how prudent is it to run a spam filter in the first place? While using something that relies on checking the content of the mail may be useful in getting rid of the most egregious spam, you don't want to block all items identified as spam. You can't run the risk of blocking your customers. Most start out thinking this way. Then they get so burried in spam that they start to think much differently. It CAN be done properly with minimal collateral dammage.

Re:RBLs and not getting your mail

[Ed Avis]

A good way to do it is to always send a rejection back to the sender with a reason why.

Um, and the 'sender' is who exactly? Please don't tell me you're using the From: address...

Re:

[Drachemorder]

If it's a valid business email and not spam, I'd expect that the "From:" address should be meaningful. Granted, spammers wouldn't have valid addresses in the "From:" field, but I don't care whether or not a spammer gets my "rejected" message. I only care about notifying the false positives, and a legitimate email should have a valid address to reply to.

Re:

[shadowmas]

You might not care if the spammer doesnt get your rejected message. i dont either, but i certainly do care if you're 'rejected' messages end up in my inbox just because some spammer used my email address as his 'From' address. do everyone a favour either reject any spam at the time you recieve it (via a smtp error code) or dont reject it at all. It would be almost the same as havng a open smtp server since spammers can use your server to send spam as backscatter.

Re:

[emurphy42]

No, no, the point is that spammers typically have someone else's valid addresses in the "From:" field, and then you end up spamming that someone else with the bounce message. Unintentional, sure, but you should still fix it (e.g. by checking SPF).

Re:

[Osiris Ani]

Granted, spammers wouldn't have valid addresses in the "From:" field, but I don't care whether or not a spammer gets my "rejected" message.

Actually, spam will rather often have a valid address in the "From" field. Unfortunately, it rarely ever has any true association to the originating spammer, but is instead usually simply yet another address culled from their list of potential recipients. Sometimes that address will even be yours.

As such, this practice to which you adhere actually makes you part of

That's what SPF is for.

[Medievalist]

If you implement SPF, SPF-aware mailers won't send you those reject messages. And for the most part, spammers will stop using your address in their From: fields, because it decreases their spam's penetration.

Don't confuse SPF with Microsoft's fake "sender-ID" crap, though. That's essentially useless, you want SPFv1 aka "SPF classic", then DKIM as soon as it's ready.

Worked for me...

Re:

[Ed Avis]

Suppose your normal mail is 90% spam and 10% legit (a pretty reasonable figure if your address is published on the web; my mail is two orders of magnitude worse than that). Then suppose that your spam filter is 90% accurate, in that it tags 90% of spam as spam, and only tags 10% of legitimate mail as spam. (Again, real spam filters usually have much lower false positive and false negative rates than this, after a bit of training.) Then for every one genuine 'rejected' message you send out, you'll send 81

Re:

[farnz]

If you're running sensibly, your server does the spam checking *before* returning the final 2xx result at end of data. Thus, once you discover that the mail's spammy, you give the server that's sending mail your way a 5xx result, and let it handle sending a bounce mail to the sender. Spam senders tend to just drop mail on 5xx codes, so you've not lost anything.

That way, your mail server never sends bounces. If a server delivering mail to you starts sending backscatter bounces, it's their problem, and they

Re:RBLs and not getting your mail

[grasshoppa]

If you're running the mail servers for a business, how prudent is it to run a spam filter in the first place? While using something that relies on checking the content of the mail may be useful in getting rid of the most egregious spam, you don't want to block all items identified as spam. You can't run the risk of blocking your customers.

New to the business? You don't block anything in this situation; You mark it with a header ( that's part of the email message that you would likely never see. Most mailers won't display them unless you ask it specifically to do so ), and leave the blocking/filtering up to the end user.

For my uses, I have spamassassin running with a couple RBLs ( both in house and external ). I don't delete any mail; It is instead redirected to a specific folder when it's identified as spam. Over the past 6 months spam has made it into my inbox twice, and i've had no false positives.

If you know what you are doing, this is the ideal solution.

RBLs are notorious (especially SpamAssassin) for blacklisting entire domains when only a small subset of those users are actually sending spam.

Uh, no they aren't. Spamassassin isn't an RBL.

There are a few RBLs that are notorious for their blocking behavior, and as such, few use them.

If you're running your own mail server at home, then a whitelist would probably be more useful than a blacklist since you already know who you want to contact you.

I'd agree with this; Automated whitelists are the way to go.

But you gotta hand it to the Unix folks for making the task of setting up a spam filter this difficult.

It's only difficult when you don't understand the process.


I am curious how difficult it would be to set up a spam filter on an Exchange server.

Curiously enough, most of the time I hear people recommending placing a spamassassin enabled email server in front of an exchange server if you want decent spam protection.

Overall, I'd give your post a 9/10 on the troll scale. It wasn't bad, had factual data twisted in such a way as to be completely false. I even bit, not to argue with you but to make sure innocents don't read your post and get confused.

Re:

[Amouth]

I agree with the spamassassin box in front of the exchange server.

for my work domain. I have two virtual slackware boxes running that do nothing but take mail clamav and spamassassin and then forward it to exchange.. we get about 1-2 messages a second per box and most of them are spam - exchange is a very nice work group server and the integration between outlook - mobile devices and OWA is quite nice - it has it's issues and security holes but I find that using linux spam filters and having exchange only

Re:

[otisg]

But how do you know you didn't get any false positives? You could know that only if you examined every single email marked as spam. Did you really do that? If so, then what is the point of running spam filters? The whole problem is that spam consumes our time, and thus we want to get rid of it without ever seeing it. We don't want to monitor our spam filters.

Re:

[Pollardito]

it actually is easier to clean up spam when you have the likely candidates sorted into their own folder. even if you're still looking at each header/sender before deleting it, you're ahead of the game because you're not working in a mixed mode (opening some and acting on them, deleting others) when dealing with spam or dealing with regular mail.

Re:

[grasshoppa]

But how do you know you didn't get any false positives? You could know that only if you examined every single email marked as spam. Did you really do that?

Two reasons;

1) In my environment,if I don't acknowledge an email I get follow ups from the person until I do. I have never come across a situation where their email has been in the spam folder.

2) I glance at my spam folder on occation ( about once a week ). I look at the senders and the subjects. Takes me a minute ( usually less ).

If so, then what is

Re:

[ajs]

New to the business? You don't block anything in this situation; You mark it with a header ( that's part of the email message that you would likely never see. Most mailers won't display them unless you ask it specifically to do so ), and leave the blocking/filtering up to the end user.

Most businesses do not do this. Most use a spam-filtering appliance that uses a very conservative blacklist (often run by the appliance provider in conjunction with a service contract), fingerprinting and some heuristics to as

Re:RBLs and not getting your mail

[Philosinfinity]

If you're running the mail servers for a business, how prudent is it to run a spam filter in the first place? While using something that relies on checking the content of the mail may be useful in getting rid of the most egregious spam, you don't want to block all items identified as spam. You can't run the risk of blocking your customers.

The firm that I work for gets something like 160,000 emails from external sources a day. Roughly 10% of these are legitimate. How prudent is it to force users to sift through 90% crap in order to get to the legitimate 10%. Currently, we use Postini as our primary MX host. They forward legitimate messages directly to our Exchange server, filter out 100% guaranteed spam, and drop the remainder into a quarantine that we check every few hours. Basically, all I am getting at is that spam filtering is necessary for enterprise environments and that there are actually some good tools to acheive it.

Re:

[MadMidnightBomber]

If you're running the mail servers for a business, how prudent is it to run a spam filter in the first place? While using something that relies on checking the content of the mail may be useful in getting rid of the most egregious spam, you don't want to block all items identified as spam. You can't run the risk of blocking your customers.

The firm that I work for gets something like 160,000 emails from external sources a day. Roughly 10% of these are legitimate. How prudent is it to force users to sift t

Re:

[John Fulmer]

Okay. I'll bite.

> If you're running the mail servers for a business, how prudent is it
> to run a spam filter in the first place?

Many businesses feel that they have a responsibility to block a certain amount of spam, especially porn spam.

> RBLs are notorious (especially SpamAssassin) for blacklisting entire
> domains when only a small subset of those users are actually
> sending spam.

Um.... SpamAssassin != a RBL. It is a spam filter that uses multiple algorithms to try to identify spam. RBL's ar

Re:

[TFGeditor]

For our U.S.-based business, we simply blacklist all email from IP addresses outside the U.S. and Canada. We do not do business with any foreign interests, so we receive no legitimate email from other countries. This cuts our spam load by about 70 percent.

The other thing is to blackhole email that the domain name in the From field (e.g. comcast.net) does not match the sending IP. This reduces spam (which invariably has a fake From address) by another 20 percent. Whatever gets past these is handled at the lo

Re:

[secolactico]

The other thing is to blackhole email that the domain name in the From field (e.g. comcast.net) does not match the sending IP

I don't think this is very wise. What about hosted virtual domains? Maybe my email domain is mydomain.com but my mail server's PTR is mail.provider.com.

I have found that making sure PTR and A match cuts a lot of incoming spam from dynamic addresses.

Re:

[mhollis]

For our U.S.-based business, we simply blacklist all email from IP addresses outside the U.S. and Canada. We do not do business with any foreign interests, so we receive no legitimate email from other countries. This cuts our spam load by about 70 percent.

Increasingly, businesses in the US and Canada will find it impossible to do this (depending one one's business). The economy and business is global and, as time goes forward most non-local industries will need to be able to communicate across national

Re:RBLs and not getting your mail

[raddan]

We block somewhere around 200k spam emails a day. And we have a very similar setup sitting in front of our Exchange server. The kinds of things we can do with Postfix simply aren't possible with Exchange, and once we learned the ins and outs of Postfix, we found it to be easier to use than Exchange. For one, Postfix has real documentation [postfix.org]. Not to mention that the main developer posts regularly on the mailing list. Ever talk to MS's corporate support people for Exchange? Exchange is so huge and complex no one person knows the entire program. Postfix is a model of simplicity by comparison.

Re:RBLs and not getting your mail

[just_another_sean]

As someone who uses Exchange I can say that setting spam filtering up is easy. You can use RBLs or not. You can set thresholds that let a lot in or block a lot with many false positives. If you're worried about losing business mail then you can configure it to be safe about that and never outright refuse or delete mail.

But I don't like it because once you check the boxes, set the sliders and press OK, that's it. Unless you then get into scripting or third party products or any other solutions I can't think of you don't get to customize it any further. In other words, at that point, if you want more, it's just like Unix. I've never worked with any but can't you buy Sendmail or OpenExchange and get a lot of the point and click stuff for free too? And for a lot less then the dragon's horde a small business spends on MS Exchange?

One last thing to mention, we feel the same way as you about losing a customer's mail. So our users don't get anywhere near the spam they used to but the IT Admin that works for me spends anywhere from an hour to two a day checking the spam filter to see what gets tagged. Whitelisting? So far we found a few half ass solutions in forums that for various reasons don't do exactly what we need.

All in all, like most Window's based solutions in my experience, Exchange is easy to set up, hard to customize. We're working on a OpenBSD solution [flakshack.com] as a front end in our spare time. Hopefully we can get it to get the worst of the spam and then set Exchange to be a lot more lax when it gets in... Anything that keeps us from checking the spam filter all day.

Re:

[Tweekster]

Basically, most businesses are willing to lose one email that is important if it means saving hours a week...Because anyone I have dealt with in business, understands the fact that email is not a reliable form of communication. They follow up with a call if they send something critical.

99% means losing one legit email per 100, in all likelyhood it wasnt important,

I use ASSP, automatic whitelists are built as people send emails so email has become useable for my organization. They understand if an email is

Re:

[cortana]

Spamassassin is far more accurate at classifying spam than humans. You will lose less mail if you let Spamassassin do the job.

Re:

[misleb]

If you're running the mail servers for a business, how prudent is it to run a spam filter in the first place? While using something that relies on checking the content of the mail may be useful in getting rid of the most egregious spam, you don't want to block all items identified as spam. You can't run the risk of blocking your customers.

Well, the sender should get a notification if a message was blocked by an RBL. Same can be done with SpamAssassin+Amavisd. Send a bounceback for low scored spam and drop