Journal greginnj's Journal: Email Filtering

How I do it
(Score:2)
by SCHecklerX (229973)
on Wednesday December 21, @11:30AM (#14309742)
(http://freefall.homeip.net/)
Mimedefang + Spamassassin + Sendmail configs. Why use the CPU cycles to analyze email for spam, when you can outright discard most of the stuff right away (milters kick ass in this respect...no need to receive the whole message. First sign of trouble, and BLAM! It's rejected :)

In Sendmail:

1. Enable greet pause
FEATURE(`greet_pause', `1500')dnl
2. Enable bad receipt throttling
define(`confBAD_RCPT_THROTTLE',`3')dnl
3. Obviously, enable privacy flags
define(`confPRIVACY_FLAGS', `goaway,restrictmailq,restrictqrun')dnl
dnl define(`confTO_QUEUEWARN', `4h')
4. And of course, set up your mimedefang filter
INPUT_MAIL_FILTER(`mimedefang', `S=unix:/var/spool/MIMEDefang/mimedefang.sock, F=T, T=S:360s;R:360s;E:15m')

In your mimedefang script in the filter_sender subroutine:

1. reject anything in the spamhaus sbl-xbl list.
2. reject from any server that sends a helo that is not a FQDN (just look for a '.' in the name, is all I do...spam software is stupid and helos with single words).
3. reject anything that helos with your own mail server or domain name.
4. reject anything that helos with rfc1918 addresses.

In spamassassin:

1. most defaults are good. Make sure you enable the blackhole checks.
2. configure an account on your server called 'spam'. Use procmail to write a recipe that will send anything you forward to that account to your bayes spam database.
3. make sure that only you can send to the 'spam' account using filter_recipient in mimedefang.
4. do the same with a 'notspam' local account to fix anything that gets mistakenly flagged. You should use sane settings for discard vs. put in a folder for manual analysis.

Optionally, add milter_greylist to the mix. Greylisting REALLY cuts down on the traffic sent to your servers and hits spammers where it hurts...requiring them to use THEIR resources to queue temp-failed messages.

some stats from my current mail log (home server, not huge volume, but I use the same methods at work with great success). The current log is for Dec 18 - 21.

$ grep -i spamhaus /var/log/maillog | wc -l
354 (rejected for being on the sbl/xbl list)
$ grep -i misconfigured /var/log/maillog | wc -l
32 (rejected for having bad helo)
$ grep 'You are NOT' /var/log/maillog | wc -l
79 (rejected for pretending to be my server in the helo)
$ grep -i 'send to this address' /var/log/maillog | wc -l
8 (people not on one of my mail lists trying to send to the list)
$ grep -i spamdiscard /var/log/maillog | wc -l
115 (stuff analyzed and found likely enough to be spam to be dropped)
$ grep spam /var/log/maillog | wc -l
145 (stuff that was flagged as spam, but not automatically discarded)

So, you can see that of 733 spammy messages in ~3 days, only 260 had to actually be analyzed by spamassassin. In the case of rejections, the sender is notified, so if they are *not* a spammer, they can contact you to resolve their misconfiguration. I reject on the spamhaus lists, and no others, because it is very easy to remove yourself from those lists if you find yourself on them for some reason. The other lists are used in scoring, however, when spamassassin does its thing.
--
Replace slshdt with slashdot to email me
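The HELO rules in the post's filter_sender section (a name must contain a '.', must not be your own server or domain name, and must not be an RFC 1918 address) are easy to get subtly wrong, for instance by rejecting a legal public address literal like "[203.0.113.9]". Below is an added example, not the poster's MIMEDefang filter: the real hook is filter_sender() in mimedefang-filter and is written in Perl; this Python only models the accept/reject decision so the rules can be run over sample inputs. The host names in OWN_NAMES and the SAMPLE_HELOS list are constructed for the example. The "You are NOT ..." wording is borrowed from the post's own log grep so the output lines up with the stats shown.

```python
"""HELO/EHLO sanity checks modelled on rules 2-4 of the post.

Added illustration only. The poster's actual logic lives in MIMEDefang's
filter_sender() (Perl); this file re-states the decision in Python.
"""
import ipaddress
import re

# Constructed: the names this MX answers to (rule 3 rejects a HELO equal to one).
OWN_NAMES = frozenset({"mail.example.com", "example.com"})

# RFC 1918 ranges (rule 4). Loopback is added because no remote host can
# legitimately claim it either; that addition is this example's choice.
BOGUS_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
)

# RFC 2821 address literal: "[1.2.3.4]" or "[IPv6:...]".
_LITERAL = re.compile(r"^\[(?:ipv6:)?([0-9a-f.:]+)\]$", re.IGNORECASE)


def _as_address(helo):
    """Return an ip_address if HELO is an address literal or a bare IP, else None."""
    m = _LITERAL.match(helo)
    candidate = m.group(1) if m else helo
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        return None


def check_helo(helo, own_names=OWN_NAMES):
    """Return ('CONTINUE', '') or ('REJECT', reason), the shape filter_sender returns.

    Rule 2: a host name must contain a '.' (the post's cheap FQDN test).
    Rule 3: a HELO equal to one of our own names is forged.
    Rule 4: a HELO giving an RFC 1918 address cannot be a reachable host.
    A *public* address literal is legal and is allowed through.
    """
    name = helo.strip().lower()
    if not name:
        return ("REJECT", "Misconfigured client: empty HELO")

    addr = _as_address(name)
    if addr is not None:
        if any(addr in net for net in BOGUS_NETS):
            return ("REJECT", "Misconfigured client: private address %s in HELO" % addr)
        return ("CONTINUE", "")

    if "." not in name:
        return ("REJECT", "Misconfigured client: HELO '%s' is not a FQDN" % name)
    if name in own_names:
        return ("REJECT", "You are NOT %s" % name)
    return ("CONTINUE", "")


# Constructed sample HELO arguments, one per case the rules must handle.
SAMPLE_HELOS = [
    "mx1.partner.example.net",  # ordinary FQDN: accepted
    "localhost",                # single word: rule 2
    "mail.example.com",         # claims to be us: rule 3
    "192.168.0.5",              # bare RFC 1918 address: rule 4
    "[10.1.2.3]",               # RFC 1918 address literal: rule 4
    "[203.0.113.9]",            # public address literal: accepted
]


def tally(helos):
    """Count outcomes over a list of HELOs; returns {'CONTINUE': n, 'REJECT': m}."""
    counts = {"CONTINUE": 0, "REJECT": 0}
    for h in helos:
        counts[check_helo(h)[0]] += 1
    return counts


if __name__ == "__main__":
    for h in SAMPLE_HELOS:
        action, reason = check_helo(h)
        print("%-26s -> %s %s" % (h, action, reason))
    print(tally(SAMPLE_HELOS))
```

Because the check runs at HELO/MAIL FROM time, a rejection costs only the envelope exchange rather than the whole message body, which is the milter advantage the post describes. A public address literal is deliberately left alone: rejecting it would bounce legitimate hosts that have no reverse DNS, so the only address-based rejection is for ranges that cannot reach you in the first place.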
