From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: Sun Sep 01 2002 - 12:27:37 CDT

    I'm using pcre. In main.cf:
    body_checks = pcre:$config_directory/body-checks.pcre

    These are the last checks I do, because they're the most "expensive" (in
    terms of CPU.) So the end of main.cf looks like this:
    # Anti-relay and anti-spam stuff
    smtpd_junk_command_limit = 5

    maps_rbl_domains =
            dynablock.wirehub.net,
            blackholes.wirehub.net,
            dialups.relays.osirusoft.com,
            spamhaus.relays.osirusoft.com,
            relays.ordb.org,
            socks.relays.osirusoft.com,
            proxies.relays.monkeys.com

    smtpd_recipient_restrictions =
            permit_mynetworks
            reject_unauth_destination
            check_client_access hash:$config_directory/access
            check_sender_access hash:$config_directory/access
            reject_unauth_pipelining
            reject_non_fqdn_sender
            reject_non_fqdn_recipient
            reject_unknown_sender_domain
            reject_maps_rbl
            permit

    header_checks = pcre:$config_directory/header-checks.pcre
    body_checks = pcre:$config_directory/body-checks.pcre

    (Most of what's in those files is virus blocks, not spam blocks.)

    Pcre files are just flat text files using pcre (see
    /etc/postfix/README_FILES/PCRE_README and
    /etc/postfix/samples/sample-pcre-body.cf as well as man pcre, and don't
    forget to compile Postfix with support for pcre.)

    Most of the spam is bounced by the rbls. A smaller percentage is
    dropped by the access list (I only use that for spammers that use the
    same domain.tld all the time.) And every once in a while, the body
    checks catch one. Today, I bounced one because of the |good\sporn|
    filter. I've moved most of the domain.tld stuff to the access list,
    because it's faster and you can reject the mail. The ones left in body
    checks are ones that appear in the body of messages with consistently
    forged headers (like extremewebcam.) Header and body checks have to
    accept "DATA" before they can work.

    And BTW, I picked up almost *all* of this right here on this list, with
    the help of people like Ralf Hildebrandt and Eric (Cybertime Hostmaster)
    and Noel Jones and Gary Woods and Clifton Royston. Some I shamelessly
    ripped off from our postmaster, Amos Gouaux, and a very small percentage
    (the body checks) I created myself based on my "spam collection" and
    what was making it through the gauntlet of other checks.

    Paul Schmehl (pauls@utdallas.edu)
    Project Coordinator
    University of Texas at Dallas
    http://www.utdallas.edu/~pauls/
    AVIEN Founding Member

    > -----Original Message-----
    > From: Patrick McKane [mailto:pmckane@caseinc.net]
    > Sent: Sunday, September 01, 2002 12:10 PM
    > To: postfix-users@postfix.org
    > Subject: RE: Using blacklists and RBL's with Postfix
    >
    >
    > Do you build a .db with this? How do you incorporate it into
    > the main.cf?
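The pcre table format and the per-line, first-match semantics of body_checks that the reply describes can be exercised offline. The following is an added example, not the poster's configuration and not Postfix code: it parses a constructed body-checks.pcre table (the rules and reject texts are made-up samples, including the |good\sporn| and extremewebcam patterns mentioned above) and applies it to constructed body lines, using Python's re module as a stand-in for the PCRE library. It assumes Postfix's documented rule behaviour: matching is case-insensitive unless the i flag toggles it, !/pattern/ negates, and DUNNO falls through to the next rule.

```python
import re
# Constructed body-checks.pcre table: "/pattern/flags action text", one rule per line.
BODY_CHECKS_PCRE = r"""
# constructed sample rules, not a real ruleset
/^X-Debug-Marker:/          DUNNO
/good\sporn/                REJECT Matched body spam pattern
/extremewebcam/             REJECT Known spam domain in message body
/\.(exe|scr|pif)"?$/        REJECT Possible virus attachment name
/FREE MONEY/i               WARN Shouting spam phrase (case-sensitive rule)
"""
RULE_RE = re.compile(r'^(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s+(\S+)\s*(.*)$')

def parse_pcre_table(text):
    """Return [(negated, compiled_regex, ACTION, text)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        negate, pattern, flags, action, msg = m.groups()
        # Postfix pcre tables match case-insensitively by default and the
        # 'i' flag *toggles* that, so /FREE MONEY/i is case-sensitive.
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((negate == '!', re.compile(pattern, re_flags), action.upper(), msg))
    return rules

def check_body_line(rules, line):
    """One body line: the first matching rule's action decides, except
    DUNNO, which pretends there was no match and tries the next rule."""
    for negated, rx, action, msg in rules:
        if bool(rx.search(line)) == negated:  # rule did not hit
            continue
        if action == 'DUNNO':
            continue
        return action, msg
    return None, ''

def check_body(rules, body_lines):
    """Whole body, scanned line by line after DATA as Postfix does: REJECT,
    DISCARD or HOLD on any line decides the message; WARN only logs."""
    for line in body_lines:
        action, msg = check_body_line(rules, line)
        if action in ('REJECT', 'DISCARD', 'HOLD'):
            return action, msg
    return 'OK', ''
```

Because the table is only consulted after DATA, every message that reaches it has already cost a full body transfer, which is why the reply moves simple domain.tld matches to the access map where the client is rejected at RCPT TO.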