From: mouss (mlist.only free.fr)
Date: Tue Jul 03 2007 - 11:36:18 CDT
Joey wrote:
>
> Hello All,
>
> As I’m sure everyone here does, we try to battle the overwhelming spam
> situation daily. Now I’m trying to figure out, after several years of
> rules, filters, lists and other crazy methods to battle the spam, what
> rules have become stale or what lists are outdated ( inhouse lists ).
> I do use pflogsumm and get some information from that, however it’s
> not accurate enough per se to ensure that I’m not just dumping a
> bunch of cpu cycles in the garbage.
>
> I know I am aggressive in comparison to some people on the list with
> my battle style, and we are pretty successful in blocking a TON of spam.
>
> Our servers are pretty small in comparison to some of the bigger
> groups here on the list, but we blocked 4.9 million messages last
> month, delivering about 473K messages which unfortunately still
> contain spam. My problem is, as the email volume increases, filter
> lists/values grow and create a pretty big overhead, eventually bringing
> the system to a crawl on a busy day. ( Dual Xeon 2.4 server).
>
> I have written many small scripts which help me manage and distribute
> my filters to our 3 servers, and in that have made efforts to document
> reject messages etc.
>
The issues are:
- if a rule causes too many FPs, then it should not be used (or be used to put the message in a quarantine that can still be reviewed by the recipient)
- if a rule improves the catch rate by a ridiculous amount with a risk of false positives, then a "hit delete" may be better
- if a rule requires too much maintenance, it probably isn't worth the pain...

I recommend that you use "safe" rules (see below) and put yours at the
end of your restrictions. This will show you if your rules really
improve your situation.
example (quickly typed, so order is possibly not optimal)

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_recipient
    reject_unlisted_sender
    reject_rbl_client zen.spamhaus.org
    reject_invalid_hostname
    reject_unknown_sender_domain
    # reject forged helo (mine or big ISP...)
    check_helo_access ${helo_access_map}
    # reject if sender MX points to bogus IPs
    check_sender_mx_access ${sender_mx_access_map}
    # aggressive check, warn instead of reject
    warn_if_reject reject_non_fqdn_hostname
    # greylist if rdns looks dynamic
    check_client_access pcre:/etc/postfix/dynlike_client_access
    # greylist if tld is rare in legitimate mail to/from our domain
    check_client_access pcre:/etc/postfix/client_tld_access
    ...
    # put your checks here
> I have rules like these:
>
> Client_access:
>
> gdynia.mm.pl 550 SPR-CA2-gdynia.mm.pl
>
> kabelbw.de 550 SPR-CA2-kabelbw.de
>
> versanet.de 550 SPR-CA2-versanet.de
>
> inter.net.il 550 SPR-CA2-inter.net.il
>
> ( spr for me means spam relay )
>
Check if these are listed in a DNSBL. You may use spamcop (possibly with
a tempfail by tuning rbl_reply_maps).
> Header_checks:
>
> /^(To|From|Cc|Reply-To):.*uu02\.com/ REJECT Header TFCR 1999
>
> /^Subject:.*COMPLETE CREDIT CARD/ REJECT SubJect Rejected
>
> /^X-Mailer: MaxBulk.Mailer/ REJECT Spam Mailer Program 117
>
I doubt these would catch enough spam. SpamAssassin is better at these games.
> Body_checks:
>
> Gets built from a huge list of domains that advertise in email, we put
> multiple domain names on a line in order to make the processing time
> less, and we identify each line with a different number so we can
> figure out what domain name caused the reject like below.
>
> /\b(?:(?:\=[[:xdigit:]]{2})+|:\/\/||=40|\.)?(?:zzzworldmeds(?:\.|=2e)com)\b/ REJECT CONTENT REJECTED-LINED1583
>
> At the firewall level:
>
> We use CIDR block lists updated daily which then update small db’s.
> and we document that like so:
>
> Jul 3 10:30:54 saturn kernel: SPAM-BLOCK-CIDR-ASIAN IN=eth0 OUT= MAC=00:03:47:c9:87:40:00:e0:1e:cd:e1:23:08:00 SRC=124.160.91.223 DST=108.234.15.17 LEN=52 TOS=0x00 PREC=0x00 TTL=51 ID=22358 DF PROTO=TCP SPT=8872 DPT=25 WINDOW=58944 RES=0x00 SYN URGP=0
>
> We do things like freemail_access, versign_hijack and just a ton of stuff.
>
> My dilemma is how can I measure what’s a waste and what’s worth keeping.
>
> Though pflogsumm is great, it doesn’t really tell me that body_checks
> works great for 400 domains but the other 32K domains in the list are
> a waste or that header checks is a waste of time etc.
>
> Yes, all of these do get blocks, the combination makes the whole
> thing work pretty well, but what methods can I use to figure out how
> to value what I’m doing?
>
> For those of you that are thinking, all those small scripts and all
> that maintenance is a lot of work, and it’s some work however once
> everything is in place it’s not that bad. And yes it’s aggressive but
> imagine that pflogsumm says 2 out of 3 servers are blocking 89% of the
> messages and I personally still get over 20 junk messages a day, and
> still have clients complaining about SPAM regularly.
>
> So the main question is still how do I weigh everything I am doing and
> cut out the waste, so that we can add newer methods and not crash our
> server. I’m sure many of you deal with this as well, and I figured
> someone would have some ideas…
>
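The question in this thread is how to tell which restriction, access map, header_checks or body_checks line actually earns its keep, which pflogsumm does not break down per rule. The script below is an added example, not code from mouss, Joey or the Postfix project: it parses the Postfix 2.x smtpd/cleanup "reject:" and "reject_warning:" log formats and the netfilter "SPAM-BLOCK-CIDR-*" prefix shown in the thread, and tallies hits per rule label. Rule labels such as "check_client_access: SPR-CA2-kabelbw.de" come from the reject text each rule carries, so a distinct reject text per access-map line or body_checks line (as Joey already does with LINED1583) is what makes the count attributable. The log lines in SAMPLE_LOG are constructed for the example; the host names, queue ids and addresses are placeholders.

```python
"""Tally Postfix and netfilter spam rejects per rule (added example)."""
import re
import sys
from collections import Counter

# Constructed sample log lines (not taken from the original thread).
SAMPLE_LOG = """\
Jul  3 10:30:54 saturn kernel: SPAM-BLOCK-CIDR-ASIAN IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=8872 DPT=25 SYN
Jul  3 10:30:55 saturn kernel: SPAM-BLOCK-CIDR-ASIAN IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=25 SYN
Jul  3 10:30:56 saturn kernel: SPAM-BLOCK-CIDR-LATAM IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=1026 DPT=25 SYN
Jul  3 10:31:02 saturn postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 Service unavailable; Client host [203.0.113.7] blocked using zen.spamhaus.org; from=<a@example.net> to=<u@example.org> proto=ESMTP helo=<pc7>
Jul  3 10:31:03 saturn postfix/smtpd[4011]: NOQUEUE: reject: RCPT from unknown[203.0.113.8]: 554 5.7.1 Service unavailable; Client host [203.0.113.8] blocked using zen.spamhaus.org; from=<b@example.net> to=<u@example.org> proto=ESMTP helo=<pc8>
Jul  3 10:31:04 saturn postfix/smtpd[4012]: NOQUEUE: reject: RCPT from host1.kabelbw.de[203.0.113.9]: 550 5.7.1 <host1.kabelbw.de>: Client host rejected: SPR-CA2-kabelbw.de; from=<c@example.net> to=<u@example.org> proto=ESMTP helo=<host1>
Jul  3 10:31:05 saturn postfix/smtpd[4012]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 450 4.1.8 <d@nxdomain.invalid>: Sender address rejected: Domain not found; from=<d@nxdomain.invalid> to=<u@example.org> proto=ESMTP helo=<pc10>
Jul  3 10:31:06 saturn postfix/smtpd[4013]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.11]: 504 5.5.2 <pc11>: Helo command rejected: need fully-qualified hostname; from=<e@example.net> to=<u@example.org> proto=ESMTP helo=<pc11>
Jul  3 10:31:07 saturn postfix/cleanup[4020]: 1A2B3C4D5E: reject: body http://www.zzzworldmeds.com/ from unknown[203.0.113.12]; from=<f@example.net> to=<u@example.org> proto=ESMTP helo=<pc12>: CONTENT REJECTED-LINED1583
Jul  3 10:31:08 saturn postfix/cleanup[4020]: 1A2B3C4D5F: reject: header X-Mailer: MaxBulk.Mailer from unknown[203.0.113.13]; from=<g@example.net> to=<u@example.org> proto=ESMTP helo=<pc13>: Spam Mailer Program 117
Jul  3 10:31:09 saturn postfix/smtpd[4014]: 2B3C4D5E6F: client=mail.example.com[198.51.100.20]
"""

# smtpd restriction results: "reject:" is a real reject, "reject_warning:"
# is what warn_if_reject logs instead of rejecting.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: \S+: (?P<kind>reject|reject_warning): RCPT from "
    r"(?P<client>\S+): \d{3} [\d.]+ (?P<reason>.*?); from=<"
)
# cleanup(8) logs header_checks/body_checks REJECT hits; the reject text
# configured on the rule line is the last ": "-separated field.
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: \S+: reject: (?P<where>header|body) .* from \S+; "
    r".*: (?P<text>.+)$"
)
# netfilter LOG target with a per-list prefix, as in the thread.
KERNEL_RE = re.compile(r"kernel: (?P<chain>SPAM-BLOCK-\S+) .*\bSRC=(?P<src>\S+)")


def classify_smtpd(reason: str) -> str:
    """Map the free-text smtpd reject reason back to the restriction that fired."""
    if " blocked using " in reason:
        # reject_rbl_client: the DNSBL name follows "blocked using"
        return "reject_rbl_client " + reason.split(" blocked using ", 1)[1].split()[0]
    for marker, label in (
        ("Client host rejected: ", "check_client_access: "),
        ("Helo command rejected: ", "helo restriction: "),
        ("Sender address rejected: ", "sender restriction: "),
        ("Recipient address rejected: ", "recipient restriction: "),
    ):
        if marker in reason:
            # access-map hits carry the map's own reply text, e.g. SPR-CA2-...
            return label + reason.split(marker, 1)[1]
    if "Relay access denied" in reason:
        return "reject_unauth_destination"
    return "other: " + reason


def tally(lines):
    """Return (rejects, warnings) Counters keyed by rule label."""
    rejects, warnings = Counter(), Counter()
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            label = classify_smtpd(m.group("reason"))
            (warnings if m.group("kind") == "reject_warning" else rejects)[label] += 1
            continue
        m = CLEANUP_RE.search(line)
        if m:
            rejects[f"{m.group('where')}_checks: {m.group('text')}"] += 1
            continue
        m = KERNEL_RE.search(line)
        if m:
            rejects["firewall " + m.group("chain")] += 1
    return rejects, warnings


def report(rejects, warnings) -> str:
    """Format the tallies as a table sorted by hit count, busiest rule first."""
    out = ["hits  rule"]
    for label, n in rejects.most_common():
        out.append(f"{n:5d} {label}")
    out.append("\nwould-have-rejected (warn_if_reject):")
    for label, n in warnings.most_common():
        out.append(f"{n:5d} {label}")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python tally.py < /var/log/mail.log  (falls back to the sample)
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    print(report(*tally(src)))
```

Two things fall out of the table that pflogsumm's summary hides: a body_checks or client_access line whose reject text never appears over a month is dead weight that costs CPU on every message, and the warn_if_reject section shows what an aggressive rule would have blocked before it is allowed to reject for real. Because smtpd stops at the first restriction that rejects, a rule placed after the "safe" ones in mouss's list only gets credit for mail those did not already catch, which is exactly the marginal value the question asks for.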