HOWTO: Spam control for POSTFIX

[edge]

Quote:

Originally Posted by crypted

And you're getting it many times? Both of them many times, daily? Or, just one?

You could remove the scripts from the rsyslog and put them as crontabs around 530am. Rsyslog rotates around 6am I think, check timestamps in your log dir for gz's and stuff.

If the cronjob only sends it once, then at least it's narrowed down to rsyslog or a multiple mail.log entry elsewhere causing a loop or something.

If cronjob sends it multiple times, there's an error in the script..

Okay I've changed Rsyslog to it's original state. If I want to setup a cronjob, what scripts do I need to run?
Only the two scripts?

Quote:

/usr/local/sbin/postgrey_stats.sh > /dev/null
/usr/local/sbin/postfix_report.sh > /dev/null

[crypted]

Just those two scripts, yes.

Actually, the postgrey script isn't extremely necessary unless you're just wanting to see what it's doing/has done over the past day specifically. The other script will mention greylisting as well as other methods and their rates.

I quit using both scripts after about two weeks because it was so successful. Didn't need mailbox clutter showing me how well it was cleaning up other clutter!

[crypted]

I would recommend removing ", reject_rbl_client multihop.dsbl.org" from your Postfix main.cf. It has been fully deactivated and will cause a second delay (not much) right now. Should its DNS be dropped entirely, might be a big staller.

[Rupert]

HI,

is there any chance to enbable/disable greylisting for each mailbox/domain?

I guess it would work by adding each mailbox to the postgrey whitelist file,
but is there a plugin for ispconfig to do this.?


greetings

[crypted]

No plugin for ISPC3 is available at this point.

But, just edit "/etc/postgrey/whitelist_recipients" and add the mailboxes you wish to exclude.

For example, if you want to exclude "abuse@domain.com" add that exact email address. Or, if you want to exclude all abuse emails on every domain, just add "abuse@" to the file.

It's one email address per line.

[Turbanator]

crypted:

Have you seen the following and what do you think of implementing in addition?

http://www.wbitt.com/my-howtos/150-t...ig-server.html

http://www.howtoforge.com/postfix_spf

[crypted]

Before I give much of a response, are you still having SPAM issues?

I literally have 99.8% spam filtration.

The reason for asking is that the more things we stick into our spam filtering plan, the more load the server will have in handling all incoming mail and the increased risk of delivery delays for time sensitive traffic on production systems.

[Turbanator]

I do have a lot of spam still but much less than before.

One note though...I never implemented your spam email honey pot trick which I think is an excellent idea...and I as you can see from my signature, I'm starting it now.

All the bulk spam coming through now seems to come in waves to people on a list somewhere...so if I can get my honeypot email on the same list, it should take care of it.

[crypted]

If the normal measures don't work, or aren't stopping the spam entirely to your liking, then SPF could be useful.

Also, SPF is being adopted globally by many tech companies and governments. So, that's a cool deal. Remember SPF does use DNS entries to assist in validity checks.

I'll make a reminder to write a new HOWTO including SPF in the near future.

[drewb0y]

I have implemented the spam blocking you have suggested here and it is doing a great job so far. One thing I am thinking it would be nice to do is to somehow have an automated process that takes the IP addresses of offending spam senders and then adds it to an iptables filter.

For example, I have seen thousands of messages coming through from a several IPs in the Ukraine all from ukrtel.net. (Dictionary spamming) They are all getting caught by either greylisting or the blacklists.

What I want to know is if there is an easy way to block these major offenders at the firewall level, so that their mail never even makes it to postfix to be rejected.

There are a few I have identified that I wouldn't mind blocking the ISPs whole netblocks, if I could figure out what ranges they own.

My server at the moment is actually handling it all at the moment, but I also only have about 1/3 of the domains on it that it will eventually host for email. I'd like to reduce the load of what it has now as much as possible before I add more to it.

Thanks in advance for any ideas.