HOWTO: Spam control for POSTFIX

Discussion in 'Tips/Tricks/Mods' started by crypted, Sep 8, 2010.

  1. crypted

    crypted New Member

    No, the spamtrap works like this:

    1) spam is sent to several email accounts on your system because emails are found on forums or whatever and easy targets
    2) added spamtrap email looks legit and will also be added to the spamming roster
    3) real email and spamtrap email will be spammed with the same email
    4) postfix will discard all emails that were sent to both the spamtrap email and the real email addresses

    You can put the spamtrap emails in hidden HTML code and all that crap to get them out there, as well. Basically, it just adds another line of defense.

    I had my real email address shown on this forum for a few months. My spam went up like mad as a result. I added the spamtrap to my signature and what not, helped reduce it by about 10 a day since both emails were present for their spam-finding spiders.

    Again, taken individually some of these steps won't be that great of a help. But, when you implement all of this as a collective you will see a great reduction.

    Still not sure? Pretend that we're on the Death Star and we want to get rid of those pesky Storm Troopers before they find our vulnerable spot. So, we force their ship into a Black Hole. No more Storm Troopers! Spam trap is the black hole for SciFi people.
     
    Last edited: Oct 1, 2010
  2. edge

    edge Active Member Moderator

    Okay. Understood..

    One more thing.
    When I send an email to myself (from let's say a gmail account) I receive it instantly.

    Should it not be delayed for some time? I've set the "--delay=120" in /etc/default/postgrey.
    (postgrey shows: POSTGREY_OPTS="--inet=127.0.0.1:60000 --delay=120")

    I've even removed the proxy.gmail.com from /etc/postgrey/whitelist_clients, and yes I did restart postgrey
     
  3. crypted

    crypted New Member

    I would say not. I've noticed instant receipt from email addresses I've received content from previously. However, new addresses (so long as their domain is not whitelisted) will take some time to arrive.

    If you're that concerned though, you can use the script mentioned in the BONUS INSTRUCTIONS and found a few posts down on the first page. It will give you all the details about how GREYLIST is operating. Good for debugging, troubleshooting, and curiosity.
     
  4. primal23

    primal23 New Member

    What I am trying to get from the log, are things that are blocked by the body_checks and header_checks since I have been getting a few false positives, and ubuntu's log viewer won't stay on the position I need it to, it jumps to the new item automatically. Is this possible? Hope this isn't hijacking the thread.
     
  5. crypted

    crypted New Member

    I would first suggest using the postgrey script I discussed in the post above to ensure it isn't your postgrey creating false positives (doubtful). If it is, you can add whitelist entries for domains or email addresses. You can also do whitelists for the body/header checks in postfix.

    However, I don't believe you will see anything in the mail.log discussing what you want.
     
  6. edge

    edge Active Member Moderator

    I'll have a go at it, but can you please post the "greylist_script.sh" also, or did you make a typo, and should "greylist_script.sh" be named "postgrey_stats.sh"?
     
    Last edited: Oct 1, 2010
  7. crypted

    crypted New Member

  8. primal23

    primal23 New Member

    Just wanted to give an example of what I am trying to get (if at all possible lol)
    Sometimes with false "flags" emails get stopped and I need to pass them on, but since the log viewer won't hold on a position, I have to resend emails and switch to the viewer to try and catch what needs to be changed briefly to allow the email to pass.

    I have been trying to work on a script that would send an email when a "flag" is hit, but haven't had a lot of success as of yet.
     
  9. crypted

    crypted New Member

    On the fly suggestion for viewing and getting the necessary address from the logs to setup whitelists:

    Use "nano" in terminal. I.E.: nano /var/log/mail.log

    That won't change positions as new data is added. However, it doesn't refresh as new data is logged. But, pretty simple and good to use.
     
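    An added example, not from the thread and not one of crypted's scripts: a small Python summarizer that pulls out of /var/log/mail.log the details the posts above are after (what postgrey did and why, the greylist delays, and every rejection together with the DNSBL or cleanup check behind it). The log lines are constructed; the parsing follows the default postgrey and postfix smtpd/cleanup log formats.

```python
import re
from collections import Counter

# Constructed /var/log/mail.log sample (not a real capture); line formats follow
# what postgrey and postfix smtpd/cleanup log by default.
SAMPLE_LOG = """\
Sep  8 06:01:10 mail postgrey[1201]: action=greylist, reason=new, client_name=mx.example.com, client_address=192.0.2.10, sender=alice@example.com, recipient=bob@example.org
Sep  8 06:06:02 mail postgrey[1201]: action=pass, reason=triplet found, delay=292, client_name=mx.example.com, client_address=192.0.2.10, sender=alice@example.com, recipient=bob@example.org
Sep  8 06:07:30 mail postgrey[1201]: action=pass, reason=client whitelist, client_name=mail-xy.google.com, client_address=198.51.100.5, sender=carol@gmail.com, recipient=bob@example.org
Sep  8 06:09:44 mail postfix/smtpd[1340]: NOQUEUE: reject: RCPT from dsl-pool.example.net[203.0.113.77]: 554 5.7.1 Service unavailable; Client host [203.0.113.77] blocked using dnsbl.sorbs.net; from=<grandma@example.net> to=<bob@example.org> proto=ESMTP helo=<dsl-pool.example.net>
Sep  8 06:12:05 mail postfix/cleanup[1402]: 7F3A1B2C3D: reject: header Subject: cheap meds from mx2.example.com[192.0.2.20]; from=<spam@example.com> to=<bob@example.org> proto=ESMTP helo=<mx2.example.com>: spam subject
"""

POSTGREY_RE = re.compile(r"postgrey\[\d+\]: (?P<fields>.*)$")
# smtpd logs "NOQUEUE: reject: RCPT from ...", cleanup logs "<queueid>: reject: header ..."
REJECT_RE = re.compile(r"postfix/(?P<daemon>\w+)\[\d+\]: (?:\w+: )?reject: (?P<rest>.*)$")

def parse_postgrey(fields):
    """Turn 'action=pass, reason=triplet found, delay=292, ...' into a dict."""
    return dict(item.split("=", 1) for item in fields.split(", "))

def summarize(log_text):
    """Count postgrey actions by reason, collect delays, and list every reject."""
    stats = {"greylist": Counter(), "pass": Counter(), "delays": [], "rejects": []}
    for line in log_text.splitlines():
        pg, rj = POSTGREY_RE.search(line), REJECT_RE.search(line)
        if pg:
            f = parse_postgrey(pg.group("fields"))
            stats.setdefault(f["action"], Counter())[f["reason"]] += 1
            if "delay" in f:  # seconds between first attempt and accepted retry
                stats["delays"].append(int(f["delay"]))
        elif rj:
            rest = rj.group("rest")
            frm = re.search(r"from=<([^>]*)>", rest)
            to = re.search(r"to=<([^>]*)>", rest)
            dnsbl = re.search(r"blocked using (\S+?);", rest)
            stats["rejects"].append({
                "daemon": rj.group("daemon"),
                "kind": rest.split(" ", 1)[0],  # RCPT (smtpd), header or body (cleanup)
                "from": frm.group(1) if frm else "",
                "to": to.group(1) if to else "",
                "dnsbl": dnsbl.group(1) if dnsbl else "",
            })
    return stats

def report(stats):
    """One line per reject: who was refused and by which list or check."""
    return [f"{r['from']} -> {r['to']}: {r['dnsbl'] or r['daemon'] + ' ' + r['kind']}"
            for r in stats["rejects"]]
```

    Run it over a copy of the real log (for example `summarize(open('/var/log/mail.log').read())`) to see which DNSBL or check produced a given rejection before deciding what to whitelist.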
  10. crypted

    crypted New Member

    Did my NANO suggestion help with your efforts?

    Also, how are the general measures of my HOWTO working for you?

    False positives happen, part of the game... But, I'm proud to say the HOWTO has already saved admins from worrying about over 200,000 spam emails.
     
  11. edge

    edge Active Member Moderator

    Just be aware that when updating to ISPconfig 3.0.3 that /etc/postfix/main.cf will be changed, and that you will need to add the "custom" lines again!
     
  12. crypted

    crypted New Member

    Correct, so I would recommend to those who update to copy their main.cf to something like:
    cp /etc/postfix/main.cf /etc/postfix/main.cf.custom

    And after updating to the new ISPC3:
    rm -rf /etc/postfix/main.cf
    cp /etc/postfix/main.cf.custom /etc/postfix/main.cf
     
  13. crypted

    crypted New Member

    Original post has been updated. I added a Tips & Tricks section. Basically, there were some issues with SORBS. My 71 yr old grandmother abruptly stopped being able to email me today. Apparently, her DSL reset and obtained a new dynamic IP which is blocked. So, I did some modifications to the SORBS zone that I used.

    Anyway, this is a very random and, I'm guessing, improbable issue for most people. But, I thought I'd post a heads up in case people complain of returned email and the reason mentioning SORBS.
     
  14. drewb0y

    drewb0y New Member

    SORBS is a horrible blacklist to use. Just do a quick google search on them and you will find a hundred reasons to not use their blacklist and use some of the more reputable ones out there. I could elaborate for you but after enough digging you will see what I mean. One of our customers has a client that was using sorbs and blocking all of their emails. After a week or so of back and forth with their admin, I convinced him to quit using SORBS. Reason being SORBS blocked an entire netblock at GoDaddy because of one report on one IP address (not ours) and would not unblock without payment.

    Anyway, if you're using SORBS, save yourself some headaches and just quit.
     
  15. crypted

    crypted New Member

    SORBS has been a good resource, generally, more recently. It has had a lot of problems I don't deny. And, because of the problem I noticed yesterday, I modified things and added that new advisory section to the GUIDE post.

    My guide isn't a fool proof solution sent by the Lord above. It went over a month before SORBS started causing any user on my server an issue, and it just so happened to have been me.

    Again, if someone feels there's a problem with mail delivery or hears of such problems and sees SORBS in the rejection email sent to the sender of said email, I would look at the Tips and Tricks section and modify accordingly.
     
  16. drewb0y

    drewb0y New Member

    I didn't mean to be too negative. I just had a bad experience with them personally. Actually that is how I came to find ISPConfig in the first place. I needed to move email hosting for 23 domains which are currently hosted on a GoDaddy dedicated server sitting in a SORBS blocked netblock. So I just decided to move mail onto a separate machine with better software which I can have more control over. Thus debian and ISPConfig.

    Your work is appreciated crypted, and if you ever make it down to Texas, I'd sure buy you a beer!
     
  17. edge

    edge Active Member Moderator

    For some reason I'm receiving the "Mail Statistics" email 3 times.
    1 time @ 06:26 and 2 times @ 07:00

    I've no clue why this is happening as it's not in the cronjob.
    Any suggestion where I should start debugging?
     
  18. crypted

    crypted New Member

    Yeah, start with the RSYSLOG. I had that problem as well. What was wrong was that when I added /var/mail.log, it was with other items. So, it would run the mail script for each log file on rotation even though it just provided details for the mail.log.

    Make sure mail.log is alone, with its own set of details in the brackets.

    My RSYSLOG for the mail.log addition is:
    Code:
    /var/log/mail.log
    {
            rotate 7
            daily
            missingok
            notifempty
            delaycompress
            compress
            prerotate
                  /usr/local/sbin/postfix_report.sh > /dev/null
            endscript
            postrotate
                    invoke-rc.d rsyslog reload > /dev/null
            endscript
    }
    Was mail.log originally in the RSYSLOG file? If not, you might have a duplicate that needs deleted as well. I think that'd be the logrotate.conf but not 100% sure. Can figure it out if necessary.
     
  19. edge

    edge Active Member Moderator

    This is what my /etc/logrotate.d/rsyslog looks like:

    Code:
    /var/log/syslog
    {
            rotate 7
            daily
            missingok
            notifempty
            delaycompress
            compress
            postrotate
                    invoke-rc.d rsyslog reload > /dev/null
            endscript
    }
    
    /var/log/mail.info
    /var/log/mail.warn
    /var/log/mail.err
    /var/log/daemon.log
    /var/log/kern.log
    /var/log/auth.log
    /var/log/user.log
    /var/log/lpr.log
    /var/log/cron.log
    /var/log/debug
    /var/log/messages
    {
            rotate 4
            weekly
            missingok
            notifempty
            compress
            delaycompress
            sharedscripts
            postrotate
                    invoke-rc.d rsyslog reload > /dev/null
            endscript
    }
    /var/log/mail.log
    {
            rotate 7
            daily
            missingok
            notifempty
            delaycompress
            compress
            prerotate
                  /usr/local/sbin/postgrey_stats.sh > /dev/null
                  /usr/local/sbin/postfix_report.sh > /dev/null
            endscript
            postrotate
                    invoke-rc.d rsyslog reload > /dev/null
            endscript
    }
    I do not see anything wrong with it.
     
  20. crypted

    crypted New Member

    And you're getting it many times? Both of them many times, daily? Or, just one?

    You could remove the scripts from the rsyslog and put them as crontabs around 530am. Rsyslog rotates around 6am I think, check timestamps in your log dir for gz's and stuff.

    If the cronjob only sends it once, then at least it's narrowed down to rsyslog or a multiple mail.log entry elsewhere causing a loop or something.

    If cronjob sends it multiple times, there's an error in the script.
     
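    An added check, not the thread's own script, for the two situations crypted describes in the posts above: the same log listed in more than one logrotate stanza (possibly in different files), and a prerotate/postrotate block without sharedscripts, which logrotate runs once per log in that stanza. The config texts are constructed; 'include' directives are ignored and only tokens beginning with '/' are treated as log paths.

```python
import re
from collections import defaultdict

# Constructed sample: two logrotate files both rotate mail.log (the "duplicate
# mail.log entry elsewhere" case); the first also lacks sharedscripts.
SAMPLE_CONFIGS = {
    "/etc/logrotate.d/rsyslog": """\
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.log
{
        weekly
        prerotate
                /usr/local/sbin/postfix_report.sh > /dev/null
        endscript
}
""",
    "/etc/logrotate.d/mail-custom": """\
/var/log/mail.log {
        daily
        prerotate
                /usr/local/sbin/postfix_report.sh > /dev/null
        endscript
}
""",
}

def parse_stanzas(text):
    """Return (paths, has_script, sharedscripts) per 'paths { ... }' block."""
    stanzas = []
    for m in re.finditer(r"([^{}]*?)\{([^{}]*)\}", text):
        # everything between the previous '}' and this '{' names the logs
        paths = [p for p in m.group(1).split() if p.startswith("/")]
        has_script = bool(re.search(r"^\s*(pre|post)rotate\b", m.group(2), re.M))
        shared = bool(re.search(r"^\s*sharedscripts\b", m.group(2), re.M))
        stanzas.append((paths, has_script, shared))
    return stanzas

def audit(configs):
    """Map each log to the files claiming it; flag duplicates and per-log script runs."""
    owners, warnings = defaultdict(list), []
    for fname, text in configs.items():
        for paths, has_script, shared in parse_stanzas(text):
            for p in paths:
                owners[p].append(fname)
            if has_script and len(paths) > 1 and not shared:
                warnings.append(f"{fname}: script block runs once per log "
                                f"({len(paths)} logs); add sharedscripts")
    duplicates = {p: files for p, files in owners.items() if len(files) > 1}
    return duplicates, warnings
```

    To audit a real system, build the dict from /etc/logrotate.conf plus every file under /etc/logrotate.d and look at both returned values.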
