HOWTO: Spam control for POSTFIX

Discussion in 'Tips/Tricks/Mods' started by crypted, Sep 8, 2010.

  1. edge

    edge Active Member Moderator

    Okay I've changed Rsyslog to it's original state. If I want to setup a cronjob, what scripts do I need to run?
    Only the two scripts?

     
  2. crypted

    crypted New Member

    Just those two scripts, yes.

    Actually, the postgrey script isn't extremely necessary unless you're just wanting to see what it's doing/has done over the past day specifically. The other script will mention greylisting as well as other methods and their rates.

    I quit using both scripts after about two weeks because it was so successful. Didn't need mailbox clutter showing me how well it was cleaning up other clutter! :)
     
  3. crypted

    crypted New Member

    I would recommend removing ", reject_rbl_client multihop.dsbl.org" from your Postfix main.cf. It has been fully deactivated and will cause a second delay (not much) right now. Should its DNS be dropped entirely, might be a big staller.

    :)
     
  4. Rupert

    Rupert New Member

    HI,

    is there any chance to enbable/disable greylisting for each mailbox/domain?

    I guess it would work by adding each mailbox to the postgrey whitelist file,
    but is there a plugin for ispconfig to do this.?


    greetings
     
    Last edited: Oct 28, 2010
  5. crypted

    crypted New Member

    No plugin for ISPC3 is available at this point.

    But, just edit "/etc/postgrey/whitelist_recipients" and add the mailboxes you wish to exclude.

    For example, if you want to exclude "[email protected]" add that exact email address. Or, if you want to exclude all abuse emails on every domain, just add "abuse@" to the file.

    It's one email address per line.
     
  6. Turbanator

    Turbanator Member HowtoForge Supporter

  7. crypted

    crypted New Member

    Before I give much of a response, are you still having SPAM issues?

    I literally have 99.8% spam filtration.

    The reason for asking is that the more things we stick into our spam filtering plan, the more load the server will have in handling all incoming mail and the increased risk of delivery delays for time sensitive traffic on production systems.
     
  8. Turbanator

    Turbanator Member HowtoForge Supporter

    I do have a lot of spam still but much less than before.

    One note though...I never implemented your spam email honey pot trick which I think is an excellent idea...and I as you can see from my signature, I'm starting it now.

    All the bulk spam coming through now seems to come in waves to people on a list somewhere...so if I can get my honeypot email on the same list, it should take care of it.
     
  9. crypted

    crypted New Member

    If the normal measures don't work, or aren't stopping the spam entirely to your liking, then SPF could be useful.

    Also, SPF is being adopted globally by many tech companies and governments. So, that's a cool deal. Remember SPF does use DNS entries to assist in validity checks.

    I'll make a reminder to write a new HOWTO including SPF in the near future.
     
  10. drewb0y

    drewb0y New Member

    Possibility of blocking IP's or ranges using IPTables

    I have implemented the spam blocking you have suggested here and it is doing a great job so far. One thing I am thinking it would be nice to do is to somehow have an automated process that takes the IP addresses of offending spam senders and then adds it to an iptables filter.

    For example, I have seen thousands of messages coming through from a several IPs in the Ukraine all from ukrtel.net. (Dictionary spamming) They are all getting caught by either greylisting or the blacklists.

    What I want to know is if there is an easy way to block these major offenders at the firewall level, so that their mail never even makes it to postfix to be rejected.

    There are a few I have identified that I wouldn't mind blocking the ISPs whole netblocks, if I could figure out what ranges they own.

    My server at the moment is actually handling it all at the moment, but I also only have about 1/3 of the domains on it that it will eventually host for email. I'd like to reduce the load of what it has now as much as possible before I add more to it.

    Thanks in advance for any ideas.
     
  11. crypted

    crypted New Member

    drewb0y have you thought about modifying the postgrey information script in my second or third post? Instead of having it email, you could have it out to a file and parse to count recurrences.

    Maybe an if/then that 5+ occurrences in a day = ipfilter rule?
     
  12. edge

    edge Active Member Moderator

  13. drewb0y

    drewb0y New Member

    Thanks Edge, I just implemented that and within the first 5 minutes it banned 14 different IP addresses.I still plan to implement the country blocking somehow, but this should help for a while.

    I did increase the fail2ban timeout to 20 minutes instead of 10 as well.

     
  14. drewb0y

    drewb0y New Member

    Hmmm

    That has definite possibilities, but I would have no idea how to implement that. My programming skills basically extend as far as copying something already done and modifying it for my situation.

     
  15. crypted

    crypted New Member

    I completely forgot about fail2ban, thanks Edge.

    I'll add that to my list of things to add to a new HOWTO in the near future.

    Thankfully, we have a great group of us here to throw things around to build the best (free) method for fighting spam on our ISPCONFIG-based servers.
     
  16. drewb0y

    drewb0y New Member

  17. Turbanator

    Turbanator Member HowtoForge Supporter

    My spam has greatly dropped but I still get hit each night...(I swear my users sign up on spam lists just to piss me off) Even though we move a ton of email into the Junk folder and train SA each night, plenty of spam still gets through. It seems many are those damned image spam.

    I think there is an image spam filter, (without setting up an awesome spamsnake), has anyone implemented that in our setup here (not spamsnake) on a "perfect server".

    I'm curious about the extra server load and how well it works.

    Also, I beleive spamassassin is updated when ispconfig is, so I haven't upgraded to the newest SA yet and waiting for the next ispc release. Is everyone using the default with ispc (3.2.5) or has anyone gone past what is installed and is running the latest SA 3.3.1?
     
  18. crypted

    crypted New Member

    Can you post the header and content of a few of those emails as CODE?
     
  19. Turbanator

    Turbanator Member HowtoForge Supporter

    HEre is on sample that isn't an image spam, but it does represent a huge number that get through...notice the spam tag. And I'll get a bunch in a row from the same fake domain. We manually move these into junk folders and "learn" nightly but I don't think there is enough info for SA to learn anything.

    If you want, PM me, and I'll forward one directly to you to see if yours filters.

    Code:
    +OK 2628 octets follow.
    Return-Path: <MAILER-DAEMON>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    	by ns1.heredns.com (Postfix) with ESMTP id BBAFE10B42DC
    	for <[email protected]>; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at ns1.heredns.com
    X-Spam-Flag: NO
    X-Spam-Score: -2.499
    X-Spam-Level: 
    X-Spam-Status: No, score=-2.499 tagged_above=-100 required=2.88
    	tests=[BAYES_00=-2.599, RDNS_NONE=0.1]
    Received: from ns1.heredns.com ([127.0.0.1])
    	by localhost (ns1.heredns.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id BwsAmpARgQ1p for <[email protected]>;
    	Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    Received: by ns1.heredns.com (Postfix, from userid 5000)
    	id 9A56110B42D8; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    	by ns1.heredns.com (Postfix) with ESMTP id 8FB5310B42DC
    	for <[email protected]>; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at ns1.heredns.com
    Received: from ns1.heredns.com ([127.0.0.1])
    	by localhost (ns1.heredns.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id 4hB6JyN8jwL9 for <[email protected]>;
    	Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    X-Greylist: delayed 604 seconds by postgrey-1.31 at ns1.heredns.com; Tue, 15 Feb 2011 07:36:41 PST
    Received: from gqep.proulseraw.com (unknown [174.36.86.118])
    	by ns1.heredns.com (Postfix) with ESMTP id 2766010B42D8
    	for <[email protected]>; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    Message-ID: <[email protected]>
    Date: Tue, 15 Feb 2011 09:20:59 -0600
    To: <[email protected]>
    From: "Karen Miller" <[email protected]>
    Mime-Version: 1.0
    Subject: Earn your share of this $59 billion industry
    User-Agent: Cert - OutMode/2.0 tigww/2.73b3
    X-Mailer: Firefox / 3.2
    Accept-Language: en - us
    Content-Language: en - us
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    X-EsetId: 06519D20EC8831375713
    
    Internet Job Locator: #1 site for online jobs
    
    
    For more information and to view positions click here:
    http://gqep.proulseraw.com/2438b36396769379324611396256dab50136a9
    
    
    
    Thank you for visiting the Locator
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    Unsubscribe: http://gqep.proulseraw.com/2438b36396769379324612396256dab50136a9
    or send mail to: unsubscribe
    2764 N. Green Valley Pkwy Suite 394
    Henderson, NV 89014
    
    Click this link to unsubscribe: http://gqep.proulseraw.com/396256dab50136a912438b36396769379
    
    
    I'll look for an image one and post here as well.
     
  20. crypted

    crypted New Member

    It's been complete hell here, so sorry for not responding for so long but I didn't forget! Are you still having image spam problems?

    I'm working on a new mixed guide to integrate several types of protection against bad robots, email harvesters, and so forth into Apache. Testing out each piece of the puzzle one by one on my end before I finish the HOWTO and distribute it.
     

Share This Page