anti spam measures
in [Postfix]
|
Prev: Quotes with Dovecot+Ldap
Next: 3000 recipients
From: "Steve" on 4 Jan 2010 17:47 -------- Original-Nachricht -------- > Datum: Mon, 4 Jan 2010 16:45:21 -0600 > Von: Kenneth Marshall <ktm(a)rice.edu> > An: Roman Gelfand <rgelfand2(a)gmail.com> > CC: Steve <steeeeeveee(a)gmx.net>, postfix-users(a)postfix.org > Betreff: Re: anti spam measures > On Mon, Jan 04, 2010 at 05:40:29PM -0500, Roman Gelfand wrote: > > Well, it looks like, perhaps, I found the missing link. After adding > > s25r rules and HELO response verification in main.cf, no spam has > > siped through. > > > > I think that mostly it was HELO response verification that did it. > > BTW, is there a reason not block emails with incorrect HELO response? > > > > Thanks > > > None really, unless you need to accept mail from misconfigured > servers. (We do.) > Most of do (I would guess). > Cheers, > Ken > Steve > > On Mon, Jan 4, 2010 at 5:30 PM, Steve <steeeeeveee(a)gmx.net> wrote: > > > > > > -------- Original-Nachricht -------- > > >> Datum: Mon, 04 Jan 2010 23:20:04 +0100 > > >> Von: mouss <mouss(a)ml.netoyen.net> > > >> An: postfix-users(a)postfix.org > > >> Betreff: Re: anti spam measures > > > > > >> Steve a ?crit : > > >> > -------- Original-Nachricht -------- > > >> >> Datum: Sun, 03 Jan 2010 23:37:18 +0100 > > >> >> Von: mouss <mouss(a)ml.netoyen.net> > > >> >> An: postfix users list <postfix-users(a)postfix.org> > > >> >> Betreff: Re: anti spam measures > > >> > > > >> >> Roman Gelfand a ?crit : > > >> >>> I am running postfix with anti spam filter (policyd-weight, > sqlgrey, > > >> >>> grossd, dkim, senderid-milter, dspam) . ?With this configuration, > I am > > >> >>> down to under 10 spams a day. ?Looking at my backend server which > is > > >> >>> exchange 2007, I find that all of the remaining spam messages > have > > >> >>> spam confidence level of 7 or greater, which implies this is > blatant > > >> >>> spam. ?Is there spam filter software software that works with > postfix > > >> >>> that can perform checks similar to that of exchange 2007 spam > > >> >>> confidence level? > > >> >>> > > >> >> we can't really tell since we didn't see the messages that made it > > >> >> through postfix+friends. > > >> >> > > >> >> if the messages contained a URI listed at uribl or surbl, then you > > >> could > > >> >> try using uribl/surbl via milter-link or via spamassassin (via > > >> >> amavisd-new). > > >> >> > > >> >> anyway, You can add spamassassin (via amavisd-new) to your chain > and > > >> see > > >> >> ?if it improves your filtering. > > >> >> > > >> > I am for sure one of the people that should keep his mouth shut > since I > > >> have a to strong bias but SpamAssassin? Why? He is using DSPAM and if > I > > >> would purpose him another free solution then only something like > CMR114 or > > >> OSBF-Lua. > > >> > > > >> > > >> because I don't believe he will improve his filtering by adding more > > >> statistical filters (I think: if this was true, he can improve by > better > > >> training/tuning of dspam). > > >> > > > Correct. > > > > > > > > >> In contrsat, adding a finely tuned heuristic > > >> filter will certainly improve his results. > > >> > > > True. > > > > > > > > >> one example: Justin Mason anti-fraud rules (JM_SOUGHT*) will block > fraud > > >> mail that you can't block statistically (because you don't get enough > of > > >> it to train a statistical filter). unless if you are a large ISP/MSP > > >> with users who report fraud mail quickly and you train your filter > with > > >> these reports quickly. > > >> > > > Or you use other ways to filter them out (not statistically). > > > > > > > > >> other examples include: URIBL rules (granted, you can use > milter-link), > > >> DNSxL rules applied to Received headers (mail that is "touched" by a > > >> host in Spamhaus SBL is unwanted!)... > > >> > > >> Once again, I said "add spamassassin" not replace dspam. This is > because > > >> OP wanted to block "more". but adding SA in a way that improves his > > >> results is not effort free. which is why I said: > > >> > > > Right. > > > > > > > > >> > > > >> >> at one time, the question becomes: is the additional effort worth > the > > >> >> pain? > > >> >> > > >> > Good question. > > >> > > >> I personally am from the school of access control before content > > >> filtering. > > >> > > > Me too :) > > > > > > > > >> so I don't feel comfortable arguing for SA vs dspam vs > > >> foofilter. > > >> > > > As I wrote before: I am to biased in that topic so I am not going to > argue either. > > > -- > > > GRATIS f?r alle GMX-Mitglieder: Die maxdome Movie-FLAT! > > > Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 > > > > > -- Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox 3.5 - sicherer, schneller und einfacher! http://portal.gmx.net/de/go/chbrowser
From: "Steve" on 4 Jan 2010 17:48 -------- Original-Nachricht -------- > Datum: Mon, 04 Jan 2010 23:47:11 +0100 > Von: "Steve" <steeeeeveee(a)gmx.net> > An: postfix-users(a)postfix.org > Betreff: Re: anti spam measures > > -------- Original-Nachricht -------- > > Datum: Mon, 4 Jan 2010 16:45:21 -0600 > > Von: Kenneth Marshall <ktm(a)rice.edu> > > An: Roman Gelfand <rgelfand2(a)gmail.com> > > CC: Steve <steeeeeveee(a)gmx.net>, postfix-users(a)postfix.org > > Betreff: Re: anti spam measures > > > On Mon, Jan 04, 2010 at 05:40:29PM -0500, Roman Gelfand wrote: > > > Well, it looks like, perhaps, I found the missing link. After adding > > > s25r rules and HELO response verification in main.cf, no spam has > > > siped through. > > > > > > I think that mostly it was HELO response verification that did it. > > > BTW, is there a reason not block emails with incorrect HELO response? > > > > > > Thanks > > > > > None really, unless you need to accept mail from misconfigured > > servers. (We do.) > > > Most of do (I would guess). > Stupid me. To fast typing: Most of us do (I would guess). > > > Cheers, > > Ken > > > Steve > > > > On Mon, Jan 4, 2010 at 5:30 PM, Steve <steeeeeveee(a)gmx.net> wrote: > > > > > > > > -------- Original-Nachricht -------- > > > >> Datum: Mon, 04 Jan 2010 23:20:04 +0100 > > > >> Von: mouss <mouss(a)ml.netoyen.net> > > > >> An: postfix-users(a)postfix.org > > > >> Betreff: Re: anti spam measures > > > > > > > >> Steve a ?crit : > > > >> > -------- Original-Nachricht -------- > > > >> >> Datum: Sun, 03 Jan 2010 23:37:18 +0100 > > > >> >> Von: mouss <mouss(a)ml.netoyen.net> > > > >> >> An: postfix users list <postfix-users(a)postfix.org> > > > >> >> Betreff: Re: anti spam measures > > > >> > > > > >> >> Roman Gelfand a ?crit : > > > >> >>> I am running postfix with anti spam filter (policyd-weight, > > sqlgrey, > > > >> >>> grossd, dkim, senderid-milter, dspam) . ?With this > configuration, > > I am > > > >> >>> down to under 10 spams a day. ?Looking at my backend server > which > > is > > > >> >>> exchange 2007, I find that all of the remaining spam messages > > have > > > >> >>> spam confidence level of 7 or greater, which implies this is > > blatant > > > >> >>> spam. ?Is there spam filter software software that works with > > postfix > > > >> >>> that can perform checks similar to that of exchange 2007 spam > > > >> >>> confidence level? > > > >> >>> > > > >> >> we can't really tell since we didn't see the messages that made > it > > > >> >> through postfix+friends. > > > >> >> > > > >> >> if the messages contained a URI listed at uribl or surbl, then > you > > > >> could > > > >> >> try using uribl/surbl via milter-link or via spamassassin (via > > > >> >> amavisd-new). > > > >> >> > > > >> >> anyway, You can add spamassassin (via amavisd-new) to your chain > > and > > > >> see > > > >> >> ?if it improves your filtering. > > > >> >> > > > >> > I am for sure one of the people that should keep his mouth shut > > since I > > > >> have a to strong bias but SpamAssassin? Why? He is using DSPAM and > if > > I > > > >> would purpose him another free solution then only something like > > CMR114 or > > > >> OSBF-Lua. > > > >> > > > > >> > > > >> because I don't believe he will improve his filtering by adding > more > > > >> statistical filters (I think: if this was true, he can improve by > > better > > > >> training/tuning of dspam). > > > >> > > > > Correct. > > > > > > > > > > > >> In contrsat, adding a finely tuned heuristic > > > >> filter will certainly improve his results. > > > >> > > > > True. > > > > > > > > > > > >> one example: Justin Mason anti-fraud rules (JM_SOUGHT*) will block > > fraud > > > >> mail that you can't block statistically (because you don't get > enough > > of > > > >> it to train a statistical filter). unless if you are a large > ISP/MSP > > > >> with users who report fraud mail quickly and you train your filter > > with > > > >> these reports quickly. > > > >> > > > > Or you use other ways to filter them out (not statistically). > > > > > > > > > > > >> other examples include: URIBL rules (granted, you can use > > milter-link), > > > >> DNSxL rules applied to Received headers (mail that is "touched" by > a > > > >> host in Spamhaus SBL is unwanted!)... > > > >> > > > >> Once again, I said "add spamassassin" not replace dspam. This is > > because > > > >> OP wanted to block "more". but adding SA in a way that improves his > > > >> results is not effort free. which is why I said: > > > >> > > > > Right. > > > > > > > > > > > >> > > > > >> >> at one time, the question becomes: is the additional effort > worth > > the > > > >> >> pain? > > > >> >> > > > >> > Good question. > > > >> > > > >> I personally am from the school of access control before content > > > >> filtering. > > > >> > > > > Me too :) > > > > > > > > > > > >> so I don't feel comfortable arguing for SA vs dspam vs > > > >> foofilter. > > > >> > > > > As I wrote before: I am to biased in that topic so I am not going to > > argue either. > > > > -- > > > > GRATIS f?r alle GMX-Mitglieder: Die maxdome Movie-FLAT! > > > > Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 > > > > > > > > > -- > Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox 3.5 > - > sicherer, schneller und einfacher! http://portal.gmx.net/de/go/chbrowser -- Jetzt kostenlos herunterladen: Internet Explorer 8 und Mozilla Firefox 3.5 - sicherer, schneller und einfacher! http://portal.gmx.net/de/go/chbrowser
From: Roman Gelfand on 4 Jan 2010 18:08 On Mon, Jan 4, 2010 at 5:44 PM, Steve <steeeeeveee(a)gmx.net> wrote: > > -------- Original-Nachricht -------- >> Datum: Mon, 4 Jan 2010 17:40:29 -0500 >> Von: Roman Gelfand <rgelfand2(a)gmail.com> >> An: Steve <steeeeeveee(a)gmx.net> >> CC: postfix-users(a)postfix.org >> Betreff: Re: anti spam measures > >> Well, it looks like, perhaps, I found the missing link. After adding >> s25r rules and HELO response verification in main.cf, no spam has >> siped through. >> >> I think that mostly it was HELO response verification that did it. >> BTW, is there a reason not block emails with incorrect HELO response? >> > Yes! Probably half of the sending MTA's out there have issues with setting proper HELO/EHLO. I would not block them per default but use your already installed policyd-weight and add a higher score to wrong HELO/EHLO (but the default in policyd-weight should be already okay). I am a bit surprised at your response. I would have expected you to say, a MTA which ignores basic basic configuration rules doesn't deserve that it's mail should be accepted. In fact, this is the way I feel about this. > > >> Thanks >> > Steve > > >> On Mon, Jan 4, 2010 at 5:30 PM, Steve <steeeeeveee(a)gmx.net> wrote: >> > >> > -------- Original-Nachricht -------- >> >> Datum: Mon, 04 Jan 2010 23:20:04 +0100 >> >> Von: mouss <mouss(a)ml.netoyen.net> >> >> An: postfix-users(a)postfix.org >> >> Betreff: Re: anti spam measures >> > >> >> Steve a écrit : >> >> > -------- Original-Nachricht -------- >> >> >> Datum: Sun, 03 Jan 2010 23:37:18 +0100 >> >> >> Von: mouss <mouss(a)ml.netoyen.net> >> >> >> An: postfix users list <postfix-users(a)postfix.org> >> >> >> Betreff: Re: anti spam measures >> >> > >> >> >> Roman Gelfand a écrit : >> >> >>> I am running postfix with anti spam filter (policyd-weight, >> sqlgrey, >> >> >>> grossd, dkim, senderid-milter, dspam) . With this configuration, >> I am >> >> >>> down to under 10 spams a day. Looking at my backend server which >> is >> >> >>> exchange 2007, I find that all of the remaining spam messages have >> >> >>> spam confidence level of 7 or greater, which implies this is >> blatant >> >> >>> spam. Is there spam filter software software that works with >> postfix >> >> >>> that can perform checks similar to that of exchange 2007 spam >> >> >>> confidence level? >> >> >>> >> >> >> we can't really tell since we didn't see the messages that made it >> >> >> through postfix+friends. >> >> >> >> >> >> if the messages contained a URI listed at uribl or surbl, then you >> >> could >> >> >> try using uribl/surbl via milter-link or via spamassassin (via >> >> >> amavisd-new). >> >> >> >> >> >> anyway, You can add spamassassin (via amavisd-new) to your chain and >> >> see >> >> >> if it improves your filtering. >> >> >> >> >> > I am for sure one of the people that should keep his mouth shut since >> I >> >> have a to strong bias but SpamAssassin? Why? He is using DSPAM and if I >> >> would purpose him another free solution then only something like CMR114 >> or >> >> OSBF-Lua. >> >> > >> >> >> >> because I don't believe he will improve his filtering by adding more >> >> statistical filters (I think: if this was true, he can improve by >> better >> >> training/tuning of dspam). >> >> >> > Correct. >> > >> > >> >> In contrsat, adding a finely tuned heuristic >> >> filter will certainly improve his results. >> >> >> > True. >> > >> > >> >> one example: Justin Mason anti-fraud rules (JM_SOUGHT*) will block >> fraud >> >> mail that you can't block statistically (because you don't get enough >> of >> >> it to train a statistical filter). unless if you are a large ISP/MSP >> >> with users who report fraud mail quickly and you train your filter with >> >> these reports quickly. >> >> >> > Or you use other ways to filter them out (not statistically). >> > >> > >> >> other examples include: URIBL rules (granted, you can use milter-link), >> >> DNSxL rules applied to Received headers (mail that is "touched" by a >> >> host in Spamhaus SBL is unwanted!)... >> >> >> >> Once again, I said "add spamassassin" not replace dspam. This is >> because >> >> OP wanted to block "more". but adding SA in a way that improves his >> >> results is not effort free. which is why I said: >> >> >> > Right. >> > >> > >> >> > >> >> >> at one time, the question becomes: is the additional effort worth >> the >> >> >> pain? >> >> >> >> >> > Good question. >> >> >> >> I personally am from the school of access control before content >> >> filtering. >> >> >> > Me too :) >> > >> > >> >> so I don't feel comfortable arguing for SA vs dspam vs >> >> foofilter. >> >> >> > As I wrote before: I am to biased in that topic so I am not going to >> argue either. >> > -- >> > GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT! >> > Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 >> > > > -- > GRATIS für alle GMX-Mitglieder: Die maxdome Movie-FLAT! > Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 >
From: "Steve" on 4 Jan 2010 18:25 -------- Original-Nachricht -------- > Datum: Mon, 4 Jan 2010 18:08:39 -0500 > Von: Roman Gelfand <rgelfand2(a)gmail.com> > An: Steve <steeeeeveee(a)gmx.net> > CC: postfix-users(a)postfix.org > Betreff: Re: anti spam measures > On Mon, Jan 4, 2010 at 5:44 PM, Steve <steeeeeveee(a)gmx.net> wrote: > > > > -------- Original-Nachricht -------- > >> Datum: Mon, 4 Jan 2010 17:40:29 -0500 > >> Von: Roman Gelfand <rgelfand2(a)gmail.com> > >> An: Steve <steeeeeveee(a)gmx.net> > >> CC: postfix-users(a)postfix.org > >> Betreff: Re: anti spam measures > > > >> Well, it looks like, perhaps, I found the missing link. �After adding > >> s25r rules and HELO response verification in main.cf, no spam has > >> siped through. > >> > >> I think that mostly it was HELO response verification that did it. > >> BTW, is there a reason not block emails with incorrect HELO response? > >> > > Yes! Probably half of the sending MTA's out there have issues with > setting proper HELO/EHLO. I would not block them per default but use your > already installed policyd-weight and add a higher score to wrong HELO/EHLO (but > the default in policyd-weight should be already okay). > > I am a bit surprised at your response. I would have expected you to > say, a MTA which ignores basic basic configuration rules doesn't > deserve that it's mail should be accepted. In fact, this is the way I > feel about this. > Roman. I do messaging since ages (I did messaging on the mainframe where sending electronic mail was still a miracle) and my personal opinion does not count. The reality out there is not so black/withe as you might think. There are a gazillion of MTAs that are wrong configured and use wrong HELO/EHLO. If you have the luxury that you can drop/reject those one that have wrong HELO/EHLO then do it. I can't. At least not without a negative impact for my customers. It's +/- like saying any page on the web that does not pass the W3C HTML/XHTML validation does not deserve to be displayed. You can imagine that a lot of them will fail. And so it is with SMTP. Some mail operators out there are forced to use MTAs that are broken and they are not in the position to update/upgrade/change the software (for whatever reason) and you would punish them just for one single (small) issue like wrong HELO/EHLO? I find this pretty hard. (okay, okay. I am *jealous* that you have that luxury). As I said before: Use a weighted calculation if you can and give a score to wrong HELO/EHLO but don't just drop/reject mails from wrong configured MTAs. The only drop/reject that I do regarding HELO/EHLO is if the remote client is claiming to be my server or my IP. Then I reject but other then that I give them a score for wrong HELO/EHLO and that's it. > > > > > >> Thanks > >> > > Steve > > > > > >> On Mon, Jan 4, 2010 at 5:30 PM, Steve <steeeeeveee(a)gmx.net> wrote: > >> > > >> > -------- Original-Nachricht -------- > >> >> Datum: Mon, 04 Jan 2010 23:20:04 +0100 > >> >> Von: mouss <mouss(a)ml.netoyen.net> > >> >> An: postfix-users(a)postfix.org > >> >> Betreff: Re: anti spam measures > >> > > >> >> Steve a �crit : > >> >> > -------- Original-Nachricht -------- > >> >> >> Datum: Sun, 03 Jan 2010 23:37:18 +0100 > >> >> >> Von: mouss <mouss(a)ml.netoyen.net> > >> >> >> An: postfix users list <postfix-users(a)postfix.org> > >> >> >> Betreff: Re: anti spam measures > >> >> > > >> >> >> Roman Gelfand a �crit : > >> >> >>> I am running postfix with anti spam filter (policyd-weight, > >> sqlgrey, > >> >> >>> grossd, dkim, senderid-milter, dspam) . �With this > configuration, > >> I am > >> >> >>> down to under 10 spams a day. �Looking at my backend server > which > >> is > >> >> >>> exchange 2007, I find that all of the remaining spam messages > have > >> >> >>> spam confidence level of 7 or greater, which implies this is > >> blatant > >> >> >>> spam. �Is there spam filter software software that works with > >> postfix > >> >> >>> that can perform checks similar to that of exchange 2007 spam > >> >> >>> confidence level? > >> >> >>> > >> >> >> we can't really tell since we didn't see the messages that made > it > >> >> >> through postfix+friends. > >> >> >> > >> >> >> if the messages contained a URI listed at uribl or surbl, then > you > >> >> could > >> >> >> try using uribl/surbl via milter-link or via spamassassin (via > >> >> >> amavisd-new). > >> >> >> > >> >> >> anyway, You can add spamassassin (via amavisd-new) to your chain > and > >> >> see > >> >> >> �if it improves your filtering. > >> >> >> > >> >> > I am for sure one of the people that should keep his mouth shut > since > >> I > >> >> have a to strong bias but SpamAssassin? Why? He is using DSPAM and > if I > >> >> would purpose him another free solution then only something like > CMR114 > >> or > >> >> OSBF-Lua. > >> >> > > >> >> > >> >> because I don't believe he will improve his filtering by adding more > >> >> statistical filters (I think: if this was true, he can improve by > >> better > >> >> training/tuning of dspam). > >> >> > >> > Correct. > >> > > >> > > >> >> In contrsat, adding a finely tuned heuristic > >> >> filter will certainly improve his results. > >> >> > >> > True. > >> > > >> > > >> >> one example: Justin Mason anti-fraud rules (JM_SOUGHT*) will block > >> fraud > >> >> mail that you can't block statistically (because you don't get > enough > >> of > >> >> it to train a statistical filter). unless if you are a large ISP/MSP > >> >> with users who report fraud mail quickly and you train your filter > with > >> >> these reports quickly. > >> >> > >> > Or you use other ways to filter them out (not statistically). > >> > > >> > > >> >> other examples include: URIBL rules (granted, you can use > milter-link), > >> >> DNSxL rules applied to Received headers (mail that is "touched" by a > >> >> host in Spamhaus SBL is unwanted!)... > >> >> > >> >> Once again, I said "add spamassassin" not replace dspam. This is > >> because > >> >> OP wanted to block "more". but adding SA in a way that improves his > >> >> results is not effort free. which is why I said: > >> >> > >> > Right. > >> > > >> > > >> >> > > >> >> >> at one time, the question becomes: is the additional effort worth > >> the > >> >> >> pain? > >> >> >> > >> >> > Good question. > >> >> > >> >> I personally am from the school of access control before content > >> >> filtering. > >> >> > >> > Me too :) > >> > > >> > > >> >> so I don't feel comfortable arguing for SA vs dspam vs > >> >> foofilter. > >> >> > >> > As I wrote before: I am to biased in that topic so I am not going to > >> argue either. > >> > -- > >> > GRATIS f�r alle GMX-Mitglieder: Die maxdome Movie-FLAT! > >> > Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 > >> > > > > > -- > > GRATIS f�r alle GMX-Mitglieder: Die maxdome Movie-FLAT! > > Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01 > > -- GRATIS f�r alle GMX-Mitglieder: Die maxdome Movie-FLAT! Jetzt freischalten unter http://portal.gmx.net/de/go/maxdome01
From: LuKreme on 4 Jan 2010 18:55
On Jan 4, 2010, at 16:08, Roman Gelfand <rgelfand2(a)gmail.com> wrote: > would have expected you to > say, a MTA which ignores basic basic configuration rules doesn't > deserve that it's mail should be accepted. In fact, this is the way I > feel about this. Seconded. |