Spam Blocking Advice

asai
Greetings,

We have a real spam problem for some users, and this seems to be really
tough spam to block. I have postscreen set up, which blocks a lot of
spam; of the spam that does get through, SpamAssassin catches about 200
spams a day, but we have about a dozen users that get 20 - 30 spams a
day, so I ask if anyone can give me some advice about my configs here.
This is what I have had thus far; postscreen's deep protocol tests have
been turned on and turned off at different times due to troubleshooting a
particular user's iPhone connection, and they are off at this time:

postscreen_access_list = permit_mynetworks,
         cidr:/etc/postfix/postscreen_access.cidr
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2;3;4;5;6;7]*4
         #l2.apews.org*3,  ##I've used this with variable success
         dbl.spamhaus.org*2
         cbl.abuseat.org*2
         zen.spamhaus.org*1
         bl.spamcop.net*1
         b.barracudacentral.org*1
         bl.spameatingmonkey.net*1
         dnsbl.sorbs.net*1
         psbl.surriel.com
         bl.mailspike.net
         zen.spamhaus.org=127.0.0.11*-3
         swl.spamhaus.org*-5
         list.dnswl.org=127.[0..255].[0..255].0*-2
         list.dnswl.org=127.[0..255].[0..255].1*-3
         list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_action = enforce
postscreen_blacklist_action = drop
postscreen_greet_banner =
postscreen_greet_action = drop

I'm wondering about turning this back on under
smtpd_recipient_restrictions which has been turned off since I started
using postscreen:

smtpd_recipient_restrictions =  permit_mynetworks,
        ...

         reject_rbl_client zen.spamhaus.org,
         reject_rbl_client bl.spamcop.net,
         reject_rbl_client cbl.abuseat.org,
         reject_rhsbl_sender dbl.spamhaus.org,
         reject_rhsbl_sender rhsbl.sorbs.net,
         permit

I would be grateful for any advice here and if anyone could share their
experience.

Thanks!

--
--asai
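
The arithmetic postscreen applies to a postscreen_dnsbl_sites list like the one in this post, as an added example that is not part of the original thread. Per postconf(5), each entry's weight counts at most once and the threshold is an inclusive lower bound; the function names, the DNSBL replies and the treatment of a score exactly equal to the whitelist threshold are assumptions made for the example.

```python
import re

ENTRY_RE = re.compile(r"^([^=*]+)(?:=([^*]+))?(?:\*(-?\d+))?$")
OCTET_RE = re.compile(r"\d+|\[[^\]]+\]")

# Value of postscreen_dnsbl_sites from the post above (comment line kept).
SITES = """
zen.spamhaus.org=127.0.0.[2;3;4;5;6;7]*4
         #l2.apews.org*3,  ##I've used this with variable success
         dbl.spamhaus.org*2
         cbl.abuseat.org*2
         zen.spamhaus.org*1
         bl.spamcop.net*1
         b.barracudacentral.org*1
         bl.spameatingmonkey.net*1
         dnsbl.sorbs.net*1
         psbl.surriel.com
         bl.mailspike.net
         zen.spamhaus.org=127.0.0.11*-3
         swl.spamhaus.org*-5
         list.dnswl.org=127.[0..255].[0..255].0*-2
         list.dnswl.org=127.[0..255].[0..255].1*-3
         list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
"""
THRESHOLD = 3             # postscreen_dnsbl_threshold from the post
WHITELIST_THRESHOLD = -1  # postscreen_dnsbl_whitelist_threshold from the post

# Constructed DNSBL answers for three hypothetical clients.
CLIENTS = {
    "xbl-and-cbl": {"zen.spamhaus.org": ["127.0.0.4"],
                    "cbl.abuseat.org": ["127.0.0.2"]},
    # Only the 127.0.0.11 reply: the unfiltered zen entry adds 1 and the
    # "=127.0.0.11*-3" entry subtracts 3.
    "pbl-only": {"zen.spamhaus.org": ["127.0.0.11"]},
    "two-minor-lists": {"b.barracudacentral.org": ["127.0.0.2"],
                        "bl.spameatingmonkey.net": ["127.0.0.2"]},
}


def parse_octet(token):
    """Return the set of values one filter octet accepts, e.g. [2;3;10..12]."""
    if not token.startswith("["):
        return {int(token)}
    values = set()
    for part in token[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values


def parse_sites(text):
    """Parse domain[=filter][*weight] entries into (domain, octets, weight)."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):   # whole-line comment in main.cf
            continue
        for item in re.split(r"[,\s]+", line.strip()):
            if not item:
                continue
            m = ENTRY_RE.match(item)
            if m is None:
                raise ValueError(f"bad entry: {item}")
            domain, flt, weight = m.groups()
            octets = None
            if flt is not None:
                tokens = OCTET_RE.findall(flt)
                if len(tokens) != 4 or ".".join(tokens) != flt:
                    raise ValueError(f"bad filter: {flt}")
                octets = [parse_octet(t) for t in tokens]
            entries.append((domain, octets, int(weight or 1)))
    return entries


def reply_matches(octets, address):
    if octets is None:                      # no filter: any reply counts
        return True
    parts = [int(p) for p in address.split(".")]
    return len(parts) == 4 and all(p in ok for p, ok in zip(parts, octets))


def dnsbl_score(entries, replies):
    """Sum the weights of entries with a matching reply, once per entry."""
    return sum(weight for domain, octets, weight in entries
               if any(reply_matches(octets, a) for a in replies.get(domain, [])))


def verdict(score, threshold, whitelist_threshold):
    if score >= threshold:
        return "block"
    # Assumption: a score equal to the whitelist threshold also qualifies.
    if whitelist_threshold < 0 and score <= whitelist_threshold:
        return "skip-tests"
    return "continue-tests"


def evaluate(client):
    score = dnsbl_score(parse_sites(SITES), CLIENTS[client])
    return score, verdict(score, THRESHOLD, WHITELIST_THRESHOLD)


if __name__ == "__main__":
    for name in CLIENTS:
        print(name, *evaluate(name))
```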

Re: Spam Blocking Advice

Wietse Venema
Asai:

> Greetings,
>
> We have a real spam problem for some users, and this seems to be really
> tough spam to block. I have postscreen set up, which blocks a lot of
> spam; of the spam that does get through, SpamAssassin catches about 200
> spams a day, but we have about a dozen users that get 20 - 30 spams a
> day, so I ask if anyone can give me some advice about my configs here.
> This is what I have had thus far; postscreen's deep protocol tests have
> been turned on and turned off at different times due to troubleshooting a
> particular user's iPhone connection, and they are off at this time:

iPhones (and other mail clients) should connect to the submission
service (port 587 without postscreen), never to port 25.

I don't think that 20-30 residual spam messages are excessive, but
if you are willing to get involved with a game of whack-a-mole,
then you can try to find out if the spam has a common element.

For example, some spam operators use the same DNS or MX server
domain or IP address for their temporary envelope sender domains,
so they can easily be blocked with check_sender_ns_access or
check_sender_mx_access.

This takes some dedication. The alternative is to use a commercial
mail filtering service that sees the bigger picture.

        Wietse
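
One way to look for the shared element described in this reply, as an added example that is not part of the original thread: it groups spam envelope sender domains by the name servers they use and writes access(5) lines for a table referenced by check_sender_ns_access. The domains, NS records, function names and the rule of skipping name servers also used by known-good senders are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: envelope sender domains seen in residual spam, mapped
# to the NS hostnames an operator would collect with a tool such as dig.
SPAM_NS = {
    "cheap-offers.example": ["ns1.bulkdns.test", "ns2.bulkdns.test"],
    "win-today.example":    ["ns1.bulkdns.test", "ns2.bulkdns.test"],
    "pills-4u.example":     ["ns2.bulkdns.test", "ns3.bulkdns.test"],
    "one-off.example":      ["ns1.bigprovider.test"],
    "promo-mail.example":   ["a.ns.bigprovider.test"],
}
# Constructed sample: sender domains of wanted mail, used as a safety check
# so that a large shared DNS provider is never proposed for blocking.
HAM_NS = {
    "customer.example": ["ns1.bigprovider.test", "ns2.bigprovider.test"],
}


def suffixes(host):
    """NS hostname and each parent domain with at least two labels."""
    labels = host.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def users_by_key(ns_map):
    """Map every NS hostname/parent domain to the sender domains using it."""
    users = defaultdict(set)
    for sender_domain, hosts in ns_map.items():
        for host in hosts:
            for key in suffixes(host):
                users[key].add(sender_domain)
    return users


def common_ns(spam_ns, ham_ns, min_domains=3):
    """Return [(ns key, spam sender domain count)] worth reviewing for a block."""
    spam_users = users_by_key(spam_ns)
    ham_keys = set(users_by_key(ham_ns))
    hits = {key: len(domains) for key, domains in spam_users.items()
            if len(domains) >= min_domains and key not in ham_keys}
    # A qualifying parent domain already covers its own name servers.
    keep = [k for k in hits if not any(k.endswith("." + p) for p in hits)]
    return sorted((k, hits[k]) for k in keep)


def access_table(hits, text="sender domain uses name servers seen only in spam"):
    """Render the hits as access(5) lines: pattern, whitespace, action."""
    return "".join(f"{key}\tREJECT {text}\n" for key, _count in hits)


if __name__ == "__main__":
    print(access_table(common_ns(SPAM_NS, HAM_NS)), end="")
```

Review the candidates by hand before adding them to the table, and run postmap on the table file afterwards if it is a hash: map.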

Re: Spam Blocking Advice

lists@rhsoft.net
In reply to this post by asai
make them hate you by more aggressive RBL scoring and *slow down them* as
well as consider a manual trained global bayes with at least 1000 ham
and 1000 spam messages

* find common tags in the maillog
* adjust scores in SA local.cf for them
* adjust the scores for bayes after it is well trained
* consider global hashing services like IXHASH for SpamAssassin
* whatever you setup - be careful about non-scored decisions

our incoming spam *attempts* dropped down from 293 per minute to 20 per
minute and even the last two days the highest peak was 50 per minute and
we are talking here about rejections before the SA milter

below some key configs of our inbound-only filter, i avoid detail
configs because i am happy about some common senders, HELO's and a lot
of PTR's caught with regex and would like them not to change by
bot-developers monitoring public mailing lists :-)

since i trust my bayes with 15000 hand-trained messages that's the
scoring in context of 8.0 = milter reject

# adjust bayes scoring
ifplugin Mail::SpamAssassin::Plugin::Bayes
  score BAYES_00 -3.5
  score BAYES_05 -1.5
  score BAYES_20 -0.5
  score BAYES_40 -0.2
  score BAYES_50 2.5
  score BAYES_60 3.0
  score BAYES_80 5.0
  score BAYES_95 6.5
  score BAYES_99 7.5
  score BAYES_999 0.4
endif

here some real numbers of the current month

Connections:       210100
Delivered:         58351
Blocked:           151749
Invalid User:      6639
Disallowed User:   11
Reject Postscreen: 121348
Reject Postfix:    14346
Reject Milter:     5263
Reject Temporary:  3706
Blacklist:         113766
Pregreet:          15197
Hangup:            50176
Protocol Error:    3876
Illegal Syntax:    8
SpamAssassin:      5158
Virus:             99
Helo:              1669
Subject:           241
Attachment:        13
Sender Regex:      297
Sender Blocked:    573
Sender Verify:     15
Sender Invalid:    1888
Sender Spoofed:    14
Sender Parked:     21
PTR Missing:       1592
PTR Generic:       970
SPF:               569
______________________________________________________________

bots don't like to wait, that's 5 seconds penalty even after somebody
passed postscreen until the server is under load or the client is on any
DNSWL

smtpd_client_restrictions =
  reject_unlisted_recipient
  permit_dnswl_client list.dnswl.org
  permit_dnswl_client wl.mailspike.net
  permit_dnswl_client iadb.isipp.com
  permit_dnswl_client sa-accredit.habeas.com
  permit_dnswl_client dnswl.inps.de
  permit_dnswl_client swl.spamhaus.org
  permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
  ${stress?sleep 0}${stress: sleep 5}
______________________________________________________________

some ideas for a restriction order, the thoughts behind the config files
should be clear by their names

smtpd_recipient_restrictions =
  reject_non_fqdn_recipient
  reject_non_fqdn_sender
  reject_unauth_destination
  reject_unlisted_recipient
  check_helo_access regexp:/etc/postfix/blacklist_helo_uncond.cf
  reject_non_fqdn_helo_hostname
  reject_invalid_helo_hostname
  reject_unknown_sender_domain
  check_recipient_access hash:/etc/postfix/blacklist_rcpt.cf
  check_sender_access hash:/etc/postfix/whitelist_sender.cf
  check_sender_access hash:/etc/postfix/blacklist_sender.cf
  check_sender_access hash:/etc/postfix/spoofing_protection.cf
  check_sender_access regexp:/etc/postfix/blacklist_sender_regex.cf
  reject_unknown_reverse_client_hostname
  check_sender_ns_access hash:/etc/postfix/blacklist_ns.cf
  permit_dnswl_client wl.mailspike.net=127.0.0.[19;20]
  permit_dnswl_client list.dnswl.org=127.0.[0..255].[2;3]
  check_policy_service unix:private/spf-policy
  check_recipient_access hash:/etc/postfix/skip_ptr_check.cf
  permit_dnswl_client wl.mailspike.net
  permit_dnswl_client list.dnswl.org
  permit_dnswl_client iadb.isipp.com
  permit_dnswl_client sa-accredit.habeas.com
  permit_dnswl_client dnswl.inps.de
  permit_dnswl_client swl.spamhaus.org
  permit_dnswl_client hostkarma.junkemailfilter.com=127.0.0.1
  check_helo_access regexp:/etc/postfix/blacklist_helo.cf
  check_reverse_client_hostname_access regexp:/etc/postfix/generic_ptr.cf
  reject_unverified_sender
______________________________________________________________

lower the RBL TTL of postscreen to catch new blacklisted clients faster
and consider setting up an unbound dns-cache on localhost with tuned caching

the min-TTL lowers the network costs for DNSBL/DNSWL with a very low
origin TTL after postscreen as well as prevents exceeding limits of some lists

  cache-min-ttl: 270
  cache-max-ttl: 7200

postscreen can be much more aggressive by slow down new clients for 10
seconds, use a lot of more RBL's but back them up also with DNSWL to
avoid false positives and i have not seen any FP with that setup, look
also at the spamassassin config and consider raise up the scores for
RBL's to give more penalty if as example someone is on the barracuda RBL
but you really don't want to reject because any single RBL

postscreen_dnsbl_ttl = 5m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_greet_wait = ${stress?3}${stress:10}s
postscreen_dnsbl_sites =
  dnsbl.sorbs.net=127.0.0.10*8
  zen.spamhaus.org=127.0.0.[10;11]*8
  b.barracudacentral.org=127.0.0.2*7
  dnsbl.inps.de=127.0.0.2*7
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  zen.spamhaus.org=127.0.0.3*5
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  list.dnswl.org=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5


On 25.12.2014 at 23:24, Asai wrote:

> We have a real spam problem for some users, and this seems to be really
> tough spam to block. I have postscreen set up, which blocks a lot of
> spam; of the spam that does get through, SpamAssassin catches about 200
> spams a day, but we have about a dozen users that get 20 - 30 spams a
> day, so I ask if anyone can give me some advice about my configs here.
> This is what I have had thus far; postscreen's deep protocol tests have
> been turned on and turned off at different times due to troubleshooting a
> particular user's iPhone connection, and they are off at this time:

Re: Spam Blocking Advice

lists@rhsoft.net
oh and don't forget URIBL scores for SpamAssassin
URIBL_BLACK has a zero-false-positive policy

as said, spamass-milter runs with block above 8.0 here and the default
max-message size which is scanned is *way* too low, spammers know that

/usr/sbin/spamass-milter -p /run/spamass-milter/spamass-milter.sock -g sa-milt -r 8.0 -- -s 5242880 --port=10028

score URIBL_AB_SURBL 4.5
score URIBL_JP_SURBL 4.5
score URIBL_MW_SURBL 5.0
score URIBL_PH_SURBL 5.0
score URIBL_WS_SURBL 3.5
score URIBL_SC_SURBL 0.5
score URIBL_SBL 1.5
score URIBL_SBL_A 1.5
score URIBL_DBL_SPAM 3.0
score URIBL_DBL_BOTNETCC 3.0
score URIBL_DBL_PHISH 3.5
score URIBL_DBL_MALWARE 3.5
score URIBL_DBL_ABUSE_SPAM 3.0
score URIBL_DBL_ABUSE_BOTCC 3.0
score URIBL_DBL_ABUSE_PHISH 5.0
score URIBL_DBL_ABUSE_MALW 5.0
score URIBL_BLACK 7.0
score URIBL_GREY 0.5
score URIBL_RED 0.5
score URIBL_DBL_REDIR 0.1
score URIBL_DBL_ABUSE_REDIR 0.3
score URIBL_BLOCKED 0
score URIBL_DBL_ERROR 0
score URI_PHISH 3.5
score URI_TRY_3LD 0.5
score URI_WP_HACKED 3.5

On 26.12.2014 at 03:15, [hidden email] wrote:

> make them hate you by more aggressive RBL scoring and *slow down them* as
> well as consider a manual trained global bayes with at least 1000 ham
> and 1000 spam messages

Re: Spam Blocking Advice

asai
Awesome, thanks for everyone's advice.


On 12/25/14 7:19 PM, [hidden email] wrote:

> oh and don't forget URIBL scores for SpamAssassin
> URIBL_BLACK has a zero-false-positive policy

--
--asai