LinuxQuestions.org (Linux - Server forum)

Spam Blacklists.

Old 08-15-2006, 11:24 AM   #1
dlublink

Hi,

Two things. Firstly to anyone running an incoming mail server, I strongly recommend using mail blacklists. I filter my mail using blacklists and strict RFC checks and the result is about 3-5 spams a week combined on all the accounts on my mail server. I used dnsstuff.com as a guide to finding the right combination of blacklists. I found the best way to find a blacklist was to handpick spam on your server, check the IP addresses against dnsstuff.com and check some legitimate emails. You should get an idea of which blacklists are reliable. When you find the right blacklist, go read the blacklist's terms and conditions first.

My main.cf has :

smtpd_helo_restrictions = permit_mynetworks,
check_helo_access mysql:/etc/postfix/mysql/mysql-helo.cf,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
smtpd_recipient_restrictions =
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client relays.ordb.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client combined.njabl.org,

This blocks 99% of spam.


Anyway, for my question. I would like to block more spam. I have noticed there are certain addresses on my server that have never existed that are often spammed. Two of these addresses are info@mydomain and contact@mydomain. Is there a plugin for postfix where I can specify spamtraps on my server, any mail entering a spam trap will cause the IP to be blocked. 4 hours first time, 8 hours second time etc...? Also having rules saying that the first few times an ip is blocked, it is block with 4xx errors. As the IP spams more and more it should do 5xx.

I want all this to be done before the data command is issued.


Thanks,

David Lublink
 
Old 08-16-2006, 09:58 AM   #2
Child of Wonder
I'm not sure about the plug-in, but you'll need to include it in smtpd_client_restrictions.

Also, here's a few other ideas on things you can add to stop spam.

smtpd_helo_required = yes

smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain

smtpd_recipient_restrictions =
reject_unlisted_recipient
reject_unauth_destination
reject_non_fqdn_recipient
reject_unknown_recipient_domain
check_policy_service inet:127.0.0.1:60000

The last line is for greylisting. It basically checks the connecting IP, from address, and to address and if it hasn't seen that triplet before, it will temporarily block the email. This forces the sending server to resend the email. If it resends the email, then it goes through.

Most spammers don't resend email automatically. This will also stop a significant amount. Just install Postgrey.
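Worked example, added by the editor (it is not Postgrey and not either poster's code): a small Postfix SMTPD policy service speaking the same protocol that check_policy_service inet:127.0.0.1:60000 uses. It combines the greylisting described in post #2 with the spamtrap escalation asked for in post #1 (4xx for the first few trap hits, 5xx afterwards, ban length doubling from 4 hours). Postfix writes name=value lines ending in a blank line and reads back one action= line; since the service is consulted at RCPT TO, every decision is made before DATA, as post #1 wants. The trap addresses, the 60-second delay (post #5's figure), the three-strike threshold and the 4-hour base ban are assumptions chosen to match the thread, and the state lives in memory, so a restart clears it. Two Postfix details matter for placement: DEFER_IF_PERMIT only turns into a 450 when the later restrictions would have accepted the recipient, and the service is asked about every RCPT TO, including your own users' mail, unless permit_mynetworks and permit_sasl_authenticated come earlier in smtpd_recipient_restrictions, as they do in post #1's list.

```python
# Added example (editor's code, not Postgrey and not the posters' own):
# a minimal Postfix SMTPD policy daemon for check_policy_service that
# greylists new (client, sender, recipient) triplets and escalates against
# clients that write to spamtrap addresses. All thresholds are assumptions.
import socketserver
import time

GREYLIST_DELAY = 60                                  # seconds; post #5 quotes 60 s
SPAMTRAPS = {"info@mydomain", "contact@mydomain"}    # post #1's never-existed addresses
SOFT_STRIKES = 3                                     # 4xx for the first N trap hits, 5xx after
BASE_BAN = 4 * 3600                                  # 4 h, doubling on every further hit


class PolicyState:
    """In-memory state. Assumption: a real daemon persists this (Postgrey uses
    a BerkeleyDB) so a restart does not forget who is banned."""

    def __init__(self):
        self.triplets = {}   # (client_ip, sender, recipient) -> first-seen timestamp
        self.strikes = {}    # client_ip -> number of spamtrap hits
        self.banned = {}     # client_ip -> ban expiry timestamp


def parse_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines terminated by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def _trap_response(strikes: int) -> str:
    # DEFER_IF_PERMIT yields a 450 only if the later restrictions would have
    # accepted the recipient; REJECT is a permanent 550.
    if strikes <= SOFT_STRIKES:
        return "DEFER_IF_PERMIT Service temporarily unavailable, try later"
    return "REJECT Client listed for sending to a spamtrap address"


def decide(attrs: dict, state: PolicyState, now: float) -> str:
    """Return the value for the 'action=' line of one RCPT-stage request."""
    ip = attrs.get("client_address", "")
    sender = attrs.get("sender", "").lower()
    rcpt = attrs.get("recipient", "").lower()

    # 1. A client under an active ban is answered with 4xx while its strike
    #    count is low and with 5xx once it has hit traps repeatedly.
    expiry = state.banned.get(ip)
    if expiry is not None and now < expiry:
        return _trap_response(state.strikes.get(ip, 0))

    # 2. Spamtrap hit: count a strike and ban for 4h, 8h, 16h, ... (post #1).
    if rcpt in SPAMTRAPS:
        strikes = state.strikes.get(ip, 0) + 1
        state.strikes[ip] = strikes
        state.banned[ip] = now + BASE_BAN * 2 ** (strikes - 1)
        return _trap_response(strikes)

    # 3. Greylisting (post #2): an unseen triplet must come back after the delay.
    first_seen = state.triplets.setdefault((ip, sender, rcpt), now)
    if now - first_seen < GREYLIST_DELAY:
        return "DEFER_IF_PERMIT Greylisted, please retry later"
    return "DUNNO"   # no opinion; the remaining restrictions decide


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Postfix may reuse one connection for many requests; answer each.
        while True:
            raw = ""
            while True:
                line = self.rfile.readline().decode("utf-8", "replace")
                if not line:            # Postfix closed the connection
                    return
                raw += line
                if line in ("\n", "\r\n"):
                    break
            action = decide(parse_request(raw), self.server.state, time.time())
            self.wfile.write(f"action={action}\n\n".encode())


def serve(host="127.0.0.1", port=60000):
    """Listen where post #2's main.cf points: check_policy_service inet:127.0.0.1:60000."""
    server = socketserver.ThreadingTCPServer((host, port), PolicyHandler)
    server.state = PolicyState()   # shared by handler threads; a real daemon would lock or persist it
    server.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it alongside the check_policy_service line from post #2 and watch the 450 replies in the mail log; a sender address whitelisted with check_sender_access placed before check_policy_service, as in post #7, never reaches this daemon at all.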
 
Old 08-16-2006, 10:04 AM   #3
dlublink (Original Poster)
Quote:
Originally Posted by Child of Wonder
I'm not sure about the plug in, but you'll need to include it in smtpd_client_restrictions.
Actually I also have this:

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks,
check_helo_access mysql:/etc/postfix/mysql-helo.cf,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit

Just the helo restrictions block about 40% of the spam coming into my server. I use check_helo_access to block mailers I would consider spammers but strictly speaking aren't. This list includes: tickle-corp.com, ringo.com, getitfree.net, hi5.com.

As for 'reject_unknown_sender_domain' this is also effective, but it gives me false positives. There are still a lot of legitimate sites that don't send from real domains. Without this directive and all the above between my home server and work server we have had 3 false positives in 8 months.

I am pretty happy with these results.

I think I'll use greylisting.

Thanks,

David
 
Old 08-16-2006, 10:17 AM   #4
dlublink (Original Poster)
The reason I haven't yet implemented greylisting is for the same reason I dislike hotmail's spam filters.

My server uses the above mentioned filters before the data command is issued. That being considered, ANY message that is rejected will be sent back to the sender immediately. The sender will know whether or not the message was received. It adds a certain level of confidence to the users of my server.

I have amavis that blocks any emails that are confirmed viruses and sends warnings for suspected viruses.

I don't have any spam folders or anything. This prevents people from missing important emails and saying 'oops it was in my spam folder'.

Trouble with greylisting is emails can be delayed up to 24 hours which may cause user frustration because the users are not aware of what is happening with their messages.

David
 
Old 08-16-2006, 03:29 PM   #5
Child of Wonder
Mail servers should be configured to resend temporarily blocked email within a few minutes. I'm a System Admin for an ISP of about 40,000 customers and we use it. The block time we have set is 60 seconds. Very rarely do we see mail being delayed more than 5 minutes.
 
Old 08-16-2006, 04:36 PM   #6
dlublink (Original Poster)
Quote:
Originally Posted by Child of Wonder
Mail servers should be configured to resend temporarily blocked email within a few minutes. I'm a System Admin for an ISP of about 40,000 customers and we use it. The block time we have set is 60 seconds. Very rarely do we see mail being delayed more than 5 minutes.
Is it possible to exclude certain addresses from the greylisting?

I have one specific address, support@domain.tld, can't risk having delays on that one.


David
 
Old 08-16-2006, 05:04 PM   #7
Child of Wonder
You could add the address to a file (call it postgrey_sender_whitelist or anything you want) with an OK and include it in smtpd_recipient_restrictions. Then that address would skip all the remaining checks in smtpd_recipient_restrictions. Just make sure check_sender_access comes before check_policy_service inet:127.0.0.1:60000.

Code:
/etc/postfix/main.cf

smtpd_recipient_restrictions = 
        <all your other recipient checks .....>
        check_sender_access hash:/etc/postfix/postgrey_sender_whitelist
        check_policy_service inet:127.0.0.1:60000
Code:
/etc/postfix/postgrey_sender_whitelist

support@domain.tld OK
Code:
postmap /etc/postfix/postgrey_sender_whitelist

Restart Postfix and off you go.

Last edited by Child of Wonder; 08-16-2006 at 05:06 PM.
 
Old 08-21-2006, 08:38 AM   #8
dlublink (Original Poster)
What about PTR? I have a number of messages coming from IPs and dnsstuff.com says that some servers would block using PTR.

Is PTR a reliable way to block spam?

My understanding is PTR is the reverse DNS lookup? Where I can get a hostname from an IP address?

How do I block IPs without PTR and how does everyone feel about this method?

David
 
Old 08-21-2006, 08:59 AM   #9
Child of Wonder
If you have Postfix version 2.3 or greater, include this line in your smtpd_client_restrictions.

reject_unknown_client_hostname

If you have a version below 2.3 use: reject_unknown_client.

This rule will take the connecting server IP address and do a reverse DNS lookup (PTR record) on it. If it does not return a hostname, the mail is rejected. If the reverse DNS lookup does produce a hostname, then Postfix does a forward lookup on that hostname. If that lookup does not produce the original connecting IP or the lookup fails, the mail is rejected.
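Worked example, added by the editor (not Postfix's own code): the forward-confirmed reverse DNS check that reject_unknown_client_hostname performs, written out so each failure mode from the answer above is visible, plus the mapping to what Postfix replies. By default Postfix answers 450 rather than 550 (the unknown_client_reject_code parameter), because a PTR lookup can fail for transient reasons, and it always uses 450 for a temporary DNS error even if you raise the code to 550. The resolver functions are passed in so the check runs offline against a constructed zone (192.0.2.0/24 is documentation address space and the hostnames are made up); live_ptr and live_addr show the same interface on top of the standard socket module for real use. Postfix 2.3 and later also offer reject_unknown_reverse_client_hostname, which only requires that a PTR record exist and skips the forward confirmation.

```python
# Added example (editor's code, not Postfix's): the forward-confirmed reverse
# DNS (FCrDNS) test behind reject_unknown_client_hostname, with the failure
# modes spelled out. Resolvers are passed in so the check runs offline.
import ipaddress
import socket


class DnsTempFail(Exception):
    """A lookup that failed for a transient reason (SERVFAIL, timeout)."""


def fcrdns_status(client_ip: str, ptr_lookup, addr_lookup) -> str:
    """Classify a connecting IP.

    ptr_lookup(ip)    -> list of hostnames, [] if there is no PTR record
    addr_lookup(name) -> list of IPs, [] if the name does not resolve
    Both raise DnsTempFail on a temporary error.
    Returns 'ok', 'no_ptr', 'no_forward', 'mismatch' or 'tempfail'.
    """
    ip = ipaddress.ip_address(client_ip)
    try:
        names = ptr_lookup(client_ip)
        if not names:
            return "no_ptr"                 # step 1: IP -> name fails
        forward_resolved = False
        for name in names:
            addrs = addr_lookup(name)
            if addrs:
                forward_resolved = True
            if any(ipaddress.ip_address(a) == ip for a in addrs):
                return "ok"                 # step 2: name -> IP confirms the client
    except DnsTempFail:
        return "tempfail"
    return "mismatch" if forward_resolved else "no_forward"


def postfix_action(status: str, reject_code: int = 450) -> str:
    """Reply mirroring Postfix defaults: unknown_client_reject_code is 450, and
    a temporary DNS failure is always answered 450 whatever code is configured,
    so a resolver outage never bounces mail permanently."""
    if status == "ok":
        return "DUNNO"
    if status == "tempfail":
        return "450 Client host lookup temporarily failed"
    return f"{reject_code} Client host rejected: cannot find your hostname"


# Constructed zone for offline use (assumption: none of these names are real).
PTR_ZONE = {
    "192.0.2.10": ["mail.example.org"],   # PTR and A agree
    "192.0.2.20": ["mail.example.org"],   # claims a name that points elsewhere
    "192.0.2.30": [],                     # no PTR record at all
    "192.0.2.40": ["ghost.example.net"],  # PTR exists, name has no address
}
A_ZONE = {"mail.example.org": ["192.0.2.10"]}


def demo_ptr(ip):
    if ip == "192.0.2.50":
        raise DnsTempFail("SERVFAIL")    # simulate a flaky reverse zone
    return PTR_ZONE.get(ip, [])


def demo_addr(name):
    return A_ZONE.get(name, [])


def live_ptr(ip):
    """Real resolver on the socket module (network I/O; not used offline)."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except socket.herror as e:
        if e.errno == 2:                  # h_errno TRY_AGAIN: transient, not NXDOMAIN
            raise DnsTempFail(str(e))
        return []


def live_addr(name):
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror as e:
        if e.errno == getattr(socket, "EAI_AGAIN", -3):
            raise DnsTempFail(str(e))
        return []


if __name__ == "__main__":
    for client in sorted(PTR_ZONE) + ["192.0.2.50"]:
        status = fcrdns_status(client, demo_ptr, demo_addr)
        print(client, status, "->", postfix_action(status))
```

The "mismatch" case is the one worth watching in logs: a PTR that names a host whose A record belongs to someone else is a forged or stale reverse entry, and it is rejected just like a missing PTR. Before enabling the check on a live server, run the live resolvers over a day of connecting IPs from your log to measure how much legitimate mail would be hit.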
 
Old 08-23-2006, 08:40 AM   #10
dlublink (Original Poster)
Quote:
Originally Posted by Child of Wonder
If you have a version below 2.3 use: reject_unknown_client.
I did this, and spam was still getting through. So I checked, and it turned out I had set up a mail relay (for my domain and a couple of others) a while ago that I had forgotten about. It was through the relay that all the extra spam was getting through.

I disabled the relay, I'll see if it works. I'll post my results here.

David
 
  


Tags: blacklist, spam, trap, whitelist