The majority of spam is sent from dynamic ADSL/cable subscriber lines and thus not through legitimate MTAs. Mostly these are sent by spambots on infected computers that are poorly secured from the internet, or by spammers sending directly from their own machines. Reverse lookups therefore won't match their domains/hosts.
To further mitigate these kinds of spammers, use Postgrey. Postgrey is a third-party anti-spam tool used to greylist, that is temporarily reject, sending SMTP clients during the RCPT TO command. As said, the rejection is only temporary; it is a test of whether the sending client is a real MTA. If the client is not an MTA but a computer driven by a spambot, it won't, or only seldom will, retry after the greylisting/temporary RCPT rejection period. The majority of spam and virus mails are rejected by this method, which will save you lots of CPU cycles, especially if you also have content scanners like Amavisd-new, SpamAssassin and ClamAV installed. Legitimate MTAs will be auto-whitelisted after several successful deliveries. Postgrey is a GREYLISTING implementation for Postfix.
Also, I recently added a contributed patch for Postgrey to make it even harder for spammers' bots to retry, in case they do, by adding a --retry=2 startup option. Meaning, in case bots have already learned to retry, they need to retry one more time. This makes their delay even longer and they might lose interest. Further, an option to further delay auto-whitelisting is also available, which is --auto-whitelist-delay=3600.
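An added example, not code from this post or from Postgrey itself: a small Python model of the answer a greylisting policy server hands back to Postfix's check_policy_service, using Postgrey's default 300 s delay, the --retry=2 and --auto-whitelist-delay=3600 options from the post, and a 5-delivery auto-whitelist threshold (the exact semantics of the two patched options, and that threshold, are my assumptions). It shows why a one-shot bot stays deferred while a retrying MTA gets through and is eventually whitelisted.

```python
# Hypothetical reimplementation of the greylisting decision; not Postgrey's code.
from dataclasses import dataclass, field

DEFER = "DEFER_IF_PERMIT Greylisted"   # temporary rejection returned at RCPT TO
PASS = "DUNNO"                          # let the remaining recipient restrictions decide


@dataclass
class Greylister:
    delay: int = 300              # seconds a new triplet must wait before a retry counts
    retry: int = 2                # retries required after the delay (assumed --retry semantics)
    whitelist_after: int = 5      # counted deliveries before a client is auto-whitelisted
    whitelist_delay: int = 3600   # assumed --auto-whitelist-delay: passes closer than this don't count
    # (client_ip, sender, rcpt) -> [first_seen, retries_after_delay]
    triplets: dict = field(default_factory=dict)
    # client_ip -> [counted_passes, time_of_last_counted_pass]
    clients: dict = field(default_factory=dict)

    def decide(self, client_ip: str, sender: str, rcpt: str, now: int) -> str:
        """Policy answer for one RCPT TO command arriving at time `now` (seconds)."""
        passes, last = self.clients.get(client_ip, [0, None])
        if passes >= self.whitelist_after:
            return PASS                       # auto-whitelisted client: never greylisted
        key = (client_ip, sender, rcpt)
        if key not in self.triplets:
            self.triplets[key] = [now, 0]     # first sighting of this triplet: always defer
            return DEFER
        first_seen, retries = self.triplets[key]
        if now - first_seen < self.delay:
            return DEFER                      # retried too early: still greylisted
        retries += 1
        self.triplets[key][1] = retries
        if retries < self.retry:
            return DEFER                      # --retry=2: demand one more retry after the delay
        # Delivery passes; count it toward auto-whitelisting only if spaced far enough apart.
        if last is None or now - last >= self.whitelist_delay:
            self.clients[client_ip] = [passes + 1, now]
        return PASS
```

Client addresses and mailboxes in the test are constructed documentation values, not real hosts.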
Postgrey:
http://isg.ee.ethz.ch/tools/postgrey/
Tarpit+Greylist+S25R:
http://k2net.hakuba.jp/targrey/index.en.html
http://k2net.hakuba.jp/pub/targrey-0...rey-1.27.patch
http://k2net.hakuba.jp/spam/postfix.conf.2.tar.gz
http://k2net.hakuba.jp/pub/postfix-sleep.patch
The postfix.conf.2.tar.gz has all the necessary config files, which just need to be copied to /etc/postfix. I don't yet fully understand much of it, but all I can say is that it is working for me. It has greatly reduced my quarantine area again, and just to show you, here is an 'ls' of my quarantine yesterday.
Code:
root@mxwall:/etc/postfix# ls -l /var/virusmails |grep 2006-12-18
-rw-r----- 1 amavisd amavisd 25367 2006-12-18 02:43 spam-ED+2PXN9zB8K.gz
-rw-r----- 1 amavisd amavisd 27741 2006-12-18 23:32 spam-FCJ-P18n7nPh.gz
-rw-r----- 1 amavisd amavisd 33744 2006-12-18 05:20 spam-GTVtdIYzawxA.gz
-rw-r----- 1 amavisd amavisd 31619 2006-12-18 07:01 spam-MVn4E61LqUoL.gz
-rw-r----- 1 amavisd amavisd 28224 2006-12-18 23:01 spam-Q28Z3YQnUoYo.gz
-rw-r----- 1 amavisd amavisd 19595 2006-12-18 06:25 spam-gBvd6oXXZ+Vk.gz
-rw-r----- 1 amavisd amavisd 29992 2006-12-18 11:10 spam-lXjnVevMTCHm.gz
-rw-r----- 1 amavisd amavisd 20372 2006-12-18 06:26 spam-nxXgmOW41Tzy.gz
-rw-r----- 1 amavisd amavisd 10213 2006-12-18 23:19 spam-vcFNcp6Lmp1J.gz
Checking these lately, they came mostly from spamming servers that only send: when I telneted to them, they wouldn't accept connections on port 25.
Here is the pertinent main.cf portion I'm using, which you can use as a guide:
Code:
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    reject_invalid_hostname
    reject_non_fqdn_hostname
    check_helo_access regexp:/etc/postfix/reject_helo
I also added two regexp lines to reject_helo, and it is those that I'm sure have blocked clients using only domain.tld rather than a fully qualified hostname as HELO, which I'm sure legitimate MTAs won't do. reject_helo is included in postfix.conf.2.tar.gz.
Code:
/^[a-z]+\.[a-z]{2}$/ REJECT match HELO blacklist
/^[a-z]+\.[a-z]{3}$/ REJECT match HELO blacklist
Code:
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_client_access hash:/etc/postfix/whitelist_client
    check_client_access regexp:/etc/postfix/permit_client_nots25r
    check_client_access mysql:/etc/postfix/mysql-client.cf
    ....
    ..... others
    ....
    # this is Postgrey
    check_policy_service inet:127.0.0.1:10023
    ...
    permit
Here is a portion of my logs to show how it works:
Dec 19 20:08:51 mxwall postfix/smtpd[30090]: NOQUEUE: warn: RCPT from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]: ; from=<Off@cfcunit.org> to=<pro@****.gov.ph> proto=ESMTP helo=<cik172.neoplus.adsl.tpnet.pl>
Dec 19 20:09:01 mxwall postfix/smtpd[30090]: NOQUEUE: sleep: RCPT from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]: lost connection after 10 sec; from=<Off@cfcunit.org> to=<pro@****.gov.ph> proto=ESMTP helo=<cik172.neoplus.adsl.tpnet.pl>
Dec 19 20:09:01 mxwall postfix/smtpd[30090]: lost connection after RCPT from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]
Dec 19 20:09:01 mxwall postfix/smtpd[30090]: disconnect from cik172.neoplus.adsl.tpnet.pl[83.31.34.172]
And also, in case you are still interested in DKIM, here it is.
http://mipassoc.org/dkim
http://www.ijs.si/software/amavisd/a...docs.html#dkim
http://www.elandsys.com/resources/sendmail/dkim.html
-------
GANI