Valery's Mlog

Mindlog of a Freak
February 11th, 2008 by Valery Dachev

Some Mail Spam Observation

My server hosts several mail domains (including my own one – vdachev.net) and is also a secondary mail exchanger for others. In an effort to reduce the spam traffic sent to and passing through my server I strenghtened the anti-spam policy of my servers. I’ve also moved many mail domains to Google Apps as it turned out to be a great solution and deals pretty well with spam.

There were a few things that I paid attention to:

  • Spammers predominantly use secondary mail exchangers. Quote clever decision – secondary mail exchangers often have no way to check if a mailbox is not available or not and accept the e-mail for delivery. They usually don’t do the spam filtering as it is often a local delivery task so it’s not their job. What I mean… spam is more likely to be accepted by a secondary mail exchanger. Even if a message gets bounced by the primary mail exchanger it is not of importance to the spammer;
  • In my setup I had disabled DNS blacklist checks in Postfix as SpamAssassin did them. However my SpamAssassin marks unsolicited e-mails as spam but lets them pass through. So blacklisted senders were able to send spam to domains I relay for instead of being sent a “554 Transaction failed.” error code. That’s why I added DNS blacklist checks in Postfix itself (a main.cf snippet below);
  • A few weeks after moving a domain to Google Apps and changing the MX records accordingly I still have receive spam relayed through my servers for this domain. I intentionally didn’t remove the domain from the list of domains I relay for because I don’t want a mail to be lost because of unexpired DNS entries. It seems spammers are aware of such techniques and save old MX records. Fine! I removed the obsolete domains out of my relay list…
  • … but the last one presupposes there are system that keeps sending spam for a very long period of time (a few weeks!). If they are hacked why the f*ck their administrators get paid for?! If not, it’s intentional… and their ISPs obviously support spam. I suppose it’s the latter and that’s why wide ranges are blacklisted. Hah! And that’s why my mail queue has almost no requests in it after the change in Postfix.

For those of you interested in the Postfix setting (or just the DNS blacklist I use) here is what my “smtpd_recipient_restrictions” option in main.cf looks like:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_non_fqdn_sender,
reject_unknown_sender_domain,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_rhsbl_client blackhole.securitysage.com,
reject_rhsbl_sender blackhole.securitysage.com,
reject_rbl_client blackholes.easynet.nl,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client proxies.blackholes.wirehub.net,
reject_rbl_client bl.spamcop.net,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client multihop.dsbl.org,
permit

Comments

2 Responses to “Some Mail Spam Observation”
  1. Кирил Тодоров says

    Имаш няколко решения които не мога да приема за адекватни:
    bl.spamcop.net и задължителния fqdn.

    Да, знам защо ги ползваш, но spamcop-ското полиси за листване е изключително мъгливо, а отделно, никъде в рфц-тата не пише нищо по въпроса за задължителен работещ ревърс луукъп.
    Надявам се поне да си го настроил да връща 4.х.х. грешка за тези случаи.

    Мога и да ти препоръчам няколко техники, които като цяло облекчават сървъра и са доказано ефективни – greylisting и greetdelay.
    Особенно второто работи чудесно и като защита срещу червейчета които се саморазпращат.

    Като цяло ползваш твърде много блеклисти, които макар и полезни далеч не са панацея и нямаш контрол върху тях. Е да, ако става дума за твой си домейн, личен – предполагам няма проблем. Но тази конфигурация на корпоративно ниво би било неизползваема.

  2. @Кирил Тодоров: Благодаря за коментара! :)

    Всички наложени ограничения връщат 4.x.x код. Иначе съм далеч от убеждението, че едните черни списъци ще решат проблема. Засега обаче се представят учудващо добре. С други думи не съм засичал или получавал оплакване за недоставена поща от реален потребител. Самата публикация беше с идеята за преместването на черните списъци от SpamAssassin в Postfix, а не толкова за конкретните списъци, които използвам. Наясно съм, че със SpamCop наистина съм затегнал режима… :)
    Напълно съм съгласен за предложените от теб техники и в предишната инсталация на сървъра ги използвах активно. Но доколкото говорим наистина за не съвсем корпоративна среда, предпочетох направо секирата… :)

Leave a Reply

%d bloggers like this: