[nycbug-talk] [Re: greylisting proxies?]
trish at bsdunix.net
Sun Oct 1 17:28:54 EDT 2006
Actually I find DK and DKIM to be much better as a scheme for authenticated senders than SPF, which in my opinion is a HUGE hack.
As far as #s 2 and 3, I use MailScanner for that... It does a pretty good job, but it's still not pre-filtering; probably the best way to do it is with a sendmail ruleset that just simply will deny attachments with those "extensions".
I have one written here as a .mc insertion for when I'm actually near a computer and not my blackberry.
(As I'm not feeling well, sending this from bed/blackberry, hence the horrid quoting as well)
I usually have big machines with lots of firepower doing these kinds of proxy-filter connections in front of the real delivery MTA, and I'm not worried about mailscanner, spamassassin, and clamav taking massive resources.
From: Jonathan <nycbug-list at 2xlp.com>
Date: Sun, 1 Oct 2006 15:08:30
To: NYCBUG Talk <talk at lists.nycbug.org>
Subject: Re: [nycbug-talk] [Re: greylisting proxies?]
On Oct 1, 2006, at 12:38 PM, QuiGon wrote:
> I switched to Spamassassin and Clamassassin (as procmail filters)
> haven't looked back. One of the machines I run it on (the one I'm
> sending this mail through) is an AMD K6-2 500/512MB that also runs
> with no issues (no booing here, but it's Slackware, because I've
> yet to
> be able to get *BSD running on a Cobalt RaQ series machine).
On Oct 1, 2006, at 12:48 PM, Okan Demirmen wrote:
> you can run spamd(8) in front of any mta; either on the same box or in
spamd and clamd are both memory and cpu intensive.
if you decide to run them, make sure to do preliminary filtering
1. use some sort of verified sender policy like spf. it'll cut down
about 20% of your spam. it's safe to use (no false positives) because
it only works with domains that have opted into the system.
2. block obviously malicious attachments. you can't do zip/exe in
most corporate settings, but there are a ton that viruses send out
3. use some sort of regex hook / facility that can deal with virus
signatures within the MTA itself at receipt time. in exim you can do
a simple PCRE pattern match. during peak virus days this is a
godsend-- i remember one of the sobig variants killing almost every
mailsystem a few years back. mine was going strong though, because a
quick low-cost regex during rcpt rejected 98% of incoming mail within
the MTA itself, before anything hit disk.
4. tweak your system to only allow 2-4 failed addresses per
connection. that drastically limits the number of attempts by most
spam boxes. also set your system to do a geometrically increasing
temporary reject based on the number of failed recipients per ip.
ie: fail 1x in 1 hr, get a 1minute temp. reject. fail 2x in 1 hr,
get a 2 minute temp reject , fail 3x in hr get a 4min... etc. i
forget what that method is called, but most MTAs support it built-in...
greylisting was really just an offshoot of that approach.
5. i've had luck with the razor network as a pre-filter to
6. when you run spamd, make sure you set at least 3 score limits:
accept , accept-to-spamfolder , reject. I've seen tons of people
only use 2 levels, which either makes the spam-probable inbox
completely unusable-- or rejects far too many false positives.
7. bayesian filtering in spamassassin kind of sucks. it's not very
good, it's a fucking pain in the ass to set up per-user classifiers,
and you can not use a global classifier. i tried and found it
worthless as two people on the system I had set up ended up having a
rather large internet porn addiction, another was really into
mindless stock tips, a fourth had a habit of sending poorly spelled
emails in ALLCAPS full of racial epithets and filthier than dirty sex
jokes ( often both at once ) , and 3 more had friends in asia that
kept sending foreign character set encoded messages . i've heard
mixed things on bogofilter , spambayes, and spamprobe. CRM114 and
dspam are awesome, but can be a pain for setup ( they're probably the
two smartest approaches to filtering and ardent supporters of each
other's product )
% NYC*BUG talk mailing list
%Be sure to check out our Jobs and NYCBUG-announce lists
%We meet the first Wednesday of the month
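
Item 4 in the quoted message (cap failed recipients per connection, then double the temporary reject per IP for each failure within an hour), sketched as an added example that is not part of the original thread and not any MTA's built-in code. The class and function names, the cap of 3 failures per connection, the one-hour ceiling on the delay, and the sample addresses in the usage are assumptions.

```python
from collections import defaultdict, deque

WINDOW = 3600            # count failures over the last hour (from the post)
BASE_DELAY = 60          # first failure earns a 1 minute temp reject (from the post)
MAX_DELAY = 3600         # assumed ceiling so the doubling cannot grow without bound
MAX_FAILED_PER_CONN = 3  # assumed value inside the post's "2-4" range

class RecipientFailureTracker:
    """Per-IP failed-recipient history driving a doubling temp reject."""
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of failed RCPTs
        self.blocked_until = {}             # ip -> time the temp reject ends

    def record_failure(self, ip, now):
        q = self.failures[ip]
        q.append(now)
        while q[0] <= now - WINDOW:         # forget failures older than the window
            q.popleft()
        delay = min(BASE_DELAY * 2 ** (len(q) - 1), MAX_DELAY)  # 1, 2, 4 ... minutes
        self.blocked_until[ip] = now + delay
        return delay

    def check_connect(self, ip, now):
        remaining = self.blocked_until.get(ip, 0) - now
        return f"451 4.7.1 try again in {int(remaining)}s" if remaining > 0 else None

def handle_session(tracker, ip, rcpts, valid, now):
    """Replies one SMTP session would get for its RCPT TO commands."""
    deferred = tracker.check_connect(ip, now)
    if deferred:
        return [deferred]                   # still inside the temp reject
    replies, failed = [], 0
    for rcpt in rcpts:
        if rcpt in valid:
            replies.append("250 OK")
            continue
        failed += 1
        tracker.record_failure(ip, now)
        replies.append("550 5.1.1 unknown user")
        if failed >= MAX_FAILED_PER_CONN:   # drop the connection at the cap
            replies.append("421 4.7.0 too many unknown recipients")
            break
    return replies
```

A well-behaved sender that mistypes one address waits a minute; a host walking a list of guessed addresses hits the per-connection cap and then a delay that doubles with every further failure in the hour.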