[nycbug-talk] [Re: greylisting proxies?]

Trish Lynch trish at bsdunix.net
Sun Oct 1 17:28:54 EDT 2006

Actually I find DK and DKIM to be much better as a scheme for authenticated senders than SPF, which in my opinion is a HUGE hack.

As far as #s 2 and 3, I use MailScanner for that... It does a pretty good job, but its still not pre-filtering, probably the best way to do it is with a sendmail ruleset that just simply will deny attachments with those "extentions".

I have one written here as a .mc insertion for when I'm actually near a computer and not my blackberry. 

((As I'm not feeling well, sending this from bed/blackberry, hence the horrid quoting as well)

I usually have big machines with lots of firepower doing these kind of proxy-filter connections in front of the real delivery MTA, and I'm not worried about mailscanner, spamassassin, and clamav taking massive resources.


Trish Lynch
M: 646-401-1405
H: 201-378-0434    

-----Original Message-----
From: Jonathan <nycbug-list at 2xlp.com>
Date: Sun, 1 Oct 2006 15:08:30 
To:NYCBUG Talk <talk at lists.nycbug.org>
Subject: Re: [nycbug-talk] [Re:  greylisting proxies?]

On Oct 1, 2006, at 12:38 PM, QuiGon wrote:

> I switched to Spamassassin and Clamassassin (as procmail filters)
> haven't looked back.  One of the machines I run it on (the one I'm
> sending this mail through) is an AMD K6-2 500/512MB that also runs  
> with no issues (no booing here, but it's Slackware, because I've  
> yet to
> be able to get *BSD running on a Cobalt RaQ series machine).

On Oct 1, 2006, at 12:48 PM, Okan Demirmen wrote:

> you can run spamd(8) in front of any mta; either on the same box or in
> front.

spamd and clamd are both memory and cpu intensive.

if you decide to run them, make sure to do preliminary filtering  

	1. use some sort of verified sender policy like spf.  it'll cut down  
about 20% of your spam.  its safe to use (no false positives) because  
it only works with domains that have opted into the system.

	2. block obviously malicious attachments.  you can't do zip/exe in  
most corporate settings, but there are a ton that viruses send out		 

	3. use some sort of regex hook / facility that can deal with virus  
signatures within the MTA itself at receipt time.  in exim you can do  
a simple PCRE pattern match.  during peak virus days this is a  
godsend-- i remember one of the sobig variants killing almost every  
mailsystem a few years back.  mine was going strong though, because a  
quick low-cost regex during rcpt rejected 98% of incoming mail within  
the MTA itself, before anything hit disk.

	4. tweak your system to only allow 2-4 failed addresses per  
connection. that drastically limits the number of attempts by most  
spam boxes.  also set your system to do a geometically increasing  
temporary reject based on the number of failed recipients per ip.   
ie: fail 1x in 1 hr, get a 1minute temp. reject.  fail 2x in 1 hr,  
get a 2 minute temp reject , fail 3x in hr get a 4min... etc. i  
forget what that method is called, but most MTAs support it built- 
in... greylisitng was really just an offshoot of that approach.

	5. i've had luck with the razor network as a pre-filter to  

	6. when you run spamd, make sure you set at least 3 score limits:  
accept , accept-to-spamfolder , reject.   I've seen tons of people  
only use 2 levels, which either makes the spam-probable inbox  
completely unusable-- or rejects far too many false positives.

	7. bayesian filtering in spamassasin kind of sucks.  its not very  
good, its a fucking pain in the ass to set up per-user classifiers,  
and you can not use a global classifier.   i tried and found it  
worthless as two people on the system I had set up ended up  having a  
rather large internet porn addiction, another was really into  
mindless stock tips, a fourth had a habit of sending poorly spelled  
emails in ALLCAPS full of racial epithets and filthier than dirty sex  
jokes ( often both at once ) , and 3 more had friends in asia that  
kept sending foreign character set encoded messages .   i've heard  
mixed things on bogofilter , spambayes, and spamprobe.  CRM114 and  
dspam are awesome, but can be a pain for setup ( they're probably the  
two smartest approaches to filtering and ardent supporters of each  
other's product )

% NYC*BUG talk mailing list
%Be sure to check out our Jobs and NYCBUG-announce lists
%We meet the first Wednesday of the month

More information about the talk mailing list