[nycbug-talk] [Re: greylisting proxies?]

[Jonathan]

On Oct 1, 2006, at 12:38 PM, QuiGon wrote:

> I switched to Spamassassin and Clamassassin (as procmail filters)
> haven't looked back.  One of the machines I run it on (the one I'm
> sending this mail through) is an AMD K6-2 500/512MB that also runs  
> LAMP
> with no issues (no booing here, but it's Slackware, because I've  
> yet to
> be able to get *BSD running on a Cobalt RaQ series machine).


On Oct 1, 2006, at 12:48 PM, Okan Demirmen wrote:

> you can run spamd(8) in front of any mta; either on the same box or in
> front.

spamd and clamd are both memory and cpu intensive.

if you decide to run them, make sure to do preliminary filtering  
beforehand:

	1. use some sort of verified sender policy like spf.  it'll cut down  
about 20% of your spam.  its safe to use (no false positives) because  
it only works with domains that have opted into the system.

	2. block obviously malicious attachments.  you can't do zip/exe in  
most corporate settings, but there are a ton that viruses send out		 
ade:adp:bas:bat:chm:cmd:com:cpl:crt:exe:hlp:hta:inf:ins:isp:js:jse:lnk:m 
db:mde:msc:msi:msp:mst:pcd:pif:reg:scr
:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh:ADE:ADP:BAS:BAT:CHM:CMD:COM:CPL: 
CRT:EXE:HLP:HTA:INF:INS:ISP:JS:JSE:LNK:MDB:MDE:MSC:MSI:MSP:MST:PCD:PIF:R 
EG:SCR:SCT:SHS:SHB:URL:VB:VBE:VBS:WSC:WSF:WSH

	3. use some sort of regex hook / facility that can deal with virus  
signatures within the MTA itself at receipt time.  in exim you can do  
a simple PCRE pattern match.  during peak virus days this is a  
godsend-- i remember one of the sobig variants killing almost every  
mailsystem a few years back.  mine was going strong though, because a  
quick low-cost regex during rcpt rejected 98% of incoming mail within  
the MTA itself, before anything hit disk.

	4. tweak your system to only allow 2-4 failed addresses per  
connection. that drastically limits the number of attempts by most  
spam boxes.  also set your system to do a geometically increasing  
temporary reject based on the number of failed recipients per ip.   
ie: fail 1x in 1 hr, get a 1minute temp. reject.  fail 2x in 1 hr,  
get a 2 minute temp reject , fail 3x in hr get a 4min... etc. i  
forget what that method is called, but most MTAs support it built- 
in... greylisitng was really just an offshoot of that approach.

	5. i've had luck with the razor network as a pre-filter to  
spamassassin.

	6. when you run spamd, make sure you set at least 3 score limits:  
accept , accept-to-spamfolder , reject.   I've seen tons of people  
only use 2 levels, which either makes the spam-probable inbox  
completely unusable-- or rejects far too many false positives.

	7. bayesian filtering in spamassasin kind of sucks.  its not very  
good, its a fucking pain in the ass to set up per-user classifiers,  
and you can not use a global classifier.   i tried and found it  
worthless as two people on the system I had set up ended up  having a  
rather large internet porn addiction, another was really into  
mindless stock tips, a fourth had a habit of sending poorly spelled  
emails in ALLCAPS full of racial epithets and filthier than dirty sex  
jokes ( often both at once ) , and 3 more had friends in asia that  
kept sending foreign character set encoded messages .   i've heard  
mixed things on bogofilter , spambayes, and spamprobe.  CRM114 and  
dspam are awesome, but can be a pain for setup ( they're probably the  
two smartest approaches to filtering and ardent supporters of each  
other's product )