From owner-freebsd-questions@FreeBSD.ORG Mon Dec 17 08:36:23 2007
From: Jorn Argelo
X-Sender: jorn@wcborstel.com
To: girishvenkatachalam@gmail.com
Cc: freebsd-questions@freebsd.org
Date: Mon, 17 Dec 2007 09:36:29 +0100
Subject: Re: (postfix) SPAM filter?
Message-ID: <9cc0a3fa1d403f16f4fc9b2abb49fb75@mail.wcborstel.com>
In-Reply-To: <20071216185050.GB26535@brahma.susmita.org>
References: <20071216185050.GB26535@brahma.susmita.org>
User-Agent: RoundCube Webmail/0.1b
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on mail.wcborstel.com
X-Spam-Status: No, score=-4.4 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.2.3
X-Virus-Scanned: ClamAV using ClamSMTP
On Mon, 17 Dec 2007 00:20:50 +0530, Girish Venkatachalam wrote:
> On 14:48:35 Dec 15, Jorn Argelo wrote:
>> Greylisting only works so-so nowadays. There was a couple of months it
>> was very effective, but that is long gone. Spammers aren't stupid, and
>> they follow the development of anti-spam techniques as much as e-mail
>> admins do. Greylisting is a start, but from my experience it is not
>> nearly enough.
>
> I have heard this said elsewhere too.

Yes, don't rely solely on greylisting unless you're a lucky guy and don't
get a lot of spam.

>> Also I believe that rejecting e-mail is a big point of discussion. We
>> had an internet e-mail environment built about 3 years ago, and there
>> the users were terrorized by spam. We had some users getting 30 spam
>> mails a day at least. This setup was running amavis, spamassassin,
>> postfix, postgrey, dcc and razor. Unfortunately, over time the bayes
>> filter got incorrectly trained, and it sometimes rejected valid e-mails.
>> If there's something you DON'T want to happen it's that. And also
>> troubleshooting those kinds of things can be quite hard ...
>
> What about CRM114 and dspam?

I played with dspam at home but I didn't really get it running as I
wanted to. I didn't invest an awful lot of time in it though, so I cannot
properly judge it. I never heard of CRM114, so I cannot say anything
about that.

> Have you ever tried statistical filtering instead of heuristics with
> spamassassin?
>
>> We rebuilt the environment from scratch. Right now we are running
>> OpenBSD spamd + OpenBSD Packetfilter. This functions as greylisting /
>> greytrapping in combination with the PF firewall. We made a couple of
>> scripts to trap invalid / forged e-mail addresses that are greylisted.
>> Also we make use of the uatraps / nixspam traplists, and our own
>> blacklist generated from spam being sent to the postmaster. We had some
>> problems with blacklisted entries in the past, but we worked around
>> that. It goes further than that, but I will spare you all the details.
>
> pf(4) has some amazing features that come in handy for spam control. I
> guess it forms a key component of any spam blocking architecture. And it
> works in concert with the other OpenBSD niceties you point out like
> populating the tables with blacklists and whitelists, greytrapping and
> using the pf(4) anchor mechanism to automate stuff.

Indeed. PF is very powerful and uses very few resources. Hats off to the
OpenBSD guys for this. And indeed, I can recommend every e-mail admin to
use a pf and spamd combination. It's awesome and you can do a lot with it.
Check out the OpenBSD website for more info.

> The probability and state tracking options in pf(4) are pretty
> interesting too if used creatively.

Very much so, it opens a lot of new options for you to handle blacklisted
entries.

>> On the second line we run Postfix / ClamSMTP / Clamd / Spamassassin. We
>> removed Amavis because it was annoying to upgrade and we wanted to get
>> rid of it, as we had problems with it in the past. With SpamAssassin we
>> use sa-update and sa-learn to keep the rules up-to-date and make sure
>> bayes gets properly trained. So we are marking e-mail as spam and no
>> longer block it. Why? Simple ... we no longer want to block false
>> positives. Again, there is more to this, but I will spare you all the
>> details.
>
> But if you don't update virus signatures wouldn't that cause worms and
> malware propagation?
>
> I know I am digressing but I thought signature updates were critical to
> malware control...

Well of course, but with clamd I also meant using freshclam :) So we keep
our signature database up-to-date as well.

>> Right now we have 2500 happy users. Their local helpdesks helped them
>> with getting an Outlook rule in place to automatically move tagged
>> e-mails to a spam folder. Just like their gmail, hotmail or Yahoo
>> account does at home.
>
> Wow, this is great.

I am not surprised to hear this. ;)

>> The environment we have is certainly not the easiest one, but we
>> automated many things, leaving us with practically no work on it. All
>> the updating of rulesets / blacklists / whitelists / whatever goes by
>> itself. Downside of an environment like this is that you will need
>> quite some knowledge of all the components and how they work together.
>> But hey, I got it running at home as well (a bit simpler though) and
>> didn't have a single spam mail in my mailbox the last 4 months. Sure,
>> the ones I do get are getting tagged and moved to my spam folder
>> automatically, which I do with maildrop (though procmail does the job
>> nicely too). All in all it works like a charm.
>
> Using the X-foobar headers I suppose?

I just check the Subject header to see if it starts with *****SPAM*****.
So yes, using the mail headers :)

>> Well a long story, but maybe it is of use for someone else. As always,
>> YMMV.
>
> Yes, very enlightening, many thanks.

Glad to hear.

Jorn
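The delivery-side rule this message describes (tag at the gateway, then move anything whose Subject starts with *****SPAM***** into a spam folder, as the maildrop/procmail and Outlook rules do) written out as a small Python filter. This is an added example, not code from this thread or from the setup Jorn runs. The folder names, the constructed sample messages and the additional check of X-Spam-Flag are assumptions of this example; the tag string is SpamAssassin's default rewrite_header Subject value, and the RFC 2047 handling covers subjects that a mail client encoded before the tag was prepended.

```python
"""Deliver-time sorting of SpamAssassin-tagged mail (added example).

Mirrors the rule from the mail above: a Subject rewritten with the
*****SPAM***** tag goes to the spam folder, everything else to the inbox.
Folder names, the X-Spam-Flag fallback and the sample messages below are
assumptions of this example, not part of the original setup.
"""
from email import message_from_string
from email.header import decode_header, make_header
from email.message import Message

SPAM_TAG = "*****SPAM*****"   # SpamAssassin default rewrite_header Subject
SPAM_FOLDER = "Spam"          # assumed folder names
INBOX = "INBOX"


def decoded_subject(msg: Message) -> str:
    """Return the Subject as plain text, decoding RFC 2047 encoded words.

    A missing Subject yields "" rather than raising, so a message without
    any Subject header is still sorted (into the inbox) instead of bouncing
    the whole delivery on an exception.
    """
    raw = msg.get("Subject")
    if raw is None:
        return ""
    return str(make_header(decode_header(raw)))


def is_tagged_spam(msg: Message) -> bool:
    """True when the scanner marked the message.

    The Subject prefix is the check the mail above uses.  X-Spam-Flag is
    consulted as well (assumption of this example): SpamAssassin sets it
    together with the Subject rewrite, so sorting keeps working if a site
    later turns rewrite_header off.
    """
    if decoded_subject(msg).lstrip().startswith(SPAM_TAG):
        return True
    return msg.get("X-Spam-Flag", "").strip().upper() == "YES"


def target_folder(raw_message: str) -> str:
    """Decide the mailbox folder for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    return SPAM_FOLDER if is_tagged_spam(msg) else INBOX


# Constructed sample messages (not real traffic), covering the plain tag,
# an untagged message, a message with no Subject at all, an RFC 2047
# encoded subject behind the tag, and a flag-only message.
SAMPLE_MESSAGES = {
    "tagged": "Subject: *****SPAM***** Buy now\nX-Spam-Flag: YES\n\nbody\n",
    "clean": "Subject: Meeting tomorrow\n\nbody\n",
    "no_subject": "From: a@example.org\n\nno subject at all\n",
    "tagged_encoded": "Subject: *****SPAM***** =?UTF-8?B?UGFzc3dvcnQ=?=\n\nbody\n",
    "clean_encoded": "Subject: =?UTF-8?B?SGFsbG8=?=\n\nbody\n",
    "flag_only": "Subject: Report\nX-Spam-Flag: YES\n\nbody\n",
}


def sort_samples() -> dict:
    """Map each sample name to the folder it would be delivered into."""
    return {name: target_folder(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, folder in sort_samples().items():
        print(f"{name:15s} -> {folder}")
```

The check only makes sense for headers your own scanner wrote: a message arriving from outside that already carries the tag or an X-Spam-Flag has not been classified by you, so the gateway should strip or rewrite those headers before the message reaches the delivery agent, as a SpamAssassin pass in the chain does for its own header names.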