Over the years, I've experimented with a great many anti-spam measures (including writing my own anti-spam software, the GOSSiP Project).

My current setup includes using ClamAV for antivirus scanning and CRM114. I may add others in the future (such as one of the DKIM checks implemented in the list of Postfix add-ons).

However, for now I'm happy with CRM114, ClamAV, and a few tweaks to my main.cf file. Between these three, I manage to filter 99.99% of incoming spam, with a near-zero false-positive rate. For those few false positives I do have, I whitelist them.

Those tweaks are:

in_flow_delay = 3s
unknown_local_recipient_reject_code = 450
smtpd_data_restrictions =
    reject_unauth_pipelining
smtpd_recipient_restrictions =
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/helo_checks,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client pbl.spamhaus.org



This includes the helo_checks file, which must be created, then hashed using postmap:
# This file has to be "compiled" with "postmap"

# Reject anybody that HELO's as being in our own domain(s)
# (Note that if you followed the order suggested in the main.cf
# examples, above, that machines in mynetworks will be okay.)

# Somebody HELO'ing as "localhost?" Impossible, we're "localhost"
localhost REJECT You are not me
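
The comment in helo_checks depends on permit_mynetworks appearing before check_helo_access in the restriction list. The Python sketch below is an added example (not code from this post or from Postfix) that models that first-match ordering in simplified form. The function names, the trimmed restriction list, the mynetworks range and the client addresses are all assumptions made for illustration, and the list is split on commas only, as it is written above.

```python
import ipaddress

# Constructed sample: a trimmed copy of the restriction list above, with the
# leading whitespace Postfix requires on continuation lines.
MAIN_CF = """\
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access hash:/etc/postfix/helo_checks,
    reject_rbl_client sbl.spamhaus.org
"""
# Constructed sample of the helo_checks source table (lookup key, then action).
HELO_CHECKS = """\
# Somebody HELO'ing as "localhost?" Impossible, we're "localhost"
localhost REJECT You are not me
"""

def parse_main_cf(text):
    """Join continuation lines (those starting with whitespace) into parameters."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] = (params[name] + " " + line.strip()).strip()
        else:
            name, _, value = line.partition("=")
            name = name.strip()
            params[name] = value.strip()
    return params

def parse_table(text):
    """Map each lookup key to its action, skipping comments and blank lines."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {r[0].lower(): r[1] for r in rows if len(r) == 2}

def decide(restrictions, helo, client_ip, mynetworks, table):
    """Simplified model: walk the list in order; the first decisive result wins."""
    for item in (r.strip() for r in restrictions.split(",")):
        if item == "permit_mynetworks":
            if any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(n) for n in mynetworks):
                return "permit_mynetworks: OK"
        elif item.startswith("check_helo_access"):
            action = table.get(helo.lower())
            if action and action.startswith("REJECT"):
                return "check_helo_access: " + action
    return "no decisive rule in this model"
```

Only permit_mynetworks and check_helo_access are evaluated here; the other restrictions are skipped, so the model says nothing about FQDN or RBL rejections.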



PLEASE NOTE: I tested greylisting for about a month. In a previous incarnation, I wrote antispam/antivirus hooks for a commercial mail appliance vendor, and at that time, greylisting was a viable solution... spammers had not tumbled to the simple but powerful checks being used to greylist, and legitimate senders hadn't yet molested their mailservers to the point that they were breaking RFCs faster than you could blink to avoid spam.

In this day and age, greylisting -- at least in my case -- has proven ineffective. Many spammers now properly retry, thus avoiding the greylist trap, and many legitimate senders never retry, or have a retry period measured in days, not minutes or hours. This proved frustrating, because many legitimate mails simply never reached me, and it's difficult to whitelist something you haven't received yet. It's true that I could whitelist based on recipient, but given the incidence of recipient forging, I tend to avoid that approach whenever possible.