OT: Postfix pre-MailScanner Policy Daemon

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Tue Jul 5 14:35:53 IST 2005


Kai Schaetzl wrote:
> Drew Marshall wrote on         Mon, 4 Jul 2005 20:46:09 +0100:
> 
> 
>>No sorry, you misunderstood me. What I meant was not suggest that 
>>MailScanner does anything with the SMTP transaction but to suggest an 
>>option for Postfix users to lighten MailScanner's load in a more subtle 
>>way than the usual 'one RBL and you are out' technique of Postfix's RBL 
>>look up system.
> 
> 
> Oh, I see, yes, certainly to be recommended.
> 
>>I like it because it reduces the chance of FP. Even if 
>>one of your best customers or suppliers etc does get themselves listed 
>>in a RBL they won't get rejected as the points score will still let them 
>>through (Provided they have set their MTA up correctly). The other half 
>>of this is that I wouldn't use it by itself, hence it is a supplement 
>>to MailScanner not a replacement or alternative etc. 
> 
> 
> Well, I'm referring more to the additional checks it does. Especially the 
> HELO check is quite useful (although an RFC violation to refuse on it). It 
> blocks most mail worms and such. However, I don't think that scoring 
> doesn't help much here. If I don't trust an RBL I simply don't use it. If a 
> communications partner gets listed, well, obviously for a reason, f.i. 
> their relay was open or whatever. I can just let them get in with an OK 
> entry in my local access db - if I want. The sooner they clear this up the 
> better. 
> We use three RBLs (spamhaus, sorbs and njabl - the latter doesn't add much, 
> I could just remove it) and the "FP" rate (FP in quotes because actually 
> they are not FPs) is extremely low (1 in 10.000 or less). If I get too many 
> FPs I'd simply drop the "offending" RBL. We also reject on HELO and wrong 
> MAIL FROM and message ids and our own access db.
> The beauty in this approach is that *one* "hit" is enough. It's quite 
> typical that this kind of mail hits only one or two of the above criteria. 
> But they all are spam, the FP rate is very very low. And if someone wants 
> to send me a legitimate mail from a misconfigured mail server, well, I 
> expect him to fix his server. So, with a scoring system you will miss a 
> *lot* of these, but gain *almost* nothing in regard to battling FPs.
> Scoring by mail content is *much different* because there are simply no 
> single criteria that a mail is spam. (Although a SURBL listing and also a 
> BAYES_99 from a well-trained db may be accurate enough to use them as the 
> single criterion. However, these are more or less dependent on the 
> "history" of SA.) Using scoring in SA betters your recognition ratio a lot, 
> but it doesn't do much for RBLs and other technical checks on MTA level.
> 
> 
> 
> 
> Kai
> 

Another option I use is to only allow in valid email addresses at the 
MTA. I drop over 70% of my email that way... and don't get any FPs from 
RBLs ;-)

Yes in theory you are open to email guessing attacks, but then my SA and 
MS are very well set up so this doesn't add much risk :-)

No idea how you do this in PF as I run Exim....


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
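
The trade-off argued in this thread, as an added example that is not part of any poster's message and not code from any real policy daemon: the same failed checks fed to a "one hit and you are out" policy and to a weighted score, using Postfix's policy-delegation request format (name=value lines, blank line terminator). The check definitions, weights, threshold and sample connections are all assumptions constructed for illustration.

```python
# Added illustration: check names, weights and threshold are assumptions,
# not taken from any real policy daemon.
WEIGHTS = {"rbl_spamhaus": 4.0, "rbl_sorbs": 2.5, "rbl_njabl": 2.0,
           "bad_helo": 3.0, "bad_sender": 2.0}
REJECT_AT = 5.0

def parse_request(text):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def failed_checks(attrs, rbl_hits):
    """rbl_hits (constructed) stands in for live DNSBL lookups: IP -> list names."""
    failed = {"rbl_" + n for n in rbl_hits.get(attrs.get("client_address", ""), ())}
    helo = attrs.get("helo_name", "")
    if "." not in helo or helo.replace(".", "").isdigit():  # not an FQDN, or bare IP
        failed.add("bad_helo")
    sender = attrs.get("sender", "")
    if sender and "@" not in sender:  # empty sender is the valid bounce address
        failed.add("bad_sender")
    return failed

def one_hit(failed):
    """Reject as soon as any single check fails."""
    return "action=REJECT failed " + ",".join(sorted(failed)) if failed else "action=DUNNO"

def scored(failed):
    """Reject only when the summed weights reach the threshold."""
    score = sum(WEIGHTS[c] for c in failed)
    return f"action=REJECT score {score}" if score >= REJECT_AT else "action=DUNNO"

def make_request(ip, helo, sender):
    return (f"request=smtpd_access_policy\nclient_address={ip}\n"
            f"helo_name={helo}\nsender={sender}\n\n")

# Constructed sample data (documentation address ranges, invented hosts).
RBL_HITS = {"198.51.100.7": {"sorbs"}, "203.0.113.5": {"spamhaus"}}
SAMPLES = {
    "worm, bare HELO": make_request("192.0.2.10", "localhost", "a@example.net"),
    "listed partner": make_request("198.51.100.7", "mail.example.org", "b@example.org"),
    "listed, IP HELO": make_request("203.0.113.5", "203.0.113.5", "c@example.com"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        failed = failed_checks(parse_request(raw), RBL_HITS)
        print(f"{label:16} one-hit: {one_hit(failed):40} scored: {scored(failed)}")
```

With these constructed weights the first two samples show both sides of the argument: the scored policy lets the listed-but-otherwise-clean partner through, and it also lets through the connection whose only fault is a bare HELO.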
