OT: Postfix pre-MailScanner Policy Daemon

Kai Schaetzl maillists at CONACTIVE.COM
Tue Jul 5 14:31:38 IST 2005


Drew Marshall wrote on Mon, 4 Jul 2005 20:46:09 +0100:

> No sorry, you misunderstood me. What I meant was not suggest that 
> MailScanner does anything with the SMTP transaction but to suggest an 
> option for Postfix users to lighten MailScanner's load in a more subtle 
> way than the usual 'one RBL and you are out' technique of Postfix's RBL 
> look up system.

Oh, I see, yes, certainly to be recommended.

> I like it because it reduces the chance of FP. Even if 
> one of your best customers or suppliers etc does get themselves listed 
> in a RBL they won't get rejected as the points score will still let them 
> through (Provided they have set their MTA up correctly). The other half 
> of this is that I wouldn't use it by itself, hence it is a supplement 
> to MailScanner not a replacement or alternative etc. 

Well, I'm referring more to the additional checks it does. Especially the 
HELO check is quite useful (although an RFC violation to refuse on it). It 
blocks most mail worms and such. However, I don't think that scoring 
helps much here. If I don't trust an RBL I simply don't use it. If a 
communications partner gets listed, well, obviously for a reason, f.i. 
their relay was open or whatever. I can just let them get in with an OK 
entry in my local access db - if I want. The sooner they clear this up the 
better. 
We use three RBLs (spamhaus, sorbs and njabl - the latter doesn't add much, 
I could just remove it) and the "FP" rate (FP in quotes because actually 
they are not FPs) is extremely low (1 in 10.000 or less). If I get too many 
FPs I'd simply drop the "offending" RBL. We also reject on HELO and wrong 
MAIL FROM and message ids and our own access db.
The beauty in this approach is that *one* "hit" is enough. It's quite 
typical that this kind of mail hits only one or two of the above criteria. 
But they all are spam, the FP rate is very very low. And if someone wants 
to send me a legitimate mail from a misconfigured mail server, well, I 
expect him to fix his server. So, with a scoring system you will miss a 
*lot* of these, but gain *almost* nothing in regard to battling FPs.
Scoring by mail content is *much different* because there are simply no 
single criteria that a mail is spam. (Although a SURBL listing and also a 
BAYES_99 from a well-trained db may be accurate enough to use them as the 
single criterion. However, these are more or less dependent on the 
"history" of SA.) Using scoring in SA betters your recognition ratio a lot, 
but it doesn't do much for RBLs and other technical checks on MTA level.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
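As an added illustration of the single-hit-versus-scoring argument in the message above (example code written for this page, not from the post, MailScanner or Postfix): a toy Postfix-style policy evaluator that runs the same MTA-level checks the post lists (RBL listing, HELO sanity, MAIL FROM sanity, local access db override) and returns the Postfix policy actions OK, DUNNO or REJECT under both policies. The check rules, weights, threshold, access db entry and sample clients are constructed assumptions; RBL results are supplied inline instead of looked up via DNS.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Client:
    """One SMTP client as a policy daemon would see it (constructed sample)."""
    ip: str
    helo: str
    mail_from: str
    rbl_hits: list = field(default_factory=list)  # RBLs listing ip (no DNS here)

# Hypothetical local access db: an "OK" entry lets a partner in regardless of hits.
ACCESS_DB = {"192.0.2.10": "OK"}

# Minimal FQDN test: at least one dot and an alphabetic TLD, so bare IPs and
# single-label names such as "mycomputer" (typical worm HELOs) fail it.
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def helo_ok(helo: str) -> bool:
    return bool(FQDN.match(helo))

def sender_ok(mail_from: str) -> bool:
    # Accept the null sender (bounces) or user@fqdn; anything else is a hit.
    if mail_from == "<>":
        return True
    return "@" in mail_from and bool(FQDN.match(mail_from.rsplit("@", 1)[1]))

def hits(c: Client) -> list:
    """Names of the checks the client fails; each one is a single 'hit'."""
    h = [f"rbl:{name}" for name in c.rbl_hits]
    if not helo_ok(c.helo):
        h.append("helo")
    if not sender_ok(c.mail_from):
        h.append("mail_from")
    return h

def single_hit_policy(c: Client) -> str:
    """One hit is enough to reject, unless the local access db says OK."""
    if ACCESS_DB.get(c.ip) == "OK":
        return "OK"
    return "REJECT" if hits(c) else "DUNNO"

WEIGHTS = {"helo": 1.5, "mail_from": 1.5}  # assumed weights; RBL hits score 2.0

def scoring_policy(c: Client, threshold: float = 3.0) -> str:
    """Scoring daemon: reject only when the summed weights reach the threshold."""
    if ACCESS_DB.get(c.ip) == "OK":
        return "OK"
    score = sum(WEIGHTS.get(h, 2.0) for h in hits(c))
    return "REJECT" if score >= threshold else "DUNNO"
```

A client that trips only one check (a non-FQDN HELO, or a single RBL listing) is rejected by the single-hit policy but passed through by the scoring policy, which is exactly the class of mail the post says scoring misses.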
