OT: Postfix pre-MailScanner Policy Daemon

Drew Marshall drew at THEMARSHALLS.CO.UK
Tue Jul 5 21:15:39 IST 2005


Kai Schaetzl wrote:

>> Well, I'm referring more to the additional checks it does. Especially 
>> the HELO check is quite useful (although an RFC violation to refuse 
>> on it). It blocks most mail worms and such. However, I don't think 
>> that scoring helps much here. If I don't trust an RBL I simply 
>> don't use it. If a communications partner gets listed, well, 
>> obviously for a reason, f.i. their relay was open or whatever. I can 
>> just let them get in with an OK entry in my local access db - if I 
>> want. The sooner they clear this up the better. We use three RBLs 
>> (spamhaus, sorbs and njabl - the latter doesn't add much, I could 
>> just remove it) and the "FP" rate (FP in quotes because actually they 
>> are not FPs) is extremely low (1 in 10.000 or less). If I get too 
>> many FPs I'd simply drop the "offending" RBL. We also reject on HELO 
>> and wrong MAIL FROM and message ids and our own access db.
>
I ran, right up until implementing this policy daemon, spamhaus & sorbs 
list rejection and also rejected non-RFC 821 envelopes, invalid host names, 
domains and a host of 'technically correct' fully qualified domain name 
checks. I am intrigued how you test for message ids? I believe you said 
you are running Sendmail, which is obviously different to my Postfix 
(which I am not aware of being able to make such checks).

>> The beauty in this approach is that *one* "hit" is enough. It's quite 
>> typical that this kind of mail hits only one or two of the above 
>> criteria. But they all are spam, the FP rate is very very low. And if 
>> someone wants to send me a legitimate mail from a misconfigured mail 
>> server, well, I expect him to fix his server. So, with a scoring 
>> system you will miss a *lot* of these, but gain *almost* nothing in 
>> regard to battling FPs.
>> Scoring by mail content is *much different* because there are simply 
>> no single criteria that a mail is spam. (Although a SURBL listing and 
>> also a BAYES_99 from a well-trained db may be accurate enough to use 
>> them as the single criterion. However, these are more or less 
>> dependent on the "history" of SA.) Using scoring in SA betters your 
>> recognition ratio a lot, but it doesn't do much for RBLs and other 
>> technical checks on MTA level.
>
Up until trying this beast, I would have agreed, but all I can say is 
that it has reduced my 'through the MTA' spam levels and therefore the 
load (which on one of my boxes is quite useful as it is somewhat under 
powered). I have been quite impressed with the results. Does the scoring 
make a huge difference? Maybe. The most useful thing is bringing a 
number of tests together and rejecting based on hitting more than one of 
them, something similar to that which can be set up with more granular 
control in Exim, as was being discussed last week (I think) where if, for 
example, an SPF check failed then a 'great pause' was introduced. Postfix 
doesn't have this control. Like its author, Postfix is more black and 
white.

Martin Hepworth wrote:

> Another option I use is to only allow in valid email addresses at the 
> MTA. I drop over 70% of my email that way..and don't get any FPs from 
> RBLs ;-)
>
Agreed, and every MTA should reject non-users at the SMTP stage (but not all 
do!). Where this isn't possible, I also drop non-deliverable 
Mailer-Daemon messages after a much shorter queue period. No point 
clogging the queue up.

> Yes, in theory you are open to email guessing attacks, but then my SA 
> and MS are very well set up so this doesn't add much risk :-)
>
> No idea how you do this in PF as I run Exim....

Dare I say, it's in the wiki... :-)

Mind you I understand why you might have missed it, all them damn ducks. 
Completely quackers... :-P

Drew

-- 
In line with our policy, this message has 
been scanned for viruses and dangerous 
content by MailScanner, and is believed to be clean.
www.themarshalls.co.uk/policy
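Drew does not name the policy daemon he is running, and Kai's checks are done in Sendmail, so the following is an added illustration of the mechanism the thread is arguing about: a minimal Postfix SMTPD policy server that, instead of rejecting on the first RBL hit, adds up several envelope-level tests (HELO not a FQDN, no reverse DNS, malformed MAIL FROM, RBL listings) and only rejects once the combined score crosses a threshold. It is example code written for this page, not code from the thread or from any daemon mentioned in it. Postfix's policy protocol (the "name=value" lines ending in a blank line, answered with "action=...") is real; the RBL zone names are the ones Kai lists, but the weights, the threshold, the port and the hostname mail.example.org are assumptions chosen for the example. The DNS lookup is injectable so the scoring can be exercised offline.

```python
"""Scoring Postfix policy server (constructed example, not the thread's daemon).

Hook it into Postfix main.cf (assumed port) with e.g.
  smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
      check_policy_service inet:127.0.0.1:10031
"""
import re
import socket
import socketserver

# Assumed weights and threshold; zones are those named in the thread.
RBL_ZONES = {"zen.spamhaus.org": 2.0, "dnsbl.sorbs.net": 2.0}
REJECT_THRESHOLD = 3.0
MY_HOSTNAME = "mail.example.org"      # assumed: our own HELO name

FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ADDR_RE = re.compile(r"^[^@\s]+@(?:[a-z0-9-]+\.)+[a-z]{2,63}$", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def dns_resolves(name):
    """True if NAME has an A record (the usual DNSBL 'listed' signal)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def parse_request(text):
    """Parse Postfix policy attributes: one 'name=value' per line."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def score_request(attrs, resolve=dns_resolves):
    """Return (score, reasons) for one policy request."""
    score, reasons = 0.0, []
    helo = attrs.get("helo_name", "")
    client_ip = attrs.get("client_address", "")
    # A bracketed address literal is a legal HELO, so only penalise the rest.
    if not helo.startswith("[") and not FQDN_RE.match(helo):
        score += 1.5
        reasons.append("HELO not a FQDN")
    if helo.lower() == MY_HOSTNAME:
        score += 2.0
        reasons.append("HELO forges our own name")
    if attrs.get("client_name", "unknown") == "unknown":
        score += 1.0
        reasons.append("no reverse DNS")
    sender = attrs.get("sender", "")
    if sender and not ADDR_RE.match(sender):   # empty MAIL FROM is a legal bounce
        score += 1.0
        reasons.append("malformed MAIL FROM")
    if IPV4_RE.match(client_ip):
        reversed_ip = ".".join(reversed(client_ip.split(".")))
        for zone, weight in RBL_ZONES.items():
            if resolve("%s.%s" % (reversed_ip, zone)):
                score += weight
                reasons.append("listed in " + zone)
    return score, reasons


def decide(attrs, resolve=dns_resolves):
    """Map a score to a Postfix policy action; DUNNO defers to later restrictions."""
    score, reasons = score_request(attrs, resolve)
    if score >= REJECT_THRESHOLD:
        return "REJECT 5.7.1 policy score %.1f: %s" % (score, "; ".join(reasons))
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One request is a block of attribute lines ended by an empty line."""

    def handle(self):
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                lines.append(line)
                continue
            attrs = parse_request("\n".join(lines))
            self.wfile.write(("action=%s\n\n" % decide(attrs)).encode("utf-8"))
            lines = []


if __name__ == "__main__":
    socketserver.ThreadingTCPServer(("127.0.0.1", 10031), PolicyHandler).serve_forever()
```

With these weights a single RBL listing (2.0) is not enough on its own, which is exactly the trade-off Kai and Drew disagree about: a worm-like client with a bogus HELO, no reverse DNS and one listing scores 4.5 and is refused at RCPT time, while a listed but otherwise well-configured server gets through to MailScanner. Returning DUNNO rather than OK matters, because OK would short-circuit any reject_* restrictions that follow the policy lookup.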

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
