Spam question

Dave Jones dave at jonesol.com
Tue Aug 18 16:46:38 UTC 2015


Jerry is correct.  Block at the MTA and use greylisting to help with
compromised accounts from normally trustworthy senders and other
zero-hour senders that aren't listed on RBLs yet.
If your MTA is Postfix definitely look into using Postscreen.  It
allows you to use normally unreliable RBLs in a weighted fashion so
they can provide some usefulness in combination with other reliable
RBLs.  It also has some other tricks that help block spambots.

http://www.postfix.org/POSTSCREEN_README.html

/etc/postfix/main.cf

postscreen_access_list =
  permit_mynetworks,
  cidr:/etc/postfix/postscreen_access.cidr

postscreen_dnsbl_ttl = 10m
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_sites =
  zen.spamhaus.org=127.0.0.[10;11]*8
  zen.spamhaus.org=127.0.0.[4..7]*6
  zen.spamhaus.org=127.0.0.3*4
  zen.spamhaus.org=127.0.0.2*3
  b.barracudacentral.org=127.0.0.2*7
  bl.spamcop.net=127.0.0.2*4
  dnsbl-1.uceprotect.net=127.0.0.2*3
  bl.mailspike.net=127.0.0.2*5
  bl.mailspike.net=127.0.0.[10;11;12]*4
  dnsbl.sorbs.net=127.0.0.10*7
  dnsbl.sorbs.net=127.0.0.5*6
  dnsbl.sorbs.net=127.0.0.7*3
  dnsbl.sorbs.net=127.0.0.8*2
  dnsbl.sorbs.net=127.0.0.6*2
  dnsbl.sorbs.net=127.0.0.9*2
  hostkarma.junkemailfilter.com=127.0.0.2*3
  hostkarma.junkemailfilter.com=127.0.0.4*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2

You can also look at other Postfix settings to block at the MTA level
for invalid DNS and SMTP HELO values.

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  reject_unauth_destination,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  reject_unknown_reverse_client_hostname,
  reject_unlisted_sender,
  reject_unlisted_recipient,
  # SQLgrey on 127.0.0.1:2501
  check_policy_service inet:127.0.0.1:2501,
  reject_unverified_recipient,
  permit

Above you see the SQLgrey that I also recommend highly.  I started in
discrimination mode to ease into it which was not painful at all for
my users.
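As an added illustration of how the weighted postscreen_dnsbl_sites scoring above works (a constructed model, not Postfix code and not part of Dave's configuration), the following parses a subset of those entries, expands the [a;b] and [a..b] reply patterns, and totals a client's score against postscreen_dnsbl_threshold; the DNSBL lookup results fed to it are constructed.

```python
import re

# Postscreen-style weighted DNSBL scoring (constructed model, not Postfix code).
# A subset of the postscreen_dnsbl_sites entries quoted in the message above.
SITE_SPECS = [
    "zen.spamhaus.org=127.0.0.[10;11]*8",
    "zen.spamhaus.org=127.0.0.[4..7]*6",
    "zen.spamhaus.org=127.0.0.2*3",
    "bl.spamcop.net=127.0.0.2*4",
    "dnsbl-1.uceprotect.net=127.0.0.2*3",
    "dnsbl.sorbs.net=127.0.0.8*2",
    "hostkarma.junkemailfilter.com=127.0.0.4*1",
    "wl.mailspike.net=127.0.0.[18;19;20]*-2",
]
THRESHOLD = 8  # postscreen_dnsbl_threshold: inclusive lower bound for blocking

def octet_values(spec):
    """Expand one octet pattern ('3', '[10;11]', '[4..7]', '[1..3;5]') into a set of ints."""
    values = set()
    for item in spec.strip("[]").split(";"):
        if ".." in item:
            lo, hi = item.split("..")
            values.update(range(int(lo), int(hi) + 1))
        else:
            values.add(int(item))
    return values

def parse_site(spec):
    """'domain=d.d.d.d*weight' -> (domain, [octet sets] or None, weight).
    No '=' means any reply matches; no '*' means weight 1 (Postfix defaults)."""
    domain, has_filter, rest = spec.partition("=")
    addr, _, weight = rest.partition("*")
    octets = [octet_values(o) for o in re.findall(r"\[[^\]]*\]|\d+", addr)] if has_filter else None
    return domain, octets, int(weight) if weight else 1

def reply_matches(octets, reply):
    """True if a returned A record (e.g. '127.0.0.4') falls inside the pattern."""
    if octets is None:
        return True
    parts = [int(p) for p in reply.split(".")]
    return len(parts) == len(octets) == 4 and all(p in s for p, s in zip(parts, octets))

def dnsbl_score(replies, specs=SITE_SPECS, threshold=THRESHOLD):
    """replies: {dnsbl domain: set of A records the lookup returned for the client}.
    Each pattern matched by any returned address adds its weight once (simplification);
    a total at or above the threshold means postscreen would enforce."""
    total = 0
    for domain, octets, weight in map(parse_site, specs):
        if any(reply_matches(octets, r) for r in replies.get(domain, ())):
            total += weight
    return total, "enforce" if total >= threshold else "pass"
```

A client listed only on an unreliable list scores 3 and passes, while a spamcop listing corroborated by a Spamhaus XBL-range reply scores 10 and is blocked; the whitelist entries with negative weights pull a mostly clean sender back under the threshold.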

On Tue, Aug 18, 2015 at 10:51 AM, Bryan Laurila <blaurila at sbcglobal.net> wrote:
> I haven’t given “current RBLs” much thought in a long time so this
> discussion sparked my interest especially since we have been seeing an
> increase in Spam messages getting past MailScanner in recent months.
>
> Below is an excerpt from my MailScanner.conf file showing my “Spam List =”
> line as well as my “Spam Domain List = “ line (yes, I know it’s blank).
> Below that is my current spam.lists.conf file which hasn’t been updated in a
> long time (anyone have an updated version?).
>
> Although this configuration has worked well for me in the past, I’m thinking
> I could do better.
>
> What are other people are using for their configurations for “Spam List =”
> and “Spam Domain List=”?
>
> Thanks!
>     Bryan
>
>
> ====================================================================
> # This is the list of spam blacklists (RBLs) which you are using.
> # See the "Spam List Definitions" file for more information about what
> # you can put here.
> # This can also be the filename of a ruleset.
> #Spam List = # spamhaus-ZEN # You can un-comment this to enable them
> Spam List = spamhaus-ZEN spamcop.net SORBS-NEW SORBS-RECENT SORBS-DNSBL
>
> # This is the list of spam domain blacklists which you are using
> # (such as the "rfc-ignorant" domains). See the "Spam List Definitions"
> # file for more information about what you can put here.
> # This can also be the filename of a ruleset.
> Spam Domain List =
>
> ======================================================================
>
> This is my current spam.lists.conf file which hasn’t been updated in a long
> time.
> =======================================================================================
>
>
> # This file translates the names of the spam lists and spam domains lists
> # into the real DNS domains to search.
>
> # There is a far more comprehensive list of these at
> # http://www.declude.com/JunkMail/Support/ip4r.htm
> # and you can easily search them all at www.DNSstuff.com.
>
> # If you want to search other DNSBL's you will need to define them here first,
> # before referring to them by name in mailscanner.conf (or a rules file).
>
> spamhaus.org                    sbl.spamhaus.org.
> spamhaus-XBL                    xbl.spamhaus.org.
> spamhaus-PBL                    pbl.spamhaus.org.
> spamhaus-ZEN                    zen.spamhaus.org.
> SBL+XBL                         sbl-xbl.spamhaus.org.
> spamcop.net                     bl.spamcop.net.
> NJABL                           dnsbl.njabl.org.
>
> # ORDB has been shut down.
> #ORDB-RBL                       relays.ordb.org.
>
> #Infinite-Monkeys               proxies.relays.monkeys.com.
> #osirusoft.com                  relays.osirusoft.com.
> # These two lists are now dead and must not be used.
>
> # MAPS now charge for their services, so you'll have to buy a contract before
> # attempting to use the next 3 lines.
>
> MAPS-RBL                        blackholes.mail-abuse.org.
> MAPS-DUL                        dialups.mail-abuse.org.
> MAPS-RSS                        relays.mail-abuse.org.
>
> # This next line works for JANET UK Academic sites only
>
> MAPS-RBL+                       rbl-plus.mail-abuse.ja.net.
>
> # And build a similar list for the RBL domains that work on the name
> # of the domain rather than the IP address of the exact machine that
> # is listed. This way the RBL controllers can blacklist entire
> # domains very quickly and easily.
> # These aren't used by default, as they slow down MailScanner quite a bit.
>
> RFC-IGNORANT-DSN                dsn.rfc-ignorant.org.
> RFC-IGNORANT-POSTMASTER         postmaster.rfc-ignorant.org.
> RFC-IGNORANT-ABUSE              abuse.rfc-ignorant.org.
> RFC-IGNORANT-WHOIS              whois.rfc-ignorant.org.
> RFC-IGNORANT-IPWHOIS            ipwhois.rfc-ignorant.org.
> RFC-IGNORANT-BOGUSMX            bogusmx.rfc-ignorant.org.
>
> # Easynet are closing down, so don't use these any more
> Easynet-DNSBL                   blackholes.easynet.nl.
> Easynet-Proxies                 proxies.blackholes.easynet.nl.
> Easynet-Dynablock               dynablock.easynet.nl.
>
> # This list is now dead and must not be used.
> #OSIRUSOFT-SPEWS                        spews.relays.osirusoft.com.
>
> # These folks are still going strong
> SORBS-DNSBL                     dnsbl.sorbs.net.
> SORBS-HTTP                      http.dnsbl.sorbs.net.
> SORBS-SOCKS                     socks.dnsbl.sorbs.net.
> SORBS-MISC                      misc.dnsbl.sorbs.net.
> SORBS-SMTP                      smtp.dnsbl.sorbs.net.
> SORBS-WEB                       web.dnsbl.sorbs.net.
> SORBS-SPAM                      spam.dnsbl.sorbs.net.
> SORBS-BLOCK                     block.dnsbl.sorbs.net.
> SORBS-ZOMBIE                    zombie.dnsbl.sorbs.net.
> SORBS-DUL                       dul.dnsbl.sorbs.net.
> SORBS-RHSBL                     rhsbl.sorbs.net.
> ## Added by BSL on 20131125 from www.sorbs.net/genera/using.shtml
> SORBS-NEW                       new.spam.dnsbl.sorbs.net.
> SORBS-RECENT                    recent.spam.dnsbl.sorbs.net.
>
> # These next 2 are "Spam Domain List" entries and not "Spam List"s
> SORBS-BADCONF                   badconf.rhsbl.sorbs.net.
> SORBS-NOMAIL                    nomail.rhsbl.sorbs.net.
>
> # Some other good lists
>
> CBL                             cbl.abuseat.org.
> # JKF 30 Oct 2008 Gone: DSBL                            list.dsbl.org.
> =================================================================
>
>
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On
> Behalf Of Jerry Benton
> Sent: Thursday, August 06, 2015 1:04 PM
> To: MailScanner Discussion
> Subject: Re: Spam question
>
> reject_rbl_client b.barracudacentral.org,
> reject_rbl_client zen.spamhaus.org,
> reject_rbl_client ix.dnsbl.manitu.net,
> reject_rbl_client rbl.megarbl.net,
> reject_rbl_client dnsbl.inps.de,
> reject_rbl_client bl.spamcop.net,
> reject_rbl_client cbl.abuseat.org,
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
> On Aug 6, 2015, at 1:55 PM, Tiago Meireles <tmeireles at electroind.com> wrote:
>
> Any RBLs that you recommend?
>
> From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On
> Behalf Of Jerry Benton
> Sent: Thursday, August 06, 2015 1:50 PM
> To: MailScanner Discussion
> Subject: Re: Spam question
>
> - Use RBLs at the MTA level
> - Use greylisting
>
> -
> Jerry Benton
> www.mailborder.com
>
>
>
> On Aug 6, 2015, at 1:49 PM, Sean M. Schipper <sean.m.schipper at lawrence.edu>
> wrote:
>
> Since last November I’ve been getting inundated with spam (yesterday just
> under 7,000 just in the am) coming from 3 or 4 IP addresses on the same
> subnet in the morning starting like clockwork just after 9am.  Then
> sometimes I’ll get a similar rush of spam in the afternoon coming from a
> separate IP range.  Countries of origin include US and Bulgaria mostly but
> also have come from Brasil, Romania and S. Africa.
>
> I’ve been able to train MailScanner to correctly identify these as spam
> since the content is very similar -- tons of links to websites with .php
> extensions.  Examples of subject lines:  Situations for 2015 that forgive
> your Student-Loan, 12 month MBA programs, accelerated...
>
> To cut down on the processing/traffic on my server I’ve been just
> blacklisting these IP subnets at smtp with a deny bounce message.  Does
> anyone have any other suggestions on actions I can take to rid myself of
> this annoying daily routine?  Does anyone else have similar battle stories
> like this?
>
> Thanks for any suggestions on this.
>
> Sean
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/listinfo/mailscanner
>
>
>
>