Being hammered with viruses

Dave Jones dave at jonesol.com
Wed Apr 26 15:20:55 UTC 2017


Use Postscreen RBL weighting to help prevent false positives.  It's amazing
how well this works to make your filtering better than the expensive
appliances out there like Barracudas and IronPorts that can't do this.

postscreen_cache_retention_time      = 7d
postscreen_bare_newline_ttl          = 7d
postscreen_greet_ttl                 = 7d
postscreen_non_smtp_command_ttl      = 7d
postscreen_pipelining_ttl            = 7d
postscreen_dnsbl_ttl                 = 1m
postscreen_dnsbl_threshold           = 8
postscreen_dnsbl_action              = enforce
postscreen_greet_action              = enforce
postscreen_greet_wait                = ${stress?1}${stress:11}s
postscreen_bare_newline_action       = enforce
postscreen_bare_newline_enable       = yes
postscreen_non_smtp_command_enable   = yes
postscreen_pipelining_enable         = yes
postscreen_dnsbl_whitelist_threshold = -1
postscreen_blacklist_action          = drop

postscreen_dnsbl_sites =
  bl.sorbs.net=127.0.0.10*9
  dnsbl.sorbs.net=127.0.0.14*9
  zen.spamhaus.org=127.0.0.[10;11]*8
  dnsbl.sorbs.net=127.0.0.5*7
  zen.spamhaus.org=127.0.0.[4..7]*7
  b.barracudacentral.org=127.0.0.2*7
  zen.spamhaus.org=127.0.0.3*7
  dnsbl.inps.de=127.0.0.2*7
  hostkarma.junkemailfilter.com=127.0.0.2*4
  dnsbl.sorbs.net=127.0.0.7*4
  bl.spamcop.net=127.0.0.2*4
  bl.spameatingmonkey.net=127.0.0.[2;3]*4
  dnsrbl.swinog.ch=127.0.0.3*4
  ix.dnsbl.manitu.net=127.0.0.2*4
  psbl.surriel.com=127.0.0.2*4
  bl.mailspike.net=127.0.0.[10;11;12]*4
  bl.mailspike.net=127.0.0.2*4
  zen.spamhaus.org=127.0.0.2*3
  bl.spamcannibal.org=127.0.0.2*3
  dnsbl-1.uceprotect.net=127.0.0.2*2
  dnsbl.sorbs.net=127.0.0.6*3
  dnsbl.sorbs.net=127.0.0.9*2
  dnsbl.sorbs.net=127.0.0.8*2
  score.senderscore.com=127.0.4.[0..29]*2
  hostkarma.junkemailfilter.com=127.0.0.4*2
  all.spamrats.com=127.0.0.38*2
  bl.nszones.com=127.0.0.[2;3]*1
  dnsbl-2.uceprotect.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.2*1
  dnsbl.sorbs.net=127.0.0.4*1
  score.senderscore.com=127.0.4.[30..69]*1
  dnsbl.sorbs.net=127.0.0.3*1
  hostkarma.junkemailfilter.com=127.0.1.2*1
  dnsbl.sorbs.net=127.0.0.15*1
  ips.backscatterer.org=127.0.0.2*1
  bl.nszones.com=127.0.0.5*-1
  wl.mailspike.net=127.0.0.[18;19;20]*-2
  hostkarma.junkemailfilter.com=127.0.0.1*-2
  ips.whitelisted.org=127.0.0.2*-2
  safe.dnsbl.sorbs.net=127.0.[0..255].0*-2
  list.dnswl.org=127.0.[0..255].0*-2
  dnswl.inps.de=127.0.[0;1].[2..10]*-2
  list.dnswl.org=127.0.[0..255].1*-3
  list.dnswl.org=127.0.[0..255].2*-4
  list.dnswl.org=127.0.[0..255].3*-5

The above list is from years of adjustment and tuning to be just right for
my environment.  Each SA environment is a little different based on your
location and recipients.

Blocking outright on a single RBL hit is pretty risky so the weighting
above makes it an aggregate score of many RBLs for better accuracy.

If you turn up the sensitivity on your RBLs to block using the list above,
then you have to whitelist major mail providers.  Use postwhite on GitHub
to generate the postscreen_spf_whitelist.cidr daily.

postscreen_access_list =
  permit_mynetworks,
  cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
  cidr:/etc/postfix/postscreen_yahoo_whitelist.cidr,
  cidr:/etc/postfix/postscreen_access.cidr

Yahoo doesn't publish a standard SPF record that can be parsed down to IP
blocks so the postscreen_yahoo_whitelist.cidr is built from this command:

elinks -dump https://help.yahoo.com/kb/SLN23997.html \
  | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?' \
  | awk '{print $1, "\t permit"}' > /etc/postfix/postscreen_yahoo_whitelist.cidr 2>&1

I add a few more custom hosts (SPF domains) to my /etc/postwhite.conf:

# CUSTOM HOSTS
# Enter custom hosts separated by a space,
# ex: "example.com example2.com example3.com"
custom_hosts="comcast.net rr.com bluehost.com mxlogic.net messagelabs.com
messagegears.net swiftwavenetwork.com authsmtp.com eventbrite.com
trendmicro.com spf.mandrillapp.com amazonses.com radware.com zarca-inc.com
embarqmail.com mailer.surveygizmo.com spf.ess.barracudanetworks.com"

I filter for about 40K mailboxes with the configuration above along with
greylisting and a high MX that tempfails everything.  Postscreen blocks >
95% of the junk so SpamAssassin only has to handle a small percentage of
spam based on content.

Hope this helps,
Dave

On Wed, Apr 26, 2017 at 12:48 AM, Martin Hepworth <maxsec at gmail.com> wrote:

> Also graylisting on the inbound connection
>
> Along with postfix doing unknown recipient rejection
>
> Martin
>
> On Tue, 25 Apr 2017 at 18:47, Michael Huntley <michael at huntley.net> wrote:
>
>> True.  I only trust the three rbls I use - I do realize spamcop may hit
>> on a false positive from time-to-time.
>>
>> I wonder -
>>
>> Danita what are your various smtp/helo/client restrictions within postfix?
>> Cheers,
>>
>> mph
>>
>> On 2017-04-25 10:38, Peter H. Lemieux wrote:
>>
>> I don't enforce RBLs at the SMTP level for fear of false positives.  I
>> let SpamAssassin consult the RBLs instead and score them accordingly, That
>> does mean such messages will need to be handled by MailScanner and not
>> blocked at the doorstep though.
>>
>> Peter
>>
>>
>> On 04/25/2017 01:33 PM, Michael Huntley wrote:
>>
>> Danita -
>>
>> In postscreen do you have any rbls?
>>
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> --
> --
> Martin Hepworth, CISSP
> Oxford, UK
>
>
>