Posts tagged spam

Postfix anti-spam configuration, December 2012

I’ve written a few posts on my Postfix anti-spam config, but since it’s been a while and I tweak it from time to time, here’s the config as of late December 2012:

smtpd_helo_restrictions =
        reject_non_fqdn_helo_hostname,
        reject_invalid_helo_hostname,
        reject_rhsbl_helo hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rhsbl_helo zen.spamhaus.org

smtpd_data_restrictions =
        reject_unauth_pipelining

smtpd_client_restrictions =
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
        reject_unknown_client_hostname

smtpd_sender_restrictions =
        reject_unknown_sender_domain,
        reject_unknown_address,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rbl_client b.barracudacentral.org

smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,

        permit_dnswl_client list.dnswl.org,

        check_policy_service inet:127.0.0.1:10023,

        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rhsbl_client dbl.spamhaus.org,
        reject_rhsbl_sender fresh15.spameatingmonkey.net,
        reject_rhsbl_client fresh15.spameatingmonkey.net,
        reject_rhsbl_sender uribl.spameatingmonkey.net,
        reject_rhsbl_client uribl.spameatingmonkey.net,
        reject_rhsbl_sender urired.spameatingmonkey.net,
        reject_rhsbl_client urired.spameatingmonkey.net,
        reject_rhsbl_client hostkarma.junkemailfilter.com=127.0.0.2,

        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client spamsources.fabel.dk,
        reject_rbl_client truncate.gbudb.net,
        reject_rbl_client ubl.unsubscore.com,
        reject_rbl_client aspews.ext.sorbs.net,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client backscatter.spameatingmonkey.net,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rbl_client psbl.surriel.com,
        reject_rbl_client cidr.bl.mcafee.com,
        reject_rbl_client bl.mailspike.net,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rbl_client black.uribl.com,
        reject_rbl_client spam.spamrats.com,

        permit

I had a string of spam making it into my mailbox recently, which is why I added a few new RBLs to the config, but based on dnsblcount's report on the number of DNSBL rejections since the beginning of the month, I can probably trim it down a little (note that the DNSBLs are queried in the order listed in your config, so a list placed later only sees what the earlier ones let through).

b.barracudacentral.org            6457
hostkarma.junkemailfilter.com     1513
dbl.spamhaus.org                  1110
fresh15.spameatingmonkey.net        35
zen.spamhaus.org                    17
dnsbl.webequipped.com                3
ubl.unsubscore.com                   3
spam.spamrats.com                    2
truncate.gbudb.net                   2
uribl.spameatingmonkey.net           1
psbl.surriel.com                     1
dnsbl.sorbs.net                      1
bl.mailspike.net                     1
=======================================
Total DNSBL rejections:            9146

Note one additional new item I added to my Postfix config: the postgrey greylisting policy service (via the check_policy_service inet:127.0.0.1:10023 entry).
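The policy service named here speaks Postfix's SMTP access policy delegation protocol: smtpd(8) sends attribute=value lines ended by an empty line, and the service answers with a single action line. The following is an added example, not postgrey's code and not part of the original post: a minimal greylisting responder in Python that parses such a request, keys on (client /24, sender, recipient) and answers defer_if_permit until the same triple is retried after a delay. The 300-second delay and the /24 key are assumptions modelled on postgrey's defaults; the in-memory state, the sample request and its addresses are constructed.

```python
"""Minimal greylisting responder speaking Postfix's SMTP access policy
delegation protocol, the protocol behind check_policy_service.

Added example, not postgrey's code.  Framing follows the Postfix
SMTPD_POLICY_README: a request is attribute=value lines ended by an empty
line, the reply is one "action=..." line plus an empty line.  State is an
in-memory dict (postgrey persists it on disk); the 300 s delay and the
/24 client key are assumptions modelled on postgrey's defaults.
"""
import socketserver
import time
from typing import Dict, Optional

GREYLIST_DELAY = 300          # seconds a new triple must wait before it passes
DEFER = "defer_if_permit Service temporarily unavailable, try again later"


def parse_policy_request(raw: bytes) -> Dict[str, str]:
    """Parse one request: attribute=value lines terminated by an empty line."""
    attrs = {}
    for line in raw.decode("ascii", errors="replace").split("\n"):
        line = line.rstrip("\r")
        if not line:                      # empty line ends the request
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def greylist_key(attrs: Dict[str, str]) -> tuple:
    """Key on (client /24, sender, recipient) so a retry from a sibling MX in
    the same outbound pool still matches the first attempt."""
    net = ".".join(attrs.get("client_address", "").split(".")[:3])
    return (net, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


def decide(attrs: Dict[str, str], state: dict, now: float) -> str:
    """Return the Postfix action for this request and update greylist state."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"
    if attrs.get("protocol_state") != "RCPT":
        return "dunno"                    # greylist at RCPT TO only, like postgrey
    key = greylist_key(attrs)
    entry = state.get(key)
    if entry is None:
        state[key] = [now, now]           # [first_seen, last_seen]
        return DEFER
    entry[1] = now
    if now - entry[0] < GREYLIST_DELAY:
        return DEFER                      # retried too early: keep deferring
    return "dunno"                        # let the remaining restrictions decide


def handle_policy_request(raw: bytes, state: dict, now: Optional[float] = None) -> bytes:
    """Wire-level entry point: request bytes in, b"action=...\\n\\n" out."""
    if now is None:
        now = time.time()
    return f"action={decide(parse_policy_request(raw), state, now)}\n\n".encode("ascii")


# Constructed request, as smtpd(8) would send it for one RCPT TO command.
SAMPLE_REQUEST = (
    b"request=smtpd_access_policy\n"
    b"protocol_state=RCPT\n"
    b"protocol_name=ESMTP\n"
    b"client_address=203.0.113.45\n"
    b"client_name=mail.example.net\n"
    b"sender=alice@example.net\n"
    b"recipient=bob@example.org\n"
    b"\n"
)


class PolicyHandler(socketserver.StreamRequestHandler):
    """smtpd(8) keeps one connection per process and sends many requests on it."""
    state: dict = {}                      # shared across handlers (demo: no locking)

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:              # peer closed the connection
                    return
                if line in (b"\n", b"\r\n"):
                    break
                lines.append(line)
            self.wfile.write(handle_policy_request(b"".join(lines) + b"\n", self.state))
            self.wfile.flush()


if __name__ == "__main__":
    # Listen where the page's check_policy_service inet:127.0.0.1:10023 points.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10023), PolicyHandler) as srv:
        srv.serve_forever()
```

The reply uses defer_if_permit rather than defer: Postfix then only returns the temporary failure if the remaining restrictions would otherwise have accepted the mail, so greylisting never masks a reject from one of the DNSBL entries further down the list. Because the policy check sits after reject_unauth_destination and the DNSWL permit in the config above, whitelisted clients are never greylisted and relay attempts are refused before the service is consulted.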

More robust Postfix anti-spam configuration

My last post included an updated Postfix main.cf that was better at blocking spam and minimizing false positives through the use of DNS whitelists (DNSWLs), but after a few days it was still letting in more spam than I wanted. I did some additional tweaking, and the following seems to work better while still preventing false positives.

The main changes included specifying the following additional Postfix restrictions:

  • smtpd_sender_restrictions
  • smtpd_helo_restrictions
  • smtpd_data_restrictions

smtpd_helo_restrictions =
        reject_unknown_helo_hostname

smtpd_data_restrictions =
        reject_unauth_pipelining

smtpd_client_restrictions =
        permit_dnswl_client list.dnswl.org,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,

smtpd_sender_restrictions =
        reject_unknown_sender_domain,
        reject_unknown_address,
        reject_rhsbl_sender dsn.rfc-ignorant.org,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rbl_client b.barracudacentral.org,

smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        permit_dnswl_client list.dnswl.org,

        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rhsbl_sender dbl.spamhaus.org,
        reject_rhsbl_client dbl.spamhaus.org,
        reject_rhsbl_sender fresh15.spameatingmonkey.net,
        reject_rhsbl_client fresh15.spameatingmonkey.net,
        reject_rhsbl_sender uribl.spameatingmonkey.net,
        reject_rhsbl_client uribl.spameatingmonkey.net,
        reject_rhsbl_sender urired.spameatingmonkey.net,
        reject_rhsbl_client urired.spameatingmonkey.net,
        reject_rhsbl_client hostkarma.junkemailfilter.com=127.0.0.2,

        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client bl.tiopan.com,
        reject_rbl_client spamsources.fabel.dk,
        reject_rbl_client truncate.gbudb.net,
        reject_rbl_client ubl.unsubscore.com,
        reject_rbl_client aspews.ext.sorbs.net,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client backscatter.spameatingmonkey.net,
        reject_rbl_client bl.spameatingmonkey.net,

        permit

12/1/2012 update: I removed reject_rhsbl_sender dsn.rfc-ignorant.org since that list is no longer up as of 11/30/2012.

Using DNS whitelists in Postfix

Update 7/21/2011: I've since tweaked my main.cf config further, which has given better results. I will have a follow-up post with the changes and additions.

In an earlier post several years back, I wrote about using DNS blacklists (DNSBLs) in postfix to block unwanted spam from hitting my inbox, and in the last week I tweaked it a bit to include DNS whitelists (DNSWLs). I was discovering that some of the DNSBLs were blocking a small portion of legitimate email from coming through (eg. blocking entire IP ranges for webmail providers).

You need Postfix 2.8 or higher (I was on 2.3.3, so I had to download and compile the latest, 2.8.3), which added a configuration parameter for querying a DNSWL the same way a DNSBL is queried:

permit_dnswl_client dnswl_domain=d.d.d.d

The relevant portion of my updated Postfix main.cf is below (note that permit_dnswl_client is inserted before any of the reject_rbl* parameters). The DNSWL query is processed before the DNSBLs, so a client listed on the whitelist is accepted without consulting them, which should let legitimate IPs through and reduce the number of false positives compared with using the DNSBLs alone.

smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        permit_dnswl_client list.dnswl.org,
        reject_rbl_client b.barracudacentral.org,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2,
        reject_rbl_client dnsbl.njabl.org,
        reject_rbl_client bl.tiopan.com,
        reject_rbl_client spamsources.fabel.dk,
        reject_rbl_client truncate.gbudb.net,
        reject_rbl_client ubl.unsubscore.com,
        reject_rbl_client aspews.ext.sorbs.net,
        reject_rbl_client dnsbl.sorbs.net,
        reject_rbl_client backscatter.spameatingmonkey.net,
        reject_rbl_client bl.spameatingmonkey.net,
        reject_rhsbl_sender fresh15.spameatingmonkey.net,
        reject_rhsbl_client fresh15.spameatingmonkey.net,
        reject_rhsbl_sender uribl.spameatingmonkey.net,
        reject_rhsbl_client uribl.spameatingmonkey.net,
        reject_rhsbl_sender urired.spameatingmonkey.net,
        reject_rhsbl_client urired.spameatingmonkey.net,
        reject_rbl_client dnsbl.inps.de,
        reject_rbl_client DDNSBL.InternetDefenseSystems.com,
        permit

After watching the logs for the last couple of days, this setup seems to work quite well: only 1 piece of spam slipped through and, more importantly, there were no false positives! I should also note that I stopped using spamassassin a while back, and these settings in Postfix alone seem to block almost all of the spam coming into my server without generating false positives.
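Why the position of permit_dnswl_client matters (after reject_unauth_destination, before the reject_rbl_client entries) is easiest to see by walking the list the way smtpd(8) does: restrictions are tried in the order listed, the first one that yields a permit or reject decides, and the rest are never evaluated. The Python below is an added example, not Postfix code and not from the original post. It evaluates a shortened copy of the restriction list above against a constructed in-memory DNS table instead of live DNSBL/DNSWL queries, so it runs offline. The IPs and domains are reserved example values, the meaning of the hostkarma return codes in the table (127.0.0.1 white, 127.0.0.2 black) is an assumption about that list, and mynetworks is simplified to a set of addresses.

```python
"""Walk an smtpd_*_restrictions list the way Postfix smtpd(8) does: entries are
tried in the order listed, the first one yielding PERMIT or REJECT decides,
and entries that yield DUNNO fall through to the next.

Added example, not Postfix code.  FAKE_DNS stands in for live DNSBL/DNSWL
queries: a listed name answers with a 127.0.0.x A record, an unlisted name
is simply absent (NXDOMAIN).  IPs and domains are reserved example values;
the meaning of the hostkarma codes (127.0.0.1 white, 127.0.0.2 black) is an
assumption about that list, and mynetworks is a plain set of IPs here rather
than the CIDR list Postfix accepts.
"""
from typing import Dict, List, Optional, Tuple

FAKE_DNS: Dict[str, List[str]] = {
    # 198.51.100.7 (reversed): listed on zen and "black" on hostkarma
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.2"],
    "7.100.51.198.hostkarma.junkemailfilter.com": ["127.0.0.2"],
    # 203.0.113.9: a webmail provider's outbound IP, on a DNSBL and on list.dnswl.org
    "9.113.0.203.bl.spamcop.net": ["127.0.0.2"],
    "9.113.0.203.list.dnswl.org": ["127.0.10.2"],
    # 192.0.2.5: only "white" on hostkarma
    "5.2.0.192.hostkarma.junkemailfilter.com": ["127.0.0.1"],
    # a sender domain on the Spamhaus DBL: rhsbl lookups use the name, not an IP
    "spammy.example.dbl.spamhaus.org": ["127.0.1.2"],
}

# Shortened copy of the smtpd_recipient_restrictions list from the post above.
RECIPIENT_RESTRICTIONS = [
    "permit_mynetworks",
    "reject_unauth_destination",
    "permit_dnswl_client list.dnswl.org",
    "reject_rhsbl_sender dbl.spamhaus.org",
    "reject_rbl_client zen.spamhaus.org",
    "reject_rbl_client bl.spamcop.net",
    "reject_rbl_client hostkarma.junkemailfilter.com=127.0.0.2",
    "permit",
]

# The same list with permit_dnswl_client moved ahead of reject_unauth_destination.
MISORDERED = ["permit_mynetworks", "permit_dnswl_client list.dnswl.org",
              "reject_unauth_destination", "reject_rbl_client zen.spamhaus.org", "permit"]


def make_session(client_ip: str, sender_domain: str, rcpt_domain: str = "example.org") -> dict:
    """Per-connection facts smtpd(8) has when RCPT TO is evaluated."""
    return {"client_ip": client_ip, "sender_domain": sender_domain,
            "rcpt_domain": rcpt_domain, "mynetworks": {"127.0.0.1"},
            "mydestination": {"example.org"}}


def reversed_ip(ip: str) -> str:
    """DNSBL convention: 198.51.100.7 is looked up as 7.100.51.198.<zone>."""
    return ".".join(reversed(ip.split(".")))


def dns_listed(name: str, required: Optional[str] = None) -> bool:
    """Listed if any A record exists, or exactly `required` when a =code filter is given."""
    answers = FAKE_DNS.get(name, [])
    return (required in answers) if required else bool(answers)


def evaluate(restrictions: List[str], session: dict) -> Tuple[str, str]:
    """Return (decision, restriction that decided); ('dunno', '') if none did."""
    for restriction in restrictions:
        parts = restriction.split(maxsplit=1)
        name, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        zone, _, code = arg.partition("=")        # "zone=127.0.0.2" -> filter on one code
        code = code or None
        client_name = f"{reversed_ip(session['client_ip'])}.{zone}"
        if name == "permit_mynetworks":
            if session["client_ip"] in session["mynetworks"]:
                return "permit", restriction
        elif name == "reject_unauth_destination":
            if session["rcpt_domain"] not in session["mydestination"]:
                return "reject", restriction
        elif name == "permit_dnswl_client":
            if dns_listed(client_name, code):
                return "permit", restriction
        elif name == "reject_rbl_client":
            if dns_listed(client_name, code):
                return "reject", restriction
        elif name == "reject_rhsbl_sender":
            if dns_listed(f"{session['sender_domain']}.{zone}", code):
                return "reject", restriction
        elif name == "permit":
            return "permit", restriction
        # any other entry is treated as DUNNO here and falls through
    return "dunno", ""


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "example.net"), ("203.0.113.9", "example.net"),
                    ("192.0.2.5", "example.net"), ("192.0.2.5", "spammy.example")]:
        print(ip, dom, "->", evaluate(RECIPIENT_RESTRICTIONS, make_session(ip, dom)))
    # Relay attempt to a domain this server is not responsible for:
    relay = make_session("203.0.113.9", "example.net", rcpt_domain="elsewhere.example")
    print("correct order:", evaluate(RECIPIENT_RESTRICTIONS, relay))
    print("misordered  :", evaluate(MISORDERED, relay))
```

Three things the walk makes concrete. A client on list.dnswl.org is accepted before any RBL is consulted, which is the false-positive fix the post describes. The =127.0.0.2 suffix on the hostkarma entries is what stops a host that the list marks "white" from being rejected, since a bare reject_rbl_client rejects on any answer. And any permit_* entry placed ahead of reject_unauth_destination would accept relay to foreign domains for every matching client, so keep the ordering shown in the config.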

BTW, if you want to tail your maillog from the command line in real time and see the rejects in a more readable format, this short one-liner will work:

$ tail -f /var/log/mail.log | sed -r -n 's/^(.*) \S+ postfix\/.* blocked using ([^;]+).*; from=<(\S+)> to=<(\S+)> proto=.* helo=.*>$/\1 - \2 - \3 - \4/p'

It will output one line per reject in the format TIMESTAMP - DNSBL - FROM ADDRESS - TO ADDRESS.
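The sed one-liner above pulls the timestamp, list name and envelope addresses out of each reject line; the dnsblcount report in the December 2012 post at the top of this page is the same extraction summarised per list. The Python below is an added example, not dnsblcount's code and not the page's sed script: it parses the same "blocked using" lines, prints them in the same TIMESTAMP - DNSBL - FROM - TO shape, and tallies rejections per DNSBL. The log lines in SAMPLE_LOG are constructed, with reserved example addresses, in the syslog layout Postfix writes ("Mon DD HH:MM:SS host postfix/smtpd[pid]: ...").

```python
"""Parse Postfix smtpd "blocked using" reject lines and tally them per DNSBL.

Added example: not dnsblcount's code and not the page's sed one-liner.  The
regex keeps the same anchors as the sed expression (syslog timestamp, list
name up to the ';' after "blocked using", envelope from/to); SAMPLE_LOG is
constructed with reserved example addresses.
"""
import re
from collections import Counter
from typing import Iterable, Optional

BLOCKED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/\S+\[\d+\]: .*"
    r"blocked using (?P<dnsbl>[^;]+).*?; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>$"
)


def parse_blocked_line(line: str) -> Optional[dict]:
    """Return the captured fields for a DNSBL/RHSBL reject line, else None."""
    m = BLOCKED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def format_reject(rec: dict) -> str:
    """Same output shape as the sed one-liner: TIMESTAMP - DNSBL - FROM - TO."""
    return f"{rec['ts']} - {rec['dnsbl']} - {rec['sender']} - {rec['rcpt']}"


def count_by_dnsbl(lines: Iterable[str]) -> Counter:
    """Tally rejects per list; lines that are not DNSBL rejects are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_blocked_line(line)
        if rec:
            counts[rec["dnsbl"]] += 1
    return counts


def report(counts: Counter) -> str:
    """dnsblcount-style table: one row per zone, most rejections first, then a total."""
    width = max((len(z) for z in counts), default=20) + 4
    rows = [f"{z:<{width}}{n:>6}" for z, n in counts.most_common()]
    rows.append("=" * (width + 6))
    rows.append(f"{'Total DNSBL rejections:':<{width}}{sum(counts.values()):>6}")
    return "\n".join(rows)


# Constructed sample: three RBL rejects, one RHSBL (sender domain) reject with
# an empty envelope sender elsewhere, and two unrelated smtpd lines.
SAMPLE_LOG = """\
Dec 28 10:15:02 mail postfix/smtpd[4711]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=198.51.100.7; from=<promo@example.net> to=<bob@example.org> proto=ESMTP helo=<mx.example.net>
Dec 28 10:16:40 mail postfix/smtpd[4712]: NOQUEUE: reject: RCPT from unknown[203.0.113.22]: 554 5.7.1 Service unavailable; Client host [203.0.113.22] blocked using b.barracudacentral.org; from=<deals@example.com> to=<bob@example.org> proto=SMTP helo=<203-0-113-22.example.com>
Dec 28 10:17:03 mail postfix/smtpd[4712]: NOQUEUE: reject: RCPT from mail.spammy.example[192.0.2.9]: 554 5.7.1 Service unavailable; Sender address [news@spammy.example] blocked using dbl.spamhaus.org; from=<news@spammy.example> to=<alice@example.org> proto=ESMTP helo=<mail.spammy.example>
Dec 28 10:18:55 mail postfix/smtpd[4713]: NOQUEUE: reject: RCPT from unknown[198.51.100.30]: 554 5.7.1 Service unavailable; Client host [198.51.100.30] blocked using b.barracudacentral.org; from=<> to=<alice@example.org> proto=SMTP helo=<localhost>
Dec 28 10:19:10 mail postfix/smtpd[4713]: connect from mail.example.net[203.0.113.5]
Dec 28 10:19:12 mail postfix/smtpd[4713]: 3A1B2C3D4E: client=mail.example.net[203.0.113.5]
"""


if __name__ == "__main__":
    import sys
    seen = Counter()
    for line in sys.stdin:            # e.g. tail -f /var/log/mail.log | python3 <this file>
        rec = parse_blocked_line(line)
        if rec:
            print(format_reject(rec), flush=True)
            seen[rec["dnsbl"]] += 1
    if seen:
        print(report(seen))
```

Feed it the live log the same way as the sed version (`tail -f /var/log/mail.log | python3 dnsbl_rejects.py`, where the file name is whatever you saved it as) to get the per-line output; the summary is what you would run over a month of logs to decide which of the lists in the config are earning their DNS queries, since a list that sits late in the order only ever sees what the earlier ones let through.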

Stemming spam

I use a combination of DNS blacklists (DNSBLs) and spamassassin on my server to try and limit the amount of spam I get. I use the Postfix mail server and here is the relevant part of my Postfix main.cf config file:

smtpd_sender_restrictions = reject_unknown_address

smtpd_client_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client dnsbl-1.uceprotect.net,
        permit

message_size_limit = 15728639
disable_vrfy_command = yes
smtpd_helo_required = yes

Note that I’m using 3 DNSBLs (spamhaus, spamcop, and uceprotect — the values for reject_rbl_client) and they are placed towards the end of smtpd_client_restrictions. I only want the external DNSBL DNS lookups to occur if the mail passes the simpler checks first.

Seems to be doing a decent job. I still get a few pieces of spam that fall through the cracks, but I don't want it so aggressive that legitimate email doesn't get to me. Here's the summary data from logwatch from yesterday:

        1   Reject relay denied                        0.02%
      207   Reject HELO/EHLO                           4.40%
      442   Reject unknown user                        9.40%
     4053   Reject RBL                                86.18%
 --------   ------------------------------------------------
     4703   Total Rejects                            100.00%

The DNSBLs combined rejected over 4000 pieces of mail, most of which would have likely been caught by spamassassin anyways if I didn’t have the DNSBL checks, but it’s nice that they didn’t get past my mail server and into my mailbox!
