Your Linux Data Center Experts

A thread going on now on the BLUG mailing list is about what people are doing for anti-spam. I've recently made a few changes to our anti-spam setup, so I thought I'd run through the list of things we do.

I just recently added a simple script that pulls down the Spamcop list of top 200 hosts sending spam, and I put those in a separate map which I list in the “smtpd_sender_restrictions” as a “check_client_access” rule. I had first checked our logs and found that a few dozen spams per day were getting through all the checks on our server at SMTP time, so I figured it was worth trying.

I've also been manually adding rules for every spam that does make it into my main mailbox (and have asked other users to forward spam to me for the same treatment). If the e-mail is from one of the big mail providers like yahoo or gmail, I will add the sender envelope address to a blacklist. Otherwise, I will add the IP to an IP-based blacklist.

If I notice a lot of spam from an IP range or reverse name, I may add the whole block. Also, if the spam came from a DSL or ADSL name or otherwise looks like an ISP's block of customers, I've been blocking by reverse DNS name using a regex and reporting a “please send mail through your ISP's mail server”. My feeling here is that if I'm getting spam from them, the ISP isn't policing their direct outgoing connections that well, and hopefully they will if it goes through the ISP's mail servers.
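The maps described in the last three paragraphs (the downloaded top-spam-hosts list, the sender blacklist, the IP and whole-block blacklists, and the reverse-DNS regex), as an added example that is not the author's script: a shell script that turns plain lists into the four kinds of Postfix access table and prints the restriction ordering that uses them. The file paths, reject texts and all sample addresses (RFC 5737 documentation ranges) are assumptions; the download URL is not on the page, so the list is read from a file here.

```shell
#!/bin/sh
# Added example, not the author's script. Builds the access tables described
# above from plain text lists. Paths, reject texts and sample addresses are
# assumed; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# True if $1 is a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Read keys on stdin (comments and blank lines dropped) and emit
# "key<TAB>REJECT $1" lines for a hash: table of senders or hosts.
to_access_table() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
        while read -r key; do printf '%s\tREJECT %s\n' "$key" "$1"; done
}

# Build the client table from a top-spam-hosts list, one address per line.
# Malformed lines are skipped and an empty result is refused: installing an
# empty table would silently switch the check off.
build_client_table() {   # $1 = downloaded list, $2 = output table
    : > "$2"
    while read -r ip; do
        case "$ip" in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip"; then
            printf '%s\tREJECT Listed as a top spam source\n' "$ip" >> "$2"
        else
            printf 'skipping malformed entry: %s\n' "$ip" >&2
        fi
    done < "$1"
    [ -s "$2" ] || { printf 'no valid entries in %s\n' "$1" >&2; return 1; }
}

# --- constructed inputs ------------------------------------------------------
printf '192.0.2.10\n198.51.100.7\nnot-an-ip\n# trailing comment\n' > "$WORKDIR/top_hosts.txt"
printf 'spammer@example.com\nlotto@example.net\n' > "$WORKDIR/senders.txt"

build_client_table "$WORKDIR/top_hosts.txt" "$WORKDIR/spam_hosts"
to_access_table 'Sender address blacklisted' < "$WORKDIR/senders.txt" > "$WORKDIR/spam_senders"

# Whole blocks go in a cidr: table; /16 entries take exactly the same form.
cat > "$WORKDIR/spam_blocks.cidr" <<'EOF'
192.0.2.0/24      REJECT Network block listed for sustained spam
198.51.100.0/24   REJECT Network block listed for sustained spam
EOF

# Reverse-DNS names that look like DSL/dynamic customer pools are told to
# relay through their ISP; the text goes back to the client in the 5xx reply.
cat > "$WORKDIR/client_name.pcre" <<'EOF'
/(^|[.-])(dsl|adsl|dyn|dynamic|ppp)[0-9.-]*\./i  REJECT Please send mail through your ISP's mail server
EOF

# hash: tables must be compiled after every rebuild; cidr: and pcre: are read as-is.
if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$WORKDIR/spam_hosts" "hash:$WORKDIR/spam_senders"
fi

cat <<'EOF'
# main.cf fragment (paths assumed). permit_mynetworks comes first so our own
# hosts are never caught by the blacklists.
smtpd_sender_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/spam_hosts,
    check_client_access cidr:/etc/postfix/spam_blocks.cidr,
    check_client_access pcre:/etc/postfix/client_name.pcre,
    check_sender_access hash:/etc/postfix/spam_senders,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain
EOF
```

The validation and the refusal to install an empty table are the parts worth keeping when the list comes from a download: a truncated or error-page response must not quietly replace a working map.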

I've also blocked all e-mail from the country-code yahoo addresses on our users' mail server. I was getting an amazing amount of spam from yahoo domains in other countries and finally decided to block them. Probably 50% of the spam getting into my main mailbox was from these other countries' yahoo domains.

One particularly bad issue I've had has been with ttnet.net.tr. They have a lot of IP blocks and for some reason I had no luck with getting the regex blocks based on name working. I was adding /32 addresses for a while, but I was getting so many I started adding /24s. I was still getting a lot of spam from new blocks and finally have gone into our routers and found their /16 blocks and started blocking them. I've added around 20 /16 blocks. I then went through and cleared out the old smaller blocks I had, probably at least a thousand of them. Looks like I've blocked over a million IPs just because of ttnet.net.tr.

I've also used Postfix header and body PCRE checks, blocking things like “Subject: Your Lotto Winnings” and “From:.* LOTTO INTERNATIONAL”, again based on just looking at the messages that are getting through. I also have some rules for catching the stock “pump and dump” scams in the body of the message, like “\d+ Day Trading Projection” and “Ticker: [A-Z][A-Z][A-Z][A-Z]” (with various spaces allowed within “Ticker”, etc.), “a d v e r t i s e m e n t”, and “TRADE ALERT”. You get the idea.
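The header and body checks just described, as an added example that is not the author's tables: a script that writes Postfix header_checks and body_checks PCRE tables for those patterns and runs the same patterns over constructed sample lines with grep, so a new rule can be tried before it touches live mail. The paths and reject texts are assumptions.

```shell
#!/bin/sh
# Added example, not the author's tables. Writes Postfix header_checks and
# body_checks PCRE tables for the patterns quoted above and runs the same
# patterns over constructed sample lines with grep -E. Patterns stay in the
# syntax common to PCRE and ERE ([0-9] rather than \d) so both matchers agree.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# One rule per line: pattern|reason. No rule uses "|" itself.
HEADER_PATTERNS='^Subject:.*Your Lotto Winnings|lottery scam
^From:.*LOTTO INTERNATIONAL|lottery scam'

# The "T ?i ?c" form allows the spaced-out spellings the text mentions.
BODY_PATTERNS='[0-9]+ Day Trading Projection|stock spam
T ?i ?c ?k ?e ?r ?: ?[A-Z]{4}|stock spam
a ?d ?v ?e ?r ?t ?i ?s ?e ?m ?e ?n ?t|stock spam
TRADE ALERT|stock spam'

ALL_PATTERNS="$HEADER_PATTERNS
$BODY_PATTERNS"

# Emit a Postfix pcre: table ("/pattern/i REJECT reason") from a rule list.
write_table() {   # $1 = rule list, $2 = output file
    printf '%s\n' "$1" | while IFS='|' read -r pat reason; do
        printf '/%s/i REJECT %s\n' "$pat" "$reason"
    done > "$2"
}

# Print the reason for the first rule matching $2; print nothing and
# return 1 if no rule matches.
matches() {   # $1 = rule list, $2 = header or body line
    while IFS='|' read -r pat reason; do
        if printf '%s\n' "$2" | grep -Eiq -- "$pat"; then
            printf '%s\n' "$reason"
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

write_table "$HEADER_PATTERNS" "$WORKDIR/header_checks.pcre"
write_table "$BODY_PATTERNS"   "$WORKDIR/body_checks.pcre"

# Constructed sample lines: one hit per rule plus a legitimate subject.
for line in 'Subject: Your Lotto Winnings Await' \
            'Ticker: ABCD Up 300%' \
            'T i c k e r : XYZW' \
            '5 Day Trading Projection attached' \
            'Subject: Tuesday meeting notes'; do
    printf '%-40s -> %s\n' "$line" "$(matches "$ALL_PATTERNS" "$line" || echo pass)"
done

cat <<'EOF'
# main.cf fragment (paths assumed); pcre: tables need no postmap.
header_checks = pcre:/etc/postfix/header_checks.pcre
body_checks   = pcre:/etc/postfix/body_checks.pcre
EOF
```

Two Postfix details matter when writing such rules: header_checks sees each (unfolded) header as one line, and body_checks is applied line by line to at most the first body_checks_size_limit bytes of the body (51200 by default), so a pattern cannot span lines.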

I've done a lot of these manual blocks because spam is fairly disruptive for our company, so I decided around a year ago to take a fairly hard line on blocking spam. Once we start getting as much or more spam than legitimate mail in our boxes, it impacts our business's ability to respond to legitimate customer requests. If we let all spam through we'd probably get hundreds to thousands of spams per legitimate e-mail. I already spend nearly 2 hours per day just dealing with legitimate e-mail. Just deleting spam could take that much time or more.

I also use various Postfix anti-spam settings: reject_unauth_pipelining, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_invalid_hostname, reject_non_fqdn_recipient, reject_unknown_recipient_domain.

I have also set up a map in Postfix to reject HELO names with: our mail server IP in them, our mail server name in them, our domain name in them, “localhost.localdomain” and “127.0.0.1”. However, before this check I do allow our IP address ranges, so a badly configured mail server of ours will pass these, but remote mail servers will not. A lot of spam will say “HELO ”, which is totally not legitimate.
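The HELO map described above, as an added example that is not the author's configuration: a script that generates the table for a site whose hostname, address and domain are assumed values, plus a small lookup helper that imitates the exact-then-parent-domain matching Postfix applies to hash: access tables, so the table can be checked without a running Postfix.

```shell
#!/bin/sh
# Added example, not the author's configuration. Generates a HELO access
# table for a site whose identity is assumed below, plus a lookup helper that
# imitates the exact-then-parent-domain matching Postfix applies to hash:
# tables. Paths are assumed too.
OUR_IP="${OUR_IP:-192.0.2.25}"             # assumed (documentation address)
OUR_HOST="${OUR_HOST:-mail.example.com}"   # assumed
OUR_DOMAIN="${OUR_DOMAIN:-example.com}"    # assumed
WORKDIR="${WORKDIR:-$(mktemp -d)}"
HELO_MAP="$WORKDIR/helo_checks"

# Nobody outside our network should introduce itself as us or as localhost.
write_helo_table() {
    cat > "$HELO_MAP" <<EOF
$OUR_HOST               REJECT Forged HELO: that is our hostname
$OUR_DOMAIN             REJECT Forged HELO: that is our domain
$OUR_IP                 REJECT Forged HELO: that is our address
localhost.localdomain   REJECT Invalid HELO hostname
127.0.0.1               REJECT Invalid HELO hostname
EOF
}

# Look $1 up the way Postfix does for a hash: table: the full name, then each
# parent domain (a bare address is tried as-is only). Prints the action on a hit.
helo_lookup() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while [ -n "$name" ]; do
        hit=$(awk -v k="$name" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$HELO_MAP")
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
        case "$name" in
            *[!0-9.]*.*) name="${name#*.}" ;;   # hostname: try the parent domain
            *)           name="" ;;              # address or bare label: stop
        esac
    done
    return 1
}

write_helo_table
if command -v postmap >/dev/null 2>&1; then postmap "hash:$HELO_MAP"; fi

cat <<'EOF'
# main.cf fragment (path assumed). permit_mynetworks comes first, so a
# misconfigured host of ours still gets through; remote hosts do not.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/helo_checks,
    reject_invalid_hostname
EOF
```

A hash: table matches the listed names exactly and, for domains, their subdomains. Matching our name or address anywhere inside an arbitrary HELO string, as the text describes, needs a pcre: table with the same REJECT actions instead.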

I also have implemented an auto whitelist based on sender address. When we send an outgoing e-mail, the address we're sending to gets added to the whitelist. This is very easy because we are using UUCP for outgoing e-mail, so I just have my “rmail” script add the recipient addresses to a file, which then gets turned into a postfix map.
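The auto-whitelist step, as an added example that is not the author's rmail script: rmail is handed the envelope recipients on its command line, so a wrapper can record them before passing the message on. The recording step and the map build are shown here as functions; the paths and sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not the author's rmail script. Records the recipients of an
# outgoing message in a source list and rebuilds a Postfix sender access
# table from it. Paths and sample addresses are assumed.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
WL_SRC="$WORKDIR/auto_whitelist.txt"   # plain list of addresses we have written to
WL_MAP="$WORKDIR/auto_whitelist"       # Postfix sender access table built from it

# Normalise one address: strip <...>, lowercase, and reject anything that is
# not user@domain so a stray argument cannot turn into an "OK" entry.
normalise_addr() {
    a=$(printf '%s' "$1" | sed -e 's/^<//' -e 's/>$//' | tr 'A-Z' 'a-z')
    case "$a" in
        *@*.*) printf '%s\n' "$a" ;;
        *)     return 1 ;;
    esac
}

# Append the recipients given as arguments to the source list, sorted, unique.
record_recipients() {
    : >> "$WL_SRC"
    for r in "$@"; do
        normalise_addr "$r" >> "$WL_SRC" || printf 'not recording %s\n' "$r" >&2
    done
    sort -u -o "$WL_SRC" "$WL_SRC"
}

# Turn the source list into an access table whose action is OK.
build_whitelist_map() {
    awk 'NF { print $1 "\tOK" }' "$WL_SRC" > "$WL_MAP"
    if command -v postmap >/dev/null 2>&1; then postmap "hash:$WL_MAP"; fi
}

# Exact lookup of a sender address, as Postfix does for check_sender_access.
whitelisted() {
    awk -v k="$1" '$1 == k { found = 1 } END { exit !found }' "$WL_MAP"
}

# Constructed run: what the wrapper would do for one outgoing message.
record_recipients '<Customer@Example.org>' 'partner@example.net' 'bogus'
build_whitelist_map

cat <<'EOF'
# main.cf fragment (paths assumed). OK here skips only the rest of
# smtpd_sender_restrictions; checks in other restriction lists still run.
smtpd_sender_restrictions =
    permit_mynetworks,
    check_sender_access hash:/etc/postfix/auto_whitelist,
    check_client_access hash:/etc/postfix/spam_hosts,
    check_sender_access hash:/etc/postfix/spam_senders
EOF
```

The envelope sender is easy to forge, so an OK in this list should stay scoped to the blacklists it is meant to override; an OK result ends only the restriction list it appears in, so SPF, greylisting and the content scanners that run elsewhere are unaffected.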

Also on outgoing e-mails, I run a 26-bit “Hashcash”. I do this because SpamAssassin adds a +5 benefit to messages with 26 bits of hashcash. This takes our mail server around 1 minute to compute (sometimes up to 3 though).
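What a Hashcash stamp actually is, as an added example that is not the hashcash tool the author runs: a minimal version 1 minter and verifier in shell. Minting is a brute-force search for a stamp whose SHA-1 starts with the requested number of zero bits, and the verifier recomputes that hash. This shell version is far slower than the C implementation, so it demonstrates at 8 bits rather than the 26 the text uses; the resource (recipient address) and other sample values are assumptions.

```shell
#!/bin/sh
# Added example, not the hashcash tool the author runs. Minimal Hashcash v1
# minter and verifier. Expected minting work is 2^bits SHA-1 computations,
# which is why the 26-bit stamps in the text take the C tool around a minute;
# this shell version is demonstrated at 8 bits. Sample values are assumed.

sha1_hex() {   # hex SHA-1 of stdin, with coreutils or the BSD tool
    if command -v sha1sum >/dev/null 2>&1; then sha1sum; else shasum -a 1; fi | cut -d' ' -f1
}

# True if hex digest $1 begins with at least $2 zero bits.
has_leading_zero_bits() {
    printf '%s\n' "$1" | awk -v bits="$2" '{
        full = int(bits / 4); rem = bits % 4
        for (i = 1; i <= full; i++) if (substr($0, i, 1) != "0") exit 1
        if (rem > 0) {
            nibble = index("0123456789abcdef", substr($0, full + 1, 1)) - 1
            if (nibble >= 2 ^ (4 - rem)) exit 1      # top "rem" bits must be zero
        }
        exit 0
    }'
}

# Mint "1:bits:YYMMDD:resource::rand:counter", incrementing the counter until
# the digest of the whole stamp has enough leading zero bits.
mint_stamp() {   # $1 = resource (recipient address), $2 = bits
    date=$(date -u +%y%m%d)
    rand=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
    counter=0
    while :; do
        stamp="1:$2:$date:$1::$rand:$counter"
        if has_leading_zero_bits "$(printf '%s' "$stamp" | sha1_hex)" "$2"; then
            printf '%s\n' "$stamp"; return 0
        fi
        counter=$((counter + 1))
    done
}

# Verify stamp $1 for resource $2 at $3 bits: right version and resource, a
# claimed bit count at least what we require, and a digest that honours it.
# (A production verifier also checks the date window and a double-spend db.)
verify_stamp() {
    IFS=: read -r ver bits _date res _ext _rand _ctr <<EOF
$1
EOF
    [ "$ver" = 1 ] && [ "$res" = "$2" ] && [ "$bits" -ge "$3" ] || return 1
    has_leading_zero_bits "$(printf '%s' "$1" | sha1_hex)" "$bits"
}

# Demonstration at 8 bits (about 256 hashes).
STAMP=$(mint_stamp alice@example.com 8)
printf 'X-Hashcash: %s\n' "$STAMP"
verify_stamp "$STAMP" alice@example.com 8 && echo "stamp verifies"
```

The asymmetry is the whole point: each extra bit doubles the sender's minting cost while the receiver's check stays one hash, which is why SpamAssassin can afford to trust a 26-bit stamp enough to subtract 5 points.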

On incoming messages, we run SPF and greylisting at SMTP time, via tumgreyspf. These reject lots of e-mail, probably something around 90% of all incoming e-mail attempts.

Once the message is accepted for delivery, I run messages through clamav, and just drop any messages identified as spam. I also run it through SpamAssassin, and drop messages with a very high score, I believe above 15. Anything between 5 and 15, I try sending a confirmation request to, so that a user who gets blocked by SpamAssassin has a chance to clear their request. We tried running this manually with us checking, but we get up to 10,000 of these messages per day, which makes it impossible for us to manually manage. I hate confirmation systems, but at least here the message has already gone through a bunch of other anti-spam checks, and a confirmation is only sent if it is possibly not spam.
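The post-acceptance decision above (clamav verdict, then the SpamAssassin score thresholds of 15 and 5), as an added example that is not the author's delivery scripts: a script that reads the X-Spam-Score header SpamAssassin adds and maps it to drop, confirm or deliver. The clamav result is passed in as a word, nothing here talks to a real scanner, and the sample messages are constructed.

```shell
#!/bin/sh
# Added example, not the author's delivery scripts. Applies the thresholds
# stated in the text: above 15 drop, 5 to 15 hold for a confirmation request,
# below 5 deliver. Sample messages are constructed; no scanner is called.
DROP_ABOVE=15
CONFIRM_AT=5

# Print SpamAssassin's score from the header block of a message on stdin.
# Only headers are read: a line in the body cannot forge the score.
spam_score() {
    awk '/^$/ { exit }
         tolower($1) == "x-spam-score:" { print $2; exit }'
}

# Map a score to an action; awk so fractional scores compare correctly.
classify_score() {   # $1 = score; prints drop, confirm or deliver
    awk -v s="$1" -v d="$DROP_ABOVE" -v c="$CONFIRM_AT" 'BEGIN {
        if (s + 0 > d) print "drop"
        else if (s + 0 >= c) print "confirm"
        else print "deliver"
    }'
}

# Decide for one message: $1 = clamav verdict (infected|clean), message on
# stdin. A message without a score header is treated as unscored (deliver);
# a stricter site would hold it instead. That default is an assumption.
route_message() {
    if [ "$1" = infected ]; then echo drop; return 0; fi
    score=$(spam_score)
    classify_score "${score:-0}"
}

# Constructed sample messages. The third carries a bogus score in its body
# to show that only the header block is consulted.
MSG_HIGH='From: a@example.com
X-Spam-Score: 21.4
Subject: hello

body'
MSG_MID='From: b@example.com
X-Spam-Score: 7.3
Subject: hello

body'
MSG_LOW='From: c@example.com
X-Spam-Score: -1.2
Subject: hello

X-Spam-Score: 99
body'

for m in "$MSG_HIGH" "$MSG_MID" "$MSG_LOW"; do
    printf '%s\n' "$m" | route_message clean
done
```

The same three-way split is what makes the confirmation step tolerable: only the middle band ever generates a request, and everything above the drop threshold never does.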

Those are the anti-spam settings we're currently using.

