Weblog entry #1 for Wayne

spammed to death
Posted by Wayne on Thu 30 Aug 2007 at 22:24
We have recently taken over another company and all their servers; the main mail server, which is running sendmail, is being hammered.

We are using RBL lists, greet pause and have max children set at 300, which is constantly being reached. I have also blocked a lot of /16s in the firewall but we are still struggling. I have tried to use hermes for greylisting but this has proved to be unstable and pisses off the users. The problem has been getting worse all week.

I'm in the process of installing postfix on Etch and will migrate but will this help?


Suggestions very welcome.


Wayne

 

Comments on this Entry

Posted by kaerast (82.47.xx.xx) on Fri 31 Aug 2007 at 01:00

What RBL lists are you using? What exactly is the problem you are having? Just that users are getting lots of spam or that the mail server is being overloaded? How much mail are you getting (per second?)

Configured correctly, Postfix running with a spam filter and possibly greylisting should help. Check out this pre-data anti-uce configuration for Postfix, which should weed out a lot of your spam - although replace the spamhaus rbls with zen.spamhaus.org.

Using multiple rbl lists will delay email and take up processing time; if you're not using a local caching nameserver then this can be a considerable delay. It's also important you do the rbl checking in the correct place - i.e. local users don't need rbl checking, and cheap local checks (e.g. invalid hostnames) should be done first.

Another tip not often documented is the use of fail2ban alongside Postfix. If you get it denying connections from IP addresses causing rbl failures, relaying attempts, etc. then it'll reduce the number of connections.

If you're building a new machine to do the filtering then you'll want to train any bayes filters with existing data - have you got a way of doing this? If not, you might want to get the existing setup collecting spam and ham now.

After all of this, if you've still got questions then there's the #postfix channel on freenode. They're a friendly bunch provided you don't ask stupid questions.

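An added example, not part of kaerast's comment or of the configuration it links to: a main.cf fragment that applies the ordering described above, with local clients exempt, cheap checks first and the single zen.spamhaus.org lookup last. The 192.0.2.0/24 network is a placeholder assumption for your own client range, and the restriction names are those of Postfix 2.3 and later.

```ini
# /etc/postfix/main.cf (fragment, constructed example)

# Assumption: 192.0.2.0/24 stands in for your own client network.
mynetworks = 127.0.0.0/8, 192.0.2.0/24

# Refuse clients that skip HELO/EHLO, so the HELO check below always applies.
smtpd_helo_required = yes

# Restrictions are evaluated in order and the first PERMIT or REJECT wins:
#   1. permit_mynetworks             local clients are accepted here and
#                                    never reach the RBL lookup
#   2. reject_unauth_destination     refuse relaying before any other work
#   3. reject_invalid_helo_hostname  cheap syntax checks that need no DNS
#      reject_non_fqdn_sender        (before Postfix 2.3 the first of these
#      reject_non_fqdn_recipient     was named reject_invalid_hostname)
#   4. reject_unknown_sender_domain  one DNS lookup on the sender domain
#   5. reject_rbl_client             RBL query last, only for mail that
#                                    passed everything above
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org
```

After `postfix reload`, each rejection in the mail log names the restriction that fired, which shows how much traffic is stopped before the RBL query is made.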

Posted by simonw (84.45.xx.xx) on Sat 1 Sep 2007 at 13:32
I've written a little on this site about filtering with Postfix on Debian.

In Etch you have policyd-weight packaged, which is a good way of picking up the best of block lists; alongside greylisting (with postgrey), this is a pretty effective first-line defense against spam.

Of course without knowing what sort of spam they are suffering with it might not be appropriate.

Ultimately the IP address reputation based filtering is suffering because of the amount of spam now coming from Gmail, Hotmail, AOL, and other large email providers. If this continues one will have to either blacklist these providers, or use some sort of content based filtering.


Posted by Anonymous (62.41.xx.xx) on Wed 5 Sep 2007 at 10:08
To do something about spam from Yahoo, Gmail, Hotmail, etc., implement verify sender.

Info here:

http://www.posluns.com/guides/classes.html

This saves me lots of spam.

Louis


Posted by kroshka (66.252.xx.xx) on Wed 5 Sep 2007 at 23:22
Using a Bayesian-based spam filter like ASSP (it has much more though) is always a good idea, and very effective once it has had time to learn.
