Archive for the Spam Control Category
Posted by mike Filed Under Spam Control with Comments Off
Having tried a number of RBLs, you will find that some are going out of existence and others are either too aggressive or do not cover all of the areas where you need protection. Here is a combination that gives good protection without getting too crazy. Be sure to add one at a time so you can tell whether a particular list is not right for you. Use at your own risk: you could lose email.
zen.spamhaus.org
This zone actually combines three separate lists.
“The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.
The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.”
bl.spamcop.net
SpamCop Block List
This list contains IP addresses which have sent spam, as reported by users themselves. This has the advantage of a list that is finely tuned and very up to date, since users add IPs as they report spam. However, it is an aggressive list, as SpamCop itself states:
“The SCBL is aggressive and often errs on the side of blocking mail.”
The other disadvantage is that any user can add an IP to the list, which can create a serious problem for an organization whether the report is justified or not. Your enemies or competitors could use this list against you.
cbl.abuseat.org
The CBL takes its source data from very large spamtraps/mail infrastructures, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) and dedicated Spam BOTs which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or “stealth” spamware, dictionary mail harvesters etc.
dnsbl-1.uceprotect.net
This list is unique in that it only returns spammers listed within the last 7 days.
Posted by mike Filed Under Spam Control with Comments Off
SpamAssassin has a file in /usr/share/spamassassin called 25_body_tests_es.cf which deals with Spanish spam. These rules are not listed in 50_scores.cf, and as explained in 50_scores.cf, rules with no listed score automatically get a score of “1”. In some cases that score may not be enough, so you will want to override it in /etc/mail/spamassassin/local.cf. In this example the rule names have all been taken from 25_body_tests_es.cf and placed in local.cf. Each line starts with score, followed by the rule name, and ends with the number 3, so that each rule adds 3 points (instead of the default 1) to a message's score. Save the file and restart SpamAssassin for the changes to take effect.
score REMOVE_ES_01 3
score REMOVE_ES_02 3
score REMOVE_ES_03 3
score REMOVE_ES_04 3
score REMOVE_ES_05 3
score REMOVE_ES_06 3
score REMOVE_ES_07 3
score REMOVE_ES_08 3
score SUBSCRIBE_ES_01 3
score DEJAR_DE_FUMAR_ES 3
score GRATIS_ES 3
score INTERESADO_ES 3
score LEY_ORGANICA_ES 3
score NORMATIVA_SPAM_ES 3
score LEY_CHILE_ES_01 3
score LEY_CHILE_ES_02 3
score TARJETA_VERDE_ES 3
score PROMOCION_ES 3
score ALTA_BUSCADORES_ES 3
score EXCLAMACION_ES 3
score PRESENTAMOS_ES 3
score CONTRA_REEMBOLSO_ES 3
score PEDIDO_ES 3
score CLICK_ES 3
score REGALO_ES 3
score GANADORES_ES_01 3
score GANADORES_ES_02 3
score PORNO_GRATIS_ES 3
score MAS_INFORMACION_ES 3
score INFORMACION_RESERVA_ES 3
score REENVIA_ES 3
score NO_MAS_MAIL_1_ES 3
score NO_MAS_MAIL_2_ES 3
score COLECTOR_DE_MAILS_ES 3
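The list above was assembled by hand. As an added example (not code from the post), here is a small Python script that does the same job mechanically: it reads the rule names out of a rules file, checks which of them have no score line in 50_scores.cf, and prints the local.cf override lines. The two sample files embedded below are constructed stand-ins: the rule names come from the post, but the patterns are placeholders, not SpamAssassin's real Spanish rules.

```python
import re

# Constructed stand-in for 25_body_tests_es.cf. The names are the post's rule
# names; the patterns are placeholders, not SpamAssassin's actual rules.
SAMPLE_RULES_CF = """\
# Spanish spam rules (constructed sample)
body   REMOVE_ES_01        /\\bremover\\b/i
describe REMOVE_ES_01      Spanish: remove-me text
body   GRATIS_ES           /\\bgratis\\b/i
describe GRATIS_ES         Spanish: free
header SUBSCRIBE_ES_01     Subject =~ /suscr/i
describe SUBSCRIBE_ES_01   Spanish: subscribe
"""

# Constructed excerpt of 50_scores.cf using the two score lines quoted on this page.
SAMPLE_SCORES_CF = """\
score NO_REAL_NAME 0 0.550 0 0.961
score FROM_BLANK_NAME 1.659 1.467 0.936 1.534
"""

# Keywords that define a rule in a SpamAssassin .cf file.
RULE_KEYWORDS = ("header", "body", "rawbody", "uri", "full", "meta")
RULE_RE = re.compile(r"^\s*(%s)\s+(\S+)" % "|".join(RULE_KEYWORDS))
SCORE_RE = re.compile(r"^\s*score\s+(\S+)")


def rule_names(cf_text):
    """Return the set of rule names defined in a .cf file (comments skipped)."""
    names = set()
    for line in cf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            names.add(m.group(2))
    return names


def scored_names(scores_text):
    """Return the set of rule names that have an explicit 'score' line."""
    names = set()
    for line in scores_text.splitlines():
        m = SCORE_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def unscored_rules(rules_text, scores_text):
    """Rules defined in rules_text that scores_text never scores (they default to 1)."""
    return sorted(rule_names(rules_text) - scored_names(scores_text))


def local_cf_lines(names, score=3):
    """Build local.cf override lines in the same form as the post's list."""
    return ["score %s %s" % (name, score) for name in names]


if __name__ == "__main__":
    # Against a real system, read /usr/share/spamassassin/25_body_tests_es.cf
    # and 50_scores.cf instead of the constructed samples.
    missing = unscored_rules(SAMPLE_RULES_CF, SAMPLE_SCORES_CF)
    print("\n".join(local_cf_lines(missing)))
```

Because rule_names only looks at lines that define a rule, describe and tflags lines are ignored, and a rule that later gains a score line in 50_scores.cf (after an sa-update, say) drops out of the generated list automatically.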
Posted by mike Filed Under Spam Control with 2 Comments
SpamAssassin uses tests that check mail headers, the body, IP addresses and checksums to locate patterns that indicate spam. It uses pattern-based tests, each with a score, for patterns found in headers, the body or attachments, and network-based tests that use DNS lookups or query RBLs.
If you look in the /usr/share/spamassassin directory you will see the tests that SpamAssassin performs.
The tests used by SpamAssassin, and thus by amavisd, are located in /usr/share/spamassassin. They consist of over 1000 tests on various parts of arriving email, including checks for known spammers. There are thousands of rules set up across the files in this directory, and each test file contains a number of rules that will be evaluated. The test files are basically self explanatory, but here is some additional information that will help. Ratware are programs used by spammers to send their email; these specially designed programs have signatures that can be detected. 10_misc.cf defines the templates used to report spam. 20_compensate.cf gives negative scores to good values in mail that indicate the mail is not spam. 50_scores.cf contains the scores for each rule. 60_whitelist.cf is where common addresses are whitelisted. Here is a listing of the directory.
# ls /usr/share/spamassassin/
10_misc.cf 25_accessdb.cf 30_text_nl.cf
20_advance_fee.cf 25_antivirus.cf 30_text_pl.cf
20_anti_ratware.cf 25_body_tests_es.cf 30_text_pt_br.cf
20_body_tests.cf 25_body_tests_pl.cf 50_scores.cf
20_compensate.cf 25_dcc.cf 60_awl.cf
20_dnsbl_tests.cf 25_dkim.cf 60_whitelist.cf
20_drugs.cf 25_domainkeys.cf 60_whitelist_dk.cf
20_fake_helo_tests.cf 25_hashcash.cf 60_whitelist_dkim.cf
20_head_tests.cf 25_pyzor.cf 60_whitelist_spf.cf
20_html_tests.cf 25_razor2.cf 60_whitelist_subject.cf
20_meta_tests.cf 25_replace.cf languages
20_net_tests.cf 25_spf.cf sa-update-pubkey.txt
20_phrases.cf 25_textcat.cf sa-update.cron
20_porn.cf 25_uribl.cf triplets.txt
20_ratware.cf 30_text_de.cf user_prefs.template
20_uri_tests.cf 30_text_fr.cf
23_bayes.cf 30_text_it.cf
Here is an example taken from the 20_head_tests.cf file. Note that some tests require a specific version of SpamAssassin, which is listed at the top of the file. Each test name is in CAPS with underscores, followed by the regular expression or eval function used to evaluate the rule. The describe line underneath provides a description of the rule. The score for each rule is listed in 50_scores.cf.
require_version 3.001007
header HEAD_LONG eval:check_msg_parse_flags('truncated_header')
describe HEAD_LONG Message headers are very long
# partial messages; currently-theoretical attack
# unsurprisingly this hits 0/0 right now.
header FRAGMENTED_MESSAGE Content-Type =~ /\bmessage\/partial/i
describe FRAGMENTED_MESSAGE Partial message
header MISSING_HB_SEP eval:check_msg_parse_flags('missing_head_body_separator')
describe MISSING_HB_SEP Missing blank line between message header and body
header UNPARSEABLE_RELAY eval:check_relays_unparseable()
tflags UNPARSEABLE_RELAY userconf
describe UNPARSEABLE_RELAY Informational: message has unparseable relay lines
Each test looks similar to what you see here. These are header tests, so they start with the word “header” followed by the name of the test in CAPS. The actual expression of the test is on the right hand side. The first one is a regular expression that matches a From: header that carries no real name. The describe line below it is a description of the test. The second test checks for a From: header whose name part is blank, again with a regular expression.
header NO_REAL_NAME From =~ /^["\s]*\<?\S+\@\S+\>?\s*$/
describe NO_REAL_NAME From: does not include a real name
header FROM_BLANK_NAME From =~ /(?:\s|^)"" <\S+>/i
describe FROM_BLANK_NAME From: contains empty name
Each test has a score that is associated with it in the 50_scores.cf file which is also located in /usr/share/spamassassin. The score adds to the email total score which determines if it is Spam.
score NO_REAL_NAME 0 0.550 0 0.961
The scores have 4 fields. The first is the score added when neither network tests nor Bayesian tests are in use; for NO_REAL_NAME this is 0. The second applies when network tests are in use and Bayesian tests are not. The third applies when Bayesian tests are in use but network tests are not. The fourth applies when both network tests and Bayesian tests are in use.
score FROM_BLANK_NAME 1.659 1.467 0.936 1.534
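To make the four-field selection concrete, here is an added Python example (not code from the post or from SpamAssassin) that parses score lines, picks the field for the running mode, and adds up the rules a message hit against the spam threshold. The two four-field score lines are the ones quoted above; the single-field GRATIS_ES override is constructed in the style of the local.cf entries earlier on this page, and the required_score threshold of 5.0 is SpamAssassin's default (an assumption; check your local.cf).

```python
# Score lines quoted on this page (50_scores.cf style, four fields).
SCORES_CF = """\
score NO_REAL_NAME 0 0.550 0 0.961
score FROM_BLANK_NAME 1.659 1.467 0.936 1.534
"""
# Constructed local.cf override with a single field, as in the earlier post.
LOCAL_CF = "score GRATIS_ES 3\n"

DEFAULT_SCORE = 1.0    # a rule with no score line counts 1, as 50_scores.cf explains
REQUIRED_SCORE = 5.0   # SpamAssassin's default required_score (assumed here)


def parse_scores(*cf_texts):
    """Parse 'score NAME n' or 'score NAME n n n n' lines; later files override earlier ones."""
    scores = {}
    for text in cf_texts:
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 3 and parts[0] == "score":
                scores[parts[1]] = [float(x) for x in parts[2:]]
    return scores


def effective_score(fields, network, bayes):
    """Pick the field for the running mode.

    Field order is [no net + no bayes, net only, bayes only, net + bayes],
    matching the description of the four fields above. A single-field score
    (typical of local.cf overrides) applies in every mode.
    """
    if len(fields) == 1:
        return fields[0]
    index = (2 if bayes else 0) + (1 if network else 0)
    return fields[index]


def message_score(hits, scores, network=True, bayes=True):
    """Sum the effective scores of the rules a message hit."""
    total = 0.0
    for name in hits:
        fields = scores.get(name, [DEFAULT_SCORE])
        total += effective_score(fields, network, bayes)
    return total


def is_spam(hits, scores, network=True, bayes=True, required=REQUIRED_SCORE):
    return message_score(hits, scores, network, bayes) >= required


if __name__ == "__main__":
    table = parse_scores(SCORES_CF, LOCAL_CF)
    hits = ["NO_REAL_NAME", "FROM_BLANK_NAME", "GRATIS_ES"]
    for net, bayes in [(False, False), (True, False), (False, True), (True, True)]:
        print("net=%-5s bayes=%-5s score=%.3f spam=%s" % (
            net, bayes, message_score(hits, table, net, bayes), is_spam(hits, table, net, bayes)))
```

Running it shows why the same message can be spam on one server and not on another: with network and Bayesian tests enabled the three hits total 5.495 and cross the threshold, while with neither enabled they total only 4.659.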
Posted by mike Filed Under Spam Control with Comments Off
One way you may choose to manage the mail that comes to the Postfix server is to use the locales feature of SpamAssassin. If you cannot read other languages there is really no need to run them through your mail system. For example, if you wanted to limit email to English you would add this line to:
/etc/mail/spamassassin/local.cf
ok_locales en
This treats any mail in character sets other than Western as spam. Here are the options you have:
en – Western character sets in general
ja – Japanese character sets
ko – Korean character sets
ru – Cyrillic character sets
th – Thai character sets
zh – Chinese (both simplified and traditional) character sets
all – Allow all character sets
This is an easy setting to help clean up mail that you cannot read anyway.
Posted by mike Filed Under Spam Control with 1 Comment
Address Sender Verification
One of the best methods of restricting spam is to require sender address verification. This means that Postfix will initiate an SMTP session with the sender domain's mail server to verify that the sender address is deliverable. This takes time and resources, but it is a very effective way to deal with spam. You will need to add the reject_unverified_sender option.
smtpd_recipient_restrictions =
warn_if_reject reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
reject_non_fqdn_hostname
reject_invalid_hostname
check_helo_access pcre:/etc/postfix/helo_checks
check_sender_mx_access cidr:/etc/postfix/bogus_mx
reject_unverified_sender
permit
There is a way to enhance this process. Postfix caches the addresses it has checked in memory, which is great because the system will not have to look the same address up again, unless you restart the server, since the in-memory cache is lost. However, you can tell Postfix to write the addresses to a map file so that the cache persists across restarts. Use the address_verify_map parameter to make this work.
address_verify_map = btree:/var/spool/postfix/verified_senders
If you do not want to cache negative results (sender addresses that failed verification), use this parameter.
address_verify_negative_cache = no
Copyright CyberMontana Inc. and Postfixmail.com
All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874
Posted by mike Filed Under Spam Control with 2 Comments
Using a Blackhole
The one thing that is important to understand when using blackholes (DNS blacklists) is that they require Postfix to do a DNS lookup for each connecting client, which takes resources from your server and adds latency. However, the reduction in spam can be significant. In the example below two kinds of lists are used to block spam; these are only illustrations, so research your lists carefully. Each list has a zone name that you use to query it. These two are combined under one zone name, which is then entered into your smtpd restrictions.
Exploits Block List (http://www.spamhaus.org/xbl/index.lasso). The following information is taken from the Spamhaus site.
“The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.”
The Spamhaus Block List (http://www.spamhaus.org/sbl/index.lasso)
The following information is taken from the Spamhaus site.
“The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services), maintained by the Spamhaus Project team and supplied as a free service to help email administrators better manage incoming email streams.
The SBL is queriable in realtime by mail systems throughout the Internet, allowing email administrators to identify, tag or block incoming connections from IP addresses which Spamhaus deems to be involved in the sending or origination of Unsolicited Bulk Email (aka “Spam”).
The SBL database is maintained by a dedicated international Spamhaus team based in 9 countries, working 24 hours a day, 7 days a week to list new confirmed spam issues and – just as importantly – to delist resolved issues.”
These two lists are combined into this address.
sbl-xbl.spamhaus.org
Update
Spamhaus has since also combined its PBL list (non-MTA IP address ranges set by outbound mail policy) with the SBL and XBL into one zone called “zen.spamhaus.org”.
zen.spamhaus.org
smtpd_recipient_restrictions =
warn_if_reject reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
reject_non_fqdn_hostname
reject_invalid_hostname
check_helo_access pcre:/etc/postfix/helo_checks
check_sender_mx_access cidr:/etc/postfix/bogus_mx
reject_rbl_client zen.spamhaus.org
permit
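What reject_rbl_client actually does for each client is a DNS query: the client's IPv4 octets are reversed and the zone name is appended, and any A record answer means the client is listed. As an added example (not from the post or from Postfix), the Python below builds that query name, decodes the answer, and refuses to treat a nonsense answer as a listing. The return codes in the table are the ones Spamhaus documents for zen.spamhaus.org and are an assumption to verify against the current Spamhaus site; the FAKE_DNS answers are constructed so the example runs offline.

```python
import socket


def dnsbl_query_name(client_ip, zone):
    """Build the DNSBL lookup name: octets reversed, then the zone name."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 address expected: %r" % client_ip)
    return ".".join(reversed(octets)) + "." + zone


# Return codes as documented by Spamhaus for zen.spamhaus.org (assumed current).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}


def classify_answer(addresses, codes=ZEN_CODES):
    """Map A-record answers to list names.

    A DNSBL answers only inside 127.0.0.0/8. Anything else means the zone is
    misconfigured or has died and is answering with a wildcard, which is the
    failure mode that makes a dead RBL suddenly block all mail; treat it as an
    error, never as a listing. 127.255.255.x is Spamhaus's own error range.
    """
    listed = []
    for addr in addresses:
        if not addr.startswith("127."):
            raise RuntimeError("non-127/8 answer %s: zone misconfigured or dead" % addr)
        if addr.startswith("127.255.255."):
            raise RuntimeError("Spamhaus error code %s (query limit or resolver problem)" % addr)
        listed.append(codes.get(addr, "unknown code %s" % addr))
    return listed


def system_resolve(name):
    """Live lookup; NXDOMAIN (not listed) comes back as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_client(client_ip, zone="zen.spamhaus.org", resolve=system_resolve):
    """Return the lists the client is on; an empty list means reject_rbl_client would pass it."""
    return classify_answer(resolve(dnsbl_query_name(client_ip, zone)))


# Constructed answers standing in for live DNS (192.0.2.0/24 is documentation space).
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],  # constructed XBL-style listing
    "1.2.0.192.zen.spamhaus.org": [],              # constructed: not listed
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.1"):
        print(ip, "->", check_client(ip, resolve=fake_resolve) or "not listed")
```

The injectable resolve function is what makes the logic testable without network access; swap in system_resolve to query the real zone. Keeping the non-127/8 check is worth it on a production mailer too: it is the cheapest way to notice that a list you configured has gone out of existence, which is exactly the risk the RBL post at the top of this page warns about.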
Posted by mike Filed Under Spam Control with Comments Off
Non-Routable Networks
Spammers will also use networks which are not routable and thus not traceable. You can stop this technique with Postfix; however, your network firewall should not allow traffic from these networks into your network at all.
Step #1: Create bogus_mx
Create a map that lists these unroutable networks, one network per line. With check_sender_mx_access, Postfix looks up the MX hosts of the sender's domain and applies the listed action when one of their addresses falls inside one of these networks.
0.0.0.0/8 550 Bad Network
10.0.0.0/8 550 Bad Network
127.0.0.0/8 550 Bad Network
224.0.0.0/4 550 Bad Network
192.168.0.0/16 550 Bad Network
Step #2: Enter the Line in smtpd restrictions
smtpd_recipient_restrictions =
warn_if_reject reject_non_fqdn_recipient
reject_non_fqdn_sender
reject_unknown_sender_domain
reject_unknown_recipient_domain
permit_mynetworks
reject_unauth_destination
reject_non_fqdn_hostname
reject_invalid_hostname
check_helo_access pcre:/etc/postfix/helo_checks
check_sender_mx_access cidr:/etc/postfix/bogus_mx
permit
Remember: Linear Maps (PCRE, regexp, CIDR and Flat Files)
These are plain text files. Postfix reads them from top to bottom and, when a match is found, takes the action listed for that entry. This is much like iptables in that the first match is what counts, so order in the file is extremely important. One problem with these maps is that as they get larger it takes Postfix more time to read through them.
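The first-match rule is easy to state and easy to get wrong. As an added example (not from the post or from Postfix), the Python below parses a cidr: table in the format of the bogus_mx map above and walks it the way Postfix does: top to bottom, first match wins, with no longest-prefix preference. The ORDER_DEMO table is constructed to show how a more specific entry placed after a broader one never fires.

```python
import ipaddress

# The bogus_mx map from Step #1, embedded as text (same entries as the post).
BOGUS_MX = """\
0.0.0.0/8 550 Bad Network
10.0.0.0/8 550 Bad Network
127.0.0.0/8 550 Bad Network
224.0.0.0/4 550 Bad Network
192.168.0.0/16 550 Bad Network
"""

# Constructed table: the /16 exception below the /8 is unreachable.
ORDER_DEMO = """\
10.0.0.0/8 550 Bad Network
10.1.0.0/16 OK
"""


def parse_cidr_map(text):
    """Parse a Postfix cidr: table into an ordered list of (network, action).

    Blank lines and '#' comments are skipped; the pattern is separated from the
    action by whitespace, as in the Postfix table format.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed cidr entry: %r" % raw)
        entries.append((ipaddress.ip_network(parts[0], strict=False), parts[1].strip()))
    return entries


def lookup(entries, address):
    """First match wins, exactly as Postfix walks a linear map; None if nothing matches."""
    ip = ipaddress.ip_address(address)
    for network, action in entries:
        if ip in network:
            return action
    return None


def unreachable_entries(entries):
    """Entries that can never match because an earlier, broader entry covers them."""
    shadowed = []
    for i, (network, _) in enumerate(entries):
        if any(network.subnet_of(earlier) for earlier, _ in entries[:i]):
            shadowed.append(str(network))
    return shadowed


if __name__ == "__main__":
    table = parse_cidr_map(BOGUS_MX)
    for ip in ("10.1.2.3", "192.168.5.5", "192.0.2.1"):
        print(ip, "->", lookup(table, ip))
    print("shadowed in ORDER_DEMO:", unreachable_entries(parse_cidr_map(ORDER_DEMO)))
```

The unreachable_entries helper is the check worth running whenever a map grows: any entry it reports is dead weight at best and, if it was meant as an exception, a silent policy hole. Note that subnet_of requires Python 3.7 or later.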