Mailing List Archive

Stopping the pre-filtered amount of spam.
About 90% of the email I receive is spam. Spamassassin
does a great job of blocking this spam, but it is still consuming
a huge amount of bandwidth.

My current ideas to prevent this are:

1) retire existing email addresses
(a very big headache)

2) reply to all spam with fake bounces
(most spam has fake addresses and
this just increases bandwidth usage)

3) switch from postfix to exim, so that I can block spam at smtp time.
(If someone has tried this, does this have any effect on the
total amount of spam?)


Does anyone know of any other way to potentially reduce the initial
pre-filtered amount of spam?


Thanks,


Jon.
Re: Stopping the pre-filtered amount of spam.
Jon Gabrielson wrote:
>
> 3) switch from postfix to exim, so that I can block spam at smtp time.
> (If someone has tried this, does this have any effect on the
> total amount of spam?)

Better option is to use an SMTP proxy in front of Postfix, or use
a replacement for its SMTP service module. For qmail for instance,
there is a nice package called 'mailfront' which is a filtering
qmail-smtpd replacement.
RE: Stopping the pre-filtered amount of spam.
> -----Original Message-----
> From: Jon Gabrielson [mailto:jon@directfreight.com]
> Sent: Wednesday, February 04, 2004 3:22 PM
> To: SpamAssassin-users@incubator.apache.org
> Subject: Stopping the pre-filtered amount of spam.
>
>
> About 90% of the email I receive is spam. Spamassassin
> does a great job of blocking this spam, but it is still consuming
> a huge amount of bandwidth.
>
> My current ideas to prevent this are:
>
> 1) retire existing email addresses
> (a very big headache)
>
> 2) reply to all spam with fake bounces
> (most spam has fake addresses and
> this just increases bandwidth usage)
>
> 3) switch from postfix to exim, so that I can block spam at smtp time.
> (If someone has tried this, does this have any effect on the
> total amount of spam?)
>
>
> Does anyone know of any other way to potentially reduce the initial
> pre-filtered amount of spam?
>

Currently with Sendmail, I block 4-5 times as much spam that gets filtered
with SA. Nice to know it spares my server, but the bandwidth is still taken
up for all of us using the interweb ;)

Also I've since changed my opinion of Sendmail. It ain't that easy :) Make
sure you grab the O'Reilly book on it if you use it. "Itssssss thhhhhhe great
big book of everything, with everything inside. See the server around us.
It's such a perfect guide!"

--Chris (Yeah, I got kids.)
Re: Stopping the pre-filtered amount of spam.
On Wed, 4 Feb 2004 14:22:16 -0600, Jon Gabrielson wrote:

> Does anyone know of any other way to potentially reduce the
> initial pre-filtered amount of spam?

Check for virii before calling SA. There's no reason to run SA on a message if it's a virus message that should be deleted anyway.

Some stuff to do with the SMTP server, before ever feeding stuff to SA:

Make sure your mailer refuses to receive mail with nonexistent domains in MAIL FROM:.
Implement greylisting. It really does block a lot of virii and spam.
Implement checks for forged HELO pretending to be your server.
Use relaydb (the trend towards zombies has made this less effective than it was).

I've got an example doing this sort of stuff with MIMEDefang (a sendmail milter) at http://whatever.frukt.org. I have no idea how to do it with Exim, but hopefully someone else has examples for that.

/Jonas
--
Jonas Eckerman, jonas_lists@frukt.org
http://www.fsdb.org/
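
An added example, not part of Jonas's post or his MIMEDefang setup: a minimal sketch of two of the checks he lists (forged HELO and greylisting), decided before the DATA command so the message body is never transferred. The class name, hostnames, addresses and the 300-second delay are assumptions made for illustration.

```python
import time

GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)
# Constructed sample identity for "this server": hostname and public IP.
MY_NAMES = {"mail.example.org", "192.0.2.10"}


class PreDataPolicy:
    """Decisions an SMTP front end can make before the DATA command."""

    def __init__(self, my_names=MY_NAMES, delay=GREYLIST_DELAY, clock=time.time):
        self.my_names = {n.lower() for n in my_names}
        self.delay = delay
        self.clock = clock      # injectable so the logic can be tested offline
        self.first_seen = {}    # (client_ip, sender, recipient) -> first attempt

    def check_helo(self, client_ip, helo_name):
        # A remote client that introduces itself with our own hostname or
        # IP literal is forging HELO; refuse it permanently.
        name = helo_name.strip("[]").lower()
        if name in self.my_names and client_ip not in self.my_names:
            return "550 5.7.1 HELO name belongs to this server"
        return "250 OK"

    def check_rcpt(self, client_ip, sender, recipient):
        # Greylisting: temporarily refuse an unseen (IP, sender, recipient)
        # triplet. A real MTA queues and retries after a 4xx reply; senders
        # that never retry are never asked for the message body.
        key = (client_ip, sender.lower(), recipient.lower())
        now = self.clock()
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            return "451 4.7.1 Greylisted, try again later"
        return "250 OK"
```

A production greylist would also expire old triplets and whitelist known senders that retry from varying addresses.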
Re: Stopping the pre-filtered amount of spam.
On Wed, 4 Feb 2004, Jon Gabrielson wrote:

> About 90% of the email I receive is spam. Spamassassin
> does a great job of blocking this spam, but it is still consuming
> a huge amount of bandwidth.
>
> My current ideas to prevent this are:
>
> 1) retire existing email addresses
> (a very big headache)

Only real effective spam reducer. Get a new address and never give
it out. (Of course the dictionary attackers will still get you ;)


> 2) reply to all spam with fake bounces
> (most spam has fake addresses and
> this just increases bandwidth usage)

Won't make -any- difference, spammer engines (open relays, open proxies,
PC-trojans) ignore them.


> 3) switch from postfix to exim, so that I can block spam at smtp time.
> (If someone has tried this, does this have any effect on the
> total amount of spam?)

This does not reduce network bandwidth as you still have to "pull in"
the whole message to actually run the rules on it. The SMTP reject is
returned after you've received the whole message DATA, instead of the
final "250 message accepted".
It will save on disk-space and your time looking at the garbage.
(IE reduces the amount of spam that is apparent to you).

The only other way to actually reduce the bandwidth is something like
sendmail's "access-db" control. IE a block-list of hosts, IP addresses,
e-mail addresses that you use to drop the connection at the beginning
of the SMTP conversation. (even better, a router IP filter to keep
those -nasty- packets from even getting to your network ;).

> Does anyone know of any other way to potentially reduce the initial
> pre-filtered amount of spam?

Yes, disconnect your network cable. ;)

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: Stopping the pre-filtered amount of spam.
Jon Gabrielson wrote:
> About 90% of the email I receive is spam. Spamassassin
> does a great job of blocking this spam, but it is still consuming
> a huge amount of bandwidth.
>
> My current ideas to prevent this are:
>
> 1) retire existing email addresses
> (a very big headache)
>
> 2) reply to all spam with fake bounces
> (most spam has fake addresses and
> this just increases bandwidth usage)
>
> 3) switch from postfix to exim, so that I can block spam at smtp time.
> (If someone has tried this, does this have any effect on the
> total amount of spam?)
>
>
> Does anyone know of any other way to potentially reduce the initial
> pre-filtered amount of spam?
>
>
> Thanks,
>
>
> Jon.
John

with MailScanner (www.mailscanner.info) you can decide what to do with
the spam. Delete it, bounce it, quarantine it...

MailScanner is a bit like AMaVis, in that it wraps around SA, anti-virus
engines and the MTA to provide a higher number of checks.

If you use MailWatch (mailwatch.sourceforge.net) in combination with
MailScanner you can also have an HTML-based interface for inspecting the
quarantine areas and releasing email, or teaching the bayes engine about
wrongly tagged email.


--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


RE: Stopping the pre-filtered amount of spam.
On Wed, 4 Feb 2004, Chris Santerre wrote:

> Currently with Sendmail, I block 4-5 times as much spam that gets filtered
> with SA. Nice to know it spares my server, but the bandwidth is still taken
> up for all of us using the interweb ;)

No, if you decide to drop the connection in the check_relay ruleset,
you've only received about 5 TCP/IP packets from the other end
(maybe 1Kbyte data max). Even if you're using delayed evaluation,
the drop will occur within 10 packets. Only way to cut bandwidth
further is to put in a router packet filter.

Back in the days when I got my internet connection via a 19.2Kbaud
SLIP connection, I could -see- each IP packet. ;)

Dave

--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{