Anti Spam Landscape

Dallin Jones squitoey at gmail.com
Tue Jul 17 22:25:25 MDT 2007


I do a few different things. I started having a lot of trouble with
my mail server when it started getting spammed pretty badly. I have
Postfix using Amavis to push the email through ClamAV and SpamAssassin.
My server was brought to its knees. It was running at 98-99%
processor load and it would take hours for email to go through. So
here is what I did:

First I added a helo restriction using this:
  smtpd_helo_required = yes
  smtpd_helo_restrictions =
        permit_mynetworks,
        check_helo_access hash:/etc/postfix/helo_access,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        permit

This eliminated about 80% of my spam. The helo_access file allows me
to make exceptions for my clients that have broken networks. In
addition, this file includes rejects for anything coming from itself.
(Handy, since most spammers try to pretend they are you, hoping to get
around your relay restrictions.) It looks similar to this:
mydomain.com      REJECT You are not me!
localhost               REJECT You are not me!
127.0.0.1               REJECT You are not me!
localhost.localdomain   REJECT You are not me!

Next I added this to my main.cf:
  smtpd_sender_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit
Forcing everything to use a fully qualified domain name helped
eliminate a ton of spam. The next item I did was the last of the
lightweight stuff; this catches almost everything else:
smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        check_sender_access
                hash:/etc/postfix/sender_access,
        check_recipient_access
                hash:/etc/postfix/recipient_access,
        check_helo_access
                hash:/etc/postfix/secondary_mx_access,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client sbl-xbl.spamhaus.org,
        permit

The big stuff here is the reject_rbl_client lines. These lines check
the incoming server against relay databases. I used these because they
seemed relatively fair (I don't want valid email getting rejected) and
people are able to get off of these lists since they don't seem to be
Nazis about it.

After adding these items, pretty much the only email getting to ClamAV
and SpamAssassin are valid email messages. This brought the load of my
server back into a manageable place (4-5% CPU load) and makes email
delivery fast again.

-- 
Dallin Jones
www.dallinjones.com
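
Added example, not part of the original post and not Postfix's own code: a simplified Python model of the smtpd_helo_restrictions chain above, showing that the rules are evaluated in order and that permit_mynetworks must come before the helo_access rejects so local hosts may still use the server's own name. The MYNETWORKS ranges and sample sessions are constructed; table lookups are exact-match only, address literals such as [192.0.2.1] are not modelled, and the hostname syntax check is an approximation.

```python
import ipaddress
import re

# Constructed stand-ins: the table mirrors the post's helo_access file;
# MYNETWORKS is an assumed value (documentation ranges), not from the post.
HELO_ACCESS = {
    "mydomain.com": "REJECT You are not me!",
    "localhost": "REJECT You are not me!",
    "127.0.0.1": "REJECT You are not me!",
    "localhost.localdomain": "REJECT You are not me!",
}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
LABEL = re.compile(r"[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")


def valid_hostname(name):
    """Approximate syntax check: dot-separated labels, not purely numeric."""
    labels = name.split(".")
    if len(name) > 255 or all(l.isdigit() for l in labels):
        return False
    return all(LABEL.fullmatch(l) for l in labels)


def evaluate_helo(client_ip, helo):
    """Walk the post's smtpd_helo_restrictions in order; first decision wins."""
    if any(ipaddress.ip_address(client_ip) in net for net in MYNETWORKS):
        return ("permit", "permit_mynetworks")
    hit = HELO_ACCESS.get(helo.lower())  # exact-match lookup only (simplified)
    if hit:
        return ("reject", "check_helo_access: " + hit)
    if "." not in helo:
        return ("reject", "reject_non_fqdn_hostname")
    if not valid_hostname(helo):
        return ("reject", "reject_invalid_hostname")
    return ("permit", "permit")


# Constructed sample sessions: (client IP, HELO argument).
SAMPLES = [
    ("192.0.2.10", "mydomain.com"),        # own host inside mynetworks
    ("203.0.113.7", "mydomain.com"),       # outsider claiming to be us
    ("203.0.113.8", "WINDOWS-PC"),         # bare single-label name
    ("203.0.113.9", "mail..example.net"),  # malformed name
    ("198.51.100.4", "mx1.example.org"),   # ordinary well-formed sender
]

if __name__ == "__main__":
    for ip, helo in SAMPLES:
        print(f"{ip:15} {helo:22} -> {evaluate_helo(ip, helo)}")
```

On a live server, `postmap -q mydomain.com hash:/etc/postfix/helo_access` shows what the real table returns for a given name.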
