Anti Spam Landscape
Kimball Larsen
kimball at kimballlarsen.com
Wed Jul 18 08:59:28 MDT 2007
On Jul 17, 2007, at 10:25 PM, Dallin Jones wrote:
> I do a few different things. I started having a lot of troubles with
> my mail server when it started getting spammed pretty bad. I have
> Postfix using Amavis to push the email through ClamAV and SpamAssassin.
> My server was brought to its knees. It was running at 98-99%
> processor load and it would take hours for email to go through. So
> here is what I did:
>
> First I added a helo restriction using this:
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     check_helo_access hash:/etc/postfix/helo_access,
>     reject_non_fqdn_hostname,
>     reject_invalid_hostname,
>     permit
>
> This eliminated about 80% of my spam. The helo_access file allows me
> to make exceptions for my clients that have broken networks. In
> addition, this file includes rejects for anything coming from itself.
> (Handy since most Spammers try to pretend they are you, hoping to get
> around your relay restrictions) It looks similar to this:
> mydomain.com REJECT You are not me!
> localhost REJECT You are not me!
> 127.0.0.1 REJECT You are not me!
> localhost.localdomain REJECT You are not me!
>
This is an interesting (to me) approach. I've tried to use it, but
get the following:
fatal: open database /etc/postfix/helo_access.db: Inappropriate file type or format
I admit, all I did was copy and slightly modify the above lines to
see what it would do. :)
> Next I added this to my main.cf
> smtpd_sender_restrictions =
>     permit_sasl_authenticated,
>     permit_mynetworks,
>     reject_non_fqdn_sender,
>     reject_unknown_sender_domain,
>     permit
> Forcing everything to use a fully qualified domain name helped
> eliminate a ton of spam. The next item I did was the last of the light
> weight stuff, this catches almost everything else:
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     check_sender_access hash:/etc/postfix/sender_access,
>     check_recipient_access hash:/etc/postfix/recipient_access,
>     check_helo_access hash:/etc/postfix/secondary_mx_access,
>     reject_rbl_client list.dsbl.org,
>     reject_rbl_client sbl-xbl.spamhaus.org,
>     permit
>
This is also valuable stuff as well, as there are a few directives
here that I've not seen before. I wanted to ask about the format of
the sender_access, recipient_access, and secondary_mx_access files to
which you refer above. Are these basically whitelists? If so, how do
you format the files?
I feel like such a noob. :)
-- Kimball
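The exchange above hinges on two things: the text format of a Postfix access map (one `key  action` pair per line, which `postmap hash:/etc/postfix/helo_access` compiles into the `.db` file that smtpd actually opens) and the order in which a restriction list is walked, where the first restriction that says PERMIT or REJECT wins. The following is an added example, not code from either poster and not Postfix itself: a small Python model that parses an access map in that text format and evaluates Dallin's `smtpd_helo_restrictions` chain against constructed client IPs and HELO names. The network ranges, the `broken-client.example` exception, and the simplified parent-domain and hostname-syntax rules are assumptions made for illustration; consult the Postfix `access(5)` and `postconf(5)` manuals for the exact semantics.

```python
"""Toy model of Postfix access-map lookups and a smtpd_helo_restrictions chain.

Added example; assumptions (not Postfix's real code) are marked below.
"""
import ipaddress
import re

# Constructed access map in the text format that postmap reads.
# Format: key, whitespace, action, optional text returned to the client.
HELO_ACCESS_TEXT = """
# Lines starting with '#' are comments; blank lines are ignored.
mydomain.com            REJECT You are not me!
localhost               REJECT You are not me!
127.0.0.1               REJECT You are not me!
localhost.localdomain   REJECT You are not me!
# hypothetical exception for a client whose HELO is broken
broken-client.example   OK
"""

# Assumed $mynetworks for this model (constructed ranges).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]

# One DNS label: alphanumerics and '-', not starting or ending with '-'.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def parse_access_map(text):
    """Parse access(5)-style text into {key: action}; keys are lowercased."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, action = line.partition(" ")
        table[key.lower()] = action.strip()
    return table


def lookup(name, table):
    """Look up a HELO name or IP the way an access map is searched (simplified):
    hostnames fall back to parent domains, IPv4 addresses to shorter prefixes."""
    name = name.lower().strip("[]")
    parts = name.split(".")
    try:
        ipaddress.ip_address(name)
        candidates = [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    except ValueError:
        candidates = [".".join(parts[i:]) for i in range(len(parts))]
    for candidate in candidates:
        if candidate in table:
            return table[candidate]
    return None


def is_fqdn(name):
    """reject_non_fqdn_hostname model: needs at least one dot and no empty label."""
    labels = name.strip("[]").split(".")
    return len(labels) >= 2 and all(labels)


def valid_hostname(name):
    """reject_invalid_hostname model: every label must be syntactically valid."""
    labels = name.lower().strip("[]").split(".")
    return all(LABEL.match(label) for label in labels)


def evaluate_helo(client_ip, helo_name, access_map):
    """Walk the chain in the quoted order; first PERMIT/REJECT decision wins."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MYNETWORKS):          # permit_mynetworks
        return ("PERMIT", "permit_mynetworks")
    action = lookup(helo_name, access_map)            # check_helo_access
    if action is not None:
        if action.startswith("REJECT"):
            return ("REJECT", action)                 # map text goes to the client
        if action == "OK":
            return ("PERMIT", "check_helo_access")
    if not is_fqdn(helo_name):                        # reject_non_fqdn_hostname
        return ("REJECT", "reject_non_fqdn_hostname")
    if not valid_hostname(helo_name):                 # reject_invalid_hostname
        return ("REJECT", "reject_invalid_hostname")
    return ("PERMIT", "permit")                       # final permit


if __name__ == "__main__":
    table = parse_access_map(HELO_ACCESS_TEXT)
    for ip, helo in [("203.0.113.5", "mydomain.com"), ("203.0.113.5", "mail.mydomain.com"),
                     ("192.168.1.20", "localhost"), ("203.0.113.5", "mailserver"),
                     ("203.0.113.5", "bad_host.example"), ("203.0.113.5", "mx1.example.net")]:
        print(ip, helo, "->", evaluate_helo(ip, helo, table))
```

Two points the model makes visible: a client on `$mynetworks` is permitted before the access map is ever consulted, so the "You are not me!" entries only bite outside connections, and a subdomain of `mydomain.com` in the HELO is caught by the parent-domain fallback rather than needing its own line.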
More information about the PLUG
mailing list