spam getting through - RBL options #910

Open
stan3 opened this Issue Aug 16, 2016 · 11 comments


@stan3
Contributor
stan3 commented Aug 16, 2016

I've recently had a couple of bits of spam come through that I've had time to look into:

The first from 213.174.90.233

X-Spam-Status: No, score=1.5 required=5.0 tests=FREEMAIL_FROM,
    HTML_IMAGE_ONLY_28,HTML_MESSAGE,MPART_ALT_DIFF,RCVD_IN_DNSWL_NONE,
    T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.0

The second from 103.229.176.138

X-Spam-Status: No, score=2.8 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
    RCVD_IN_BRBL_LASTEXT autolearn=no autolearn_force=no version=3.4.0

Checking with https://mxtoolbox.com/ shows that both are in blacklists, the first just sorbs spam and the second about ten different ones.

I believe spamassassin checks some blacklists already (http://wiki.apache.org/spamassassin/DnsBlocklists) and postfix seems to be configured with reject_rbl_client zen.spamhaus.org.

I'm wondering whether enabling more blacklists might be a good idea. Sorbs spam, based on my limited data, might be a good one (spamassassin mentions not using by default due to a delisting fee).

@yodax
Collaborator
yodax commented Aug 18, 2016

I think this would be a good idea, see some discussions in: #760.

Some excellent suggestions by @ned14

@ned14
ned14 commented Aug 18, 2016

I ran for many years a postfix which rejected email during EHLO if the sender were in an RBL.

The effect on spam received is dramatic. About 80-90% is refused before your postfix ever even calls spamassassin.

If the sender is legit, they also get back a useful error message at the point of trying to send their email immediately instead of their email going into your spam folder and you having to remember to occasionally scan the spam folder for legit email.

I'd highly recommend this configuration, but be aware it comes with lots of caveats.

@ned14
ned14 commented Aug 23, 2016

Ach, I've just discovered the reason my mailinabox isn't doing RBL is because I installed it inside an LXC container which is overwriting the nameserver on boot to Google's public DNS which of course spamhaus won't work with. This would explain a very great deal.

@ned14
ned14 commented Aug 23, 2016

Is there any good reason mailinabox doesn't use the 'postscreen' feature in postfix which can weight multiple RBLs amongst other things?

@JoshData
Member

Dunno.

@ned14
ned14 commented Aug 23, 2016

Those interested may find the "very fast postscreen howto" page at http://rob0.nodns4.us/postscreen.html of interest. It looks like they implement a much more sophisticated edition of grey listing, one without the problems the standard greylisting daemon has. I suppose it helps that postscreen was written by Wietse himself and comes built into postfix.

@ned14
ned14 commented Aug 24, 2016

I'm going to try this postscreen configuration adapted from http://rob0.nodns4.us/postscreen.html for a month or so and see if it reduces the ~1600 spams I see in my spam folder per month:

# Check http://rob0.nodns4.us/postscreen.html for up to date list
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
##postscreen_dnsbl_reply_map =
##        pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
# Each entry is domain[=reply filter][*weight]; entries without *weight count as 1,
# negative weights are whitelists that subtract from the score
postscreen_dnsbl_sites =
        zen.spamhaus.org*3
        b.barracudacentral.org*2
        bl.spameatingmonkey.net*2
        bl.spamcop.net
        dnsbl.sorbs.net
        psbl.surriel.com
        bl.mailspike.net
        swl.spamhaus.org*-4
        list.dnswl.org=127.[0..255].[0..255].0*-2
        list.dnswl.org=127.[0..255].[0..255].1*-3
        list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
# A client whose combined score reaches this value is handled per postscreen_dnsbl_action
postscreen_dnsbl_threshold = 3
##postscreen_greet_action = enforce
##postscreen_whitelist_interfaces = 207.223.116.211 !207.223.116.208/29
##        !216.23.247.72/29 static:all

You also of course need to enable the postscreen service and disable smtp in master.cf.

This is an extremely conservative configuration not using almost all the features of postscreen. All I've enabled is the multiple weighted RBLs and the fact postscreen is automatically a greylister because it always temp fails the first connection from an IP. We'll see how it fares, I may try ramping up the deep protocol inspectors in postscreen after a month or so. I have verified from the logs that postscreen is working a treat, blocking tons of stuff already.

@josephbu

@ned14 How did you go with trialing your proposed postscreen config?

What changes did you make to the MIAB Postfix/Postgrey/SpamAssassin configs to support using postscreen?

@ned14
ned14 commented Oct 13, 2016 edited

@josephbu Let's see. I installed the above config about seven weeks ago. Since then I've received about 200 items into my spam folder. This compares to around 1600 per month, so this config basically reduced the spam landing in the spam folder by about 14 times. My config is as above, it's nothing special.

Do note due to the bad DNS config I was probably effectively running without RBL blocking before, so a properly configured mailinabox won't see as dramatic a drop. I will say that postscreen has MUCH better error handling and reporting.

@josephbu

@ned14 thanks for the information! I've enabled postscreen in my MIAB install and will see how it goes, so far it's been positive.

I like the idea of using postscreen up front, it will minimise the amount of work that SpamAssassin has to do which means a happier box :-)

The scoring method available for RBLs in postscreen is better than just using the RBLs natively in Postfix's smtpd, and allows more flexibility.
