I've recently had a couple of bits of spam come through that I've had time to look into:
The first from 184.108.40.206
X-Spam-Status: No, score=1.5 required=5.0 tests=FREEMAIL_FROM,
T_REMOTE_IMAGE autolearn=no autolearn_force=no version=3.4.0
The second from 220.127.116.11
X-Spam-Status: No, score=2.8 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
RCVD_IN_BRBL_LASTEXT autolearn=no autolearn_force=no version=3.4.0
Checking with https://mxtoolbox.com/ shows that both are in blacklists, the first just sorbs spam and the second about ten different ones.
I believe spamassassin checks some blacklists already (http://wiki.apache.org/spamassassin/DnsBlocklists) and postfix seems to be configured with reject_rbl_client zen.spamhaus.org.
I'm wondering whether enabling more blacklists might be a good idea. Sorbs spam, based on my limited data, might be a good one (spamassassin mentions not using by default due to a delisting fee).
I think this would be a good idea, see some discussions in: #760.
Some excellent suggestions by @ned14
I ran for many years a postfix which rejected email during EHLO if the sender were in a RBL.
The effect on spam received is dramatic. About 80-90% is refused before your postfix ever even calls spamassassin.
If the sender is legit, they also get back a useful error message at the point of trying to send their email immediately instead of their email going into your spam folder and you having to remember to occasionally scan the spam folder for legit email.
I'd highly recommend this configuration, but be aware it comes with lots of caveats.
We're already using a RBL: https://github.com/mail-in-a-box/mailinabox/blob/master/setup/mail-postfix.sh#L201
Ach, I've just discovered the reason my mailinabox isn't doing RBL is because I installed it inside an LXC container which is overwriting the nameserver on boot to Google's public DNS which of course spamhaus won't work with. This would explain a very great deal.
Is there any good reason mailinabox doesn't use the 'postscreen' feature in postfix which can weight multiple RBLs amongst other things?
Those interested may find the "very fast postscreen howto" page at http://rob0.nodns4.us/postscreen.html of interest. It looks like they implement a much more sophisticated edition of grey listing, one without the problems the standard greylisting daemon has. I suppose it helps that postscreen was written by Wietse himself and comes built into postfix.
I'm going to try this postscreen configuration adapted from http://rob0.nodns4.us/postscreen.html for a month or so and see if it reduces the ~1600 spams I see in my spam folder per month:
# Check http://rob0.nodns4.us/postscreen.html for an up-to-date list
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_threshold = 3
##postscreen_greet_action = enforce
##postscreen_whitelist_interfaces = 18.104.22.168 !22.214.171.124/29
## !126.96.36.199/29 static:all
You also of course need to enable the postscreen service and disable smtp in master.cf.
This is an extremely conservative configuration not using almost all the features of postscreen. All I've enabled is the multiple weighted RBLs and the fact postscreen is automatically a greylister because it always temp fails the first connection from an IP. We'll see how it fares, I may try ramping up the deep protocol inspectors in postscreen after a month or so. I have verified from the logs that postscreen is working a treat, blocking tons of stuff already.
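As an added illustration (not code from this thread or from Mail-in-a-Box) of how postscreen's weighted RBL scoring differs from a single reject_rbl_client, the snippet below builds the reversed-octet DNSBL query names and sums per-zone weights against a threshold of 3, the value used in the config above. The zone list and weights are a constructed example in the style of postscreen_dnsbl_sites (zone*weight), and the DNS answers are a constructed set rather than live lookups, so it runs offline.

```python
import ipaddress

# Constructed policy modelled on postscreen_dnsbl_sites "zone*weight" syntax.
# zen.spamhaus.org appears in this thread; the other zones and all weights are
# assumptions for illustration, not values from the original post.
DNSBL_SITES = {
    "zen.spamhaus.org": 3,
    "bl.example-rbl.test": 2,   # hypothetical second blocklist
    "list.dnswl.org": -2,       # allowlist: a listing lowers the score
}
THRESHOLD = 3  # same as "postscreen_dnsbl_threshold = 3" in the config above

# Constructed DNS answers: a query name is present when that zone lists the IP.
SAMPLE_DNS_ANSWERS = {
    "5.2.0.192.zen.spamhaus.org",
    "5.2.0.192.bl.example-rbl.test",
    "7.100.51.198.bl.example-rbl.test",
    "9.113.0.203.zen.spamhaus.org",
    "9.113.0.203.list.dnswl.org",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, as a DNSBL lookup does:
    192.0.2.5 in zen.spamhaus.org -> 5.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 lookups are shown here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def postscreen_score(ip: str, answers: set) -> int:
    """Sum the weight of every zone whose query name has an answer."""
    return sum(weight for zone, weight in DNSBL_SITES.items()
               if dnsbl_query_name(ip, zone) in answers)


def postscreen_decision(ip: str, answers: set) -> str:
    """Mimic postscreen_dnsbl_action=enforce: reject once score >= threshold."""
    return "reject" if postscreen_score(ip, answers) >= THRESHOLD else "pass"


if __name__ == "__main__":
    for client in ("192.0.2.5", "198.51.100.7", "203.0.113.9"):
        score = postscreen_score(client, SAMPLE_DNS_ANSWERS)
        print(f"{client}: score={score} -> {postscreen_decision(client, SAMPLE_DNS_ANSWERS)}")
```

Note how 203.0.113.9 is listed by the weight-3 zone yet still passes, because the allowlist entry subtracts 2; a plain reject_rbl_client on that zone alone would have refused it.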
@ned14 How did you go with trialing your proposed postscreen config?
What changes did you make to the MIAB Postfix/Postgrey/SpamAssassin configs to support using postscreen?
@josephbu Let's see. I installed the above config about seven weeks ago. Since then I've received about 200 items into my spam folder. This compares to around 1600 per month, so this config basically reduced the spam landing in the spam folder by about 14 times. My config is as above, it's nothing special.
Do note due to the bad DNS config I was probably effectively running without RBL blocking before, so a properly configured mailinabox won't see as dramatic a drop. I will say that postscreen has MUCH better error handling and reporting.
@ned14 thanks for the information! I've enabled postscreen in my MIAB install and will see how it goes, so far it's been positive.
I like the idea of using postscreen up front, it will minimise the amount of work that SpamAssassin has to do which means a happier box :-)
The scoring method available for RBLs in postscreen is better than just using the RBL's natively in Postfix's smtpd, and allows more flexibility.