Current thinking on spam filters?
I've been running my Linode for a couple years now with:
Postfix
MySQL
Dovecot
Squirrelmail & Roundcube
DSpam
I've got multiple domains and virtual users, and everything is looked up in the MySQL database. DSpam is running as a service (incoming mail goes into DSpam on port 10026, then spam is delivered to a spam folder and ham is delivered to the inbox via Maildrop) … I also have per-user DSpam retraining via a Dovecot plugin that does drag and drop retraining (drag it into the spam folder = false negative, drag it out of the spam folder = false positive.)
This setup is pretty nice, but also relies on having to build several things from source rather than using packages (I use Arch Linux.) So when Arch updates, which is fairly often, if I want to keep up to date at times I may have to rebuild DSpam, Dovecot, the Dovecot spam plugin and/or Maildrop due to various dependencies on packaged libmysql or other things.
What are the current thoughts on spam filtering? I'd like to simplify the whole setup and make it easy to keep the system as a whole up to date, while keeping the ease of use (drag/drop retraining) as well as the awesome accuracy of DSpam (I get a lot of spam and I'm typically at about 98-99% accuracy.) Is spamassassin a viable replacement? What other spam server-side tools are there? Client-side filtering (even just having rules to move tagged spam vs. the server side Maildrop/Procmail action) isn't acceptable to me, nor especially my users.
Just looking for any thoughts, recent ideas, etc. that I can investigate since I haven't really kept up. Any suggestions are most appreciated!
5 Replies
@jed:
I have a number of rules to reject mail that I know is bad
Would you care to share (unless of course it's patent pending)?
@vonskippy:
@jed: I have a number of rules to reject mail that I know is bad
Would you care to share (unless of course it's patent pending)?
I myself stole it from someone on a mailing list, so…sure! I actually removed some of theirs, but this is just the stuff Postfix can do.
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client dnsbl.njabl.org,
reject_unauth_destination
Passing that, mail goes through spamassassin. Way back in the day, I used to run bogofilter, and have multiple folders for training. When I switched to spamassassin I was worried about leaving that behind, but it has been 100% successful. I have no complaints about the filtering, and it's just so much easier to not have to deal with training. spamassassin does have built-in Bayesian learning which works a treat.
Of course exim also runs everything through ClamAV. And any time a mail is going to be rejected, the connection is "tarpitted" for a good long while first. Really slows the spammers down.
Recently I've also implemented Nolisting.
Also, incidentally, I don't believe in having a Spam folder at all. When you implement a Spam folder, you're treating outright, blatant spam with more courtesy (a rejection notice) than you are the borderline stuff (which is effectively a delivery failure with no notice to anybody). I either accept mail or reject it, none of this limbo business.
smtpd_recipient_restrictions =
reject_unknown_sender_domain,
reject_unauth_pipelining,
check_sender_access hash:/etc/postfix/sender,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_unknown_client,
reject_non_fqdn_hostname,
reject_unverified_sender,
reject_unauth_destination,
permit
The "sender" map allows me to whitelist/blacklist domains or addresses
fortunoff@news.fortunoff.com 554 Fuck off spammers - see if I spend money with you again!
money88.com 554 Spam not welcome here
amtrak.com reject_unauth_destination,permit
The "rejectunauthsender" tries to do remote address verification. This is… contentious. It sometimes fails, hence the need for close monitoring and the sender whitelist.
I don't do local submission via smtp so I don't need permit_mynetworks.
On top of this I have an automatic firewall which blocks senders that have failed 25 times in a day to send a message via my machine, and I use spamassassin on the results.
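The "block senders that have failed 25 times in a day" rule above is the kind of thing that is easy to describe and easy to get wrong in an ad-hoc script. As an added example (not code from anyone in this thread), here is a small Python log scanner that counts Postfix `NOQUEUE: reject:` lines per client IP per day and returns the clients at or over a threshold, plus the firewall commands an operator might review before applying. The log lines are constructed here to match the standard Postfix smtpd reject format; the `iptables` rule shape is one assumed way to act on the result, and the `mail` hostname, queue id and `example.*` addresses are made up.

```python
import re
from collections import defaultdict

# Postfix smtpd reject line (syslog timestamp, host, process, then the verdict).
# Constructed sample:
#   Jan 12 10:00:00 mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.45]: 554 5.7.1 ...
# Only the date, the client IP and the three-digit SMTP code are extracted.
REJECT_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+\[(?:IPv6:)?(?P<ip>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) "
)


def parse_reject(line):
    """Return (day_key, client_ip, smtp_code) for a reject line, or None for any other line."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    day_key = f"{m['month']} {int(m['day']):02d}"
    return (day_key, m["ip"], m["code"])


def offenders(lines, threshold=25):
    """Count rejects per (day, client IP) and return a sorted list of
    (day, ip, count) for every client that hit the threshold on that day.
    This mirrors the 'failed 25 times in a day' rule from the thread."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue  # accepted mail, connects, cleanup lines, etc.
        day, ip, _code = parsed
        counts[(day, ip)] += 1
    return sorted((day, ip, n) for (day, ip), n in counts.items() if n >= threshold)


def firewall_commands(hits):
    """One assumed rule shape per offending client: drop further SMTP connections.
    Returned as strings so an operator can review them before running anything."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for _day, ip, _n in hits]


# --- constructed sample log (not real traffic; RFC 5737 documentation addresses) ---
def _reject_line(day, hhmmss, ip, code, reason):
    return (f"Jan {day:2d} {hhmmss} mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: {code} {reason}; from=<sender@example.net> "
            f"to=<user@example.org> proto=ESMTP helo=<mail.example.net>")


SAMPLE_LOG = (
    # 26 RBL rejects from one client in a day: over the threshold
    [_reject_line(12, f"10:{i:02d}:00", "203.0.113.45", "554",
                  "5.7.1 Service unavailable; Client host [203.0.113.45] blocked using zen.spamhaus.org")
     for i in range(26)]
    # 3 HELO rejects from another client: well under it
    + [_reject_line(12, f"11:{i:02d}:00", "198.51.100.7", "504",
                    "5.5.2 <bad.host>: Helo command rejected: need fully-qualified hostname")
       for i in range(3)]
    # normal accepted-mail lines that must be ignored
    + ["Jan 12 12:00:00 mail postfix/smtpd[4242]: connect from mail.example.com[192.0.2.10]",
       "Jan 12 12:00:01 mail postfix/smtpd[4242]: 1A2B3C4D5E: client=mail.example.com[192.0.2.10]"]
)


if __name__ == "__main__":
    for day, ip, n in offenders(SAMPLE_LOG):
        print(f"{day} {ip} rejected {n} times")
    for cmd in firewall_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

Counting per (day, IP) rather than per IP alone keeps a slow sender that trickles a few rejects a day from accumulating into a block, which is the behaviour the "in a day" wording implies; the threshold is a parameter so the same scanner can be used to review lower-volume senders without acting on them.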