Domain: securitysage.com
Stories and comments across the archive that link to securitysage.com.
Comments · 10
-
Re:SpamAssassin is too costly.
Pushing all messages through SpamAssassin would be simply silly. As always you should first use the cheap checks, and only use the very expensive ones like SA until the last moment. You should balance your anti-spam configuration with the risk of false-positives, because some checks may work well in theory but don't work at all in the reality of the internet. Many mailservers have bugs or configurations that would cause you to block legitimate mail, and if you block a false positive at the mailserver level, you can't drag it out of your spam mailbox later.
In other words, read before you do and run in 'warn-before-act' mode for a while. It's for example possible but not practical to check for existence of the sender's address, even though that would work wonders against spam.
If you're using Postfix, there are many check you can do before your heavy filter steps in.
Good resources are:
http://www.securitysage.com/antispam/intro.html
http://jimsun.linxnet.com/misc/postfix-anti-UCE.tx t
After doing a bunch of Postfix header checks (such as valid fqdn domains, existing recipients, some RFC-compliance, etc) I check several conservative blacklists, such sbl-xbl.spamhaus.org (with is great), check against my greylisting policy-server, and only then feed it through the bayesian spamfilter (dspam in my case). A last check is amavisd-new which checks for viruses and disallowed filetypes.
This stops (if I recall correctly) 90% of spam *before* it reaches the spamfilter. Only 2-3 messages a week reach my inbox undetected. -
Re:Challenge Response Spam
I'd be interested to know which blacklists are by domain, not by sending IP address
Here you go.
-
Puh-lease...
...disable your catchall-address on your 4 domains, and only set up the addresses you need. You will see that the rate of spam you get will drop.
Furthermore the overall traffic you cause on the net will drop also, because the spam will be blocked directly at the mailserver with a 550. The mail will not be transmitted at all.
There are at least a dozen of other methods to block mail from entering a mailserver (given you really have admin-rights on the MX of your domains). There is no need to forward 3000 mails a day to some unlucky bureaucrat.
Please see:
Greylisting - the next step in the spam-control war (generic)
Anti-UCE Cheat-Sheet (Postfix)
Security-Sage Anti-Spam Guide (Postfix) -
Re:SMTP time scanning, finally.
I've been rejecting spam via header and body checks with postfix for about that long myself... Thanks Security Sage!
-
Re:insight needed
I don't see any compelling reasons to migrate if everything is working fine in Qmail.
If you want a cookbook on how to set up Postfix and SpamAssassin and friends, there are several really good resources: Jeffrey Posluns, Jim Seymour, Meng Wong (old but still useful). Posluns' guide is probably where you should start first.
-
Re:Not sure you're getting it
Sure! These are things you can do if you are using Postfix as your MTA.
In your main.cf file include this at the bottom
body_checks = regexp:/etc/postfix/spammerbodies
Learn more here about main.cf and other cool spam protections here:
http://www.afp548.com/Articles/mail/spam2.html including a really great RBL configuration.
Create a spammerbodies file and include this line
# various encoded URL formats. if they're trying to disguise the URL then they're up to no good /(ftp|https?):\/\/([^\/]*@)?([01]{10,})?(\d+|00+\d +(\.00+\d+){3}|[\%0-9a-zA-Z\.\?_-]*\%[\%0-9a-zA-Z\ .\?_-]+)(:\d+)?(\/|"|\s|$)/ REJECT
You can get a full list of other scripts here:
http://www.securitysage.com/guides/postfix_uce_bod y.html
and here
http://www.hispalinux.es/~data/postfix/
Hope that helps. -
Re:beats the hell outta sendmail...
I'm a real big fan of Security Sage's postfix configuration. The cover pretty much everything interesting regarding Postfix except LDAP. Jason
-
Re:The real solution to spam.
It's been done, thankfully without finger.
-
Re:Reject Executable AttachementsIt's a very good idea these days to just reject all executable attachments...
If you want to send someone an executable, send it to them in a zip or tar.gz.All this does is moves the problem around. It's not a very good idea at all (though unfortunately it's a compelling one).
1. Soon enough, executable malware will shroud itself in a
.zip wrapper (some of it already does), and at the same time, "for convenience", new idiot-aligned (made by and for) email software will make it easy to open attachments inside zip attachments.2. Meanwhile, it becomes harder and harder for the rest of us to use e-mail at all, as the number of proscribed message attributes grows and grows. I'm a Unix user, I want to send a fellow Unix user a script which I've placed in a file which I unthinkingly gave a name ending in ".scr", and though the file is not dangerous to me or my recipient or anyone else, it's filtered out on behalf of people who use an operating system which neither I nor my recipient use. Bleah.
The referenced header checks disallow 53 different filename extensions, all of which I now presumably have to remember to avoid using. (The problem is of course exacerbated by Windows' stubborn insistence that extension === file type.)
-
Reject Executable Attachements
It's a very good idea these days to just reject all executable attachments at "the gates" so to speak. I use postfix 1.1 so I added:
body_checks = pcre:/etc/postfix/mime_header_checks
to /etc/main.cf where the file referenced came from here:
http://www.securitysage.com/files/mime_header_chec ks
but there are many regular expression filters like this one. Note, with 2.x you need to use the 'mime_header_checks' directive rather than 'body_checks'.
If you want to send someone an executable, send it to them in a zip or tar.gz.