Slashdot Mirror


How To Fight Spam Using Your Postfix Configuration

hausmasta writes, "In this guide you will learn how to tweak your virtual Postfix setup to better combat spam by stopping the mail before it hits SpamAssassin, using RBL (Realtime Blacklists) and RHBL (slightly different), greylistings, and Helo Checks." A clear, step-by-step guide to a complex subject.


  1. Re:bad idea... by Fez · Score: 0, Troll
    1) He mentioned a static setup. 2) His ToS with his ISP is of no relevance or importance to you, nor should it be to the decision to accept mail. 3) You're an optimist. I have watched many people try to have static IP addresses delisted from many RBLs with no success whatsoever (and not due to spam coming from them, but because the RBL administrators said "static or not, you're an ISP customer, use their server").


    It's not really his place as the customer to deal with the blacklist, the ISP should be doing that. If I had a customer come to me and tell me they got blacklisted just because of their IP range, I would contact the RBL on their behalf. It's my netblock after all. At least with SORBS they require contact with the network owner. Also, the ISP should have something to the effect of '.static.' somewhere in the reverse DNS for the netblock containing static IPs to avoid this. I am an optimist, but I also have dealt with this on some occasions.

    Also, if he has his own domain, the ISP could set up his static IP to reverse resolve to his own domain. Toss in an SPF record, and I find it hard to believe he couldn't get delisted.

    He should be in contact with his ISP if he wants it to work. He's paying them to handle his mail, among other things, so why shouldn't they work with him? If they won't, then get another ISP that will.

    Says who? Why? Clue: abuse by malcontents is not a legitimate reason.


    Says just about every admin who is sick to death of spam from compromised zombie machines. Why should mail be allowed to flow from end users directly to mail servers? Why is it against the law in the US for anyone but a mail carrier to put things in a mailbox? Forcing people to go through proper mail servers provides an extra layer of protection and accountability. The ISP will likely see the spammers and cut them off (or at least raise flags when the ISP's server itself gets blacklisted!), and there is little to gain by allowing everyone access.

    Here's the mail server stats from yesterday on one server:
    108125 sbl-xbl.spamhaus.org
     29350 dynablock.njabl.org
     11938 dul.dnsbl.sorbs.net
      1586 dsn.rfc-ignorant.org
      1465 web.dnsbl.sorbs.net
       181 rhsbl.sorbs.net
       133 http.dnsbl.sorbs.net
       108 cbl.abuseat.org
        83 socks.dnsbl.sorbs.net
        63 relays.ordb.org
         2 misc.dnsbl.sorbs.net
         1 smtp.dnsbl.sorbs.net

    Over 40,000 rejected messages from dynamic IP ranges. (I can't use the SORBS composite list because one of their RBLs has a habit of blocking yahoo, hotmail, etc. I'd love to block them but my customers don't agree...)

    I have yet to hear a single solitary complaint from anyone who had a message rejected by a dynamic range RBL, though I have had complaints about several other RBLs. We stopped using Spamcop's RBL because of too many complaints from customers.

    And since when is abuse not a reason to close something off? Let me paraphrase: "Why aren't all servers open relays? Abuse by malcontents is not a legitimate reason." or "Why should I validate the input in my web application? Abuse by malcontents is not a legitimate reason." - We're talking about a security hole here, not fair use rights.

    Spam is, unfortunately, not going away anytime soon. So we have to do whatever we can to block it and keep customers happy.
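
A per-list tally like the one in the comment above can be produced from Postfix's own smtpd reject lines. This is an added example, not part of the original comment: the sample log lines are constructed, and treating dynablock.njabl.org and dul.dnsbl.sorbs.net as the "dynamic IP ranges" lists is an assumption based on the counts shown.

```python
import re
from collections import Counter

# Constructed sample lines in the standard Postfix smtpd log format (not real traffic).
SAMPLE_LOG = """\
Oct  3 04:12:01 mx1 postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Oct  3 04:12:02 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<a@example.com> to=<u@example.org> proto=SMTP helo=<pc1>
Oct  3 04:12:09 mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using sbl-xbl.spamhaus.org; from=<b@example.com> to=<v@example.org> proto=SMTP helo=<pc1>
Oct  3 04:13:40 mx1 postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using dul.dnsbl.sorbs.net; from=<c@example.com> to=<u@example.org> proto=SMTP helo=<pc2>
Oct  3 04:14:11 mx1 postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[203.0.113.44]: 554 Service unavailable; Client host [203.0.113.44] blocked using dynablock.njabl.org; from=<d@example.com> to=<u@example.org> proto=SMTP helo=<pc3>
Oct  3 04:15:30 mx1 postfix/smtpd[2104]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 554 Service unavailable; Sender address [bounce@example.net] blocked using rhsbl.sorbs.net; from=<bounce@example.net> to=<u@example.org> proto=ESMTP helo=<mail.example.net>
Oct  3 04:16:02 mx1 postfix/smtpd[2105]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 504 <pc5>: Helo command rejected: need fully-qualified hostname; from=<x@example.com> to=<u@example.org> proto=SMTP helo=<pc5>
"""

# Assumption: these two zones are the dynamic-range lists the comment totals.
DYNAMIC_ZONES = {"dynablock.njabl.org", "dul.dnsbl.sorbs.net"}

# Matches both "Client host [...] blocked using" (RBL) and
# "Sender address [...] blocked using" (RHSBL) rejections.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[^\]]+)\]: "
    r"\d{3} .*? blocked using (?P<zone>[A-Za-z0-9.-]+);"
)

def tally_rejects(log_text):
    """Return (rejections per DNSBL zone, distinct client IPs per zone)."""
    hits, clients = Counter(), {}
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:  # connects, HELO rejects, greylisting deferrals, etc.
            continue
        zone = m["zone"].lower()
        hits[zone] += 1
        clients.setdefault(zone, set()).add(m["ip"])
    return hits, clients

def dynamic_total(hits):
    """Rejections attributable to the dynamic-range lists."""
    return sum(hits[z] for z in DYNAMIC_ZONES)

def report(hits):
    """Format counts like the listing in the comment, largest first."""
    return [f"{n:>7} {zone}" for zone, n in hits.most_common()]

if __name__ == "__main__":
    hits, clients = tally_rejects(SAMPLE_LOG)
    print("\n".join(report(hits)))
    print("dynamic-range rejections:", dynamic_total(hits))
```

Counting distinct client IPs per zone alongside raw rejections shows whether a large number comes from many hosts or from a few hosts retrying.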