Gents,

I have added the following to /etc/mail/sendmail.mc and rebuilt it trying to control spam. I still get about 25 spam messages a day.
Is there something else that can help control spam?

Thanks

jerry
---------------------------
dnl #
dnl # dnsbl - DNS based Blackhole List/Black List/Rejection list
dnl # See http://www.sendmail.org/m4/features.html#dnsbl
dnl #
FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
FEATURE(`dnsbl', `relays.ordb.org', `"Spam blocked see: http://ordb.org/lookup/?host="$&{client_addr}')dnl
FEATURE(`dnsbl', `cbl.abuseat.org', `"Spam blocked see: http://cbl.abuseat.org/lookup.cgi?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"Spam blocked see: http://spamhaus.org/query/bl?ip="$&{client_addr}')dnl
FEATURE(`dnsbl', `list.dsbl.org', `"Spam blocked see: http://dsbl.org/listing?"$&{client_addr}')dnl
dnl #

On 10/24/06, Jerry Geis <geisj at pagestation.com> wrote:
> Gents,
>
> I have added the following to /etc/mail/sendmail.mc and rebuilt it
> trying to control spam. I still get about 25 spam messages a day.
> Is there something else that can help control spam?

spamassassin. It's even provided in the base distro.

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell

centos-bounces at centos.org <> scribbled on Tuesday, October 24, 2006 9:22 PM:
> Gents,
>
> I have added the following to /etc/mail/sendmail.mc and
> rebuilt it trying to control spam. I still get about 25 spam
> messages a day.
> Is there something else that can help control spam?
>
> Thanks

MailScanner

http://www.mailscanner.info

Mike

Jerry Geis wrote:
> Gents,
>
> I have added the following to /etc/mail/sendmail.mc and rebuilt it
> trying to control spam. I still get about 25 spam messages a day.
> Is there something else that can help control spam?

Running spamassassin + clamav and a few RBLs seemed to make a big dent in it for me, but a fair amount of crap still gets through.

Frankly, I guess I'll never understand the mindset of the spammer. They go out of their way to circumvent spam controls for people who *obviously* don't want to receive those ads. It's like me telling my mum I don't like liver so she goes out of her way to sneak it into my diet knowing I'll gag on each bite. (no, my mum really knows I hate liver and doesn't do that...heh)

I wish the penalties for polluting the internet were half as potent as those for polluting the ocean. Perhaps then we'd see some improvement.

Cheers,

On Tue, 24 Oct 2006, Jerry Geis wrote:
> Gents,
>
> I have added the following to /etc/mail/sendmail.mc and rebuilt it
> trying to control spam. I still get about 25 spam messages a day. Is
> there something else that can help control spam?

CentOS provides spamassassin 3.0.6, but I've installed spamassassin 3.1.7 and spamass-milter from rpmforge. Running your spam scanner as a milter allows you to reject egregious spam during the SMTP transaction.

I haven't done as much tuning as I'd like, but my current setup includes

INPUT_MAIL_FILTER(`clamav-milter', `S=local:/var/clamav/clmilter.sock, F=T, T=S:3m;R:3m')
INPUT_MAIL_FILTER(`spamassassin', `S=unix:/var/run/spamass.sock, F=, T=C:15m;S:4m;R:4m;E:10m')
define(`confMILTER_MACROS_CONNECT', `b, j, _, {daemon_name}, {if_name}, {if_addr}')
FEATURE(`dnsbl', `sbl-xbl.spamhaus.org', `"554 Mail rejected - http://www.spamhaus.org/query/bl?ip="$&{client_addr}')

The percentage of messages rejected during SMTP transactions breaks down (for me) like this:

74% == spamhaus
21% == spamassassin
 2% == unresolvable sender domain
<1% == clamav

There's a range of spam (scores 5.0 - 10.0) that's accepted for delivery but marked as spam; people can procmail those as they see fit.

I think the spamhaus numbers get inflated because the sending servers are typically bots that are set to try delivery several times before giving up.

--
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com

> MailScanner
>
> http://www.mailscanner.info
>

I must second this suggestion, MailScanner puts all the pieces together, and at least in my instance, filters 98%+ of the spam.

> > What RBL's, if any, do you use if we may ask?
>
> I currently use:
>
> sbl-xbl.spamhaus.org
> dnsbl.ahbl.org
> list.dsbl.org
> dnsbl.sorbs.net
> bl.spamcop.net
> dnsbl.njabl.org
> spews.dnsbl.sorbs.net
> cbl.abuseat.org
> relays.ordb.org

Just FYI, it's my understanding that the cbl.abuseat.org list is included in the sbl-xbl.spamhaus.org list so you can save yourself the DNS query.

Also, the use of spamcop should (in my opinion) be suggested with a caveat that the user read up on their own description of their criteria for blocking mail. I have seen large email providers and even ISPs etc blocked by this list, even if temporarily.

Just my 2 cents,

Alex

On Tue, Oct 24, 2006 at 10:22:26PM -0400, Jerry Geis wrote:
> Gents,
>
> I have added the following to /etc/mail/sendmail.mc and rebuilt it
> trying to control spam. I still get about 25 spam messages a day.
> Is there something else that can help control spam?
>
> Thanks
>
> jerry
> ---------------------------
> dnl #
> dnl # dnsbl - DNS based Blackhole List/Black List/Rejection list
> dnl # See http://www.sendmail.org/m4/features.html#dnsbl
> dnl #
> FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see:
> http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
> FEATURE(`dnsbl', `relays.ordb.org', `"Spam blocked see:
> http://ordb.org/lookup/?host="$&{client_addr}')dnl
> FEATURE(`dnsbl', `cbl.abuseat.org', `"Spam blocked see:
> http://cbl.abuseat.org/lookup.cgi?ip="$&{client_addr}')dnl
> FEATURE(`dnsbl', `sbl.spamhaus.org', `"Spam blocked see:
> http://spamhaus.org/query/bl?ip="$&{client_addr}')dnl
> FEATURE(`dnsbl', `list.dsbl.org', `"Spam blocked see:
> http://dsbl.org/listing?"$&{client_addr}')dnl
> dnl #

There have been a lot of replies (some very good) on this subject already, but I feel I have to drop my 2 cents on this subject, since spam control is a good part of what I do.

It is fairly trivial to get to a point where you have a spam control system with 75% efficiency (with 1% to 2% false positives). Just implementing RBLs, greylisting and spamassassin will do that. SPF might also help a bit here.

With a bit more work, you can get to 85% efficiency, keeping the same level of false positives (rate limiting and various access control rules).

After that point, it starts to get ugly. We currently manage to have 96% efficiency (false positives around 0.001%), and that's a daily battle. Spam traps and new rules almost every day (5 days a week, at least).

For those interested, these are the RBLs I use:

sbl-xbl.spamhaus.org
relays.ordb.org
dnsbl.njabl.org

Dropped spamcop some months ago.

[]s

--
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

> After that point, it starts to get ugly. We currently manage
> to have 96% efficiency (false positives around 0.001%), and
> that's a daily battle. Spam traps and new rules almost every
> day (5 days a week, at least).
>
> For those interested, these are the RBLs I use:
> sbl-xbl.spamhaus.org
> relays.ordb.org
> dnsbl.njabl.org
>
> Dropped spamcop some months ago.
>
> []s
>
> - --
> Rodrigo Barbosa

One other thing that it may be good to point out is the course that the postfix group seems to be taking which is sanity checking incoming email before the DATA state. This is well worth checking out and I would guess that any well-maintained MTA would support this type of thing.

So your rbl checks/helo checks/hostname and mx checks happen before the mail is received. This greatly reduces the amount of processing time on the MTA and allows it to handle far more mail in these spam-predominant times. You don't want to block most of your spam with a perl script IMHO.

On our MTA, between the aforementioned and greylisting we block enough spam for it to be manageable on the back end with very, very few false-positives and close to zero maintenance.

I'm sure that if we wanted to block more we could spend a lot more time setting up traps/writing SpamAssassin rules etc. But we're quite happy with this setup.

FYI, rbls we use are:

relays.ordb.org
list.dsbl.org
sbl-xbl.spamhaus.org <-- best one
dul.dnsbl.sorbs.net

the last being the only one I've seen any false positives on and only 2 since we set it up. YMMV.

alex

Jerry Geis wrote:
> Gents,
>
> I have added the following to /etc/mail/sendmail.mc and rebuilt it
> trying to control spam. I still get about 25 spam messages a day.
> Is there something else that can help control spam?
>
> Thanks
>
> jerry
> ---------------------------
> dnl #
> dnl # dnsbl - DNS based Blackhole List/Black List/Rejection list
> dnl # See http://www.sendmail.org/m4/features.html#dnsbl
> dnl #
> FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see:
> http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
> FEATURE(`dnsbl', `relays.ordb.org', `"Spam blocked see:
> http://ordb.org/lookup/?host="$&{client_addr}')dnl
> FEATURE(`dnsbl', `cbl.abuseat.org', `"Spam blocked see:
> http://cbl.abuseat.org/lookup.cgi?ip="$&{client_addr}')dnl
> FEATURE(`dnsbl', `sbl.spamhaus.org', `"Spam blocked see:
> http://spamhaus.org/query/bl?ip="$&{client_addr}')dnl
> FEATURE(`dnsbl', `list.dsbl.org', `"Spam blocked see:
> http://dsbl.org/listing?"$&{client_addr}')dnl
> dnl #
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

This question is probably inappropriate for this list, but maybe someone can answer it.

Let's pretend I have a network behind a firewall. And let's pretend that the users behind that firewall are both beyond my control, and have a non-zero population of idiots. And further, let's pretend that these idiots have done something to land my firewall's internet IP on a blacklist.

So now let's pretend I have a different system on the internet, running sendmail, that I would like to use to relay mail out through, for myself and a few carefully selected non-idiot users. And let's further pretend that this server is a secondary MX for a whole bunch of domains and so gets pounded with spam.

OK, I set up this server so that it grants RELAY permission in /etc/mail/access to the IP address that is on the blacklist and everything works.

Now I see the above post and think that adding dnsbl features to this sendmail might be a good way of reducing inbound spam.

So my question is: if my system has granted RELAY permission to a system which is in a dnsbl used by the sendmail configuration, does the sendmail RELAY, or does it deny the connection attempt?

Thanks for wading through this completely hypothetical situation. :)

John Hinton wrote:
>
> I don't think my users would be too happy with greylisting, unless it
> was done only on blocklist, as they have come to enjoy the immediate
> delivery of email. Also, greylisting has the potential of
> hurting other
> ISPs, clogging their systems, just because they signed up a
> few 'stupid
> users' who got the latest virus/trojan. If you think back to
> some of the
> more successful viruses, mailservers everywhere suffered with many
> choking and going down. Adding to their mail queues isn't so nice.

While I have had a couple of mailservers that were sending legitimate mail complain about this (greylisting all mail), the vast majority have had no problem with it. I use the postgrey script (has its own yum repo too :) and after a 5 minute delay the first time a triplet (client/sender/recipient) is seen it is auto-whitelisted. And the greylisting happens after all sanity checks and rbls.

Vastly reduced spam from spambots which tend to just blast the mail out with no concern for the response. But I only have 200+ mailboxes and around 15-20k emails a day, so YMMV.

I think the bottom line is that you have to pick your MTA/Content filter and then get on the mailing list and pay attention. It's an on-going war and there is no set-it and forget-it.

alex

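
[Added example, not part of the message above and not postgrey's code.] A minimal model of the triplet greylisting described there, with the 5 minute delay and auto-whitelisting on a correct retry. The class name, reply strings, and the constructed addresses are assumptions; entry expiry is left out.

```python
import time


class Greylist:
    """Defer the first attempt of each (client, sender, recipient) triplet;
    accept and whitelist it once a retry arrives after the delay."""

    def __init__(self, delay=300, clock=time.time):
        self.delay = delay          # seconds; 5 minutes as in the post
        self.clock = clock          # injectable so the demo needs no waiting
        self.first_seen = {}        # triplet -> time of first attempt
        self.whitelisted = set()    # triplets that retried correctly

    def check(self, client_ip, sender, recipient):
        """Return the SMTP reply to give at RCPT TO for this triplet."""
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet in self.whitelisted:
            return "250 OK"
        now = self.clock()
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen >= self.delay:
            self.whitelisted.add(triplet)
            del self.first_seen[triplet]
            return "250 OK"
        # Temporary failure: a real MTA queues and retries, most bots do not.
        return "450 4.7.1 Greylisted, try again later"


def demo():
    """Constructed traffic: an MTA that retries and a bot that never does."""
    t = [0.0]
    gl = Greylist(delay=300, clock=lambda: t[0])
    mta = ("192.0.2.10", "alice@example.org", "bob@example.com")
    bot = ("198.51.100.7", "x@example.net", "bob@example.com")
    replies = [gl.check(*mta), gl.check(*bot)]   # first sight: both deferred
    t[0] = 60
    replies.append(gl.check(*mta))               # retry too early: deferred
    t[0] = 360
    replies.append(gl.check(*mta))               # retry after 5 min: accepted
    t[0] = 370
    replies.append(gl.check(*mta))               # whitelisted: no more delay
    return [r[:3] for r in replies]


if __name__ == "__main__":
    print(demo())
```
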
> So my question is: if my system has granted RELAY permission
> to a system
> which is in a dnsbl used by the sendmail configuration, does the
> sendmail RELAY, or does it deny the connection attempt?
>
> Thanks for wading through this completely hypothetical situation.
>

I think you would be served by doing some googling on backscatter. Any time you have a "backup mx" server that does not do recipient validation for the domains it serves not only is it going to receive a lot of spam, it is going to be producing a lot. This is exactly the type of thing that lands IP addresses in blacklists in my experience.

That being said you should be able to whitelist the IP of the blacklisted host before you do the rbl-checking. I know how to do this with postfix but not sendmail. I am not a sendmail user, but there are some sendmail users on the list who may be willing to help there.

My guess is that if you post to the mailing list of the MTA in question you may raise their ire a bit as you seem to be trying to solve a problem further downstream than you should be (idiots on your network). I would fix your local problem (if you can).

alex
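
[Added example, not part of the message above and not sendmail or postfix code.] A model of the ordering suggested there: the client IP is compared with a local whitelist before any DNSBL is queried, and a listing is an A record in 127.0.0.0/8 for the reversed-octet name. Function names, the stand-in DNS table and the addresses are constructed.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None when it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_client(ip, zones, whitelist=(), resolve=system_resolver):
    """Connect-time decision: local whitelist first, then each DNSBL in order."""
    addr = ipaddress.IPv4Address(ip)
    for net in whitelist:
        if addr in ipaddress.ip_network(net):
            return ("accept", "whitelisted")      # no DNSBL query is made
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LISTED_NET:
            return ("reject", zone)
    return ("accept", "not listed")


# Constructed DNS answers standing in for live lookups.
FAKE_DNS = {
    "7.100.51.198.sbl-xbl.spamhaus.org": "127.0.0.4",
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
}
ZONES = ["sbl-xbl.spamhaus.org", "dnsbl.njabl.org"]


def demo():
    lookup = FAKE_DNS.get
    trusted = ["192.0.2.10/32"]   # the listed host that is allowed to relay
    return [
        check_client("198.51.100.7", ZONES, trusted, lookup),  # listed
        check_client("192.0.2.10", ZONES, trusted, lookup),    # listed, trusted
        check_client("203.0.113.5", ZONES, trusted, lookup),   # clean
    ]


if __name__ == "__main__":
    print(demo())
```
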