Proper way to attach Spamassassin to Postfix?
There was just a thread about attaching Spamassassin to Sendmail. I am running postfix. I went through the steps in Kmail of creating the Spamassassin filters as outlined in the Kmail manual. Is there anything else I need to do, besides doing
sa-learn --spam --dir ~/Mail/Spam/cur/
once in a while. I still appear to be getting a lot of SPAM
SPAM, SPAM, SPAM, SPAM :-)
john
--
# John N. Alegre
# Andante Systems
# Web Hosting
# Web Site Development
# www.johnalegre.net
Sat, 25 Sep 2004, by listhub@libros.andante.mn.org:
There was just a thread about attaching Spamassassin to Sendmail.
I am running postfix. I went through the steps in Kmail of creating the Spamassassin filters as outlined in the Kmail manual.
Is there anything else I need to do, besides doing
sa-learn --spam --dir ~/Mail/Spam/cur/
once in a while. I still appear to be getting a lot of SPAM
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it. See the postfix site for examples.
SPAM, SPAM, SPAM, SPAM :-)
spam is written in lowercase, the other thing is the canned meat variety.
Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp@nedlinux.nl Kernel 2.6.5 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
On Saturday 25 September 2004 11:46 am, Theo v. Werkhoven wrote:
Sat, 25 Sep 2004, by listhub@libros.andante.mn.org:
There was just a thread about attaching Spamassassin to Sendmail.
I am running postfix. I went through the steps in Kmail of creating the Spamassassin filters as outlined in the Kmail manual.
Is there anything else I need to do, besides doing
sa-learn --spam --dir ~/Mail/Spam/cur/
once in a while. I still appear to be getting a lot of SPAM
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it. See the postfix site for examples.
Actually, that proves to be largely ineffective for a lot of spam.
A great deal of spam gets thru RBLs because it takes several days for these things to trigger, and it also requires VERY careful selection of which RBL you use, because some of them will list mailservers of large ISP based on a SINGLE report.
The OP was on the right track, Spamassassin is by far the most effective and prudent way to go about this.
--
John Andersen
* John Andersen
On Saturday 25 September 2004 11:46 am, Theo v. Werkhoven wrote:
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it. See the postfix site for examples.
Actually, that proves to be largely ineffective for a lot of spam.
A great deal of spam gets thru RBLs because it takes several days for these things to trigger, and it also requires VERY careful selection of which RBL you use, because some of them will list mailservers of large ISP based on a SINGLE report.
The OP was on the right track, Spamassassin is by far the most effective and prudent way to go about this.
No, you need to use the two in tandem. I stop about seventy percent of uce/spam with RBLs and very nearly all of the rest with spamassassin and razor.
In a two day period I had 331 rejected RBL and 76 by spamassassin 3.00 with no false pos's or neg's. I can provide the logs if necessary.
The new spamassassin 3.0 is *much* better than 2.64, IMNSHO.
--
Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
On Saturday 25 September 2004 16:15, Patrick Shanahan wrote:
In a two day period I had 331 rejected RBL and 76 by spamassassin 3.00 with no false pos's or neg's. I can provide the logs if necessary.
Are you referring here to the RBL screen in postfix, as you mentioned in an earlier thread?
john
--
# John N. Alegre
# Andante Systems
# Web Hosting
# Web Site Development
# www.johnalegre.net
* John N. Alegre
On Saturday 25 September 2004 16:15, Patrick Shanahan wrote:
In a two day period I had 331 rejected RBL and 76 by spamassassin 3.00 with no false pos's or neg's. I can provide the logs if necessary.
Are you referring here to the RBL screen in postfix, as you mentioned in an earlier thread?
This is correct, but it is not a screen, it is a parameter in /etc/postfix/main.cf
--
Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
John Andersen wrote: [snip]
A great deal of spam gets thru RBLs because it takes several days for these things to trigger, and it also requires VERY careful selection of which RBL you use, because some of them will list mailservers of large ISP based on a SINGLE report.
The OP was on the right track, Spamassassin is by far the most effective and prudent way to go about this.
FWIW, does anyone know if the new 3.0 version of Spamassassin works OK with the existing version of Amavis? That's what I use to tie everything together (with Spamassassin 2.6x and HBEDV+ Antivir) with Postfix. I only really started to reduce the amount of spam that got through Spamassassin by adding my own filter files to /etc/mail/spamassassin, written for the kind of spam I receive. This has proved pretty darn effective. That, and adding high scores to usual suspects like hotmail, yahoo or comcast and any geographic domain - ch, ro, ru, br, kr, etc. - outside of North America and western Europe. But then I am a solo user and so probably don't have the throughput to make the Bayes stuff all that useful - too small a sample, I expect. With tweaking like this, I reckon that Spamassassin has canned around 99 per cent of my spam for at least a year now. :) Fish
El Sáb 25 Sep 2004 16:27, Mark Crean escribió:
FWIW, does anyone know if the new 3.0 version of Spamassassin works OK with the existing version of Amavis? That's what I use to tie everything together (with Spamassassin 2.6x and HBEDV+ Antivir) with Postfix.
I use amavis-new together with SpamAssassin 3.0 and ClamAV and it's working just fine.
Regards,
--
Andreas Philipp Noema Ltda. Bogotá, D.C. - Colombia
Sat, 25 Sep 2004, by jsa@pen.homeip.net:
On Saturday 25 September 2004 11:46 am, Theo v. Werkhoven wrote:
Sat, 25 Sep 2004, by listhub@libros.andante.mn.org:
There was just a thread about attaching Spamassassin to Sendmail.
I am running postfix. I went through the steps in Kmail of creating the Spamassassin filters as outlined in the Kmail manual.
Is there anything else I need to do, besides doing
sa-learn --spam --dir ~/Mail/Spam/cur/
once in a while. I still appear to be getting a lot of SPAM
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it. See the postfix site for examples.
Actually, that proves to be largely ineffective for a lot of spam.
Then you've obviously never seen a well configured Postfix server in action against all the hosts that try to deliver their excrements. For me it's stopping about 95% of the attempts (~90 a day), SA is doing the rest.
A great deal of spam gets thru RBLs because it takes several days for these things to trigger, and it also requires VERY careful selection
It's not only RBLs, but it doesn't take long for a new site to get a nice cosy place in bl.spamcop.net.
of which RBL you use, because some of them will list mailservers of large ISP based on a SINGLE report.
That's why there's a 'warn-reject' keyword for the smtpd_*_restrictions, and easy ways to whitelist domains and clients.
The OP was on the right track, Spamassassin is by far the most effective and prudent way to go about this.
SA *is* effective, but stopping the enemy at the gates is better.
Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp@nedlinux.nl Kernel 2.6.5 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
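As an added example (not part of any poster's message, and not Postfix code): a small Python log review for the workflow discussed above, where an RBL is first run in warn-only mode and rejections are checked for false positives before it is enforced. The log lines are constructed in the shape of Postfix smtpd reject messages; `dul.dnsbl.example` and all addresses are hypothetical, and Postfix itself spells the keyword `warn_if_reject`, which it logs as `reject_warning`.

```python
import re
from collections import Counter

# Constructed sample in the shape of Postfix smtpd log lines. Hosts, addresses
# and the zone dul.dnsbl.example are invented; the other two zones are the
# ones named in the thread.
SAMPLE_LOG = """\
Sep 25 10:01:12 mx postfix/smtpd[4121]: connect from unknown[192.0.2.10]
Sep 25 10:01:13 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using bl.spamcop.net; from=<offers@bulk.example> to=<john@example.org> proto=SMTP helo=<x>
Sep 25 10:07:40 mx postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 554 Service unavailable; Client host [192.0.2.11] blocked using bl.spamcop.net; from=<win@bulk.example> to=<john@example.org> proto=SMTP helo=<y>
Sep 25 11:15:02 mx postfix/smtpd[4177]: NOQUEUE: reject: RCPT from mail.relay.example[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using relays.ordb.org; from=<x@relay.example> to=<john@example.org> proto=ESMTP helo=<mail.relay.example>
Sep 25 12:30:55 mx postfix/smtpd[4201]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 554 Service unavailable; Client host [203.0.113.5] blocked using dul.dnsbl.example; from=<carlos@friend.example> to=<john@example.org> proto=ESMTP helo=<home>
Sep 25 12:41:09 mx postfix/smtpd[4203]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.9]: 554 Service unavailable; Client host [203.0.113.9] blocked using dul.dnsbl.example; from=<promo@bulk.example> to=<john@example.org> proto=SMTP helo=<z>
Sep 25 13:02:31 mx postfix/smtpd[4210]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<carlos@friend.example> to=<john@example.org> proto=ESMTP helo=<home>
"""

# "reject" is an enforced restriction; "reject_warning" is what a restriction
# prefixed with warn_if_reject logs instead of rejecting.
REJECT_RE = re.compile(
    r"NOQUEUE: (?P<action>reject(?:_warning)?): \w+ from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)
ZONE_RE = re.compile(r"blocked using ([A-Za-z0-9.-]+)")
NON_RBL = "(non-RBL restriction)"


def parse_reject(line):
    """Return a dict describing one reject/reject_warning line, or None."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    zone = ZONE_RE.search(hit["text"])
    hit["zone"] = zone.group(1) if zone else None
    return hit


def review(log_text, known_senders):
    """Tally rejections per DNSBL zone and list hits on known correspondents.

    known_senders is the reviewer's own list of envelope senders expected to
    be legitimate. Envelope senders can be forged, so a match is only a
    prompt to look at the line, not proof of a false positive.
    """
    known = {s.lower() for s in known_senders}
    enforced, warn_only, to_review = Counter(), Counter(), []
    for line in log_text.splitlines():
        hit = parse_reject(line)
        if hit is None:
            continue  # not a rejection (connect, disconnect, delivery, ...)
        key = hit["zone"] or NON_RBL
        if hit["action"] == "reject_warning":
            warn_only[key] += 1
        else:
            enforced[key] += 1
        if hit["sender"].lower() in known:
            to_review.append((hit["action"], key, hit["sender"], hit["ip"]))
    return {"enforced": enforced, "warn_only": warn_only, "review": to_review}


if __name__ == "__main__":
    result = review(SAMPLE_LOG, {"carlos@friend.example"})
    for name in ("enforced", "warn_only"):
        for zone, count in result[name].most_common():
            print(f"{name:9} {count:3}  {zone}")
    for action, zone, sender, ip in result["review"]:
        print(f"check: {sender} [{ip}] hit {zone} ({action})")
```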
The Saturday 2004-09-25 at 21:46 +0200, Theo v. Werkhoven wrote:
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it.
Humm... That way, I'm pretty sure you will also reject my emails, because both my providers are often blacklisted, because I use dynamic IPs, and because I have no real hostname. However, I'm certainly no spammer.
And no, I can not change those things.
SpamAssassin requires more resources, true. But it is also fairer. And I believe it can also do rbl checks, giving a score to them, with a chance for other negative scores to act - and thus allow _me_ to email.
--
Cheers, Carlos Robinson
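The two approaches argued over in this thread, side by side, as an added Python example (not from any poster, and not Postfix or SpamAssassin code): a DNSBL lookup name is the client address reversed and prefixed to the zone, and a hit can either reject outright at SMTP time or add to a score. The listing data, rule names and scores are constructed so it runs offline; `dul.dnsbl.example` is a hypothetical zone, the result names OK/REJECT/DUNNO are borrowed from Postfix access tables, and 5.0 is SpamAssassin's default threshold.

```python
import ipaddress


def dnsbl_query_name(ip, zone):
    """DNS name queried for a client address: reversed IPv4 octets
    (or reversed IPv6 nibbles) followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


# Constructed listings standing in for DNS answers (a real lookup would be an
# A-record query for the name; any answer means "listed").
LISTED = {
    dnsbl_query_name("203.0.113.5", "dul.dnsbl.example"),  # dial-up range
    dnsbl_query_name("203.0.113.9", "dul.dnsbl.example"),
    dnsbl_query_name("203.0.113.9", "bl.spamcop.net"),
}


def zones_listing(ip, zones, listed=LISTED):
    """Zones, in the order given, that list this client address."""
    return [z for z in zones if dnsbl_query_name(ip, z) in listed]


def smtp_time_decision(ip, zones, whitelist=(), listed=LISTED):
    """Hard policy: a whitelist entry wins, otherwise the first hit rejects."""
    if ip in whitelist:
        return "OK"
    hits = zones_listing(ip, zones, listed)
    return "REJECT " + hits[0] if hits else "DUNNO"


# Constructed scores, not SpamAssassin's own rule scores.
ZONE_SCORES = {"bl.spamcop.net": 3.0, "dul.dnsbl.example": 2.5}
REQUIRED_SCORE = 5.0


def scored_decision(ip, content_scores, zone_scores=ZONE_SCORES,
                    required=REQUIRED_SCORE, listed=LISTED):
    """Soft policy: DNSBL hits are added to the content score, so negative
    content scores can outweigh a listing. Returns (total, is_spam)."""
    total = sum(zone_scores[z] for z in zones_listing(ip, zone_scores, listed))
    total += sum(content_scores.values())
    return total, total >= required


# Constructed messages: (label, client IP, content rule scores).
MESSAGES = [
    ("legitimate mail from a dial-up address", "203.0.113.5", {"bayes_ham": -2.0}),
    ("spam from a listed address", "203.0.113.9", {"bayes_spam": 3.5}),
    ("spam from a not-yet-listed address", "198.51.100.20",
     {"bayes_spam": 3.5, "subject_rule": 2.0}),
]

if __name__ == "__main__":
    zones = list(ZONE_SCORES)
    for label, ip, content in MESSAGES:
        hard = smtp_time_decision(ip, zones)
        total, is_spam = scored_decision(ip, content)
        print(f"{label}: SMTP-time={hard}; score={total} spam={is_spam}")
```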
* Carlos E. R.
The Saturday 2004-09-25 at 21:46 +0200, Theo v. Werkhoven wrote:
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it.
Humm... That way, I'm pretty sure you will also reject my emails, because both my providers are often blacklisted, because I use dynamic IPs, and because I have no real hostname. However, I'm certainly no spammer.
I use RBLs and do not lose your mails, AFAICS. I have you with two different addresses in my /etc/postfix/access list as *OK* <grin>.
We went thru this before. But the only mails that I lost from you were direct to me before adding you to the 'access' list. I never lost mail to the list with your address.
This was also right after ISPs stopped accepting direct (unrelayed) outgoing mail.
--
Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
The Saturday 2004-09-25 at 20:11 -0500, Patrick Shanahan wrote:
Humm... That way, I'm pretty sure you will also reject my emails, because both my providers are often blacklisted, because I use dynamic IPs, and because I have no real hostname. However, I'm certainly no spammer.
I use RBLs and do not lose your mails, AFAICS. I have you with two different addresses in my /etc/postfix/access list as *OK* <grin>.
I know, I know. But that is an exception :-) If I want to email somebody I have never contacted before, and they use that method, they will not get my email, and worse, I may not know about it. For example, I don't know if Theo would receive it - I guess this time he did, because the email comes from the suse server, not from me.
This was also right after ISPs stopped accepting direct (unrelayed) outgoing mail.
I'm forced to send email myself. Even if I could relay through one of my providers, they are often blacklisted, so it doesn't help.
--
Cheers, Carlos Robinson
* Carlos E. R.
I'm forced to send email myself. Even if I could relay through one of my providers, they are often blacklisted, so it doesn't help.
free imap accounts are available from Novell, myrealbox.com, and you can send mail via smtp.myrealbox.com in /etc/postfix/transport:
myrealbox.com smtp:smtp.myrealbox.com
of course, requires a return address ...myrealbox.com
--
Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
The Sunday 2004-09-26 at 10:05 -0500, Patrick Shanahan wrote:
I'm forced to send email myself. Even if I could relay through one of my providers, they are often blacklisted, so it doesn't help.
free imap accounts are available from Novell, myrealbox.com, and you can send mail via smtp.myrealbox.com in /etc/postfix/transport:
myrealbox.com smtp:smtp.myrealbox.com
of course, requires a return address ...myrealbox.com
Question. Are they Spanish?
Can I send using _any_ from address through them?
In case of they having a problem sending, how fast do they tell me?
The last one is because, sending myself, I immediately know if it got to the recipient domain server. Using a relay, I may be told in four hours there is a delay, and 5 days later that it was impossible. Too bad.
--
Cheers, Carlos Robinson
* Carlos E. R.
The Sunday 2004-09-26 at 10:05 -0500, Patrick Shanahan wrote:
of course, requires a return address ...myrealbox.com
Question. Are they Spanish?
<grin> NO.
Can I send using _any_ from address through them?
No. above
In case of they having a problem sending, how fast do they tell me?
I don't know. I have only had a problem once and it was about a 30 hour delay. Everything passes, I have never, to my knowledge, lost anything.
The last one is because, sending myself, I immediately know if it got to the recipient domain server. Using a relay, I may be told in four hours there is a delay, and 5 days later that it was impossible. Too bad.
This *is* _free_.
--
Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
The Sunday 2004-09-26 at 20:17 -0500, Patrick Shanahan wrote:
Question. Are they Spanish?
<grin> NO.
:-)
Can I send using _any_ from address through them?
No. above
That is a real problem. You see, I have several addresses, and some of them, like the sourceforge one, or the ieee one, do not have an smtp server (and most nor a pop server either, they act as redirectors). To send with my "from" set to "something at sourceforge" I have to use my own postfix, or a good or permissive relay. Of course, a permissive one is not often good, for other reasons.
In case of they having a problem sending, how fast do they tell me?
I don't know. I have only had a problem once and it was about a 30 hour delay. Everything passes, I have never, to my knowledge, lost anything.
It has happened to me, often. The problem when using my provider smtp (two providers, not only tiscali) is that many times I never know there was a problem, till my correspondent complains I did not send him the expected file or whatever.
The last one is because, sending myself, I immediately know if it got to the recipient domain server. Using a relay, I may be told in four hours there is a delay, and 5 days later that it was impossible. Too bad.
This *is* _free_.
I know, I appreciate the idea. :-)
I just try to explain the difficulties. I sometimes have to use one of my providers smtp server, but then, is only one mail in a very long time (fortunately), and have to send it from Mozilla, setting it up temporarily not to use the local server but a remote one.
I know I can set up different transports for postfix based on recipient, but the transport chosen must be selected from a pool based on the sender address as well. That I still don't know if it is possible, and how.
Let me clarify further the issue. I connect using a modem. The providers I use are also telephone companies. It happens that in Spain, telephone calls are charged by the second (first minute in advance), and that applies to internet dialup. Thus, the providers get their money through the phone charges of the dialup calls. In that environment, the "accounts" themselves are free. There is no written contract signed by both sides. The user can be anonymous, in the sense that the given name can be false.
It is possible to pay "flat rate", a month in advance, allowing to use inet from 18:00 to 8:00, usually (ie, non peak hours). The performance is very similar, and not really cheap.
I get only what they offer. Not being fully reliable, I have got two accounts at two different companies (terra and tiscali). I have to be able to work with either one transparently. That means I have to use postfix to be able to send from one account when connected via the other account, and also, to "send from" the rest of the accounts that don't belong to any provider. There being no contract, they are not under any obligation to accept email coming from an IP that it's not theirs, nor with a different "from" address.
Or use only mozilla to send (and possibly receive as well, pop before smtp auth) using a different smtp server of each account.
--
Cheers, Carlos Robinson
On Mon, 27 Sep, 2004 at 16:35:22 +0200, Carlos E. R. wrote: <snip>
I just try to explain the difficulties. I sometimes have to use one of my providers smtp server, but then, is only one mail in a very long time (fortunately), and have to send it from Mozilla, setting it up temporarily not to use the local server but a remote one.
I know I can set up different transports for postfix based on recipient, but the transport chosen must be selected from a pool based on the sender address as well. That I still don't know if it is possible, and how.
I'm not sure I understand this entirely, so... Can you not just use whichever provider you dial in to's mail server as relay? I mean, you 'know' which provider you're dialling in to. So wouldn't it be relatively simple to change transport as part of the dial-up? ...just a thought /Jon -- Just say "know!"
The Tuesday 2004-09-28 at 07:06 +0200, Jon Clausen wrote:
I'm not sure I understand this entirely, so...
Can you not just use whichever provider you dial in to's mail server as relay?
I mean, you 'know' which provider you're dialling in to. So wouldn't it be relatively simple to change transport as part of the dial-up?
...just a thought
Probably. I thought of that as well. I would have to do some scripting, because now the provider is decided when I call wvdial. It would require modifying postfix configuration on the fly... But it wouldn't solve all problems. For example, I use some accounts that are no real accounts, but mail redirectors, like a sourceforge alias. My ISP smtp servers do not like sending with the from address set differently. Another problem is that some authenticate using pop before smtp: how do you do that with postfix? The easiest method is what I currently use: let postfix send mail on its own. I have more control, and I immediately know if it works or fails. These cheap smtp servers sometimes do not inform of problems. It is quite seldom that I have problems with this method. What I wanted to prepare, just in case, is to select a transport for those cases when I can not email directly, and only for those addresses, selecting my relay based on the from of my address - just as if I was sending through mozilla. I heard that something of the sort is doable: I'll have to study it. -- Cheers, Carlos Robinson
Sun, 26 Sep 2004, by robin1.listas@tiscali.es:
The Saturday 2004-09-25 at 21:46 +0200, Theo v. Werkhoven wrote:
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it.
Humm... That way, I'm pretty sure you will also reject my emails, because both my providers are often blacklisted, because I use dynamic IPs, and because I have no real hostname. However, I'm certainly no spammer.
Of course you're not, but for me the usage of these RBLs is the best and most certain way of stopping spam from entering my mailbox(es). Making exceptions is easy enough though, and there's only been one occasion where I saw a false positive (mail with a hotmail address that didn't come from a hotmail host). Asking the "victims" to re-send and explaining why their mail was refused was enough to solve that problem.
And no, I can not change those things.
Sorry to hear that. Being associated with a spam-supporting provider doesn't make life online easier.
SpamAssassin requires more resources, true. But it is also fairer. And I believe it can also do rbl checks, giving a score to them, with a chance for other negative scores to act - and thus allow _me_ to email.
Either way, someone has to decide how much one false positive is worth any number of false negatives. I have no business account, so I can decide that I'd rather lose one or two mails because of a false positive, than seeing lots of UCE in my boxes.
Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp@nedlinux.nl Kernel 2.6.5 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
The Sunday 2004-09-26 at 16:03 +0200, Theo v. Werkhoven wrote:
And no, I can not change those things.
Sorry to hear that. Being associated with a spam-supporting provider doesn't make life online easier.
No, they don't. It is not as simple as that. A provider with customers counted by the hundred of thousands can not easily control what their customers do. Even when they act, they will do so slowly, and by that time the spammer will have another account. -- Cheers, Carlos Robinson
Sun, 26 Sep 2004, by robin1.listas@tiscali.es:
The Sunday 2004-09-26 at 16:03 +0200, Theo v. Werkhoven wrote:
And no, I can not change those things.
Sorry to hear that. Being associated with a spam-supporting provider doesn't make life online easier.
No, they don't. It is not as simple as that.
A provider with customers counted by the hundred of thousands can not easily control what their customers do. Even when they act, they will do so slowly, and by that time the spammer will have another account.
My provider has 150.000 customers (ok, it's a 'small' operation compared to tiscali, wanadoo etc), but it's also one of the cleanest ISPs with a practically spotless reputation, and that's mainly because they do /not/ take days or weeks to decide if a customer should be cut off when they get complaints or when they see a virus problem with that customer.
An AUP should give the ISP the mandate to act immediately at the first sign of trouble (which it does in my ISP's case), not weeks later and/or after consulting with a shitload of lawyers.
Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp@nedlinux.nl Kernel 2.6.5 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
The Sunday 2004-09-26 at 23:00 +0200, Theo v. Werkhoven wrote:
My provider has 150.000 customers (ok, it's a 'small' operation compared to tiscali, wanadoo etc), but it's also one of the cleanest ISPs with a practically spotless reputation, and that's mainly because they do /not/ take days or weeks to decide if a customer should be cut off when they get complaints or when they see a virus problem with that customer.
It doesn't matter. Anybody can get a new account after one is cancelled in minutes, hours at worst.
However, if an IP of any Spanish provider is doing anything delictive, a court order can identify the person. Of course, you have to demonstrate that he is doing something delictive.
--
Cheers, Carlos Robinson
* Carlos E. R.
However, if an IP of any spanish provider is doing anything delictive, a court order can identify the person. Of course, you have to demonstrate that he is doing something delictive.
<grin>
delictive adv. not lictive
lictive ????
<bigger grin>
--
Patrick Shanahan Registered Linux User #207535 http://wahoo.no-ip.org @ http://counter.li.org HOG # US1244711 Photo Album: http://wahoo.no-ip.org/photos
The Monday 2004-09-27 at 16:39 +0200, I wrote:
delictive adv. not lictive
lictive ????
<bigger grin>
Ah, I forgot to spell check :-)
[perhaps I should have used "criminal", according to jdictionary]
Talking of the devil... I got a bounce, from "ms.com" (. Reason given:
|Delivery to the following recipients failed.
|
| suse-linux-e@suse.com
...
|Diagnostic-Code: smtp;553 5.3.0
Mon, 27 Sep 2004, by robin1.listas@tiscali.es:
The Sunday 2004-09-26 at 23:00 +0200, Theo v. Werkhoven wrote:
My provider has 150.000 customers (ok, it's a 'small' operation compared to tiscali, wanadoo etc), but it's also one of the cleanest ISPs with a practically spotless reputation, and that's mainly because they do /not/ take days or weeks to decide if a customer should be cut off when they get complaints or when they see a virus problem with that customer.
It doesn't matter. Anybody can get a new account after one is cancelled in minutes, hours at worst.
For a new broadband xDSL connection? I seriously doubt that, not in the lowlands anyway.
However, if an IP of any spanish provider is doing anything delictive, a court order can identify the person. Of course, you have to demonstrate that he is doing something delictive.
Same here, but not for something like spamming afaik.
Theo
--
Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp@nedlinux.nl Kernel 2.6.5 + MSN: twe-msn@ferrets4me.xs4all.nl See headers for PGP/GPG info. +
The Tuesday 2004-09-28 at 00:08 +0200, Theo v. Werkhoven wrote:
It doesn't matter. Anybody can get a new account after one is cancelled in minutes, hours at worst.
For a new broadband xDSL connection? I seriously doubt that, not in the lowlands anyway.
No, I was not talking about dsl, but modem. That's what I use. DSL needs some hardware to be setup at the exchange, and if that is ready, it also needs some configuration. Not automatic, therefore it requires a contract.
However, if an IP of any spanish provider is doing anything delictive, a court order can identify the person. Of course, you have to demonstrate that he is doing something delictive.
Same here, but not for something like spamming afaik.
If it were delictive, yes. Demonstrating that would be a problem, though. Perhaps if they announce kids pornography, or dangerous or forbidden medication. Perhaps false publicity, or scams. I heard this summer something about the EU council or whatever taking some kind of stance against spam. I'd love to see some real good coming out of it, but I'm not optimistic. Hum! aspell says that "delictive" does not exist. My mind was playing tricks? That's what Patrick was saying, I didn't understand. Should I use "criminal" instead? Too strong, perhaps... -- Cheers, Carlos Robinson
Carlos wrote regarding 'Re: [SLE] Proper way to attach Spamassassin to Postfix?' on Sat, Sep 25 at 19:31:
The Saturday 2004-09-25 at 21:46 +0200, Theo v. Werkhoven wrote:
Learn how to use Postfix to reject mail based on RBL, unknown hostnames etc. It is far more effective than trying to delete spam after you accepted it.
Humm... That way, I'm pretty sure you will also reject my emails, because both my providers are often blacklisted, because I use dynamic IPs, and because I have no real hostname. However, I'm certainly no spammer.
And no, I can not change those things.
SpamAssassin requires more resources, true. But it is also fairer. And I believe it can also do rbl checks, giving a score to them, with a chance for other negative scores to act - and thus allow _me_ to email.
Not all RBLs suck. :) Anyway, if an ISP allows outgoing port 25 from arbitrary users, or allows relaying from any host (not just their clients), I don't want their mail. A proper ISP will provide a mail relay that's only available to their users, and will terminate accounts as soon as any spam report is deemed valid. It only takes a few minutes to look over the mail server logs to see if a particular user sent a message through the ISP's mail server, and since a good ISP will probably block outgoing port 25 from most/all users, that's all it takes. I drop several thousand messages/day through specific rules (I don't accept any mail from Korea, for example) and using relays.ordb.org as an RBL. They only add actual open relays, and it's my opinion that anyone running an open relay should be blocked. There is 0 reason to run an open relay, ever. It sucks to be stuck behind a crummy ISP, though. Drop me a line if you want access to an authenticated relay, Carlos. :) --Danny
The Monday 2004-09-27 at 13:08 -0500, Danny Sauer wrote:
SpamAssassin requires more resources, true. But it is also fairer. And I believe it can also do rbl checks, giving a score to them, with a chance for other negative scores to act - and thus allow _me_ to email.
Not all RBLs suck. :) Anyway, if an ISP allows outgoing port 25 from arbitrary users, or allows relaying from any host (not just their clients), I don't want their mail. A proper ISP will provide a mail relay that's only available to their users, and will terminate accounts as soon as any spam report is deemed valid. It only takes a few minutes to look over the mail server logs to see if a particular user sent a message through the ISP's mail server, and since a good ISP will probably block outgoing port 25 from most/all users, that's all it takes.
If you mean that port 25 should be firewalled at the ISP, then I would not be able to use other SMTP server than the one provided by them, and my liberty to use internet would be destroyed. RBL is a double edge knife. I very much understand the problem, and, of course, it clears a lot of spam. But, in the process, it also clears some legitimate email - probably mine, if I had to email you direct. Perhaps just a few emails, but you can not know, because they are rejected. That's why I prefer RBL activated inside amavis-new or spamassassin. The SuSE list server does that. It is a score system, I have a chance. Thanks to that, I can participate here. My ISPs, as far as I know, do not allow anybody to relay. No. However, they do allow anybody to get an account. No papers are signed, its automated. Once you have an account, you can send spam. They (terra, tiscali, and a few others) have users counting by the hundred thousands. They can not screen filter their users before they get an account. I'd prefer they did! Thus, once somebody does send spam, it is very easy to have the whole ISP blacklisted. Of course, being large and powerful is part of the problem. Phoning them means using one of those numbers that charge extra. Emailing is impossible, there is no address: they want to charge for listening to clients (the explanation can be known if you read my email to Patrick). All this means that, not being prompt answers to complaints emailed to "abuse" or "postmaster", they are blacklisted easily. Too bad. On the other hand, all connections here are logged, by law. Knowing the IP you can know the login and the phone number, and thus, the person. But you need a court order. Then, many users have ADSL, or cable. They originate virus, mostly: I suppose their contract is terminated if they send spam. I hope. That said, I don't receive spam sent from here, in Spanish. Most spam I receive is in english, so it originates from abroad. 
Statistics say most of the world spam comes from (and is targeted to) the states. Also, if not listed on an RBL, I am dialup, so I go into another list.
I drop several thousand messages/day through specific rules (I don't accept any mail from Korea, for example) and using relays.ordb.org as an RBL. They only add actual open relays, and it's my opinion that anyone running an open relay should be blocked. There is 0 reason to run an open relay, ever.
On that I agree. I have to. Fortunately for you, you don't have business with that part of the world. But I don't think that listing whole ranges is fair, and that is often the case with rbls.
It sucks to be stuck behind a crummy ISP, though. Drop me a line if you want access to an authenticated relay, Carlos. :)
Thanks, but while I can use my own postfix, I'll do so, I have more control. Only about once in a year I have to use a relay server, I'm fortunate that most of my correspondents do not use rbl, or have me whitelisted. (If my correspondents in Spain blacklisted Terra, they would be out of business, they could not be emailed by half of Spain).
The proper way to go would be to convince legislators at most countries to take real action against spam. It is doable, by them. Utopia!
--
Cheers, Carlos Robinson
Carlos wrote regarding 'Re: [SLE] Proper way to attach Spamassassin to Postfix?' on Mon, Sep 27 at 16:42:
The Monday 2004-09-27 at 13:08 -0500, Danny Sauer wrote:
SpamAssassin requires more resources, true. But it is also fairer. And I believe it can also do rbl checks, giving a score to them, with a chance for other negative scores to act - and thus allow _me_ to email.
Not all RBLs suck. :) Anyway, if an ISP allows outgoing port 25 from arbitrary users, or allows relaying from any host (not just their clients), I don't want their mail. A proper ISP will provide a mail relay that's only available to their users, and will terminate accounts as soon as any spam report is deemed valid. It only takes a few minutes to look over the mail server logs to see if a particular user sent a message through the ISP's mail server, and since a good ISP will probably block outgoing port 25 from most/all users, that's all it takes.
If you mean that port 25 should be firewalled at the ISP, then I would not be able to use other SMTP server than the one provided by them, and my liberty to use internet would be destroyed.
I think that port 25 should be blocked, but that it should be opened back up on request of a user. That's how my home ISP does it, and it works well. If the ISP provides a sane relay service for its users, then they can scan outgoing mail for viruses and let the users know that they're sending junk. Then again, that'd mean that ISPs were helping the internet for free, and most ISPs don't care about things that they don't get paid for doing...
RBL is a double edge knife. I very much understand the problem, and, of course, it clears a lot of spam. But, in the process, it also clears some legitimate email - probably mine, if I had to email you direct. Perhaps just a few emails, but you can not know, because they are rejected.
If your ISP doesn't provide relaying, then they're not in the open relay database. I do log everything that gets rejected, and I do look over the logs periodically. I've *never* seen a legitimate email bounced because of that rule.
That's why I prefer RBL activated inside amavis-new or spamassassin. The SuSE list server does that. It is a score system, I have a chance. Thanks to that, I can participate here.
I use other RBLs in spamassassin, but since I've had such good luck with ordbs, I save bandwidth by using that one at the earliest stage possible. This is not advice for others - merely a summary of what works for my employer's email traffic and my personal traffic. Anyone should definitely watch their logs and understand their traffic profile before deciding to block anything. If I was running an ISP, I'd probably not use any RBL at the mail server level, for exactly the reasons you list. :) --Danny
The Monday 2004-09-27 at 17:46 -0500, Danny Sauer wrote:
If you mean that port 25 should be firewalled at the ISP, then I would not be able to use other SMTP server than the one provided by them, and my liberty to use internet would be destroyed.
I think that port 25 should be blocked, but that it should be opened back up on request of a user. That's how my home ISP does it, and it works well. If the ISP provides a sane relay service for its users, then they can scan outgoing mail for viruses and let the users know that they're sending junk. Then again, that'd mean that ISPs were helping the internet for free, and most ISPs don't care about things that they don't get paid for doing...
Mmm... interesting idea. I doubt a large provider for dial up can do it (block 25), though. It means configuring on the fly some kind of firewall, because you never know on which access router he is going to connect, not even on what phone exchange. As for virus scanning, I know tiscali does on the income pop server, if you pay for it. As for doing it free... X-) However, there are some mail redirectors that do have antispam and antivirus features. For example, the ieee one.
RBL is a double edge knife. I very much understand the problem, and, of course, it clears a lot of spam. But, in the process, it also clears some legitimate email - probably mine, if I had to email you direct. Perhaps just a few emails, but you can not know, because they are rejected.
If your ISP doesn't provide relaying, then they're not in the open relay database. I do log everything that gets rejected, and I do look over the logs periodically. I've *never* seen a legitimate email bounced because of that rule.
Tiscali was so blacklisted somewhere this summer, that I could not post to sourceforge with my own alias there. Once, I was rejected browsing sourceforge web pages for a similar reason, when connecting through terra. They do not relay, but anybody can get an account there pretty fast, connect with a modem and send a thousand garbage mails in a brief time. That's why I assume they are blacklisted now and then.
That's why I prefer RBL activated inside amavis-new or spamassassin. The SuSE list server does that. It is a score system, I have a chance. Thanks to that, I can participate here.
I use other RBLs in spamassassin, but since I've had such good luck with ordbs, I save bandwidth by using that one at the earliest stage possible. This is not advice for others - merely a summary of what works for my employer's email traffic and my personal traffic. Anyone should definitely watch their logs and understand their traffic profile before deciding to block anything. If I was running an ISP, I'd probably not use any RBL at the mail server level, for exactly the reasons you list. :)
Ok :-) I see you do it carefully. -- Cheers, Carlos Robinson
Hi Carlos,
On Tue, 28 Sep 2004 02:46:20 +0200 (CEST) UTC (9/27/2004, 7:46 PM -0500 UTC my time), Carlos E. R. in part wrote:
[snip]
C> Mmm... interesting idea. I doubt a large provider for dial up can do it
C> (block 25), though. It means configuring on the fly some kind of firewall,
C> because you never know on which access router he is going to connect, not
C> even on what phone exchange.
Yes, they (ISPs) can do it very easily. All ISPs are assigned a block of IP addresses for their service, and these (depending on size of ISP) Class B, etc., are further subdivided into subnets. ISP routers/firewalls can very easily block IP ranges for any port as they wish within their assigned range, trivially. Phone exchange or access routers play no role in this case, as the client must be assigned to use an IP address which was assigned to the ISP. <g> They can even define certain IP blocks in their control for DSL customers, and certain blocks for dial-up customers, and limit port 25 subjectively if they wish..
for example... AOL has these blocks for dial up use (they have others too)
172.178.0.0/16 172.179.0.0/16 172.183.0.0/16 172.206.0.0/16
A lot of spam used to come from them until they started blocking 25. I now see none from them as a matter of fact, over the last several months.
-- Gary
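The two policies argued over in this thread, rejecting on an RBL hit at SMTP time versus counting the hit as one score among others after acceptance, side by side as an added example (not code from any poster). The listing data, sample traffic, weights and threshold are constructed; the dial-up ranges quoted above are used here as a stand-in for a dial-up list, and no DNS lookup is made.

```python
import ipaddress

# Zone named in the thread; the dial-up ranges are the ones quoted in the thread,
# used here as a stand-in for a dial-up list (assumption of this example).
RBL_ZONE = "relays.ordb.org"
DIALUP_BLOCKS = [ipaddress.ip_network(n) for n in (
    "172.178.0.0/16", "172.179.0.0/16", "172.183.0.0/16", "172.206.0.0/16")]

# Constructed listing data standing in for DNS answers (no network access).
LISTED = {"15.2.0.192." + RBL_ZONE}

# Hypothetical weights and threshold, not SpamAssassin's shipped values.
RBL_POINTS, DIALUP_POINTS, THRESHOLD = 3.0, 1.0, 5.0


def dnsbl_query_name(ip, zone=RBL_ZONE):
    """A DNSBL is queried by reversing the IPv4 octets and appending the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, listed=LISTED):
    """Stand-in for the DNS lookup: any answer for the name means 'listed'."""
    return dnsbl_query_name(ip) in listed


def in_dialup_block(ip):
    """True when the client address falls inside one of the dial-up ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DIALUP_BLOCKS)


def reject_at_smtp(ip):
    """Hard policy: the listing alone decides, before any content is seen."""
    return "REJECT" if is_listed(ip) else "ACCEPT"


def score_after_accept(ip, content_score):
    """Scored policy: the listing is one signal added to the content score."""
    total = content_score
    if is_listed(ip):
        total += RBL_POINTS
    if in_dialup_block(ip):
        total += DIALUP_POINTS
    return ("SPAM" if total >= THRESHOLD else "HAM"), total


# Constructed sample traffic: (client IP, content score, description).
SAMPLES = [
    ("192.0.2.15", -1.0, "legitimate mail via a listed relay"),
    ("192.0.2.15", 4.5, "spam via the same listed relay"),
    ("172.178.10.20", 4.5, "spam direct from a dial-up address"),
    ("198.51.100.7", 0.5, "legitimate mail from an unlisted host"),
]


def compare(samples=SAMPLES):
    """Return (description, SMTP-time verdict, scored verdict, total) per sample."""
    return [(desc, reject_at_smtp(ip), *score_after_accept(ip, cs))
            for ip, cs, desc in samples]


if __name__ == "__main__":
    for row in compare():
        print("%-40s smtp=%-6s scored=%-4s total=%.1f" % row)
```

The first sample is the case Carlos describes: the hard policy rejects it unseen, while the scored policy lets its content outweigh the listing. The price is the one Danny names, since the scored policy has to accept and scan every message.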
The Monday 2004-09-27 at 20:47 -0500, Gary wrote:
C> Mmm... interesting idea. I doubt a large provider for dial up can do it
C> (block 25), though. It means configuring on the fly some kind of firewall,
C> because you never know on which access router he is going to connect, not
C> even on what phone exchange.
Yes, they (ISPs) can do it very easily. All ISPs are assigned a block of IP addresses for their service, and these (depending on size of ISP) Class B, etc., are further subdivided into subnets. ISP routers/firewalls can very easily block IP ranges for any port as they wish within their assigned range, trivially. Phone exchange or access routers play no role in this case, as the client must be assigned to use an IP address which was assigned to the ISP. <g> They can even define certain IP blocks in their control for DSL customers, and certain blocks for dial-up customers, and limit port 25 subjectively if they wish..
Ah, but you missed part of the point :-)
The point was to block port 25 by default, except for some clients requesting it.
I think that doing that, ie, blocking or not blocking, based on the login of the user is not so easy. The hardware I know would certainly make it difficult, a thousand users logged into the same access router and going out through the same ethernet cable... how do you selectively firewall some ports and not another based on login data (dial up, remember)? ie, one IP has it blocked, another would not. Data for this would be fed by the radius server.
Maybe I haven't mentioned it before, but I worked for a time for a big provider, telephone network side :-)
Doable... perhaps. Economic... I wonder. They do not have any kind of firewall now, the network is transparent.
for example... AOL has these blocks for dial up use (they have others too)
172.178.0.0/16 172.179.0.0/16 172.183.0.0/16 172.206.0.0/16
A lot of spam used to come from them until they started blocking 25. I now see none from them as a matter of fact, over the last several months.
I don't deny that. But they would block my writing here, if I were their client. -- Cheers, Carlos Robinson
Hi Carlos, On Wed, 29 Sep 2004 02:19:31 +0200 (CEST) UTC (9/28/2004, 7:19 PM -0500 UTC my time), Carlos E. R. in part wrote:
range, trivially. Phone exchange or access routers play no role in this case, as the client must be assigned to use an IP address which was assigned to the ISP. <g> They can even define certain IP blocks in their control for DSL customers, and certain blocks for dial-up customers, and limit port 25 subjectively if they wish..
C> Ah, but you missed part of the point :-)
Okay, thanks for the explanation below.
C> The point was to block port 25 by default, except for some clients
C> requesting it.
Okay, Carlos, I'm with you now :)
C> I think that doing that, ie, blocking or not blocking, based on the login
C> of the user is not so easy. The hardware I know would certainly make it
C> difficult, a thousand users logged into the same access router and going
C> out through the same ethernet cable... how do you selectively firewall
C> some ports and not another based on login data (dial up, remember)? ie,
C> one IP has it blocked, another would not. Data for this would be fed by
C> the radius server.
agreed very difficult doing it hardware-wise, given the above, as you mention, and a very good challenge.
Let's try another approach... premise... block all dialup SMTP port 25 to start... Then open it up (the ISP SMTP server) for dial-up users who have SMTP auth... a very simple software solution... ;)
I know of one big ISP here, who blocks SMTP sending via their dialups.. very typical... However, they do allow SMTP sending through their SMTP servers, if client auths via SMTP... and you can send not just using their domain name (your ISP email address), but you can send using any FQDN... The key here is SMTP Auth.. to open up 25... and then use their SMTP servers.
Well, that takes care of outbound email.... now the only problem is inbound SMTP .. LOL.... but, since it is a dial-up... most dial-up users would not be using their own email servers anyway at least for inbound mail :) so... only problem left would be inbound SMTP for DSL customers .... LOL... several DSL customers here are not blocked on 25 in or outbound ... your mileage may vary..
C> Maybe I haven't mentioned it before, but I worked for a time for a
C> big provider, telephone network side :-)
hee, hee... that *does* help :)
C> Doable... perhaps. Economic... I wonder.
No doubt about it, doing it hardware wise, would not be economic I believe... A low cost, easily implemented software solution is more practical.
for example... AOL has these blocks for dial up use (they have others too)
172.178.0.0/16 172.179.0.0/16 172.183.0.0/16 172.206.0.0/16
A lot of spam used to come from them until they started blocking 25. I now see none from them as a matter of fact, over the last several months.
C> I don't deny that. But they would block my writing here, if I were their
C> client.
I guess ;) ... unless you have SMTP auth.
-- Gary
Let's try another approach... premise... block all dialup SMTP port 25 to start... Then open it up (the ISP SMTP server) for dial-up users who have SMTP auth... a very simple software solution... ;)
I know of one big ISP here, who blocks SMTP sending via their dialups.. very typical... However, they do allow SMTP sending through their SMTP servers, if client auths via SMTP... and you can send not just using their domain name (your ISP email address), but you can send using any FQDN... The key here is SMTP Auth.. to open up 25... and then use their SMTP servers.
Yes, that's the typical solution. It forces users to use their provider smtp server, and not any other one. It's limiting freedom. For whatever reasons some users may not want - or can not - use that server. For example, let me think... yap: suppose you need to relay using your business smtp server, so that, even if outside, you can email internal only addresses, or simply, be authenticated as a business mail.
Firewalling the users is tricky. It may be good for some things, bad for others. The big ISP I use here do not have any firewalling at all, the network is transparent. Like a piece of ethernet cable. That's why I get port scans, and many attempts to connect to port 445 (Microsoft-DS), to name one.
Well, that takes care of outbound email.... now the only problem is inbound SMTP .. LOL.... but, since it is a dial-up... most dial-up users would not be using their own email servers anyway at least for inbound mail :) so... only problem left would be inbound SMTP for DSL customers .... LOL... several DSL customers here are not blocked on 25 in or outbound ... your mileage may vary..
No, of course, inbound smtp has no sense in dialup. No need to block it, because the IP is dynamic, therefore very difficult to use. Just imagine, the line goes down, you reconnect, you get another IP, and some poor user with windows starts getting smtp connections in your stead X-)
DSL is different, I have friends with DSL, a .org domain, http server, smtp, pop, ftp, etc. A small server, that is. It is probably a small business DSL, but the difference here is simply contractual, not technical: both are on the same pool.
-- Cheers, Carlos Robinson
On Wed, Sep 29, 2004 at 02:20:22PM +0200 or thereabouts, Carlos E. R. wrote:
I know of one big ISP here, who blocks SMTP sending via their dialups.. very typical... However, they do allow SMTP sending through their SMTP servers, if client auths via SMTP... and you can send not just using their domain name (your ISP email address), but you can send using any FQDN... The key here is SMTP Auth.. to open up 25... and then use their SMTP servers.
Yes, that's the typical solution. It forces users to use their provider smtp server, and not any other one. It's limiting freedom. For whatever reasons some users may not want - or can not - use that server. For
Agreed it is limiting freedom, but there are work arounds.
example, let me think... yap: suppose you need to relay using your business smtp server, so that, even if outside, you can email internal only addresses, or simply, be authenticated as a business mail.
easy to do... just set up another instance of your mail server running at a different, non-standard port... use pop-before SMTP, or SMTP auth for authentication into your server for outside users to utilize.. this is then transferred to your main internal server using port 25, using SMTP routing... which is then routed either local for local mail, or routed to the ISP SMTP server to send externally. Internal and external addresses are easily handled. Your outside people then just setup their email client to SMTP at the non-standard port you have setup on the second server... a done deal.... I set this up all the time for clients. As far as authenticating as a business email, the From: address and envelope from both show your company name or whatever FQDN you use other than your ISP email name, even though it is routed externally through your ISP's SMTP server... A more detailed view of email headers just show that it was relayed through your ISP SMTP server... no big deal. Most people do not read all the headers anyway, and certainly not for business email.
Firewalling the users is tricky. It may be good for some things, bad for others. The big ISP I use here do not have any firewalling at all, the network is transparent. Like a piece of ethernet cable. That's why I get port scans, and many attempts to connect to port 445 (Microsoft-DS), to name one.
yah, same here, 445, and 139, as is everybody I suspect... I get about 200-300 hits an hour... Most ISPs leave it up to the client to do what is necessary to protect themselves, rather than subjectively block ports.
because the IP is dynamic, therefore very difficult to use. Just imagine, the line goes down, you reconnect, you get another IP, and some poor user with windows starts getting smtp connections in your stead X-)
hee, hee... I love it.. :)
DSL is different, I have friends with DSL, a .org domain, http server, smtp, pop, ftp, etc. A small server, that is. It is probably a small business DSL, but the difference here is simply contractual, not technical: both are on the same pool.
ah, very much agreed... contractual = more money :) -- Gary
On Sat, 25 Sep 2004 13:35:29 -0500, you wrote:
There was just a thread about attaching Spamassassin to Sendmail.
I am running postfix. I went through the steps in Kmail of creating the Spamassassin filters as outlined in the Kmail manual.
Kmail???? Did you configure spamassassin to postfix? I'm running postfix, amavisd-new, spamassassin 3.0, clam & f-prot. We get 1-2 spams per day - sitewide, although I'm still retraining bayes after upgrading from SA 2.64. Mike- -- If you can keep your head while those around you are losing theirs... You may have a great career as a network administrator ahead! -- Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
participants (12)
- Andreas Philipp
- Carlos E. R.
- Danny Sauer
- Gary
- Gary
- John Andersen
- John N. Alegre
- Jon Clausen
- Mark Crean
- Michael W Cocke
- Patrick Shanahan
- Theo v. Werkhoven