Hello. Thanks to some nice people on here and other forums, I have pretty much finalized my whole mail system on CentOS 6.x.
With all the checks, greylisting, and /dev/null of any 8+ spam-level SA mail, I still get a few mails.
It seems like every time I enable a new protectant, the spam stops for a few hours... then the spammers decide I am worthy of using better methods against me, and more come. LOL.
I am down to just 10-15 a day. Anything that gets through all that I set up now goes to a spammers list that I add to the access file of Postfix.
http://bobhoffman.com/spammers.html
That is the link to my list. I am trying to sort them out into political, real estate, bulk spammers, etc. The worst part is the bulk emailers are not on any blacklist. It is very hard to find their mail MX until they actually send you one. Many will be blocked, then a new alternate of theirs comes through.
I could not find a list of bulk commercial spammers, so I thought I would start one. As I progress it will become more defined, but right now it is a big list with some categories after it.
Hope it helps.
On 03/29/2012 03:00 PM, Bob Hoffman wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
You won't be able to track them easily because they hop around from network to network. Sometimes I can recognize them by seeing the same spams repeatedly, and also by different IP addresses connecting and guessing passwords for the same list of users. But I rarely get those anymore since I have blocked POP/IMAP logins from outside of the US.
You can report them to spamcop.net, and that may help to provide some incentive for ISPs to kick spammers off their network.
The way that I finally got rid of all the residual spam that makes it through greylisting, SPF, SpamAssassin, and ClamAV is to hand out unique mail addresses and use black/whitelists. So, for example, if I assign an email address for incoming mail from a mailing list, set up a whitelist entry that only allows that address to receive email from the mail servers that serve that mailing list, and then blacklist all other incoming mail to that address, it is very effective. With a decent whitelist/blacklist tool it's fairly easy to implement. I used to get literally hundreds of spams a day and now I probably average about 2 per week.
You can also get on the SpamAssassin mailing list, add more plugins, and work on tuning the SpamAssassin config. You can also play with sa-learn. For me, though, the black/whitelisting works quite well.
Nataraj
On 3/29/2012 11:26 PM, Nataraj wrote:
Mostly down to just the bulk commercial spammers. I usually /dev/null spam, but decided to disable SpamAssassin and go after a nice list. Only got two mails in the last 12 hours, so it is cool. I get lots of political and real estate spammers due to the jobs I have had and my mail being on their lists... a list you can never get off. So listing them was the perfect thing. So without SpamAssassin, going good so far. Almost nothing.
When I get one or two a day I just add them to the list, lol.
I am happy to not have hundreds a day anymore... so happy.
On Fri, March 30, 2012 5:26 am, Nataraj wrote:
So, for example, if I assign an email address for incoming mail from a mailing list, set up a whitelist entry that only allows that address to receive email from the mail servers that serve that mailing list, and then blacklist all other incoming mail to that address, it is very effective
So, for example, if you unsubscribed from this list and, after that, I wanted either to:
1) contact you directly to know more about your antispam setup
2) offer you a job as system administrator since you are so skilled
and I sent such an email to the address you use to post to this list (the only contact info I have), not only would you never receive it, but (if you implement this server-wide) ALL your email USERS would stop receiving legitimate email from me?
Am I missing something? If not, yours is a smart solution, indeed.
On 30.3.2012 05:26, Nataraj wrote:
The way that I finally got rid of all the residual spam that makes it through greylisting, SPF, SpamAssassin, and ClamAV is to hand out unique mail addresses and use black/whitelists. So, for example, if I assign an email address for incoming mail from a mailing list, set up a whitelist entry that only allows that address to receive email from the mail servers that serve that mailing list, and then blacklist all other incoming mail to that address, it is very effective.
But how do you tell which mail servers are "serving" that mailing list? That's the thing SPF or similar is supposed to do, isn't it? Don't tell me you are looking at the MX records! Incoming and outgoing mail servers are not necessarily the same.
On 3/30/2012 7:48 AM, Markus Falb wrote:
Clients... senders... HELO... from the logs and the mailings. Usually with the bulk commercial 'legitimate' spammers, their entire system is configured correctly, as are their headers, to avoid SpamAssassin and common mail screenings. From that you slowly whittle them down. From this I have found certain bulk mailers, especially political and real estate, have a certain grouping of outgoing relays... like 'ala'mail.net, 'ala'mode.com, vocus.com, vocsmail.com, etc.
And once I got all the others out, it was very evident based on the layout of the mail who is sending it... basically like 4 or 5 types... Kinda cool to start seeing the patterns.
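The whittling-down Bob describes (pulling client, sender and HELO out of the Postfix logs until the relay groups become obvious, then feeding those relays into the Postfix access file) can be scripted. The example below is added here and is not Bob's script; the log lines, queue IDs, hostnames and sender domains are constructed for illustration and follow the usual postfix/smtpd and postfix/qmgr line layout. It joins the "client=" line of each queue ID to its "from=<...>" line, also reads NOQUEUE reject lines (which already carry both), groups envelope-sender domains by relay domain, and emits access(5) map lines for relays that carry mail for several unrelated sender domains.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed Postfix line format; not the poster's logs).
SAMPLE_LOG = """\
Mar 30 08:01:12 mx postfix/smtpd[2231]: 1A2B3C4D5E: client=relay1.bulkmail.example[203.0.113.10]
Mar 30 08:01:12 mx postfix/cleanup[2240]: 1A2B3C4D5E: message-id=<a@bulkmail.example>
Mar 30 08:01:13 mx postfix/qmgr[1800]: 1A2B3C4D5E: from=<news@realty-campaign.example>, size=5123, nrcpt=1 (queue active)
Mar 30 09:15:40 mx postfix/smtpd[2310]: 6F7A8B9C0D: client=relay7.bulkmail.example[203.0.113.77]
Mar 30 09:15:41 mx postfix/qmgr[1800]: 6F7A8B9C0D: from=<votes@candidate-pac.example>, size=8800, nrcpt=1 (queue active)
Mar 30 10:22:05 mx postfix/smtpd[2401]: NOQUEUE: reject: RCPT from relay3.bulkmail.example[198.51.100.9]: 554 5.7.1 <relay3.bulkmail.example[198.51.100.9]>: Client host rejected: Access denied; from=<news@realty-campaign.example> to=<bob@example.org> proto=ESMTP helo=<relay3.bulkmail.example>
Mar 30 11:00:00 mx postfix/smtpd[2500]: 0E1F2A3B4C: client=mail.centos.org[192.0.2.5]
Mar 30 11:00:01 mx postfix/qmgr[1800]: 0E1F2A3B4C: from=<centos-bounces@centos.org>, size=4000, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r": (?P<qid>[0-9A-F]+): client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: .*?from=<(?P<sender>[^>]*)> to=<")


def parse_postfix_log(text):
    """Return (envelope_sender, relay_host, relay_ip) for every delivery attempt.

    Accepted mail is logged across two lines (smtpd 'client=' and qmgr
    'from=<>') that share a queue ID; rejected mail carries everything on
    the single NOQUEUE line."""
    clients = {}   # queue id -> (host, ip)
    events = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append((m.group("sender"), m.group("host"), m.group("ip")))
            continue
        m = CLIENT_RE.search(line)
        if m:
            clients[m.group("qid")] = (m.group("host"), m.group("ip"))
            continue
        m = FROM_RE.search(line)
        if m and m.group("qid") in clients:
            host, ip = clients[m.group("qid")]
            events.append((m.group("sender"), host, ip))
    return events


def domain_of(name):
    """Crude registrable-domain guess: the last two labels. This is an
    assumption for the example; real code should consult the public suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def relay_groups(events):
    """Map each relay domain to the set of envelope-sender domains seen through it."""
    groups = defaultdict(set)
    for sender, host, _ip in events:
        if "@" not in sender:
            continue   # null sender (bounces) carries no domain to group on
        groups[domain_of(host)].add(domain_of(sender.split("@", 1)[1]))
    return groups


def access_map_entries(groups, min_senders=2):
    """Postfix access(5) lines for relays that deliver for several sender
    domains other than their own: the bulk-mailer signature. The leading dot
    makes the entry match every subdomain of the relay."""
    lines = []
    for relay, senders in sorted(groups.items()):
        if len(senders) >= min_senders and relay not in senders:
            lines.append(".%s\tREJECT bulk mailer: %s" % (relay, ", ".join(sorted(senders))))
    return lines


if __name__ == "__main__":
    for entry in access_map_entries(relay_groups(parse_postfix_log(SAMPLE_LOG))):
        print(entry)
```

Lines written to, say, /etc/postfix/client_access need `postmap hash:/etc/postfix/client_access` and a `check_client_access hash:/etc/postfix/client_access` entry in smtpd_client_restrictions; review the list before installing it, since a shared outbound relay (a hosting provider's smarthost) also looks like "many sender domains through one relay".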
On 03/30/2012 04:48 AM, Markus Falb wrote:
My white/blacklisting software happens to allow regular expressions as well as IP addresses and has the capability to match on one or more of the following fields in the message:
- envelope sender
- envelope recipient
- HELO name
- remote IP address
- remote hostname
When it matches on remote hostname, it does a reverse DNS lookup. I already have my mail server configured so that it will not accept mail from any site for which the forward and reverse DNS entries do not match. So I can create a whitelist entry which allows .*.centos.org or .*@centos.org.
Yes, it limits the ability for people to contact me off list, but people that need to reach me seem to find a way. There is a price for everything. If you happen to own a three-letter domain name that was around from the days of the original ARPANET, and you have had a bad enough spam problem, then it may be worthwhile to pay that price. I am on a fair number of mailing lists and find that spammers do harvest addresses on these lists.
Generally, when I join a new list, I just create the unique email address, but don't do the whitelist/blacklist thing until I start seeing spam to that address, so I can tell which of the lists or people I gave my email address to harvested or leaked it.
I've seen my email address leaked to spammers from presumably secure sites like major banks and financial institutions, various websites where I've made online purchases, etc. It is unbelievable how insecure these supposedly secure sites are. On two occasions I reported to a major financial institution that they had leaked my email address, and after several months got back a notice that they had found that the security of their systems had been compromised, but assured me that it affected only my email address and not my bank account or other personal information.
Yes, it is the case that I generally do not recommend this technique to inexperienced users. For my users I do the best I can with greylisting, SpamAssassin, etc. For users who do not highly publicize their email address this is usually enough. I have one client, though, that advertises their customer service email address and has a massive spam problem. I told them that the best way to solve that was to create a properly designed web page for customer service requests that was protected from automated submission methods.
There are also tools that implement auto-whitelisting, which send out an auto-response requiring the user to send back a confirmation or click on a web page and be automatically whitelisted. Some people are strongly opposed to this method because it will generate more spam to whatever return address is given in the spam that you do receive. This would not work so well for things like receiving a confirmation message for your online purchase from amazon.com.
Nataraj
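Nataraj's per-address scheme (a unique recipient per list, a whitelist of who may deliver to it, everything else to that address blacklisted, matched on envelope sender, HELO, client IP and the verified reverse hostname) maps directly onto a Postfix policy server. The code below is an added example, not Nataraj's software: it implements the decision logic for one request in the Postfix policy-delegation format (attribute names as documented in SMTPD_POLICY_README), with a constructed rule table and constructed request; every address, network and domain in it is a placeholder. Which servers "serve" a list (Markus's question) is still something the operator writes into the table; the code does not derive it from SPF or MX records.

```python
import ipaddress
import re

# Constructed rule table (an assumption for this example). Each unique
# per-list recipient maps to the patterns that may deliver to it:
#   "client_name" = reverse DNS name Postfix already verified (regex)
#   "helo"        = HELO/EHLO string (regex)
#   "sender"      = envelope sender (regex)
#   "client"      = connecting IP network, CIDR form
WHITELIST = {
    "centos-list@example.org": [
        {"client_name": r".*\.centos\.org$"},
        {"sender": r".*@centos\.org$"},
    ],
    "shop-receipts@example.org": [
        {"client": "192.0.2.0/24", "sender": r"^receipts@shop\.example$"},
    ],
}

# Constructed request as Postfix sends it at RCPT time (values are made up).
SAMPLE_REQUEST = """\
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=ESMTP
client_address=192.0.2.5
client_name=mail.centos.org
reverse_client_name=mail.centos.org
helo_name=mail.centos.org
sender=centos-bounces@centos.org
recipient=centos-list@example.org

"""

FIELD_TO_ATTR = {"client_name": "client_name", "helo": "helo_name", "sender": "sender"}


def parse_policy_request(blob):
    """Parse one name=value request (terminated by an empty line) into a dict."""
    attrs = {}
    for line in blob.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs


def rule_matches(rule, attrs):
    """Every condition in a rule must hold. Regex fields are matched
    case-insensitively from the start of the value; "client" is a CIDR test."""
    for field, pattern in rule.items():
        if field == "client":
            try:
                addr = ipaddress.ip_address(attrs.get("client_address", ""))
            except ValueError:
                return False
            if addr not in ipaddress.ip_network(pattern):
                return False
        else:
            value = attrs.get(FIELD_TO_ATTR[field], "")
            if not re.match(pattern, value, re.IGNORECASE):
                return False
    return True


def decide(attrs, whitelist=WHITELIST):
    """Return a Postfix policy action for one request.

    client_name == "unknown" means Postfix could not confirm that forward and
    reverse DNS agree, so a reverse-name rule can never be satisfied (the same
    effect as refusing mail whose forward/reverse records disagree). A
    recipient that has rules is accepted only when some rule matches and is
    rejected otherwise (the blacklist half); a recipient without rules gets
    DUNNO so the remaining restrictions decide. DUNNO rather than OK is
    returned on a match as well, so greylisting and SpamAssassin still run.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    rules = whitelist.get(attrs.get("recipient", "").lower())
    if rules is None:
        return "DUNNO"
    attrs = dict(attrs)
    if attrs.get("client_name", "unknown") == "unknown":
        attrs["client_name"] = ""
    for rule in rules:
        if rule_matches(rule, attrs):
            return "DUNNO"
    return "REJECT Sender not whitelisted for this address"


def policy_response(blob):
    """Wire response for one request: the action line plus the blank terminator."""
    return "action=%s\n\n" % decide(parse_policy_request(blob))
```

Wrapped in a small socket loop that reads one request up to the blank line and writes `policy_response()` back, it is attached with `check_policy_service inet:127.0.0.1:PORT` in smtpd_recipient_restrictions (the port is whatever the loop listens on). Because the policy is keyed on the recipient, a mistake in the table only affects that one per-list address, not the rest of the domain.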