HOWTO: Spam control for POSTFIX

Discussion in 'Tips/Tricks/Mods' started by crypted, Sep 8, 2010.

  1. edge

    edge Active Member Moderator

    Okay, I've changed Rsyslog to its original state. If I want to set up a cronjob, what scripts do I need to run?
    Only the two scripts?

     
  2. crypted

    crypted Member

    Just those two scripts, yes.

    Actually, the postgrey script isn't extremely necessary unless you're just wanting to see what it's doing/has done over the past day specifically. The other script will mention greylisting as well as other methods and their rates.

    I quit using both scripts after about two weeks because it was so successful. Didn't need mailbox clutter showing me how well it was cleaning up other clutter! :)
     
  3. crypted

    crypted Member

    I would recommend removing ", reject_rbl_client multihop.dsbl.org" from your Postfix main.cf. It has been fully deactivated and will cause a second delay (not much) right now. Should its DNS be dropped entirely, it might be a big staller.

    :)
     
  4. Rupert

    Rupert New Member

    Hi,

    is there any chance to enable/disable greylisting for each mailbox/domain?

    I guess it would work by adding each mailbox to the postgrey whitelist file,
    but is there a plugin for ispconfig to do this?

    greetings
     
    Last edited: Oct 28, 2010
  5. crypted

    crypted Member

    No plugin for ISPC3 is available at this point.

    But, just edit "/etc/postgrey/whitelist_recipients" and add the mailboxes you wish to exclude.

    For example, if you want to exclude "[email protected]" add that exact email address. Or, if you want to exclude all abuse emails on every domain, just add "abuse@" to the file.

    It's one email address per line.
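    To see which recipients such a whitelist file would exempt before editing it on a production server, here is an added checker (my own illustration, not postgrey's code and not part of this thread). It models the entry forms postgrey documents for whitelist_recipients: an exact address, a "localpart@" entry that matches that local part on every domain, a bare domain that also matches its subdomains, and a /regex/ entry. The file contents, mailbox names and domains are constructed; postgrey's own matching may differ in details such as case handling.

```python
"""Added example: check which recipients a postgrey-style whitelist_recipients
file would exempt from greylisting. This is my own illustration of the entry
forms postgrey documents (exact address, "localpart@", domain/subdomain,
/regex/); it is not postgrey's code. The whitelist content is constructed."""
import re

# Constructed sample of /etc/postgrey/whitelist_recipients (assumption: same
# entry forms as postgrey's default file; comments and blank lines are ignored).
SAMPLE_WHITELIST = """\
# default entries shipped with postgrey
postmaster@
abuse@
# exempt one mailbox and one whole domain (constructed examples)
bob@mail.example.com
partner.example
/^noreply-\\d+@/
"""


def parse_whitelist(text):
    """Return a list of (kind, value) rules parsed from the file text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/") and line.endswith("/") and len(line) > 2:
            # /.../ entries are regular expressions matched against the address
            rules.append(("regex", re.compile(line[1:-1], re.IGNORECASE)))
        elif line.endswith("@"):
            # "abuse@" matches the local part on any domain
            rules.append(("localpart", line[:-1].lower()))
        elif "@" in line:
            # full address: exact match only
            rules.append(("address", line.lower()))
        else:
            # bare domain: matches the domain and all of its subdomains
            rules.append(("domain", line.lower()))
    return rules


def is_whitelisted(recipient, rules):
    """True if any rule matches; such a recipient would skip greylisting."""
    rcpt = recipient.lower()
    local, _, domain = rcpt.partition("@")
    for kind, value in rules:
        if kind == "address" and rcpt == value:
            return True
        if kind == "localpart" and local == value:
            return True
        if kind == "domain" and (domain == value or domain.endswith("." + value)):
            return True
        if kind == "regex" and value.search(rcpt):
            return True
    return False


if __name__ == "__main__":
    rules = parse_whitelist(SAMPLE_WHITELIST)
    for rcpt in ("abuse@anything.example", "bob@mail.example.com",
                 "carol@mail.example.com", "someone@sub.partner.example",
                 "noreply-42@news.example"):
        print(f"{rcpt:32} greylist skipped: {is_whitelisted(rcpt, rules)}")
```

    Run it against a copy of your real whitelist file and a handful of recipient addresses to confirm that a bare domain entry also exempts every subdomain, which is usually wider than intended.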
     
  6. Turbanator

    Turbanator Member HowtoForge Supporter

  7. crypted

    crypted Member

    Before I give much of a response, are you still having SPAM issues?

    I literally have 99.8% spam filtration.

    The reason for asking is that the more things we stick into our spam filtering plan, the more load the server will have in handling all incoming mail and the increased risk of delivery delays for time sensitive traffic on production systems.
     
  8. Turbanator

    Turbanator Member HowtoForge Supporter

    I do have a lot of spam still but much less than before.

    One note though...I never implemented your spam email honey pot trick which I think is an excellent idea...and as you can see from my signature, I'm starting it now.

    All the bulk spam coming through now seems to come in waves to people on a list somewhere...so if I can get my honeypot email on the same list, it should take care of it.
     
  9. crypted

    crypted Member

    If the normal measures don't work, or aren't stopping the spam entirely to your liking, then SPF could be useful.

    Also, SPF is being adopted globally by many tech companies and governments. So, that's a cool deal. Remember SPF does use DNS entries to assist in validity checks.

    I'll make a reminder to write a new HOWTO including SPF in the near future.
     
  10. drewb0y

    drewb0y Member

    Possibility of blocking IP's or ranges using IPTables

    I have implemented the spam blocking you have suggested here and it is doing a great job so far. One thing I am thinking it would be nice to do is to somehow have an automated process that takes the IP addresses of offending spam senders and then adds it to an iptables filter.

    For example, I have seen thousands of messages coming through from several IPs in the Ukraine all from ukrtel.net. (Dictionary spamming) They are all getting caught by either greylisting or the blacklists.

    What I want to know is if there is an easy way to block these major offenders at the firewall level, so that their mail never even makes it to postfix to be rejected.

    There are a few I have identified that I wouldn't mind blocking the ISPs whole netblocks, if I could figure out what ranges they own.

    My server is actually handling it all at the moment, but I also only have about 1/3 of the domains on it that it will eventually host for email. I'd like to reduce the load of what it has now as much as possible before I add more to it.

    Thanks in advance for any ideas.
     
  11. crypted

    crypted Member

    drewb0y have you thought about modifying the postgrey information script in my second or third post? Instead of having it email, you could have it output to a file and parse to count recurrences.

    Maybe an if/then that 5+ occurrences in a day = ipfilter rule?
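    The counting step that post sketches, as an added example (my own code, not the postgrey script from earlier in the thread): read mail-log lines, count greylist actions and RBL rejections per client IP, and emit firewall rules for any address that crosses the 5-per-day threshold suggested above. The log lines are constructed and only approximate postgrey and Postfix syslog output; the IP addresses are documentation ranges, and the never_block list stands in for your own relays and monitoring hosts.

```python
"""Added example (my own illustration, not a script from this thread): count
greylist actions and RBL rejections per client IP from mail-log lines, then
emit firewall rules for repeat offenders. Log lines are constructed and only
approximate postgrey/Postfix syslog formats; the threshold of 5 follows the post."""
import re
from collections import Counter

# Constructed sample of /var/log/mail.log entries (formats are an assumption).
SAMPLE_LOG = """\
Feb 15 07:20:01 ns1 postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=a1@spam.example, recipient=u1@example.com
Feb 15 07:20:02 ns1 postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=a2@spam.example, recipient=u2@example.com
Feb 15 07:20:03 ns1 postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=a3@spam.example, recipient=u3@example.com
Feb 15 07:20:04 ns1 postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.10, sender=a4@spam.example, recipient=u4@example.com
Feb 15 07:21:00 ns1 postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org; from=<a5@spam.example> to=<u5@example.com> proto=ESMTP helo=<x>
Feb 15 07:22:00 ns1 postgrey[1234]: action=greylist, reason=new, client_name=mail.partner.example, client_address=198.51.100.7, sender=bob@partner.example, recipient=u1@example.com
Feb 15 07:33:00 ns1 postgrey[1234]: action=pass, reason=triplet found, client_name=mail.partner.example, client_address=198.51.100.7, sender=bob@partner.example, recipient=u1@example.com
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# postgrey line where the triplet was new and the client was told to retry
GREYLIST_RE = re.compile(r"postgrey\[\d+\]: action=greylist, .*?client_address=" + IPV4)
# Postfix smtpd line where an RBL (reject_rbl_client) refused the client
RBL_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[" + IPV4 + r"\]: .*blocked using")


def count_offences(lines):
    """Return Counter of client IP -> number of greylist or RBL-reject events."""
    counts = Counter()
    for line in lines:
        for pattern in (GREYLIST_RE, RBL_RE):
            m = pattern.search(line)
            if m:
                counts[m.group(1)] += 1
                break  # one event per log line
    return counts


def offenders(counts, threshold=5, never_block=()):
    """IPs at or above the threshold, excluding hosts you must never firewall."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in set(never_block))


def iptables_rules(ips):
    """Build the rule commands (returned as strings, not executed) that would
    drop SMTP from each IP before Postfix ever sees the connection."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = count_offences(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} events")
    for rule in iptables_rules(offenders(counts, never_block=["198.51.100.7"])):
        print(rule)
```

    Two caveats when turning this into a cronjob: a greylist action alone is also what every legitimate first-time sender gets, so count only repeat hits (the threshold does this) and keep your own relays in never_block; and rules added this way never expire, which is why a tool such as fail2ban, which bans for a fixed time and then unbans, is the safer way to apply the list.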
     
  12. edge

    edge Active Member Moderator

  13. drewb0y

    drewb0y Member

    Thanks Edge, I just implemented that and within the first 5 minutes it banned 14 different IP addresses. I still plan to implement the country blocking somehow, but this should help for a while.

    I did increase the fail2ban timeout to 20 minutes instead of 10 as well.

     
  14. drewb0y

    drewb0y Member

    Hmmm

    That has definite possibilities, but I would have no idea how to implement that. My programming skills basically extend as far as copying something already done and modifying it for my situation.

     
  15. crypted

    crypted Member

    I completely forgot about fail2ban, thanks Edge.

    I'll add that to my list of things to add to a new HOWTO in the near future.

    Thankfully, we have a great group of us here to throw things around to build the best (free) method for fighting spam on our ISPCONFIG-based servers.
     
  16. drewb0y

    drewb0y Member

  17. Turbanator

    Turbanator Member HowtoForge Supporter

    My spam has greatly dropped but I still get hit each night...(I swear my users sign up on spam lists just to piss me off) Even though we move a ton of email into the Junk folder and train SA each night, plenty of spam still gets through. It seems many are those damned image spam.

    I think there is an image spam filter, (without setting up an awesome spamsnake), has anyone implemented that in our setup here (not spamsnake) on a "perfect server".

    I'm curious about the extra server load and how well it works.

    Also, I believe spamassassin is updated when ispconfig is, so I haven't upgraded to the newest SA yet and waiting for the next ispc release. Is everyone using the default with ispc (3.2.5) or has anyone gone past what is installed and is running the latest SA 3.3.1?
     
  18. crypted

    crypted Member

    Can you post the header and content of a few of those emails as CODE?
     
  19. Turbanator

    Turbanator Member HowtoForge Supporter

    Here is one sample that isn't an image spam, but it does represent a huge number that get through...notice the spam tag. And I'll get a bunch in a row from the same fake domain. We manually move these into junk folders and "learn" nightly but I don't think there is enough info for SA to learn anything.

    If you want, PM me, and I'll forward one directly to you to see if yours filters.

    Code:
    +OK 2628 octets follow.
    Return-Path: <MAILER-DAEMON>
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    	by ns1.heredns.com (Postfix) with ESMTP id BBAFE10B42DC
    	for <[email protected]>; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at ns1.heredns.com
    X-Spam-Flag: NO
    X-Spam-Score: -2.499
    X-Spam-Level: 
    X-Spam-Status: No, score=-2.499 tagged_above=-100 required=2.88
    	tests=[BAYES_00=-2.599, RDNS_NONE=0.1]
    Received: from ns1.heredns.com ([127.0.0.1])
    	by localhost (ns1.heredns.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id BwsAmpARgQ1p for <[email protected]>;
    	Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    Received: by ns1.heredns.com (Postfix, from userid 5000)
    	id 9A56110B42D8; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    Delivered-To: [email protected]
    Received: from localhost (localhost [127.0.0.1])
    	by ns1.heredns.com (Postfix) with ESMTP id 8FB5310B42DC
    	for <[email protected]>; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    X-Virus-Scanned: Debian amavisd-new at ns1.heredns.com
    Received: from ns1.heredns.com ([127.0.0.1])
    	by localhost (ns1.heredns.com [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id 4hB6JyN8jwL9 for <[email protected]>;
    	Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    X-Greylist: delayed 604 seconds by postgrey-1.31 at ns1.heredns.com; Tue, 15 Feb 2011 07:36:41 PST
    Received: from gqep.proulseraw.com (unknown [174.36.86.118])
    	by ns1.heredns.com (Postfix) with ESMTP id 2766010B42D8
    	for <[email protected]>; Tue, 15 Feb 2011 07:36:41 -0800 (PST)
    Message-ID: <[email protected]>
    Date: Tue, 15 Feb 2011 09:20:59 -0600
    To: <[email protected]>
    From: "Karen Miller" <[email protected]>
    Mime-Version: 1.0
    Subject: Earn your share of this $59 billion industry
    User-Agent: Cert - OutMode/2.0 tigww/2.73b3
    X-Mailer: Firefox / 3.2
    Accept-Language: en - us
    Content-Language: en - us
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    X-EsetId: 06519D20EC8831375713
    
    Internet Job Locator: #1 site for online jobs
    
    
    For more information and to view positions click here:
    http://gqep.proulseraw.com/2438b36396769379324611396256dab50136a9
    
    
    
    Thank you for visiting the Locator
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    Unsubscribe: http://gqep.proulseraw.com/2438b36396769379324612396256dab50136a9
    or send mail to: unsubscribe
    2764 N. Green Valley Pkwy Suite 394
    Henderson, NV 89014
    
    Click this link to unsubscribe: http://gqep.proulseraw.com/396256dab50136a912438b36396769379
    
    
    I'll look for an image one and post here as well.
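    The headers above already say why this message was delivered, and an added parser (my own code, not part of the thread or of SpamAssassin) makes it explicit: it unfolds the tab-continued X-Spam-Status line, pulls out score, required and the per-test contributions, and reads the postgrey delay from X-Greylist. The header block below is copied from the post with the recipient and message-id lines dropped; the field names are SpamAssassin's documented ones, but the parsing and the "explain" logic are mine.

```python
"""Added example, not part of the thread: parse the amavisd-new/SpamAssassin
headers from the sample above and state why the message was delivered.
Header text is copied from the post (address lines dropped); folding and
parsing logic is my own."""
import re

SAMPLE_HEADERS = """\
X-Virus-Scanned: Debian amavisd-new at ns1.heredns.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level:
X-Spam-Status: No, score=-2.499 tagged_above=-100 required=2.88
\ttests=[BAYES_00=-2.599, RDNS_NONE=0.1]
X-Greylist: delayed 604 seconds by postgrey-1.31 at ns1.heredns.com; Tue, 15 Feb 2011 07:36:41 PST
Received: from gqep.proulseraw.com (unknown [174.36.86.118])
\tby ns1.heredns.com (Postfix) with ESMTP id 2766010B42D8
Subject: Earn your share of this $59 billion industry
"""


def unfold_headers(text):
    """Join RFC 5322 continuation lines (leading space/tab) and return a dict of
    lower-cased header name -> value; the first occurrence of a name wins."""
    headers = {}
    name = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, value.strip())
    return headers


def parse_spam_status(value):
    """Parse 'No, score=-2.499 ... required=2.88 tests=[A=-2.6, B=0.1]'."""
    flag = value.split(",", 1)[0].strip().lower() == "yes"
    score = float(re.search(r"score=(-?[\d.]+)", value).group(1))
    required = float(re.search(r"required=(-?[\d.]+)", value).group(1))
    tests = {}
    m = re.search(r"tests=\[(.*?)\]", value)
    if m and m.group(1).strip():
        for item in m.group(1).split(","):
            test, _, contrib = item.strip().partition("=")
            tests[test] = float(contrib)
    return {"flag": flag, "score": score, "required": required, "tests": tests}


def explain(headers):
    """Summarise the verdict: how far under the threshold the message was,
    which test dominated, and how long greylisting held it."""
    status = parse_spam_status(headers["x-spam-status"])
    dominant = min(status["tests"], key=status["tests"].get) if status["tests"] else None
    delay = re.search(r"delayed (\d+) seconds", headers.get("x-greylist", ""))
    return {
        "delivered_as_ham": not status["flag"] and status["score"] < status["required"],
        "score": status["score"],
        "required": status["required"],
        "margin": status["score"] - status["required"],
        "dominant_test": dominant,
        "greylist_delay_seconds": int(delay.group(1)) if delay else None,
    }


if __name__ == "__main__":
    result = explain(unfold_headers(SAMPLE_HEADERS))
    for key, val in result.items():
        print(f"{key:24} {val}")
```

    For this sample the dominant test is BAYES_00 at -2.599, which means the Bayes database classified the body as almost certainly ham and pulled the score more than five points below required=2.88; RDNS_NONE (no reverse DNS on 174.36.86.118) added only 0.1. That is the case for feeding these messages to sa-learn as spam, as the poster does nightly, rather than for raising the required threshold.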
     
  20. crypted

    crypted Member

    It's been complete hell here, so sorry for not responding for so long but I didn't forget! Are you still having image spam problems?

    I'm working on a new mixed guide to integrate several types of protection against bad robots, email harvesters, and so forth into Apache. Testing out each piece of the puzzle one by one on my end before I finish the HOWTO and distribute it.
     
