[Dovecot] anti-spam+anti-malware suggestions
Hello people,
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful for any help or suggestion for anti-spam and anti-malware.
Thanks in advance!
-- :) cumprimentos
José Luís Faria Network Eng./Administrador de Sistemas Departamento de Informática Universidade do Minho Braga, Portugal
On 10/20/10 12:20 PM, Jose Luis Faria wrote:
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
I'm running this combination at several sites with great success:
- postfix
- dovecot
- SpamAssassin
- ClamAV
- amavisd-new
Amavisd-new is an interface to SpamAssassin and ClamAV, as well as other scanners if desired. After the initial pain of getting it running, I've concluded that there's really no other reasonable way to do it.
-Dave
-- Dave McGuire Port Charlotte, FL
I'm running dovecot + dovecot-antispam + dspam + exim. Dovecot-antispam trains DSPAM in the background when the users move the messages to another folder, so I have a knowledge base that is always updated. It works fine.
On Wed, Oct 20, 2010 at 2:48 PM, Dave McGuire mcguire@neurotica.com wrote:
On 10/20/10 12:20 PM, Jose Luis Faria wrote:
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
I'm running this combination at several sites with great success:
- postfix
- dovecot
- SpamAssassin
- ClamAV
- amavisd-new
Amavisd-new is an interface to SpamAssassin and ClamAV, as well as other scanners if desired. After the initial pain of getting it running, I've concluded that there's really no other reasonable way to do it.
-Dave
-- Dave McGuire Port Charlotte, FL
check postgrey, it works great with postfix. http://www.debuntu.org/postfix-and-postgrey-a-proactive-approach-to-spam-fil...
postgrey should, I think, be used in addition to the other suggestions.
since we started using postgrey, the amount of work done by our other anti-spam software, spamassassin, was cut at least 90%.
On Wed, Oct 20, 2010 at 1:18 PM, Fabricio Archanjo farchanjo@gmail.com wrote:
I'm running dovecot + dovecot-antispam + dspam + exim. Dovecot-antispam trains DSPAM in the background when the users move the messages to another folder, so I have a knowledge base that is always updated. It works fine.
On Wed, Oct 20, 2010 at 2:48 PM, Dave McGuire mcguire@neurotica.com wrote:
On 10/20/10 12:20 PM, Jose Luis Faria wrote:
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
I'm running this combination at several sites with great success:
- postfix
- dovecot
- SpamAssassin
- ClamAV
- amavisd-new
Amavisd-new is an interface to SpamAssassin and ClamAV, as well as other scanners if desired. After the initial pain of getting it running, I've concluded that there's really no other reasonable way to do it.
-Dave
-- Dave McGuire Port Charlotte, FL
On Wed, Oct 20, 2010 at 05:20:20PM +0100, Jose Luis Faria wrote:
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
Currently, I am using a setup with Postfix + Dovecot as well.
We're using these DNSBL blacklists:
- zen.spamhaus.org
- b.barracudacentral.org
- cbl.abuseat.org
- bl.spamcop.net
- dnsbl.njabl.org
Postfix's address verification is also quite useful for popular domains like gmail.com, hotmail.com, yahoo.com, etc.
This blocks over half of the spam we receive. Greylisting isn't really effective (we tested it and compared the stats), so we dropped it.
We're using SpamAssassin right now, but we might migrate to bogofilter as it is more accurate and uses less resources.
-- Denny Lin
Denny Lin wrote on 10/20/2010:
Currently, I am using a setup with Postfix + Dovecot as well.
We're using these DNSBL blacklists:
- zen.spamhaus.org
- b.barracudacentral.org
- cbl.abuseat.org
- bl.spamcop.net
- dnsbl.njabl.org
info:
it's not needed to use cbl.abuseat.org AND zen.spamhaus.org because
the data from cbl is included in zen.
Link: http://cbl.abuseat.org/faq.html
-- Daniel
On 2010-10-20 10:18 PM, Denny Lin wrote:
Postfix's address verification is also quite useful for popular domains like gmail.com, hotmail.com, yahoo.com, etc.
If you mean you are using *sender* address verification on these domains, you will eventually get blacklisted by them if your system has much traffic from them. Most Mail Admins consider blanket SAV as an abuse of their systems.
SAV (sender address verification) should be used sparingly, and only with domains/systems that are ok with you using it.
--
Best regards,
Charles
Does someone run dspam or just me?? I like very much this antispam solution.
On 10/21/10, Charles Marcus CMarcus@media-brokers.com wrote:
On 2010-10-20 10:18 PM, Denny Lin wrote:
Postfix's address verification is also quite useful for popular domains like gmail.com, hotmail.com, yahoo.com, etc.
If you mean you are using *sender* address verification on these domains, you will eventually get blacklisted by them if your system has much traffic from them. Most Mail Admins consider blanket SAV as an abuse of their systems.
SAV (sender address verification) should be used sparingly, and only with domains/systems that are ok with you using it.
--
Best regards,
Charles
-- Sent from my mobile device
On 2010-10-21 9:37 AM, Fabricio Archanjo wrote:
Does someone run dspam or just me?? I like very much this antispam solution.
I *much* prefer ASSP myself...
Vastly easier to install/configure than dspam, and more effective too imnsho, *especially out of the box, but even also after dspam is properly trained...
--
Best regards,
Charles
On 10/21/2010 07:37 AM, Fabricio Archanjo wrote:
Does someone run dspam or just me?? I like very much this antispam solution.
I use it with Eugene's port/fork of dovecot-antispam to dovecot 2.0. I use it with amavisd. I use postfix in the mix. On machines where people don't care about dangerous file extensions and rewrapping virus containing emails instead of just erasing them, I will use clamav-milter.
I find it works VERY well.
Trever
"Yesterday is gone. Tomorrow is too far for me. Today is what I have, and what I fight for." -- Unknown
On Thu, Oct 21, 2010 at 09:26:46AM -0400, Charles Marcus wrote:
On 2010-10-20 10:18 PM, Denny Lin wrote:
Postfix's address verification is also quite useful for popular domains like gmail.com, hotmail.com, yahoo.com, etc.
If you mean you are using *sender* address verification on these domains, you will eventually get blacklisted by them if your system has much traffic from them. Most Mail Admins consider blanket SAV as an abuse of their systems.
SAV (sender address verification) should be used sparingly, and only with domains/systems that are ok with you using it.
Oh yeah, I forgot to mention that. A better solution would be to check the rDNS or SPF record and do sender verification if it doesn't match.
-- Denny Lin
On Thu, 21 Oct 2010 21:52:38 +0800 Denny Lin dennylin93@hs.ntnu.edu.tw articulated:
Oh yeah, I forgot to mention that. A better solution would be to check the rDNS or SPF record and do sender verification if it doesn't match.
Actually, "SPF" has been going out of vogue for awhile now and sensible mail admins do not make accept/deny decisions entirely on pass/fail of SPF tests. Many SAs are finding it causes more problems than it solves. When added to the fact that its use is by no means universal, its continued use is seriously in doubt. In other words, "Use at your own risk." There are, as has been pointed out, better methods available.
-- Jerry ✌ Dovecot.user@seibercom.net
Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
"The reason we start a war is to fight a war, win a war, thereby causing no more war."
George W. Bush
October 3, 2000
Boston, Massachusetts. First Presidential Debate
On Thu, Oct 21, 2010 at 10:18:46AM -0400, Jerry wrote:
On Thu, 21 Oct 2010 21:52:38 +0800 Denny Lin dennylin93@hs.ntnu.edu.tw articulated:
Oh yeah, I forgot to mention that. A better solution would be to check the rDNS or SPF record and do sender verification if it doesn't match.
Actually, "SPF" has been going out of vogue for awhile now and sensible mail admins do not make accept/deny decisions entirely on pass/fail of SPF tests. Many SAs are finding it causes more problems than it solves. When added to the fact that its use is by no means universal, its continued use is seriously in doubt. In other words, "Use at your own risk." There are, as has been pointed out, better methods available.
True, that's why I only use it to verify whether sender verification should be done (at least it can tell me if the mail was sent from Gmail servers, etc.).
-- Denny Lin
Jose Luis Faria put forth on 10/20/2010 11:20 AM:
Hello people,
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
Thanks in advance!
This will kill a huge amount of bot spam without dnsbl queries or greylisting, both of which can be resource hogs and add serious latency:
http://www.hardwarefreak.com/fqrdns.pcre
Use the "everything under smtpd_recipient_restrictions" style of Postfix main.cf:
/etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ...
    ...
    check_client_access pcre:/etc/postfix/fqrdns.pcre
    ...
    ...
Ask for assistance on the Postfix users list: postfix-users@postfix.org
You'll get more expert advice than you will know what to do with. ;)
-- Stan
"Stan Hoeppner" stan@hardwarefreak.com wrote on 21.10.2010 10:29:50:
This will kill a huge amount of bot spam without dnsbl queries or greylisting, both of which can be resource hogs and add serious latency:
Stan, nice one. I'm wondering from where did you compile this one?
Regards, Miha
-- It's time to get rid of your current e-mail client ... ... and start using si.Mail.
It's small & free. ( http://www.simail.si/ )
Miha Vrhovnik put forth on 10/21/2010 3:01 PM:
"Stan Hoeppner" stan@hardwarefreak.com wrote on 21.10.2010 10:29:50:
This will kill a huge amount of bot spam without dnsbl queries or greylisting, both of which can be resource hogs and add serious latency:
Stan, nice one. I'm wondering from where did you compile this one?
It was donated to me, and by default the community, by an anonymous poster to the spam-l mailing list, quite some time ago. We were having a discussion about blocking dynamic/generic rDNS hosts. Many of us were using really coarse regexes that others felt would catch a lot of ham sources instead of just broadband/dynamic bots.
So, this generous gentleman donated his rDNS regex file. He was subbed with a gmail alias so there's no way to identify him (as I'm sure he prefers). Given the fully qualified nature and quality of the regexes and the fact there's over 1600 of them, and due to some of his posts, it leads me to believe he works for a major ISP/telco/etc in the US. Regardless of who he is, I'm really glad he donated this. It sure has given many a regex handicapped mail OP some seriously good additional a/s capability and saved many folk much time who are/were trying to build something similar from scratch.
Originally it was distributed as a Postfix regexp file. I ran it through PCRE and found a bunch of errors. I corrected those so it now runs as a PCRE without errors and with the added speed benefit of Postfix' PCRE engine.
Thanks again to the anonymous OP who shared this with us. :)
-- Stan
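The table lookup behind Stan's check_client_access suggestion, and his point about fully qualified versus coarse rDNS regexes, as an added example that is not part of the thread or of fqrdns.pcre. The rules, hostnames and addresses are constructed, and Python's re module stands in for Postfix's PCRE engine.

```python
import re

# Constructed tables in Postfix pcre_table(5) syntax ("/pattern/flags action").
# They are illustrative only and are NOT taken from fqrdns.pcre.
COARSE = r"""
/(dsl|dyn|dhcp|pool)/    REJECT coarse generic rDNS match
"""

QUALIFIED = r"""
# first match wins, so exceptions go above the generic rules
/^mail\.dsl\.example\.net$/                      OK
/^\d+-\d+-\d+-\d+\.dsl\.example\.net$/           REJECT generic DSL rDNS
/^(dhcp|dyn|pool)-[\w-]+\.cable\.example\.org$/  REJECT dynamic cable rDNS
"""

def parse_table(text):
    """Return [(compiled_regex, action)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([A-Za-z]*)\s+(.+)$", line)
        if m is None:
            raise ValueError("unparsable rule: " + line)
        pattern, flags, action = m.groups()
        # pcre_table(5): case-insensitive by default; the "i" flag toggles that.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def check_client_access(rules, hostname, address):
    """Look up the client hostname, then the address. None means no rule
    matched, so Postfix would move on to the next restriction."""
    for key in (hostname, address):
        for regex, action in rules:
            if regex.search(key):
                return action
    return None

# Constructed client samples: (rDNS hostname, IP address).
CLIENTS = [
    ("192-0-2-10.dsl.example.net", "192.0.2.10"),
    ("DHCP-7f3a.cable.example.org", "198.51.100.7"),
    ("mail.dsl.example.net", "192.0.2.25"),
    ("smtp.pool-supplies.example.com", "203.0.113.5"),
]

def compare():
    """Map each hostname to (coarse verdict, fully qualified verdict)."""
    coarse, qualified = parse_table(COARSE), parse_table(QUALIFIED)
    return {h: (check_client_access(coarse, h, a),
                check_client_access(qualified, h, a)) for h, a in CLIENTS}

if __name__ == "__main__":
    for host, (c, q) in compare().items():
        print(f"{host:32} coarse={c!r:36} qualified={q!r}")
```

The last two constructed hosts are the ham case: the coarse rule rejects both, while the anchored, fully qualified rules let them through.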
On Fri, Oct 22, 2010 at 05:58:46AM -0500, Stan Hoeppner wrote:
It was donated to me, and by default the community, by an anonymous poster to the spam-l mailing list, quite some time ago. We were having a discussion about blocking dynamic/generic rDNS hosts. Many of us were using really coarse regexes that others felt would catch a lot of ham sources instead of just broadband/dynamic bots.
Some of my friends prefer to put dynamic hosts (and hosts which don't provide a real domain name/IP literal with HELO/EHLO) into greylisting. This way gives some failover for mistakes within the list of dynamic hosts, and there is no conflict with large mail systems which send outbound mail from different hosts (they mostly have reverse DNS records not matching the lists).
Sorry for offtopic.
Dmitri V. Ivanov put forth on 10/22/2010 11:01 AM:
On Fri, Oct 22, 2010 at 05:58:46AM -0500, Stan Hoeppner wrote:
It was donated to me, and by default the community, by an anonymous poster to the spam-l mailing list, quite some time ago. We were having a discussion about blocking dynamic/generic rDNS hosts. Many of us were using really coarse regexes that others felt would catch a lot of ham sources instead of just broadband/dynamic bots.
Some of my friends prefer to put dynamic hosts (and hosts which don't provide a real domain name/IP literal with HELO/EHLO) into greylisting. This way gives some failover for mistakes within the list of dynamic hosts, and there is no conflict with large mail systems which send outbound mail from different hosts (they mostly have reverse DNS records not matching the lists).
Sorry for offtopic.
I think most of us that use something like this pcre also use greylisting. I use super selective Postgrey, well after all other checks, as a safety net of sorts.
-- Stan
Jose Luis Faria wrote on 10/20/2010:
Hello people,
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
You can use several blacklists or header/body checks to block spam or
malware to save your resources. Another useful feature is the
upcoming Postfix server "postscreen" - this feature will be available
in Postfix 2.8.
Info: http://www.postfix.org/POSTSCREEN_README.html
Some header checks and maybe zen.spamhaus.org should block 85-95% of
spam. All other messages can be scanned with
spamassassin/amavisd/clamav or other commercial products.
To block malware you could also look at: http://www.malwarepatrol.net/
Start with some good Postfix restrictions and then you can extend your
setup with other filters/blacklists...
-- Daniel
On 10/20/2010 9:20 AM, Jose Luis Faria wrote:
Hello people,
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
Thanks in advance!
You can try a front end spam filter service and not have to deal with it at all. http://www.junkemailfilter.com
Am 25.10.2010 um 19:40 schrieb Marc Perkel:
On 10/20/2010 9:20 AM, Jose Luis Faria wrote:
Hello people,
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
Thanks in advance!
You can try a front end spam filter service and not have to deal with it at all. http://www.junkemailfilter.com
The best anti-spam system is ASSP. Install it, train it and you have 99.8% of all spam eliminated on the server. We have used it for years with very good results.
Robert M. Münch Mobil: +49 177 245 2802
Smarter|Better|Faster
Saphirion Ltd & Co KG Schumannstr. 3 D - 76185 Karlsruhe Tel : +49 721 5978501 Fax: +49 721 5978502
Registergericht: Amtsgericht Mannheim HRA 105339
Alleinige persönlich haftende Gesellschafterin: Quiyo Verwaltungs Limited Registered Office: 76 High Street, Newport Pagnell, Milton Keynes, MK 16 8AQ, Great Britain. Company Number: 5705018 Vertretungsberechtigter Geschäftsführer: Robert M. Münch
Umsatzsteuer-Identifikationsnummer gemäß § 27 a Umsatzsteuergesetz: DE 24939452. Inhaltlich Verantwortlicher gemäß § 10 Absatz 3 MDStV: Robert M. Münch (Anschrift wie oben)
I use spamassassin, postfix, mailscanner, dovecot.
Before, I used postgrey, but it was giving too many problems because we scaled to many hosts.
I am looking for sqlgrey now to test it.
[]'sf.rique
On Mon, Oct 25, 2010 at 5:52 PM, "Robert M. Münch" < robert.muench@saphirion.com> wrote:
Am 25.10.2010 um 19:40 schrieb Marc Perkel:
On 10/20/2010 9:20 AM, Jose Luis Faria wrote:
Hello people,
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
Thanks in advance!
You can try a front end spam filter service and not have to deal with it at all. http://www.junkemailfilter.com
The best anti-spam system is ASSP. Install it, train it and you have 99.8% of all spam eliminated on the server. We have used it for years with very good results.
Robert M. Münch Mobil: +49 177 245 2802
Smarter|Better|Faster
Saphirion Ltd & Co KG Schumannstr. 3 D - 76185 Karlsruhe Tel : +49 721 5978501 Fax: +49 721 5978502
Registergericht: Amtsgericht Mannheim HRA 105339
Alleinige persönlich haftende Gesellschafterin: Quiyo Verwaltungs Limited Registered Office: 76 High Street, Newport Pagnell, Milton Keynes, MK 16 8AQ, Great Britain. Company Number: 5705018 Vertretungsberechtigter Geschäftsführer: Robert M. Münch
Umsatzsteuer-Identifikationsnummer gemäß § 27 a Umsatzsteuergesetz: DE 24939452. Inhaltlich Verantwortlicher gemäß § 10 Absatz 3 MDStV: Robert M. Münch (Anschrift wie oben)
Il giorno 20/ott/2010, alle ore 18.20, Jose Luis Faria ha scritto:
Hello people,
I am using now qmail in cluster with LDAP + Interscan Messaging Security Suite from Trendmicro.
I need to develop a new solution with:
- postfix
- dovecot
- anti-spam
- anti-malware.
I am thankful any help or suggestion for anti-spam and anti-malware.
Thanks in advance!
—
+1 for ASSP. I’ve installed it three months ago, left it in learning mode for two weeks, then set it up, then after a month refined configuration. 99.97% spam blocked here!
Regards A.
participants (16)
- "Robert M. Münch"
- Andre
- Charles Marcus
- Daniel Luttermann
- Dave McGuire
- Denny Lin
- Dmitri V. Ivanov
- Fabricio Archanjo
- Henrique Fernandes
- Jerry
- Jose Luis Faria
- Marc Perkel
- Miha Vrhovnik
- Robert Fantini
- Stan Hoeppner
- Trever L. Adams