
Postfix: deliver-to-spam-folder analog of reject_rbl_client

  • Покотиленко Костик
    Message 1 of 29 , Oct 26, 2010
      Hi,

      I have the following postfix configuration:

      smtpd_recipient_restrictions =
      permit_mynetworks,
      permit_sasl_authenticated,
      reject_unknown_client_hostname,
      reject_unknown_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_helo_hostname,
      reject_invalid_helo_hostname,
      check_recipient_access hash:/etc/postfix/recipients_access,
      check_client_access cidr:/etc/postfix/access_noauth,
      reject_unauth_destination,
      check_client_access hash:/etc/postfix/rbl_whitelist,
      check_sender_access hash:/etc/postfix/rbl_sender_whitelist,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client zen.spamhaus.org,
      reject_rbl_client spam.dnsbl.sorbs.net,
      reject_rbl_client recent.spam.dnsbl.sorbs.net,
      check_sender_access hash:/etc/postfix/rhsbl_sender_domain_whitelist,
      reject_rhsbl_client dbl.spamhaus.org,
      reject_rhsbl_helo dbl.spamhaus.org,
      reject_non_fqdn_sender,
      reject_rhsbl_sender dsn.rfc-ignorant.org,
      reject_rhsbl_sender dbl.spamhaus.org,
      check_sender_access hash:/etc/postfix/sender_access,
      reject_unverified_sender,
      reject_unverified_recipient,
      reject_unlisted_recipient,
      check_sender_access hash:/etc/postfix/maps/verify_domain

      which is working fine but...

      sorbs.net is very aggressive, many ISPs get blocked for several years and
      are not willing to delist b/c sorbs doesn't offer free delisting for them.

      So there is a problem with false positives. There are not many of them,
      but every case needs additional investigation.

      On the other hand, this combination (spamhaus.org + sorbs.net) lets almost
      no spam through; it doesn't even leave anything for SpamAssassin,
      so I don't want to remove the checks.

      So the question is: how is it possible to direct spam mail to a user's
      IMAP spam folder?

      Postfix delivers to Cyrus via LMTP. I googled a lot for this question and
      the only way of doing this I was able to find is to use procmail +
      maildrop.

      If there is a way to set a specific header instead of rejecting mail it
      would be easy to move tagged mail to the spam folder with Sieve filters. This
      would be the preferred variant.

      --
      Покотиленко Костик <casper@...>
    • Покотиленко Костик
      Message 2 of 29 , Oct 26, 2010
        I'm now trying to move all RBL and RHSBL checks to policyd-weight. In
        policyd-weight I set "$ADD_X_HEADER = 1" and a very high score so it never
        matches.

        Then I plan to parse "X-policyd-weight" header with sieve script on
        cyrus to move spam to separate imap folder. Header looks like this:

        X-policyd-weight: using cached result; rate: -6.6

        If somebody has tried this or has a better solution please share your
        experience.

        On Tue, 26/10/2010 at 14:11 +0300, Покотиленко Костик wrote:
        > Hi,
        >
        > I have the following postfix configuration:
        >
        > smtpd_recipient_restrictions =
        > permit_mynetworks,
        > permit_sasl_authenticated,
        > reject_unknown_client_hostname,
        > reject_unknown_hostname,
        > reject_non_fqdn_hostname,
        > reject_non_fqdn_helo_hostname,
        > reject_invalid_helo_hostname,
        > check_recipient_access hash:/etc/postfix/recipients_access,
        > check_client_access cidr:/etc/postfix/access_noauth,
        > reject_unauth_destination,
        > check_client_access hash:/etc/postfix/rbl_whitelist,
        > check_sender_access hash:/etc/postfix/rbl_sender_whitelist,
        > reject_rbl_client list.dsbl.org,
        > reject_rbl_client zen.spamhaus.org,
        > reject_rbl_client spam.dnsbl.sorbs.net,
        > reject_rbl_client recent.spam.dnsbl.sorbs.net,
        > check_sender_access hash:/etc/postfix/rhsbl_sender_domain_whitelist,
        > reject_rhsbl_client dbl.spamhaus.org,
        > reject_rhsbl_helo dbl.spamhaus.org,
        > reject_non_fqdn_sender,
        > reject_rhsbl_sender dsn.rfc-ignorant.org,
        > reject_rhsbl_sender dbl.spamhaus.org,
        > check_sender_access hash:/etc/postfix/sender_access,
        > reject_unverified_sender,
        > reject_unverified_recipient,
        > reject_unlisted_recipient,
        > check_sender_access hash:/etc/postfix/maps/verify_domain
        >
        > which is working fine but...
        >
        > sorbs.net is very aggressive, many ISPs get blocked for several years and
        > are not willing to delist b/c sorbs doesn't offer free delisting for them.
        >
        > So there is a problem with false positives. There are not many of them,
        > but every case needs additional investigation.
        >
        > On the other hand, this combination (spamhaus.org + sorbs.net) lets almost
        > no spam through; it doesn't even leave anything for SpamAssassin,
        > so I don't want to remove the checks.
        >
        > So the question is: how is it possible to direct spam mail to a user's
        > IMAP spam folder?
        >
        > Postfix delivers to Cyrus via LMTP. I googled a lot for this question and
        > the only way of doing this I was able to find is to use procmail +
        > maildrop.
        >
        > If there is a way to set a specific header instead of rejecting mail it
        > would be easy to move tagged mail to the spam folder with Sieve filters. This
        > would be the preferred variant.
        >
        --
        Покотиленко Костик <casper@...>
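The question in message 1 and the policyd-weight workaround in message 2 both rest on one Postfix mechanism: an SMTPD policy service may answer with the PREPEND action, which adds a header to the accepted message instead of rejecting it, and the delivery agent's Sieve rules can then file on that header. The block below is an added example, not code from the thread, from Postfix or from policyd-weight. It is a minimal policy service that performs the same reversed-octet A-record lookup that reject_rbl_client performs, against the two SORBS zones from the configuration above, and returns PREPEND on a hit. The listening port (10040), the header name X-DNSBL-Hit and the zone list are assumptions; the resolver is injectable so the decision logic runs offline.

```python
"""Postfix SMTPD policy service that tags DNSBL hits instead of rejecting.

Added example, not code from the thread or from policyd-weight. It assumes
Postfix is pointed at it with
    check_policy_service inet:127.0.0.1:10040
in place of the reject_rbl_client lines for the aggressive zones, and it
returns Postfix's PREPEND action so the message carries a header that a
Sieve rule can file on. Port, zone list and header name are assumptions.
"""
import socket
import socketserver

# Zones demoted from "reject" to "tag" (taken from the thread's configuration).
TAG_ONLY_ZONES = ("spam.dnsbl.sorbs.net", "recent.spam.dnsbl.sorbs.net")
HEADER_NAME = "X-DNSBL-Hit"  # assumed header name; Sieve later matches on it


def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Live resolver: a DNSBL lists an address by answering with an A record."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:  # NXDOMAIN (or a failed lookup): treated as not listed
        return False


def parse_request(raw):
    """Parse one policy request: 'name=value' lines, terminated by a blank line."""
    attrs = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def decide(attrs, zones=TAG_ONLY_ZONES, resolver=resolve_a):
    """Return the policy action: PREPEND a header naming the listing zones, else DUNNO."""
    ip = attrs.get("client_address", "")
    if not ip or ":" in ip:  # IPv6 or missing: fall through to the other restrictions
        return "DUNNO"
    hits = [zone for zone in zones if resolver(dnsbl_name(ip, zone))]
    if not hits:
        return "DUNNO"
    return "PREPEND %s: %s listed in %s" % (HEADER_NAME, ip, ", ".join(hits))


class PolicyHandler(socketserver.StreamRequestHandler):
    """Speak the Postfix policy protocol; one connection may carry many requests."""

    def handle(self):
        pending = []
        while True:
            line = self.rfile.readline()
            if not line:  # Postfix closed the connection
                return
            text = line.decode("ascii", "replace").rstrip("\r\n")
            if text:
                pending.append(text)
                continue
            # A blank line ends one request: answer it, then wait for the next one.
            action = decide(parse_request("\n".join(pending)))
            self.wfile.write(("action=%s\n\n" % action).encode("ascii"))
            self.wfile.flush()
            pending = []


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as server:
        server.serve_forever()
```

Wire it in where the two sorbs.net reject_rbl_client lines were, keeping the Spamhaus lines as hard rejects, and file on the result in Sieve with `if header :contains "X-DNSBL-Hit" "sorbs" { fileinto "Junk"; }`. Two things a real deployment adds that this example leaves out: the lookups run once per RCPT, so cache results per client address (policyd-weight's "using cached result" in the header above is exactly that), and a failed lookup here yields DUNNO, so a DNS outage silently stops tagging rather than blocking mail.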
      • Покотиленко Костик
        Message 3 of 29 , Oct 27, 2010
          Can somebody comment on this please.

          On Tue, 26/10/2010 at 18:20 +0300, Покотиленко Костик wrote:
          > I'm now trying to move all RBL and RHSBL checks to policyd-weight. In
          > policyd-weight I set "$ADD_X_HEADER = 1" and a very high score so it never
          > matches.
          >
          > Then I plan to parse "X-policyd-weight" header with sieve script on
          > cyrus to move spam to separate imap folder. Header looks like this:
          >
          > X-policyd-weight: using cached result; rate: -6.6
          >
          > If somebody has tried this or has a better solution please share your
          > experience.
          >
          > On Tue, 26/10/2010 at 14:11 +0300, Покотиленко Костик wrote:
          > > Hi,
          > >
          > > I have the following postfix configuration:
          > >
          > > smtpd_recipient_restrictions =
          > > permit_mynetworks,
          > > permit_sasl_authenticated,
          > > reject_unknown_client_hostname,
          > > reject_unknown_hostname,
          > > reject_non_fqdn_hostname,
          > > reject_non_fqdn_helo_hostname,
          > > reject_invalid_helo_hostname,
          > > check_recipient_access hash:/etc/postfix/recipients_access,
          > > check_client_access cidr:/etc/postfix/access_noauth,
          > > reject_unauth_destination,
          > > check_client_access hash:/etc/postfix/rbl_whitelist,
          > > check_sender_access hash:/etc/postfix/rbl_sender_whitelist,
          > > reject_rbl_client list.dsbl.org,
          > > reject_rbl_client zen.spamhaus.org,
          > > reject_rbl_client spam.dnsbl.sorbs.net,
          > > reject_rbl_client recent.spam.dnsbl.sorbs.net,
          > > check_sender_access hash:/etc/postfix/rhsbl_sender_domain_whitelist,
          > > reject_rhsbl_client dbl.spamhaus.org,
          > > reject_rhsbl_helo dbl.spamhaus.org,
          > > reject_non_fqdn_sender,
          > > reject_rhsbl_sender dsn.rfc-ignorant.org,
          > > reject_rhsbl_sender dbl.spamhaus.org,
          > > check_sender_access hash:/etc/postfix/sender_access,
          > > reject_unverified_sender,
          > > reject_unverified_recipient,
          > > reject_unlisted_recipient,
          > > check_sender_access hash:/etc/postfix/maps/verify_domain
          > >
          > > which is working fine but...
          > >
          > > sorbs.net is very aggressive, many ISPs get blocked for several years and
          > > are not willing to delist b/c sorbs doesn't offer free delisting for them.
          > >
          > > So there is a problem with false positives. There are not many of them,
          > > but every case needs additional investigation.
          > >
          > > On the other hand, this combination (spamhaus.org + sorbs.net) lets almost
          > > no spam through; it doesn't even leave anything for SpamAssassin,
          > > so I don't want to remove the checks.
          > >
          > > So the question is: how is it possible to direct spam mail to a user's
          > > IMAP spam folder?
          > >
          > > Postfix delivers to Cyrus via LMTP. I googled a lot for this question and
          > > the only way of doing this I was able to find is to use procmail +
          > > maildrop.
          > >
          > > If there is a way to set a specific header instead of rejecting mail it
          > > would be easy to move tagged mail to the spam folder with Sieve filters. This
          > > would be the preferred variant.
          > >
          --
          Покотиленко Костик <casper@...>
        • Stan Hoeppner
          Message 4 of 29 , Oct 27, 2010
            Покотиленко Костик put forth on 10/27/2010 7:20 AM:
            > Can somebody comment on this please.
            >
            > On Tue, 26/10/2010 at 18:20 +0300, Покотиленко Костик wrote:
            >> I'm now trying to move all RBL and RHSBL checks to policyd-weight. In
            >> policyd-weight I set "$ADD_X_HEADER = 1" and a very high score so it never
            >> matches.
            >>
            >> Then I plan to parse "X-policyd-weight" header with sieve script on
            >> cyrus to move spam to separate imap folder. Header looks like this:

            Why do you want to accept spam and save it somewhere instead of
            rejecting the SMTP connection? If you're doing anti-spam correctly, the
            few that make it through are easily dealt with in the inbox. Setting up
            "spam" or "junk" folders is adding unneeded complexity. Most users
            never check their "spam" folders, if they exist.

            >>> which is working fine but...
            >>>
            >>> sorbs.net is very aggressive, many ISPs get blocked for several years and
            >>> are not willing to delist b/c sorbs doesn't offer free delisting for them.
            >>>
            >>> So there is a problem with false positives. There are not many of them,
            >>> but every case needs additional investigation.

            This is exactly why many OPs no longer use SORBS, myself included.
            Their listing and delisting policies don't fit well with the modern
            world. Listing MTA IPs at gorilla mailers (Gmail, Yahoo, Hotmail, etc.)
            due to a small spam run hitting SORBS traps is a stupid idea. This is
            absolutely the worst possible way to try to deal with spam coming from
            such operations. The listings are always too late to stop the spam run
            from reaching SORBS clients, so all this does is end up blocking tons of
            ham.

            >>> On the other hand, this combination (spamhaus.org + sorbs.net) lets almost
            >>> no spam through; it doesn't even leave anything for SpamAssassin,
            >>> so I don't want to remove the checks.

            That may be, but look at the damage SORBS is doing. You're expending
            all of this effort to minimize "false positives" generated by SORBS.
            Instead of jumping through all these hoops to minimize the damage SORBS
            is doing to your operation, simply stop using SORBS' lists and use other
            measures to pick up the slack. Barracuda's BRBL is probably just as
            effective, and without the large number of FPs.

            >>> So the question is: how is it possible to direct spam mail to a user's
            >>> IMAP spam folder?

            The answer is don't do this. Reject the spam during the SMTP connection.

            Try this out for a week or two:

            1. Comment out your SORBS entries in main.cf
            2. Implement reject_rbl_client b.barracudacentral.org
               See http://www.barracudacentral.org/rbl as sign up is required
            3. Implement this dynamic/generic (residential/zombie) blocking PCRE:
               check_client_access pcre:/etc/postfix/fqrdns.pcre
               http://www.hardwarefreak.com/fqrdns.pcre

            Put the PCRE check before all of your RBL checks. Local table lookups
            are infinitely faster than DNS queries, so if the PCRE table can block a
            client spam MTA, it's much faster to do so than perform a DNS lookup to
            accomplish the same task. Post feedback here as to how well this works
            for you. Others here have had tremendous success merely by adding this
            PCRE alone. It's not magic but it kills a lot of spam connections from
            zombies, including many IPs not listed on any "dialup/dynamic" lists such
            as the PBL and SORBS dyn list.

            --
            Stan
          • Noel Butler
            Message 5 of 29 , Oct 27, 2010
              On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:

              > sorbs.net is very aggressive, many ISPs get blocked for several years and
              > are not willing to delist b/c sorbs doesn't offer free delisting for them.

              That is complete FUD. Yes, I know what their website says, but knowing the people behind them I can assure you it has never been demanded, it is a deterrent; a request to their ticketing system is all it takes to get out. Please don't fall for the mistruths by those who have been in SORBS; in fact, better to ask yourself why they were in there in the first place.

              > So there is a problem with false positives. There are not many of them,
              > but every case needs additional investigation.

              Very little indeed in the eight or so years we have been using them.

              Their spam trap is aggressive, but that's better than doing things like Spamhaus have done and publicly stating they will never list Gmail, because I tell you now, Gmail accounts for about 15% of the spam and crap that SA deals with here.

              > On the other hand, this combination (spamhaus.org + sorbs.net) lets almost
              > no spam through; it doesn't even leave anything for SpamAssassin,
              > so I don't want to remove the checks.

              That's a bad thing; SA is very good, but it is a resource hog on busy servers, so the less work it has to do, the better.

              > So the question is: how is it possible to direct spam mail to a user's
              > IMAP spam folder?

              Use something like amavisd or MailScanner, add a specific spam header, and use Sieve.

              > If there is a way to set a specific header instead of rejecting mail it
              > would be easy to move tagged mail to the spam folder with Sieve filters. This
              > would be the preferred variant.

              An example Sieve script we use on internal mail, which is IMAP only, would be:

              require ["fileinto"];
              if header :contains "X-Spam-Status" ["Yes,"] {
                  fileinto "Junk";
                  stop;
              }

              We do not offer IMAP to end users, as they are all POP3, but there is no reason this won't work the same if you only offer IMAP. If you also permit POP3, then it gets tricky; it can be done so the users get the spam, but it's hardly worth the effort since it defeats your intended purpose, at least for POP3 users anyway.

            • John Peach
              Message 6 of 29 , Oct 27, 2010
                On Thu, 28 Oct 2010 11:17:00 +1000
                Noel Butler <noel.butler@...> wrote:

                > On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
                >
                >
                >
                > > sorbs.net is very aggressive, many ISPs get blocked for several years and
                > > are not willing to delist b/c sorbs doesn't offer free delisting for them.
                >
                > That is complete FUD, yes, I know what their website says, but knowing
                > the people behind them I can assure you it has never been demanded, it
                > is a deterrent, a request to their ticketing system is all it takes to
                > get out, please don't fall for the mistruths by those who have been in
                > SORBS, in fact, better to ask yourself why they were in there in the
                > first place.
                >

                ... because we have so-called educated professionals who fall for
                phishing scams on a regular basis, despite regular warnings about the
                same.
                We have given up trying to do anything with SORBS - caveat emptor.


                [snip]

                --
                John
              • Al Zick
                Message 7 of 29 , Oct 27, 2010
                  Hi,

                  > > sorbs.net is very aggressive, many ISPs get blocked for several years and
                  > > are not willing to delist b/c sorbs doesn't offer free delisting for them.
                  > >
                  > > So there is a problem with false positives. There are not many of them,
                  > > but every case needs additional investigation.

                  I removed several RBLs myself a few days ago. It is very frustrating when you can't get your email because it is rejected. It also doesn't make the sender very happy.

                  > > So the question is: how is it possible to direct spam mail to a user's
                  > > IMAP spam folder?

                  This is basically what I do with procmail and bogofilter (although I have had some problems with it lately). You can also use rblcheck with procmail, but I can't find documentation on how to use it with postfix. I believe that you need postfix to pass the IP address of the mail server to procmail/rblcheck. I am not sure why it can't use what is in the header.

                  > Use something like amavisd or MailScanner, add a specific spam header, and use Sieve.
                  >
                  > > If there is a way to set a specific header instead of rejecting mail it
                  > > would be easy to move tagged mail to the spam folder with Sieve filters. This
                  > > would be the preferred variant.
                  >
                  > An example Sieve script we use on internal mail, which is IMAP only, would be:
                  >
                  > require ["fileinto"];
                  > if header :contains "X-Spam-Status" ["Yes,"] {
                  >     fileinto "Junk";
                  >     stop;
                  > }

                  I have found 2 packages:
                  dovecot-sieve
                  libsieve

                  Could you tell me which one you are using with the example above?

                  Sincerely,
                  Al


                • Noel Butler
                  Message 8 of 29 , Oct 27, 2010
                    On Wed, 2010-10-27 at 22:15 -0400, John Peach wrote:
                    > On Thu, 28 Oct 2010 11:17:00 +1000
                    > Noel Butler <noel.butler@...> wrote:
                    >
                    > > On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
                    > >
                    > > > sorbs.net is very aggressive, many ISPs get blocked for several years and
                    > > > are not willing to delist b/c sorbs doesn't offer free delisting for them.
                    > >
                    > > That is complete FUD, yes, I know what their website says, but knowing
                    > > the people behind them I can assure you it has never been demanded, it
                    > > is a deterrent, a request to their ticketing system is all it takes to
                    > > get out, please don't fall for the mistruths by those who have been in
                    > > SORBS, in fact, better to ask yourself why they were in there in the
                    > > first place.
                    >
                    > ... because we have so-called educated professionals who fall for
                    > phishing scams on a regular basis, despite regular warnings about the
                    > same.


                    Right, so how is THAT a false positive? It is a justifiable listing if they became part of the problem.

                    I have an automated script that runs over all of our mail servers' log files daily searching for IPs that send to
                    known spamtrap addresses and also, on my private server (this domain), addresses that never existed and can't exist (marked as 'baduser' in our adduser scripts); those it finds are automatically entered into our local DNSBL, which is used by other unis, ISPs and corporations over here, publicly accessible but not advertised. I get a daily diff so I see the new entries, but I don't review/host/whois them; it's just an interesting "count how many new entries" really, and it's typically 8 to 15 a day, and, AFAIC, they can stay in there forever because they are clearly miscreants.

                  • Noel Butler
                    Message 9 of 29 , Oct 27, 2010
                      On Wed, 2010-10-27 at 21:48 -0500, Al Zick wrote:
                      > > internal mail which is only imap would be
                      > >
                      > > require ["fileinto"];
                      > > if header :contains "X-Spam-Status" ["Yes,"] {
                      > >     fileinto "Junk";
                      > >     stop;
                      > > }
                      >
                      > I have found 2 packages:
                      > dovecot-sieve
                      > libsieve
                      >
                      > Could you tell me which one you are using with the example above?



                      We use Dovecot 1.2.x (Although 2.0 is stable branch, many of us feel it really is not stable for large production use).
                      The best method is dovecot-sieve  (cmusieve entry in plugin section of say LDA etc), it also doesn't require the constant patch/rebuild every time you upgrade dovecot.



                    • Покотиленко Костик
                      Message 10 of 29 , Oct 28, 2010
                        Hehe, noticed I've got just 2 replies on my thread from Noel Butler,
                        rest is missing:

                        .........
                        Oct 28 11:30:50 darkstar postfix/smtpd[17528]: NOQUEUE: reject: RCPT
                        from camomile.cloud9.net[168.100.1.3]: 554 5.7.1 Service unavailable;
                        Client host [168.100.1.3] blocked using spam.dnsbl.sorbs.net;
                        from=<owner-postfix-users@...> to=<casper@...>
                        proto=ESMTP helo=<camomile.cloud9.net>
                        .........

                        # grep NOQUEUE mail.log | grep 'postfix-users' | wc -l
                        41

                        This is 2 days' log; I missed 41 messages from this list. I'd started to
                        think I was being ignored on this list, but no, it's just that SORBS
                        blocks one of the list's servers.

                        Now I have to copy/paste from the web archives to continue the thread.

                        On Thu, 28/10/2010 at 14:28 +1000, Noel Butler wrote:
                        > On Wed, 2010-10-27 at 22:15 -0400, John Peach wrote:
                        > > On Thu, 28 Oct 2010 11:17:00 +1000
                        > > Noel Butler <noel.butler@...> wrote:
                        > >
                        > > > On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
                        > > >
                        > > > > sorbs.net is very aggressive, many ISPs get blocked for several years and
                        > > > > are not willing to delist b/c sorbs doesn't offer free delisting for them.
                        > > > >
                        > > >
                        > > >
                        > > > That is complete FUD, yes, I know what their website says, but knowing
                        > > > the people behind them I can assure you it has never been demanded, it
                        > > > is a deterrent, a request to their ticketing system is all it takes to
                        > > > get out, please don't fall for the mistruths by those who have been in
                        > > > SORBS, in fact, better to ask yourself why they were in there in the
                        > > > first place.
                        > >
                        > > ... because we have so-called educated professionals who fall for
                        > > phishing scams on a regular basis, despite regular warnings about the
                        > > same.
                        >
                        > Right, so how is THAT a false positive? It is a justifiable listing
                        > if they became part of the problem.
                        >
                        > I have an automated script that runs over all of our mail servers' log
                        > files daily searching for IPs that send to
                        > known spamtrap addresses and also, on my private server (this domain),
                        > addresses that never existed and can't exist (marked as 'baduser' in
                        > our adduser scripts); those it finds are automatically entered into
                        > our local DNSBL, which is used by other unis, ISPs and corporations
                        > over here, publicly accessible but not advertised. I get a daily diff
                        > so I see the new entries, but I don't review/host/whois them; it's just
                        > an interesting "count how many new entries" really, and it's typically 8
                        > to 15 a day, and, AFAIC, they can stay in there forever because they
                        > are clearly miscreants.
                        >
                        --
                        Покотиленко Костик <casper@...>
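The log excerpt in this message shows the failure mode the whole thread is about: one zone rejecting a legitimate sender over and over, noticed only because the poster grepped for it. As an added example, not code from the thread, here is a small audit over Postfix smtpd reject lines that counts rejections per DNSBL zone and flags senders repeatedly rejected by the same zone. The sample lines are constructed in the format the poster's log shows; the list server's host name and IP are the ones in the thread, while the mailbox and list addresses, the second client and the fourth line are placeholders.

```python
"""Audit Postfix DNSBL rejections in mail.log (added example, not from the thread).

Counts NOQUEUE rejects per blocking zone and per rejected sender so that a
legitimate server one zone keeps blocking (the mailing-list case in the
thread) stands out before users complain. The log lines below are
constructed in the format the thread shows; addresses are placeholders.
"""
import re
from collections import Counter

# One reject line as smtpd logs it when a reject_rbl_client restriction fires.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3} \d\.\d\.\d) .*?blocked using (?P<zone>[\w.-]+);.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample: two rejects of the list server by SORBS, one real spam
# reject by Spamhaus, and one unrelated line that must be ignored.
SAMPLE_LOG = """\
Oct 28 11:30:50 darkstar postfix/smtpd[17528]: NOQUEUE: reject: RCPT from camomile.cloud9.net[168.100.1.3]: 554 5.7.1 Service unavailable; Client host [168.100.1.3] blocked using spam.dnsbl.sorbs.net; from=<owner-postfix-users@list.example> to=<casper@mail.example> proto=ESMTP helo=<camomile.cloud9.net>
Oct 28 11:31:02 darkstar postfix/smtpd[17530]: NOQUEUE: reject: RCPT from unknown[192.0.2.45]: 554 5.7.1 Service unavailable; Client host [192.0.2.45] blocked using zen.spamhaus.org; from=<promo@bulk.example> to=<casper@mail.example> proto=ESMTP helo=<host.example>
Oct 28 11:33:17 darkstar postfix/smtpd[17528]: NOQUEUE: reject: RCPT from camomile.cloud9.net[168.100.1.3]: 554 5.7.1 Service unavailable; Client host [168.100.1.3] blocked using spam.dnsbl.sorbs.net; from=<owner-postfix-users@list.example> to=<casper@mail.example> proto=ESMTP helo=<camomile.cloud9.net>
Oct 28 11:35:40 darkstar postfix/smtpd[17531]: connect from mx.partner.example[198.51.100.7]
"""


def parse_rejects(log_text):
    """Return one dict per DNSBL reject line; every other log line is skipped."""
    return [m.groupdict() for m in map(REJECT_RE.search, log_text.splitlines()) if m]


def rejects_per_zone(log_text):
    """How much each DNSBL rejects; a zone far ahead of the others is the one to audit."""
    return Counter(r["zone"] for r in parse_rejects(log_text))


def repeat_offenders(log_text, min_hits=2):
    """(sender, zone, count) for senders rejected repeatedly by the same zone.

    A mailing list or partner showing up here is a false-positive candidate:
    whitelist the client (check_client_access) or demote that zone from
    reject to tag, as the thread discusses.
    """
    hits = Counter((r["sender"], r["zone"]) for r in parse_rejects(log_text))
    return sorted((s, z, n) for (s, z), n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    for zone, n in rejects_per_zone(SAMPLE_LOG).most_common():
        print("%5d  %s" % (n, zone))
    for sender, zone, n in repeat_offenders(SAMPLE_LOG):
        print("review: %s rejected %d times by %s" % (sender, n, zone))
```

Run it over the real file with `repeat_offenders(open("/var/log/mail.log").read())`. A hit list made up of mailing lists and partners, while `rejects_per_zone` shows that same zone rejecting far more than the others, is the signal to whitelist the client or move that zone from reject to tag.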
                      • Noel Butler
                        Message 11 of 29 , Oct 28, 2010
                          On Thu, 2010-10-28 at 12:37 +0300, Покотиленко Костик wrote:
                          > Hehe, noticed I've got just 2 replies on my thread from Noel Butler,
                          > rest is missing:

                          LOL, hrmm, Q: is the postfix list the only mail coming from camomile.cloud9.net, or do these servers host other stuff as well?

                          > .........
                          > Oct 28 11:30:50 darkstar postfix/smtpd[17528]: NOQUEUE: reject: RCPT
                          > from camomile.cloud9.net[168.100.1.3]: 554 5.7.1 Service unavailable;
                          > Client host [168.100.1.3] blocked using spam.dnsbl.sorbs.net;
                          > from=<owner-postfix-users@...> to=<casper@...>
                          > proto=ESMTP helo=<camomile.cloud9.net>
                          > .........
                          

                        • Покотиленко Костик
                          Message 12 of 29 , Oct 28, 2010
                            > Покотиленко Костик put forth on 10/27/2010 7:20 AM:
                            > > Can somebody comment on this please.
                            > >
                            > > On Tue, 26/10/2010 at 18:20 +0300, Покотиленко Костик wrote:
                            > >> I'm now trying to move all RBL and RHSBL checks to policyd-weight. In
                            > >> policyd-weight I set "$ADD_X_HEADER = 1" and a very high score so it never
                            > >> matches.
                            > >>
                            > >> Then I plan to parse "X-policyd-weight" header with sieve script on
                            > >> cyrus to move spam to separate imap folder. Header looks like this:
                            >
                            > Why do you want to accept spam and save it somewhere instead of
                            > rejecting the SMTP connection? If you're doing anti-spam correctly, the
                            > few that make it through are easily dealt with in the inbox. Setting up
                            > "spam" or "junk" folders is adding unneeded complexity. Most users
                            > never check their "spam" folders, if they exist.

                            Well, the idea is to reject by DNSBLs which are proven to not produce FPs,
                            and in addition just mark SPAM by agressive DNSBLs, then move marked to
                            SPAM folder.

                            We are supporting IT for several corporations in Ukraine. Here it's hard
                            for many to do things right.

                            Weird example: a PR manager can't get mail from an advertising company - it turns
                            out that mail was not accepted b/c:

                            a. mail was sent directly from the company's public IP which is DSL (shouldn't send direct)
                            b. the advertising company's mail server doesn't have reverse DNS
                            c. doesn't send a proper HELO
                            d. the advertising company's IP is blacklisted by sorbs
                            ...

                            You say to the PR manager, it's their fault, their mail system isn't set up properly.
                            The PR manager tells you that everybody except us in this city can get mail from them.
                            And this is true.

                            Here I have 2 options: either I add whitelist or PR manager moves to
                            mail.ru/yahoo.com/gmail.com...

                            Also, some "smart" users get the rules of this game fast; they tell me: I've sent
                            a message and am waiting for a reply, please add this address to a whitelist :)

                            Whitelists are growing fast in my experience, so I'm looking for solutions which work
                            well and don't need much attention from my side. Most should work automatically, the rest is
                            left to users' attention. I should only support this balance.

                            > >>> which is working fine but...
                            > >>>
                            > >>> sorbs.net is very aggressive, many ISPs get blocked for several years and
                            > >>> are not willing to delist b/c sorbs doesn't offer free delist for them.
                            > >>>
                            > >>> So there is problem with false-positives. There are not much of them,
                            > >>> but all cases need additional investigation.
                            >
                            > This is exactly why many OPs no longer use SORBS, myself included.
                            > Their listing and delisting policies don't fit well with the modern
                            > world. Listing MTA IPs at Gorilla mailers (Gmail, Yahoo, Hotmail, etc)
                            > due to a small spam run hitting SORBS traps is a stupid idea. This is
                            > absolutely the worst possible way to try to deal with spam coming from
                            > such operations. The listings are always too late to stop the spam run
                            > from reaching SORBS clients, so all this does is end up blocking tons of
                            > ham.

                            This is worth experimenting with. In my experience sorbs blocks much more spam (not
                            blocked by the rest) than it produces FPs. That's why I'm looking for a solution
                            to make those FPs easily recoverable.

                            Several months' statistics on my own mailbox show that without sorbs I was
                            getting 3-10 spams a day. With sorbs I recover 1-5 messages a week for
                            the entire ~200 users. Well, this is not counting the 41 blocked messages from
                            this list this week.

                            > >>> From other side this combination (spamhaus.org + sorbs.net) doesn't pass
                            > >>> spam almost at all, they don't even leave anything for spamassassin,
                            > >>> so I don't want to remove checks.
                            >
                            > That may be, but look at the damage SORBS is doing. You're expending
                            > all of this effort to minimize "false positives" generated by SORBS.
                            > Instead of jumping through all these hoops to minimize the damage SORBS
                            > is doing to your operation, simply stop using SORBS' lists and use other
                            > measures to pick up the slack. Barracuda's BRBL is probably just as
                            > effective, and without the large number of FPs.

                            This is worth trying, thanks.

                            > >>> So the question is: how it is possible to direct SPAM mail to a user's
                            > >>> imap spam folder?
                            >
                            > The answer is don't do this. Reject the spam during the SMTP connection.

                            This is costly in management.

                            > Try this out for a week or two:
                            >
                            > 1. Comment out your SORBS entries in main.cf
                            > 2. Implement reject_rbl_client b.barracudacentral.org
                            > See http://www.barracudacentral.org/rbl as sign up is required
                            > 3. Implement this dynamic/generic (residential/zombie) blocking PCRE
                            > check_client_access pcre:/etc/postfix/fqrdns.pcre
                            > http://www.hardwarefreak.com/fqrdns.pcre

                            Who's supporting this file?

                            > Put the PCRE check before all of your RBL checks. Local table lookups
                            > are infinitely faster than DNS queries, so if the PCRE table can block a
                            > client spam MTA, it's much faster to do so than perform a DNS lookup to
                            > accomplish the same task. Post feedback here as to how well this works
                            > for you. Others here have had tremendous success merely by adding this
                            > PCRE alone. It's not magic but it kills a lot of spam connections from
                            > zombies, including many IPs not listed on any "dialup/dynamic" lists such
                            > as the PBL and SORBS dyn list.
                            >
                            > --
                            > Stan
                          • Покотиленко Костик
                            Message 13 of 29 , Oct 28, 2010
                              On Thu, 28/10/2010 at 19:59 +1000, Noel Butler writes:
                              > On Thu, 2010-10-28 at 12:37 +0300, Покотиленко Костик wrote:
                              > > Hehe, noticed I've got just 2 replies on my thread from Noel Butler,
                              > > rest is missing:
                              > >
                              >
                              > LOL, hrmm Q, is the postfix lists the only mail coming from
                              > camomile.cloud9.net? or do these servers host other stuff as well

                              camomile.cloud9.net[168.100.1.3] is the only server of this list which
                              is being blocked till this moment.

                              > > .........
                              > > Oct 28 11:30:50 darkstar postfix/smtpd[17528]: NOQUEUE: reject: RCPT
                              > > from camomile.cloud9.net[168.100.1.3]: 554 5.7.1 Service unavailable;
                              > > Client host [168.1
                              > > 00.1.3] blocked using spam.dnsbl.sorbs.net;
                              > > from=<owner-postfix-users@...> to=<casper@...>
                              > > proto=ESMTP helo=<camomile.cloud9.net>
                              > > .........
                              > >
                              >
                              --
                              Покотиленко Костик <casper@...>
                            • Покотиленко Костик
                              Message 14 of 29 , Oct 28, 2010
                                > On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
                                >
                                >
                                > > sorbs.net is very aggressive, many ISPs get blocked for several years
                                > > and are not willing to delist b/c sorbs doesn't offer free delist
                                > > for them.
                                >
                                > That is complete FUD, yes, I know what their website says, but knowing
                                > the people behind them I can assure you it has never been demanded, it
                                > is a deterrent, a request to their ticketing system is all it takes to
                                > get out, please don't fall for the mistruths by those who have been in
                                > SORBS, in fact, better to ask yourself why they were in there in the
                                > first place.

                                > > So there is problem with false-positives. There are not much of
                                > > them, but all cases need additional investigation.
                                >
                                > Very little indeed in the eight or so years we have been using them.
                                >
                                > Their spam trap is aggressive, but that's better than to do things like
                                > spamhaus have done and publicly state they will never list gmail,
                                > because I tell you now, gmail accounts for about 15% of spam and
                                > crap that SA deals with here.

                                See other posts

                                > > From other side this combination (spamhaus.org + sorbs.net) doesn't
                                > > pass spam almost at all, they don't even leave anything for
                                > > spamassassin, so I don't want to remove checks.
                                >
                                > That's a bad thing, SA is very good, but it is a resource hog on busy
                                > servers, so the less work it has to do, the better.

                                That's what I'm saying. I'm now suspecting SA is almost useless, thinking
                                about trying to turn it off and see if something changes. I'll review
                                SA's logs first when I have time.

                                > > So the question is: how it is possible to direct SPAM mail to a
                                > > user's imap spam folder?
                                >
                                > Use something like amavisd or MailScanner, add a specific spam header,
                                > and use sieve

                                amavisd doesn't make DNSBL checks as I see, it can only make some basic
                                checks and use external SA and antivirus.

                                > > If there is a way to set specific header instead of rejecting mail
                                > > it would be easy to move tagged mail to spam folder by sieve
                                > > filters. This would be the preferred variant.
                                >
                                > An example sieve script we use on internal mail which is only imap
                                > would be
                                >
                                >
                                > require ["fileinto"];
                                > if header :contains "X-Spam-Status" ["Yes,"] {
                                > fileinto "Junk";
                                > stop;
                                > }

                                This is simple, I have this. If somebody can tell me how to write a script
                                which will move to the spam folder a message which has a >1.0 score (rate) on
                                this header:

                                X-policyd-weight: using cached result; rate: -6.6

                                or

                                X-policyd-weight: NOT_IN_DYN_PBL_SPAMHAUS=0
                                NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5
                                NOT_IN_IX_MANITU=0 CL_IP_EQ_FROM_MX=-3.1; rate: -7.6; <client=[hidden]>
                                <helo=[hidden]> <from=[hidden]> <to=[hidden]>

                                This requires a regexp which I'm not too familiar with.

                                > We do not offer imap to end users, as they are all pop3, but there is
                                > no reason this won't work the same if you only offer imap, if you also
                                > permit pop3, then it gets tricky, it can be done so the users get the
                                > spam, but it's hardly worth the effort since it defeats your intended
                                > purpose, at least for pop3 users anyway.

                                I was thinking about this. We support corporate users, so they all can
                                be given instructions on how they should use the service. But mostly
                                things are simpler, they use it as you set it up :)
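As an added example (not code from the thread), the parsing half of the filter asked for above: it pulls the `rate:` value out of both X-policyd-weight layouts quoted in the message and files anything above the 1.0 threshold into "Junk". The sample messages and the positive-score check names are constructed for the example.

```python
import email
import re
from typing import Optional

# Both X-policyd-weight layouts quoted in the thread end the verdict with
# "rate: <number>": the cached form ("using cached result; rate: -6.6") and
# the full per-check form ("...CL_IP_EQ_FROM_MX=-3.1; rate: -7.6; <client=...>").
RATE_RE = re.compile(r"rate:\s*(-?\d+(?:\.\d+)?)")

# Threshold asked for in the thread: a rate above 1.0 goes to the spam folder.
SPAM_THRESHOLD = 1.0


def policyd_weight_rate(raw_message: str) -> Optional[float]:
    """Extract the policyd-weight rate from a raw RFC 822 message string.

    Returns None when the header is missing or carries no parseable rate.
    The full layout is folded over several header lines; the folding
    whitespace is collapsed to single spaces before matching so the regex
    sees one continuous header value.
    """
    msg = email.message_from_string(raw_message)
    header = msg.get("X-policyd-weight")
    if header is None:
        return None
    match = RATE_RE.search(" ".join(header.split()))
    if match is None:
        return None
    return float(match.group(1))


def target_folder(raw_message: str, threshold: float = SPAM_THRESHOLD) -> str:
    """Return the IMAP folder a message should be filed into.

    A missing or unparseable header keeps the message in INBOX: an absent
    score must not quietly turn into a spam verdict.
    """
    rate = policyd_weight_rate(raw_message)
    if rate is not None and rate > threshold:
        return "Junk"
    return "INBOX"


# Constructed sample messages; the two header values below are the ones
# quoted in the thread, with the rest of the message made up for the example.
CACHED_HAM = (
    "From: sender@example.invalid\r\n"
    "X-policyd-weight: using cached result; rate: -6.6\r\n"
    "Subject: cached result\r\n"
    "\r\n"
    "body\r\n"
)

FOLDED_HAM = (
    "From: sender@example.invalid\r\n"
    "X-policyd-weight: NOT_IN_DYN_PBL_SPAMHAUS=0\r\n"
    " NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5\r\n"
    " NOT_IN_IX_MANITU=0 CL_IP_EQ_FROM_MX=-3.1; rate: -7.6; <client=[hidden]>\r\n"
    " <helo=[hidden]> <from=[hidden]> <to=[hidden]>\r\n"
    "Subject: folded result\r\n"
    "\r\n"
    "body\r\n"
)

# Constructed positive score (check names and values are made up): the case
# the thread wants filed into the spam folder.
FOLDED_SPAM = (
    "From: sender@example.invalid\r\n"
    "X-policyd-weight: IN_DYN_PBL_SPAMHAUS=3.25 IN_SPAMCOP=3.75; rate: 8.1;\r\n"
    " <client=[hidden]> <helo=[hidden]> <from=[hidden]> <to=[hidden]>\r\n"
    "Subject: listed client\r\n"
    "\r\n"
    "body\r\n"
)

NO_HEADER = "From: sender@example.invalid\r\nSubject: no score\r\n\r\nbody\r\n"


if __name__ == "__main__":
    for name, raw in (("cached", CACHED_HAM), ("folded", FOLDED_HAM),
                      ("listed", FOLDED_SPAM), ("none", NO_HEADER)):
        print(f"{name}: rate={policyd_weight_rate(raw)} -> {target_folder(raw)}")
```

The `rate:` pattern is the piece a Sieve `header :regex` test would have to match on; the Python version makes the numeric threshold explicit and keeps messages without a score in the inbox.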
                              • Покотиленко Костик
                                Message 15 of 29 , Oct 28, 2010
                                  > On Wed, 2010-10-27 at 22:15 -0400, John Peach wrote:
                                  > > On Thu, 28 Oct 2010 11:17:00 +1000 Noel Butler <noel.butler <at> ausics.net> wrote:
                                  > > > On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
                                  > > > > sorbs.net is very aggressive, many ISPs get blocked for several years and
                                  > > > > are not willing to delist b/c sorbs doesn't offer free delist for them.
                                  > > >
                                  > > > That is complete FUD, yes, I know what their website says, but knowing
                                  > > > the people behind them I can assure you it has never been demanded, it
                                  > > > is a deterrent, a request to their ticketing system is all it takes to
                                  > > > get out, please don't fall for the mistruths by those who have been in
                                  > > > SORBS, in fact, better to ask yourself why they were in there in the
                                  > > > first place.
                                  > >
                                  > > ... because we have so-called educated professionals who fall for
                                  > > phishing scams on a regular basis, despite regular warnings about the same.
                                  >
                                  >
                                  > Right, so, how is THAT a false positive, it is a justifiable listing
                                  > if they became part of the problem.

                                  See other posts. In this specific local situation those listings are viewed
                                  as false positives.

                                  > I have an automated script that runs over all of our mail servers log
                                  > files daily searching for IP's that send to
                                  > known spamtrap addresses and also on my private server (this domain),
                                  > addresses that never existed, and can't exist (marked as 'baduser' in
                                  > our adduser scripts), those it finds are automatically entered into
                                  > our local DNSBL which is used by other Uni's, ISP's and corporations
                                  > over here, publicly accessible, but not advertised. I get a daily diff
                                  > so I see the new entries, but I don't review/host/whois them, its just
                                  > an interesting "count how many new entries" really and its typically 8
                                  > to 15 a day, and, AFAIC, they can stay in there forever because they
                                  > are clearly miscreants.

                                  Supporting my own BL is too much effort for many tasks.
                                • Noel Butler
                                  Message 16 of 29 , Oct 28, 2010
                                    On Thu, 2010-10-28 at 14:13 +0300, Покотиленко Костик wrote:

                                    
                                    > I have an automated script that runs over all of our mail servers log
                                    > files daily searching for IP's that send to
                                    > known spamtrap addresses and also on my private server (this domain),
                                    > addresses that never existed, and can't exist (marked as 'baduser' in
                                    > our adduser scripts), those it finds are automatically entered into
                                    > our local DNSBL which is used  by other Uni's, ISP's and corporations
                                    > over here, publicly accessible, but not advertised. I get a daily diff
                                    > so I see the new entries, but I don't review/host/whois them, its just
                                    > an interesting "count how many new entries" really and its typically 8
                                    > to 15 a day, and, AFAIC, they can stay in there forever because they
                                    > are clearly miscreants.

                                    > Supporting own BL is too much effort for many tasks.


                                    This was created because there are many, many front end SMTP servers; it saved replicating access lists across all of them.
                                    Once it is set up, it runs itself.


                                  • John Peach
                                    Message 17 of 29 , Oct 28, 2010
                                      On Thu, 28 Oct 2010 14:28:42 +1000
                                      Noel Butler <noel.butler@...> wrote:

                                      > On Wed, 2010-10-27 at 22:15 -0400, John Peach wrote:
                                      >
                                      > > On Thu, 28 Oct 2010 11:17:00 +1000
                                      > > Noel Butler <noel.butler@...> wrote:
                                      > >
                                      > > > On Tue, 2010-10-26 at 14:11 +0300, Покотиленко Костик wrote:
                                      > > >
                                      > > >
                                      > > >
                                      > > > > sorbs.net is very agressive, many ISPs get blocked for several
                                      > > > > years and are not willing to delist b/c sorbs doesn't offer
                                      > > > > free delist for them.
                                      > > > >
                                      > > >
                                      > > >
                                      > > > That is complete FUD, yes, I know what their website says, but
                                      > > > knowing the people behind them I can assure you it has never been
                                      > > > demanded, it is a deterrent, a request to their ticketing system
                                      > > > is all it takes to get out, please don't fall for the mistruths
                                      > > > by those who have been in SORBS, infact, better to ask yourself
                                      > > > why they were in there in the first place.
                                      > > >
                                      > >
                                      > > ... because we have so-called educated professionals who fall for
                                      > > phishing scams on a regular basis, despite regular warnings about
                                      > > the same.
                                      >
                                      >
                                      >
                                      > Right, so, how is THAT a false positive, it is a justifiable listing
                                      > if they became part of the problem.
                                      >
                                      I never said it was a false positive. Just that it's a waste of time
                                      trying to get delisted; we gave up with that years ago.


                                      --
                                      John
                                    • Jerry
                                      Message 18 of 29 , Oct 28, 2010
                                        On Thu, 28 Oct 2010 07:52:27 -0400
                                        John Peach <postfix@...> articulated:

                                        > I never said it was a false positive. Just that it's a waste of time
                                        > trying to get delisted; we gave up with that years ago.

                                        If you mean "years ago" literally, then I might suggest that you revisit
                                        it. "The Times They Are a-Changin'" courtesy of Bob Dylan is certainly
                                        appropriate here.

                                        --
                                        Jerry ✌
                                        postfix-user@...
                                        _____________________________________________________________________
                                        TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
                                        TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
                                      • Wietse Venema
                                        Message 19 of 29 , Oct 28, 2010
                                          Noel Butler:
                                          > On Thu, 2010-10-28 at 12:37 +0300, Покотиленко Костик wrote:
                                          >
                                          > > Hehe, noticed I've got just 2 replies on my thread from Noel Butler,
                                          > > rest is missing:
                                          >
                                          > LOL, hrmm Q, is the postfix lists the only mail coming from
                                          > camomile.cloud9.net? or do these servers host other stuff as well
                                          >
                                          > > .........
                                          > > Oct 28 11:30:50 darkstar postfix/smtpd[17528]: NOQUEUE: reject: RCPT
                                          > > from camomile.cloud9.net[168.100.1.3]: 554 5.7.1 Service unavailable;
                                          > > Client host [168.1
                                          > > 00.1.3] blocked using spam.dnsbl.sorbs.net;
                                          > > from=<owner-postfix-users@...> to=<casper@...>
                                          > > proto=ESMTP helo=<camomile.cloud9.net>
                                          > > .........

                                          This illustrates what you get when blocking all mail from an ISP
                                          just because some customer sent some email that hit some spamtrap.

                                          Such an approach makes sense only if receiving one spam message is
                                          a bigger problem than losing a larger amount of legitimate email.

                                          Wietse
                                        • /dev/rob0
                                          Message 20 of 29 , Oct 28, 2010
                                            On Tue, Oct 26, 2010 at 02:11:59PM +0300, Покотиленко Костик wrote:
                                            > I have the following postfix configuration:
                                            >
                                            > smtpd_recipient_restrictions =
                                            snip
                                            > reject_rbl_client list.dsbl.org,

                                            In all this thread, no one that I have seen has yet mentioned that
                                            DSBL has been defunct since 2008, over two years!

                                            > reject_rbl_client zen.spamhaus.org,
                                            snip
                                            > reject_rhsbl_client dbl.spamhaus.org,
                                            > reject_rhsbl_helo dbl.spamhaus.org,

                                            In that time, Spamhaus launched the Zen multi list including the new
                                            PBL, and the new DBL RHSBL. Clearly, you are keeping up with some of
                                            the changes in the antispam world, but somehow you managed to miss
                                            all the warnings in your logs about the failed list.dsbl.org lookups.

                                            Shameless plug: I'm going to recommend that anyone who manages an
                                            antispam system consider joining an antispam mailing list, more
                                            specifically this one, SDLU:
                                            http://spammers.dontlike.us/

                                            SDLU is a descendant of the old SPAM-L list which, like DSBL, also
                                            closed in May 2008. Traffic on SDLU is low, usually far less than
                                            what you will see on this list.

                                            SDLU is still new, established in September, following what might be
                                            termed a "political dispute" on another SPAM-L descendant list,
                                            spam-l.com. That list is still functioning, but I cannot personally
                                            recommend it, for reasons which would be off-topic here.
                                            --
                                            Offlist mail to this address is discarded unless
                                            "/dev/rob0" or "not-spam" is in Subject: header
                                          • mouss
                                            Message 21 of 29 , Oct 28, 2010
                                              On 26/10/2010 13:11, Покотиленко Костик wrote:
                                              > [snip]
                                              >
                                              > sorbs.net is very agressive, many ISPs get blocked for several years and
                                              > are not willing to delist b/c sorbs doesn't offer free delist for them.

                                              - hmmm. if you refer to the delisting fee, this has changed. there's no
                                              fee anymore.
                                              - if the problem you have is recent, then you should know sorbs had some
                                              problems recently. should be fixed by now.
                                              - This might be undocumented, but sorbs have a "safe" sublist:
                                              safe.dnsbl.sorbs.net
                                              - finally, you can use sorbs in spamassassin instead of at smtp time

                                              [snip]
                                            • Stan Hoeppner
                                              Message 22 of 29 , Oct 28, 2010
                                                Покотиленко Костик put forth on 10/28/2010 5:31 AM:

                                                > a. mail was sent directly from the company's public IP which is DSL (shouldn't send direct)
                                                > b. the advertising company's mail server doesn't have reverse DNS
                                                > c. doesn't send a proper HELO
                                                > d. the advertising company's IP is blacklisted by sorbs

                                                Ahh, I see. You live in one of "those" internet neighborhoods.

                                                > Whitelists are growing fast in my experience, so I'm looking for solutions which work
                                                > well and don't need much attention from my side. Most should work automatically, the rest is
                                                > left to users' attention. I should only support this balance.

                                                And whitelists that never stop growing are often the most popular
                                                solution, as you've done. Have you tried a content filter such as
                                                SpamAssassin, turning off the client dnsbl function and relying on Bayes
                                                and rhsbl checks of header/body domains? SA's built in tagging function
                                                would allow you to easily filter to user spam folder with sieve,
                                                procmail, or maildrop. This setup might help you eliminate the FPs or
                                                drop them into the spam folder instead of rejecting them.

                                                > This is worth experimenting with. In my experience sorbs blocks much more spam (not
                                                > blocked by the rest) than it produces FPs. That's why I'm looking for a solution
                                                > to make those FPs easily recoverable.

                                                Until hearing from you, I'd never heard an OP state that SORBS was so
                                                effective at catching spam the other dnsbls did not that they were
                                                willing to accept and deal with the FP rate of SORBS. Maybe this is due
                                                to your location in eastern Europe?

                                                > Several months' statistics on my own mailbox show that without sorbs I was
                                                > getting 3-10 spams a day. With sorbs I recover 1-5 messages a week for
                                                > entire ~200 users. Well, this is not counting 41 blocked messages from
                                                > this list this week.

                                                This is a good example of why SORBS sucks and why the FPs are not
                                                acceptable. They list the postfix-users outbound list server IP
                                                (probably shared with other lists) due to a trap hit(s), even though the
                                                ham ratio is 100% on most days. I'm sure there was no "spam run" but
                                                merely a couple of hits. Again, bad policy, and why I haven't used
                                                SORBS for years.

                                                Usually when I sign up for a mailing list I manually add a whitelist
                                                entry, or I just let my auto whitelisting script take care of it.

                                                > This is worth trying, thanks.

                                                I'm not saying BRBL is a great dnsbl, but from what I hear from other
                                                OPs it's pretty decent and as good or better than SORBS without the high
                                                FPs. I tried it out for a while but it wasn't catching much so I dumped
                                                it. Most dnsbls don't catch much spam here because my other A/S
                                                countermeasures kill most of it first. dnsbls get crumbs here, same
                                                with postgrey.

                                                >>>>> So the question is: how is it possible to direct SPAM mail to a user's
                                                >>>>> imap spam folder?
                                                >>
                                                >> The answer is don't do this. Reject the spam during the SMTP connection.
                                                >
                                                > This is costly in management.

                                                If you have filters with higher accuracy that don't cause FPs it's not
                                                costly in management.

                                                >> Try this out for a week or two:
                                                >>
                                                >> 1. Comment out your SORBS entries in main.cf
                                                >> 2. Implement reject_rbl_client b.barracudacentral.org
                                                >> See http://www.barracudacentral.org/rbl as sign up is required
                                                >> 3. Implement this dynamic/generic (residential/zombie) blocking PCRE
                                                >> check_client_access pcre:/etc/postfix/fqrdns.pcre
                                                >> http://www.hardwarefreak.com/fqrdns.pcre
                                                >
                                                > Who's supporting this file?

                                                There is no support, and none needed. It's a home grown regular
                                                expression table that matches fully qualified reverse or forward DNS
                                                names of connecting clients. It targets dynamic IPs and generic static
                                                IPs of broadband providers around the world, mostly in the US and
                                                Europe, but includes some others around the world. I.e. it blocks
                                                direct senders who shouldn't be sending direct. It's much like the
                                                Spamhaus PBL regarding results, but blocks many client IPs that the PBL,
                                                SORBS DUL, and other "dynamic" dnsbls don't.

                                                If you don't trust it because no big vendor name is behind it, use sed
                                                and replace REJECT with "WARN fqrdns". Monitor its effectiveness by
                                                grepping your log for "fqrdns".

                                                Put it above your RBL checks in main.cf so it gets first crack at the
                                                connections. You will likely be pleasantly surprised by the results.

                                                --
                                                Stan
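An added example, not code from the thread and not the fqrdns.pcre file itself: it shows the monitor-only step Stan describes (REJECT rewritten to "WARN fqrdns", then grepping the log) as a small script that also summarises the WARN hits per client domain. The access-table patterns and the mail.log lines are constructed, and the "Client host triggers WARN action" wording is assumed to match Postfix's smtpd log format; only the "fqrdns" token is relied upon.

```shell
#!/bin/sh
# Added example (not from the thread, not the real fqrdns.pcre): take a
# pcre client-access table, switch its REJECT actions to "WARN fqrdns",
# then summarise the WARN hits Postfix logs so the table's effect can be
# judged before it is allowed to reject anything.

# Constructed pcre access table in the style of a generic-rDNS blocklist.
# The patterns are illustrative only; the real file is not reproduced here.
fqrdns_sample_table() {
    cat <<'EOF'
# generic DSL and cable reverse-DNS names (constructed patterns)
/^(\d+[-.]){3}\d+\.dsl\./           REJECT Generic DSL rDNS, use your ISP relay
/^host-(\d+-){3}\d+\.cable\./       REJECT Generic cable rDNS, use your ISP relay
EOF
}

# Rewrite every REJECT action to "WARN fqrdns" (monitor-only mode).
# Postfix then logs a warning and continues with the next restriction.
fqrdns_to_warn() {
    sed 's/[[:space:]]REJECT.*$/ WARN fqrdns/'
}

# Constructed mail.log excerpt. The "Client host triggers WARN action"
# wording is assumed to match Postfix's smtpd log format; only the token
# "fqrdns" is relied upon, which is what the thread greps for.
fqrdns_sample_log() {
    cat <<'EOF'
Oct 28 22:07:01 mx postfix/smtpd[1001]: NOQUEUE: warn: RCPT from 192-0-2-10.dsl.example.net[192.0.2.10]: <192-0-2-10.dsl.example.net[192.0.2.10]>: Client host triggers WARN action: fqrdns; from=<a@example.org> to=<u@example.com> proto=ESMTP helo=<localhost>
Oct 28 22:07:05 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<b@example.org> to=<u@example.com> proto=SMTP helo=<x>
Oct 28 22:07:09 mx postfix/smtpd[1003]: NOQUEUE: warn: RCPT from host-203-0-113-5.cable.example.com[203.0.113.5]: <host-203-0-113-5.cable.example.com[203.0.113.5]>: Client host triggers WARN action: fqrdns; from=<c@example.org> to=<u@example.com> proto=ESMTP helo=<pc>
Oct 28 22:07:12 mx postfix/smtpd[1004]: 3F1A2B: client=mail.example.org[203.0.113.20]
Oct 28 22:07:20 mx postfix/smtpd[1005]: NOQUEUE: warn: RCPT from 192-0-2-11.dsl.example.net[192.0.2.11]: <192-0-2-11.dsl.example.net[192.0.2.11]>: Client host triggers WARN action: fqrdns; from=<d@example.org> to=<u@example.com> proto=ESMTP helo=<localhost>
EOF
}

# Total number of connections the table would have rejected.
fqrdns_warn_total() {
    grep -c 'WARN action: fqrdns'
}

# WARN hits per client domain (rDNS name minus its first label), most
# frequent first, so each provider can be checked for legitimate mail
# (whitelist candidates) before the table is switched back to REJECT.
fqrdns_warn_summary() {
    grep 'warn: RCPT from ' | grep 'fqrdns' |
        sed -n 's/.*warn: RCPT from \([^[]*\)\[.*/\1/p' |
        sed 's/^[^.]*\.//' |
        sort | uniq -c | sort -rn
}

# Stand-alone run: show the monitor-mode table and the per-domain summary.
fqrdns_sample_table | fqrdns_to_warn
fqrdns_sample_log | fqrdns_warn_summary
```

On a real system the same summary comes from `fqrdns_warn_summary < /var/log/mail.log` after the rewritten table has been installed and `postmap -q hostname pcre:/etc/postfix/fqrdns.pcre` confirms which names it matches.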
                                              • Stan Hoeppner
                                                Message 23 of 29 , Oct 28, 2010
                                                  /dev/rob0 put forth on 10/28/2010 12:36 PM:

                                                  > SDLU is a descendent of the old SPAM-L list which, like DSBL, also
                                                  > closed in May 2008.

                                                  SDLU is a fork of spam-l.com, which itself is the direct descendant of
                                                  the Lsoft SPAM-L mailing list which closed in May 2008. None of this
                                                  matters to newcomers anyway, but I like keeping the historical record
                                                  straight.

                                                  What matters is there are good people with experience on both lists. I
                                                  assume this anyway, although I've not signed up for the SDLU list so I
                                                  don't know who all is there. Rob's there so you're already in good company
                                                  if you choose SDLU.

                                                  What also matters is just getting engaged. Join one list or another and
                                                  participate in the spam fighting community so you can learn and
                                                  contribute techniques, tools, and experience.

                                                  You can't really make a mistake joining any one list. If it sucks, join
                                                  another. Just get involved beyond the limited A/S discussions on MTA or
                                                  IMAP server mailing lists. You'll gain insight into fighting spam that
                                                  you otherwise won't be exposed to.

                                                  --
                                                  Stan
                                                • Noel Butler
                                                  Message 24 of 29 , Oct 28, 2010
                                                    On Thu, 2010-10-28 at 07:52 -0400, John Peach wrote:


                                                    > Right, so, how is THAT a false positive, it is a justifiable listing
                                                    > if they became part of the problem.
                                                    > 
                                                    I never said it was a false positive. Just that it's a waste of time
                                                    trying to get delisted; we gave up with that years ago.
                                                    
                                                    

                                                    Really? No one I've met who actually requested delisting was ignored or refused, sure, a few years ago it was taking a few weeks to get out of it, but it got there in the end without pestering.

                                                    A lot of people are just spreading FUD because of them reading the requirements (which weren't requirements) and never bothering to ask, fearing they'd have to pay, and IIRC, it was a charity not SORBS, probably a bad idea, sometimes the scare tactic can backfire, I believe the web page is updated (or will be soon) reflecting this.

                                                    IMHO, it comes down to laziness of those admins not chasing up, what do you do when you get in spamcop, wait till your listing expires, get relisted, wait until it expires again (being a longer listing period).

                                                    SORBS only gave me one headache many many years ago, it took no time to get it resolved, and they have been ultra reliable here, they are heavily used by Australian and New Zealand ISPs, probably of little consequence to Americans though.

                                                  • Noel Butler
                                                    Message 25 of 29 , Oct 28, 2010
                                                      On Thu, 2010-10-28 at 09:40 -0400, Wietse Venema wrote:

                                                      > > .........
                                                      
                                                      This illustrates what you get when blocking all mail from an ISP
                                                      just because some customer sent some email that hit some spamtrap.
                                                      
                                                      

                                                      We do it here, I've done it for 5 years or so, little problems at all given the remoteness of the addresses, the only way
                                                      for it to be tried is because of a spambot, therefore that IP = miscreant, and frankly I don't want miscreants knocking our way, and not many miscreants use their ISP's mail servers.


                                                      Such an approach makes sense only if receiving one spam message is
                                                      a bigger problem than losing a larger amount of legitimate email.
                                                      
                                                      

                                                      But how do you know it's only "one"? I'm sure if this IP in question was only used by you then there is no doubt it would be a wrongful listing, however, majordomo is not the smartest kid on the block, hasn't been for a decade if ever, someone with a grudge could easily fire away at it causing it to end up where it is now.

                                                      Luckily the vast majority of IPs hitting spamtraps are end users/bots, so it would normally be quite rare to have a real actual mail server listed, however Gmail pushes this envelope to the extreme, not so bad recently, but in the past, it has had a reputation almost as bad as the mid to late nineties AOL.


                                                    • Wietse Venema
                                                      Message 26 of 29 , Oct 29, 2010
                                                        Wietse:
                                                        > [About blocking all mail from an ISP because some customer sent spam]
                                                        > Such an approach makes sense only if receiving one spam message is
                                                        > a bigger problem than losing a larger amount of legitimate email.

                                                        Noel Butler:
                                                        > But how do you know it's only "one"? I'm sure if this IP in question was

                                                        Your response shows that you have no clue about the ham:spam ratio
                                                        (I do have a clue: I've been a customer for 14 years and can't remember
                                                        when I last received spam that originates from their network).

                                                        This is a technical mailing list about Postfix. There is no room
                                                        here for contributions without quantitative technical content.

                                                        From now on there is a taboo on SORBS, just like SPF. Trespassers
                                                        will be shot.

                                                        Wietse
                                                      • Noel Butler
                                                        Message 27 of 29 , Oct 29, 2010


                                                          "I know all, you know nothing" then kill the thread so people can't show you might be wrong or defend themselves, oh my. How nice, now I recall why I probably left this list last time! I hope you get that new job in the censorship office, you've got the right credentials.

                                                          And for the record, I don't give a rat's ass about your opinion, if some turd is trying to pollute my networks, I don't want them here, period!

                                                          In use of ANY anti spam method there will ALWAYS be collateral damage, regardless of what method is used. That's why god invented whitelists.


                                                          Now I shall be silent

                                                          On Fri, 2010-10-29 at 08:42 -0400, Wietse Venema wrote:

                                                        • Noel Butler
                                                          Message 28 of 29 , Oct 29, 2010
                                                            On Sat, 2010-10-30 at 09:26 +1000, Noel Butler wrote:
                                                            Damn, hit enter too soon. I shall unsub from this list to save you the trouble, I've learnt nothing really since I've been here anyway :)
                                                            and my only real question about postfix and the probable bug given its unnecessary double sql queries in many cases went unanswered and ignored.

                                                            have fun kiddies


                                                          • Покотиленко Костик
                                                            Message 29 of 29 , Nov 1, 2010
                                                              For now almost a week without sorbs and without spam.

                                                              Remembered that the reason I installed the sorbs list was many forged
                                                              freemail spams. At that time I'd done a client/hello/sender match check for
                                                              a list of free mail services (discussed on this list). And I was also
                                                              advised to add sorbs, b/c all cases with forged freemails were listed
                                                              there.

                                                              So, now sorbs removed, client/hello/sender match check is working, and
                                                              no spam.

                                                              On Thu, 28/10/2010 at 22:07 -0500, Stan Hoeppner wrote:
                                                              --
                                                              Покотиленко Костик <casper@...>