1 (edited by schnappi 2017-11-09 08:02:13)

Topic: Suggestions for lots of spam email getting to inbox

One older email account gets over 100 spam messages per day that make it through the current spam filter. Greylisting is off because I don't like the idea of purposely delaying email.

Will greylisting significantly cut down on spam the same way that, say, moving SSH from port 22 cut down on bots hitting SSH, or is greylisting just another tool that helps a little? Also, in regards to greylisting, once a server passes the "greylisting test" and makes a successful delivery, will that server need to go through the greylisting process every time it tries to deliver email to an iRedMail server? If greylisting is likely to make a huge difference for spam, I am willing to enable it.

Secondly, does anyone have suggestions for improving SpamAssassin to catch more emails? Does iRedMail already reject emails unless both DKIM and SPF pass (looking through headers it looks like it only checks DKIM, but I am not really sure)?

Finally, does anyone recommend other third-party packages to deal with the spam issue effectively?

Of course, I could just use a local filter on Thunderbird or something, but I would like to address this at the server level to deal directly with the issue.

Thanks so much. I would not be able to run a mail server without iRedMail and this forum! Thanks to iRedMail I am now able to run Postfix servers on web servers for contact forms, etc. with confidence. I would not have been able to do this without everything that I learned from iRedMail.


==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====


2

Re: Suggestions for lots of spam email getting to inbox

schnappi wrote:

Will greylisting significantly cut down on spam the same way that, say, moving SSH from port 22 cut down on bots hitting SSH, or is greylisting just another tool that helps a little? Also, in regards to greylisting, once a server passes the "greylisting test" and makes a successful delivery, will that server need to go through the greylisting process every time it tries to deliver email to an iRedMail server? If greylisting is likely to make a huge difference for spam, I am willing to enable it.

It depends. The idea behind greylisting is that many spammers send email with MUA-like bulk sending applications and ignore all errors, __AND__ they don't retry if the mail was rejected. In this case, those spams are rejected. A well-designed MTA will retry to deliver the email, so it will eventually be delivered. Of course, if spammers use a well-designed MTA to send spam, they will bypass the greylisting service too.

If the sender server passes greylisting, it will be whitelisted for 30 days (check the "GREYLISTING_AUTH_TRIPLET_EXPIRE =" setting in /opt/iredapd/libs/default_settings.py); of course you're free to change the number of days.

You can enable training mode first (set "GREYLISTING_TRAINING_MODE = True" in /opt/iredapd/settings.py -- without quotes) for a few days and see how it works. If you're satisfied, remove it to actually enable greylisting.

schnappi wrote:

Secondly, does anyone have suggestions for improving SpamAssassin to catch more emails? Does iRedMail already reject emails unless both DKIM and SPF pass (looking through headers it looks like it only checks DKIM, but I am not really sure)?

It increases the spam score if the DKIM/SPF checks fail, but does not reject the mail directly.

To catch more spam with SA, a simple and quick solution is to check the spam scores of received spams, then slightly decrease the spam score in the global (or per-domain, per-user) spam policy. This is easy with iRedAdmin-Pro.

Without iRedAdmin-Pro, it's also easy to change the global spam score in the Amavisd config file by setting "$sa_tag2_level_deflt".

schnappi wrote:

Finally, does anyone recommend other third-party packages to deal with the spam issue effectively?

Do you have a DNSBL service enabled? e.g. zen.spamhaus.org.
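The greylisting behaviour described in the reply above (first attempt deferred, a retrying MTA passes and its triplet stays whitelisted for 30 days, training mode always passes), as an added simplified model; this is not iRedAPD's code, and the 15-minute retry window, the exact-IP triplet and the "accept"/"defer" labels are assumptions.

```python
from typing import Dict, Tuple

# Hypothetical simplified model of the behaviour described in the thread; not iRedAPD's code.
# The two setting names are quoted in the thread; the retry window value is assumed.
GREYLISTING_AUTH_TRIPLET_EXPIRE = 30       # days a passed triplet stays whitelisted
GREYLISTING_TRAINING_MODE = False          # True: record triplets but never defer
RETRY_WINDOW_SECONDS = 15 * 60             # assumed minimum delay before a retry passes
Triplet = Tuple[str, str, str]             # (client IP, sender, recipient)

class Greylister:
    def __init__(self, training: bool = GREYLISTING_TRAINING_MODE,
                 retry_seconds: int = RETRY_WINDOW_SECONDS,
                 expire_days: int = GREYLISTING_AUTH_TRIPLET_EXPIRE) -> None:
        self.training = training
        self.retry_seconds = retry_seconds
        self.expire_seconds = expire_days * 86400
        self.pending: Dict[Triplet, float] = {}   # triplet -> time first seen
        self.passed: Dict[Triplet, float] = {}    # triplet -> whitelist expiry time

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return 'accept' or 'defer' for one delivery attempt at time `now` (epoch seconds)."""
        t: Triplet = (ip, sender.lower(), rcpt.lower())
        expiry = self.passed.get(t)
        if expiry is not None and now < expiry:
            return "accept"                        # whitelisted triplet: no delay at all
        first = self.pending.get(t)
        if first is None:
            self.pending[t] = now                  # first attempt: remember it and defer
            return "accept" if self.training else "defer"
        if now - first < self.retry_seconds:
            return "accept" if self.training else "defer"   # retried too early
        # a real MTA that retried after the window passes and is whitelisted for 30 days
        del self.pending[t]
        self.passed[t] = now + self.expire_seconds
        return "accept"

def scenario() -> Dict[str, str]:
    """Constructed walk-through: a bulk sender that never retries vs. a real MTA that does."""
    g = Greylister()
    out: Dict[str, str] = {}
    out["spam_first"] = g.check("203.0.113.5", "bulk@example.net", "me@example.org", 0)
    # the bulk sender ignores the temporary error and never comes back, so nothing is delivered
    out["mta_first"] = g.check("198.51.100.7", "friend@example.com", "me@example.org", 0)
    out["mta_retry"] = g.check("198.51.100.7", "friend@example.com", "me@example.org", 1200)
    out["mta_next_week"] = g.check("198.51.100.7", "friend@example.com", "me@example.org", 7 * 86400)
    out["mta_after_expiry"] = g.check("198.51.100.7", "friend@example.com", "me@example.org", 31 * 86400)
    out["training"] = Greylister(training=True).check("203.0.113.5", "bulk@example.net", "me@example.org", 0)
    return out
```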

3 (edited by schnappi 2017-11-11 08:34:14)

Re: Suggestions for lots of spam email getting to inbox

This is great advice.

How does "GREYLISTING_TRAINING_MODE" differ from just turning greylisting on outright?

I am going to start by tweaking the SpamAssassin score but wasn't able to find "$sa_tag2_level_deflt" in /etc/amavis/conf.d/50-user. Is this the right place to be looking?

If tweaking SpamAssassin doesn't work I will employ a DNSBL service. I checked a few spam emails against some of these services and most of the mail servers sending spam are already listed there, so adding a DNSBL service seems like it is going to make a huge difference. But first I want to see what I can do with SpamAssassin.

Also, I already have "postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2" in the Postfix config file. I am assuming that "Postfix postscreen services" are disabled by default and DNSBLs need to be added under "smtpd_recipient_restrictions =" by default?

*After looking at log files I found many entries such as this: "warning: dnsblog reply timeout 10s for zen.spamhaus.org" even though I thought that DNSBLs were not enabled by default. It looks like these entries go way back on two different iRedMail servers.

4

Re: Suggestions for lots of spam email getting to inbox

schnappi wrote:

How does "GREYLISTING_TRAINING_MODE" differ from just turning greylisting on outright?

Training mode always passes senders.

schnappi wrote:

I am going to start by tweaking the SpamAssassin score but wasn't able to find "$sa_tag2_level_deflt" in /etc/amavis/conf.d/50-user.

Add it manually in 50-user.

schnappi wrote:

Also, I already have "postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2" in the Postfix config file. I am assuming that "Postfix postscreen services" are disabled by default and DNSBLs need to be added under "smtpd_recipient_restrictions =" by default?

Check /etc/postfix/master.cf: is the postscreen service enabled? If yes, then DNSBL is enabled too, with the "postscreen_dnsbl_sites =" setting.

5 (edited by schnappi 2017-11-27 03:07:04)

Re: Suggestions for lots of spam email getting to inbox

After a few weeks of concentrated effort to reduce spam, I have a few observations. First, turning on greylisting significantly reduced spam. Large domains (Gmail, Yahoo, etc.) are whitelisted so most emails are still delivered instantaneously.

Second, it appears that DNSBL blocklists (Spamhaus and Barracuda) are turned on by default in iRedMail, as are Postscreen services through which the DNSBL blocks are delivered. Basically I really have not gotten a handle on how DNSBL works, though, because it seems to sometimes query one server, sometimes the other, and sometimes none at all (although I think this is more due to the 10 second delays built into Postfix Postscreen services). Interestingly, the Barracuda DNSBL appears to sometimes respond to requests even without signing up (the Barracuda DNSBL service asks users to sign up and register their server IP). For example I see many:

addr 0.0.0.0 listed by domain b.barracudacentral.org as 127.0.0.2

but other times the Barracuda DNSBL never gets queried at all.

There are also many log entries with the below:

warning: dnsblog reply timeout 10s for zen.spamhaus.org

A quick internet search shows that the 10s delay is possibly built into Postfix Postscreen services. I am not sure, as I am just not familiar enough with Postfix. Just an observation.


Two concrete questions, disregarding the above observations. Does:

smtp      inet  n       -       y       -       1       postscreen

in the Postfix master.cf file mean that Postscreen services are enabled?

And is:

postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2

basically the same as the default of:

postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2

6

Re: Suggestions for lots of spam email getting to inbox

schnappi wrote:

smtp      inet  n       -       y       -       1       postscreen
in the Postfix master.cf file mean that Postscreen services are enabled?

Yes.

schnappi wrote:

And is:
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2
basically the same as the default of:
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2

Not the same.

Sometimes a DNS query may get an unexpected result; for example, it may return a random IP like 202.xxx.xx.xx or 127.0.0.Y (Y >= 11). According to the DNSBL vendors, only a few 127.0.0.X values are valid replies from them, so we use "=127.0.0.[1..11]" to tell Postfix to only take action when the reply is valid.

Invalid DNSBL replies were reported by some users before. Also, in China, DNS query results may be hacked PURPOSELY by the government or DNS vendors. This is a fact in China (I live in China, and I have had such experience).
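To make the difference between the two settings concrete, here is an added example (not Postfix's or iRedMail's code) that parses both "postscreen_dnsbl_sites" values quoted in this thread and scores constructed DNSBL replies against them; the filter grammar follows the page's "=127.0.0.[2..11]*3" form, and treating a site without a filter as matching any A record is the simplified rule the reply above describes.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copies of the two settings compared in the thread.
DEFAULT_SETTING = "zen.spamhaus.org*3 b.barracudacentral.org*2"
FILTERED_SETTING = "zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.2*2"
POSTSCREEN_DNSBL_THRESHOLD = 1   # Postfix default: a total score >= 1 means "listed"

def parse_dnsbl_sites(setting: str) -> List[Tuple[str, Optional[str], int]]:
    """Parse 'domain[=filter]*weight' entries; the weight defaults to 1 when omitted."""
    sites: List[Tuple[str, Optional[str], int]] = []
    for item in setting.split():
        m = re.fullmatch(r"([^=*]+)(?:=([^*]+))?(?:\*(\d+))?", item)
        if not m:
            raise ValueError(f"bad postscreen_dnsbl_sites entry: {item}")
        domain, filt, weight = m.groups()
        sites.append((domain, filt, int(weight) if weight else 1))
    return sites

def _octet_matches(pattern: str, value: int) -> bool:
    """One filter octet: a plain number, or a [n..m;x] list of numbers and ranges."""
    if not pattern.startswith("["):
        return int(pattern) == value
    for part in pattern[1:-1].split(";"):
        lo, _, hi = part.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt: Optional[str], reply: str) -> bool:
    """No filter: any A record counts, which is what lets a 202.x.x.x or 127.0.0.12 reply score."""
    if filt is None:
        return True
    octets = re.findall(r"\[[^\]]*\]|\d+", filt)   # keeps "[2..11]" as one token
    values = reply.split(".")
    if len(octets) != 4 or len(values) != 4:
        return False
    return all(_octet_matches(p, int(v)) for p, v in zip(octets, values))

def dnsbl_score(setting: str, replies: Dict[str, List[str]]) -> int:
    """Add each site's weight once if any of its replied A records passes its filter (simplified model)."""
    score = 0
    for domain, filt, weight in parse_dnsbl_sites(setting):
        if any(reply_matches(filt, r) for r in replies.get(domain, [])):
            score += weight
    return score

def is_blocked(setting: str, replies: Dict[str, List[str]]) -> bool:
    return dnsbl_score(setting, replies) >= POSTSCREEN_DNSBL_THRESHOLD
```

With the default setting a tampered reply such as 203.0.113.9 still scores 3 and blocks the client; with the filtered setting it scores 0.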

7

Re: Suggestions for lots of spam email getting to inbox

schnappi wrote:

warning: dnsblog reply timeout 10s for zen.spamhaus.org

Is your server very busy? zen.spamhaus.org limits FREE use to 300,000 queries per day; if your server is busy and exceeds the limit, you may get unexpected DNS replies or timeouts.

FYI: https://www.spamhaus.org/organization/dnsblusage/

8

Re: Suggestions for lots of spam email getting to inbox

I would not classify the server as "very busy."

Here is the best information that I could find about the postscreen timeout:
http://postfix.1071664.n5.nabble.com/Un … 67589.html

I think the timeout is baked into Postfix Postscreen services and not an issue. 10 seconds after seeing the message in the log it will try again and work.

Now that I have greylisting working, spam has been significantly reduced. I recommend greylisting (or the MX records trick from http://nolisting.org/) to anyone having issues with spam (and this is coming from someone who initially wasn't a fan of greylisting), but it works.

All this being said, I never really figured out how to edit SpamAssassin to make failed SPF and DKIM play a bigger role, but since greylisting is working so well I am just going to move forward with the spam problem 75% reduced.

@ZhangHuangbin you are more entrepreneurial and freedom loving than most even if you live in a restrictive environment.