Shellsnet:SN Admin BlockingSpam
Important Note: This is a backed up copy of what existed on Shellsnet's old wiki.
This article is a part of the ShellsNet Old Wiki Backup index
Spam-Control Methods
Basic principles of spam control
- Require valid mail protocol (require HELO, reject unauthorized pipelining, etc.)
- Use DNSBLs, in particular the big ones that check many lists, like Spamhaus and SORBS
- Disable abused commands such as VRFY
- Reject incoming mail which has executable attachments
- Make sure postmaster (admin) is TOLD of some types of serious errors (such as lack of resources)
- Use something like http://www.suphp.org/ to make sure that email sent by scripts running under your webserver has an audit trail
- Tell your users to use http://www.sneakemail.com - or not to publish their email addresses ANYWHERE on the web.
- Consider how many of the above checks your own outgoing mail must pass
Advanced principles of spam control
- Be very careful if you use sender verification
- Consider running spamd/dspam/SpamAssassin, or a tarpit for mail
- Consider greylisting
- Consider a file of regexp-based header/body checks based on the spam you do get
- Consider rejecting mail from servers that claim to be YOU using HELO
MLG's anti-spam config using Postfix, provided for example
MLG's /etc/postfix/main.cf
address_verify_map = btree:/etc/postfix/verify
#notify_classes = bounce, policy, protocol, resource, software
notify_classes = protocol, resource, software
header_checks = regexp:/etc/postfix/acl-header
body_checks = regexp:/etc/postfix/acl-body
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_client_restrictions = permit_mynetworks,
    permit
smtpd_helo_restrictions = reject_invalid_hostname,
    reject_unknown_hostname,
    reject_unauth_pipelining,
    permit_mynetworks,
    check_helo_access hash:/etc/postfix/acl-helo
smtpd_sender_restrictions = reject_unknown_sender_domain,
    reject_non_fqdn_sender,
    permit_mynetworks,
    warn_if_reject reject_unverified_sender
    #reject_unverified_sender
smtpd_recipient_restrictions = reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/acl-recipient,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client sbl-xbl.spamhaus.org
smtpd_soft_error_limit = 2
smtpd_hard_error_limit = 20
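MLG's /etc/postfix/refresh-config script
#!/bin/sh
# Rebuild the alias database and the lookup tables, then reload Postfix.
echo "refreshing /etc/aliases"
postalias /etc/aliases
echo "refreshing MAPS"
postmap /etc/postfix/vhosts
postmap /etc/postfix/acl-helo
# acl-body and acl-header are used as regexp: tables in main.cf; Postfix reads
# those as plain text, so postmap is not required for them.
postmap /etc/postfix/acl-body
postmap /etc/postfix/acl-header
postmap /etc/postfix/acl-recipient
postmap /etc/postfix/acl-sender
echo "reloading postfix."
postfix reload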
MLG's /etc/postfix/acl-helo
mlg3.net REJECT You are not mlg3.net
shellsnet.org REJECT You are not shellsnet.org
You can replace those domains with your own domains to reject spoofed mail.
MLG's /etc/postfix/acl-header
/name=[^>]*\.(bat|com|exe|dll)/ REJECT executable attachments prohibited
/name=[^>]*\.(zip)/ REJECT zip attachments not permitted, use a different suffix or compression type
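To preview what the acl-header rules above will reject before loading them, the following added example (not part of the original wiki page or MLG's config) runs them over constructed header lines using Python's `re` as a stand-in for Postfix's POSIX matcher. The names `load_rules`, `check`, `report`, `SAMPLES` and the tightened rule in `ACL_HEADER_ANCHORED` are assumptions made for illustration; only the simple `/pattern/flags action` line form is handled.

```python
import re

# The two rules from the page's /etc/postfix/acl-header, verbatim.
ACL_HEADER = r'''
/name=[^>]*\.(bat|com|exe|dll)/ REJECT executable attachments prohibited
/name=[^>]*\.(zip)/ REJECT zip attachments not permitted, use a different suffix or compression type
'''

# Hypothetical tightened rule (not from the page): the extension must end the value.
ACL_HEADER_ANCHORED = r'''
/name=[^>]*\.(bat|com|exe|dll)(["; ]|$)/ REJECT executable attachments prohibited
'''

# Constructed sample header lines, one logical (unfolded) header per entry.
SAMPLES = [
    'Content-Type: application/octet-stream; name="invoice.EXE"',
    'Content-Disposition: attachment; filename="photos.zip"',
    'Content-Type: application/pdf; name="sales.company-report.pdf"',
    'Content-Type: text/plain; name="notes.txt"',
]

def load_rules(text):
    """Parse '/pattern/flags action' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-z]*)\s+(.*)$", line)
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        pattern, flags, action = m.groups()
        # regexp: tables ignore case by default; the 'i' flag toggles that off.
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), action))
    return rules

def check(rules, header):
    """Return the action of the first matching rule (first match wins), else None."""
    for rx, action in rules:
        if rx.search(header):
            return action
    return None

def report(table):
    """Pair every sample header with the action the given table yields."""
    rules = load_rules(table)
    return [(h, check(rules, h)) for h in SAMPLES]

if __name__ == "__main__":
    for label, table in (("page rules", ACL_HEADER), ("anchored", ACL_HEADER_ANCHORED)):
        for header, action in report(table):
            print(f"{label:10} | {action or 'no match':45.45} | {header}")
```

The unanchored page rule also rejects the constructed `sales.company-report.pdf` because `.com` appears mid-filename, and `name=` matches inside `filename=`. On a live host, `postmap -q '<header line>' regexp:/etc/postfix/acl-header` runs the same lookup through Postfix's own matcher.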
Links
- Handling spam in postfix - http://www.postfix.org/uce.html
- dspam/CGI HOWTO - http://www.freesoftwaremagazine.com/free_issues/issue_02/focus_spam_dspam/index_p7.html

