No spam???
Jorn Argelo
jorn at wcborstel.com
Sat Jan 19 11:32:52 PST 2008
John Almberg wrote:
>>> 2008-01-14 09:30:37.074087500 rblsmtpd: 123.20.89.67 pid 72121: 451
>>> http://www.spamhaus.org/query/bl?ip=123.20.89.67
>>
>> Just one comment, in my installation of SpamAssassin, it reports in
>> syslog as spamd, not as rblsmtpd. This looks like logs from the
>> rblsmtpd program that is not SpamAssassin.
>>
>> As someone mentioned, one way to prevent false positives and too
>> aggressive blacklists is to use them through SpamAssassin only, where
>> the blacklist score is only part of the spaminess. The drawback is
>> that it puts more load on the server and SpamAssassin that has to
>> scrutinize every email, while dropping at the SMTP level is fast and
>> uses very low resources.
>>
>
> Ah... I see. Yes, you are correct. It is rblsmtpd that is doing the
> filtering.
>
> One of my goals with this mail server set up (primarily pf, qmail,
> spamassassin, maildrop, courier) was to minimize processing, since my
> last set up got totally bogged down handling my, and my client's
> email, frequently running with a load of 8 or more with several spam
> per second. A real drag.
>
> This set up runs at a much lower load, and seems to do a better job
> filtering spam.

Since you're already using PF, why not use OpenBSD spamd (not
spamassassin) as well? You don't need rblsmtpd then, and OpenBSD spamd
operates together with PF. Maybe rblsmtpd does as well, I don't know - I
never tried it. Also in combination with relaydb to create your own
blacklists it can be pretty interesting. Check out
http://www.openbsd.org/spamd/ for additional info.

Anyway, to go a little more into the background about blacklists; we were
troubled by a lot of "false positive" entries in the blacklists (we use
uatraps and nixspam, and spamassassin checks on blacklists like spamhaus
since they only allow DNS queries if you don't want to pay). We had big
ISPs blacklisted, and seeing the amount of mailservers they have you
don't want to check all of that by hand. And I'm sure somebody else
noticed Gmail's awkward way of handling outgoing e-mail. They apparently
have one global mail queue or something and try another mail server (of
the hundreds they have) when the delivery fails once - a horrible
situation for greylisting.

So what we did is create a Perl script that checks every blacklisted
entry for a PTR record and tries to give an SMTP HELO command. We filter
the PTR record on several keywords (like dsl, dynamic, cable, ip
address, stuff like that). If a valid PTR record or a valid SMTP HELO
reply has been received we remove that entry automatically from the
blacklist. So you still blacklist the zillions of DSL connections and
filter out the big ISPs or other customers. Naturally you will filter
some spammers out using this method, but we still have SpamAssassin as a
second layer doing a fine job. (And FYI: it picks a random IP address and
has a 1 second delay on everything it checks - we don't want to cause a
fuss at ISPs with a lot of blacklisted entries). There's more stuff in
this script but the point of this e-mail is not a lecture on that :P

Anyway, ever since we put this script into place we got zero complaints
about blacklists, while still effectively trapping spammers into OpenBSD
spamd and keeping them busy.

Quite a story - I hope someone might find this info useful one way or
another. As always, YMMV.

- Jorn
>
> -- John
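
The blacklist clean-up described in the message above, sketched in Python as an added example; it is not the Perl script the message mentions, which is not shown on the page. The keyword list, the function names and the injectable lookup hooks are assumptions, and removing an entry when either check passes is one reading of the description.

```python
import random
import re
import smtplib
import socket
import time

# Assumed keyword list, modelled on the message's "dsl, dynamic, cable".
DYNAMIC_WORDS = {"dsl", "adsl", "dyn", "dynamic", "cable", "dhcp", "pool", "ppp", "dialup"}

def embeds_ip(ptr, ip):
    """True if the PTR name spells out the address, octets forward or reversed."""
    octets = ip.split(".")
    return any(re.search(r"(?<!\d)" + r"[.\-_]".join(order) + r"(?!\d)", ptr)
               for order in (octets, octets[::-1]))

def looks_dynamic(ptr, ip):
    """Keyword or embedded-address match on a PTR name (residential-style rDNS)."""
    labels = set(re.split(r"[^a-z]+", ptr.lower()))
    return bool(labels & DYNAMIC_WORDS) or embeds_ip(ptr, ip)

def resolve_ptr(ip):
    """Reverse lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def smtp_greets(ip, timeout=10):
    """True if something on port 25 answers HELO with a 2xx reply."""
    try:
        with smtplib.SMTP(ip, 25, timeout=timeout) as server:
            return 200 <= server.helo()[0] < 300
    except (OSError, smtplib.SMTPException):
        return False

def triage(blacklist, ptr_lookup=resolve_ptr, helo_check=smtp_greets, delay=1.0):
    """Split blacklisted IPs into (keep, remove); random order, paced by `delay`."""
    keep, remove = [], []
    for ip in random.sample(list(blacklist), len(blacklist)):
        ptr = ptr_lookup(ip)
        # PTR names are set by whoever controls the address block, so a pass
        # here only lifts the blanket block; content filtering still applies.
        if (ptr and not looks_dynamic(ptr, ip)) or helo_check(ip):
            remove.append(ip)
        else:
            keep.append(ip)
        time.sleep(delay)
    return keep, remove
```

Passing a dictionary lookup as `ptr_lookup` and a stub as `helo_check` lets the classification be checked offline before it is pointed at a live blacklist.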