postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Fighting Backscatter

Re: Fighting Backscatter

From: Ned Slider <ned_at_nospam>
Date: Fri Oct 22 2010 - 15:50:47 GMT
To: postfix-users@postfix.org

On 20/10/10 04:35, Stan Hoeppner wrote:
> Jeroen Geilman put forth on 10/19/2010 8:09 PM:
>
>> You're missing some of the better spam prevention methods here, such as
>> decent HELO checks, and an RBL or two.
>>
>> I'd suggest at least adding reject_unknown_reverse_client_hostname in
>> there, as well as (testing out)
>> reject_[invalid|unknown|non_fqdn]_helo_hostname.
>
> This will probably be a big help to Steve.
>
> smtpd_recipient_restrictions =
> permit_mynetworks
> permit_sasl_authenticated,
> reject_unauth_destination
> ...
> check_client_access pcre:/etc/postfix/fqrdns.pcre
> ...
> reject_rbl_client zen.spamhaus.org
> reject_rbl_client psbl.surriel.com
> reject_rhsbl_client dbl.spamhaus.org
> reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_helo dbl.spamhaus.org
> check_policy_service inet:127.0.0.1:60000
>
> http://www.hardwarefreak.com/fqrdns.pcre
>
> This pcre rdns checker kills tons of bot spam from consumer IPs that
> should not be sending direct smtp mail. It picks up where the PBL
> leaves off. Zero FP rate.

Hi Stan,

I will dispute the zero FP rate. I was interested enough to pull the
file and have a quick look, and found an example FP from today's mail
spool almost immediately:

Received: from hornett-bros.co.uk
(host81-143-22-5.in-addr.btopenworld.com [81.143.22.5])

Quite simply there are a lot of legitimate servers out there running on
consumer IP space. It's not all dynamic, much of it is static and your
pcre doesn't differentiate. I'm not arguing for or against the virtues
of running/not running mail servers on consumer IP space, just
highlighting the fact that many do it and therefore your block list,
whilst no doubt highly effective, will cause FPs - i.e, it will block
ham originating from such servers. The above example has neglected to
set a PTR address for his IP and thus triggers a hit against your pcre file.

PS - love your reject_rhsbl_* dbl.spamhaus.org suggestions - those are
catching a fair amount of new snowshoe ranges yet to make it onto my
IP-based blocklists