postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Posfix: deliver to spam folder analog of reje

Re: Posfix: deliver to spam folder analog of reject_rbl_client

From: Stan Hoeppner <stan_at_nospam>
Date: Thu Oct 28 2010 - 00:33:33 GMT
To: postfix-users@postfix.org

Покотиленко Костик put forth on 10/27/2010 7:20 AM:
> Can somebody comment on this please.
>
> В Вто, 26/10/2010 в 18:20 +0300, Покотиленко Костик пишет:
>> I'm now trying to move all RBL and RHSBL checks to policyd-weight. In
>> policyd-weight I set "$ADD_X_HEADER = 1" and very high score so it never
>> match.
>>
>> Then I plan to parse "X-policyd-weight" header with sieve script on
>> cyrus to move spam to separate imap folder. Header looks like this:

Why do you want to accept spam and save it somewhere instead of
rejecting the SMTP connection? If you're doing anti-spam correctly, the
few that make it through are easily dealt with in the inbox. Setting up
"spam" or "junk" folders is adding unneeded complexity. Most users
never check their "spam" folders, if they exist.

>>> which is working fine but...
>>>
>>> sorbs.net is very agressive, many ISPs get blocked for several years and
>>> are not willing to delist b/c sorbs doesn't offer free delist for them.
>>>
>>> So there is problem with false-positives. There are not much of them,
>>> but all cases needs additional investigation.

This is exactly why many OPs no longer use SORBS, myself included.
Their listing and delisting policies don't fit well with the modern
world. Listing MTA IPs at Gorilla mailers (Gmail, Yahoo, Hotmail, etc)
due to a small spam run hitting SORBS traps is a stupid idea. This is
absolutely the worst possible way to try to deal with spam coming from
such operations. The listing are always too late to stop the spam run
from reaching SORBS clients, so all this does is end up blocking tons of
ham.

>>> >From other side this combination (spamhaus.org + sorbs.net) doesn't pass
>>> spam almost at all, they even doesn't leave anything for spamassassin,
>>> so I don't want to remove checks.

That may be, but look at the damage SORBS is doing. You're expending
all of this effort to minimize "false positives" generated by SORBS.
Instead of jumping through all these hoops to minimize the damage SORBS
is doing to your operation, simply stop using SORBS' lists and use other
measures to pick up the slack. Barracuda's BRBL is probably just as
effective, and without the large number of FPs.

>>> So the question is: how it is possible to direct SPAM mail to a user's
>>> imap spam folder?

The answer is don't do this. Reject the spam during the SMTP connection.

Try this out for a week or two:

1. Comment out your SORBS entries in main.cf
2. Implement reject_rbl_client b.barracudacentral.org
    See http://www.barracudacentral.org/rbl as sign up is required
3. Implement this dynamic/generic (residential/zombie) blocking PCRE
    check_client_access pcre:/etc/postfix/fqrdns.pcre
    http://www.hardwarefreak.com/fqrdns.pcre

Put the PCRE check before all of your RBL checks. Local table lookups
are infinitely faster than DNS queries, so if the PCRE table can block a
client spam MTA, it's much faster to do so than perform a DNS lookup to
accomplish the same task. Post feedback here as to how well this works
for you. Others here have had tremendous success merely by adding this
PCRE alone. It's not magic but it kills a lot of spam connections from
zombies, including many IP not listed on any "dialup/dynamic" lists such
as the PBL and SORBS dyn list.

-- Stan