Spam reduction with Greylisting and SpamAssassin
To reduce the amount of SPAM being seen by my wife and myself, I have been using GreyListing / SpamAssassin on our personal domain for several months. So far this combination has been very effective for us. This combination is stopping over 99% of spam (up to 99.8%).
Below are our stats for the past 4 weeks:
Spam statistics as of: 16/09/2007 Total spam: 5459 Total greylisted: 4457(90.8%) Total emails accepted by greylisting (both spam and legitimate): 451 (9.2)% Total identified spam through to end users: 1002 (20.4%) Identified SPAM: Emails greylist_delayed: 58 (1.2%), marked as spam 57 (96.6%), NOT marked as spam 2 (3.4%) emails via backup mx: 991 (20.2%), marked as spam 944 (95.2%), NOT marked as spam 48 (4.8%) Effectiveness of Greylisting / SpamAssassin: 99.1%. 50 out of 5459 not marked as spam
Spam statistics as of: 23/09/2007 Total spam: 5167 Total greylisted: 4928(90.8%) Total emails accepted by greylisting (both spam and legitimate): 499 (9.2)% Total identified spam through to end users: 239 (4.4%) Identified SPAM: Emails greylist_delayed: 99 (1.8%), marked as spam 98 (97.0%), NOT marked as spam 3 (3.0%) emails via backup mx: 151 (2.8%), marked as spam 138 (90.2%), NOT marked as spam 15 (9.8%) Effectiveness of Greylisting / SpamAssassin: 99.7%. 18 out of 5167 not marked as spam
Spam statistics as of: 30/09/2007 Total spam: 6216 Total greylisted: 5950(91.2%) Total emails accepted by greylisting (both spam and legitimate): 573 (8.8)% Total identified spam through to end users: 266 (4.1%) Identified SPAM: Emails greylist_delayed: 141 (2.2%), marked as spam 135 (95.1%), NOT marked as spam 7 (4.9%) emails via backup mx: 151 (2.3%), marked as spam 128 (84.2%), NOT marked as spam 24 (15.8%) Effectiveness of Greylisting / SpamAssassin: 99.5%. 31 out of 6216 not marked as spam
Spam statistics as of: 07/10/2007 Total spam: 7901 Total greylisted: 7712(93.0%) Total emails accepted by greylisting (both spam and legitimate): 581 (7.0)% Total identified spam through to end users: 189 (2.3%) Identified SPAM: Emails greylist_delayed: 135 (1.6%), marked as spam 134 (97.8%), NOT marked as spam 3 (2.2%) emails via backup mx: 63 (0.8%), marked as spam 55 (85.9%), NOT marked as spam 9 (14.1%) Effectiveness of Greylisting / SpamAssassin: 99.8%. 12 out of 7901 not marked as spam
<!---
The table below shows the stats for the past week. As you can see only about 0.6% of Spam is actually getting through to an end user without being tagged as Spam (and possibly being automatically handled). These numbers don't include any extra Spam handling done within our mail clients.
| Period start | 23/09/07 04:00 | |||
| Period end | 30/09/07 04:00 | |||
| Total spam rejected by greylisting | 5950 | 95.5% | ||
| SpamAssassin | ||||
| SPAM resent through greylisting | 159 | 2.6% | 146 | 91.8% |
| SPAM sent via backup MX | 124 | 2.0% | 100 | 80.6% |
| Total SPAM seen by end user | 283 | 4.5% | 246 | |
| Total SPAM for week | 6233 | |||
| Total marked as SPAM by SpamAssassin | 249 | 88.0% | ||
| Email to end user not marked as spam | 37 | 0.6% | ||
--->
One of the potential issues with our setup is that we have a backup MX which doesn't run GreyListing etc. It does run SpamAssassin though. When I first set the system up I found that a lot of spam was coming through via the backup MX. In an attempt to foil this I "hid" my backup mx record like so:
- primary mail server mx record
- primary mx record under a different name
- backup mail server mx record
- primary mx record under a different name
This was working on the theory that spammers were preferentially targeting servers other than the primary MX as they tend to be less well defended.
Unfortunately this did not work (at first), and around 25% of spam came in via the backup MX (eg 781 via backup mx / (2705 stopped by breylisting + 781) = 22% of total via backup mx
Of this 728 (93%) was successfully tagged by SpamAssassin. So the amount of spam to the end user was still reasonably low (53).
This was the norm until about 3 or so weeks ago, when the spammers virtually stopped using the backup MX for some reason. I don't know of any change on the backup MX to cause this.
The systems I am currently using are:
- Postfix mta (postfix-2.3.3-2)
- postgrey greylisting server (v 1.30)
- SpamAssasin (spamassassin-3.2.2-1.el5.rf)
For more information about greylisting, see http://www.greylisting.org
- dabailey's blog
- Login or register to post comments
Comments
Suggestion for Postfix Users
Hey All,
I suggestion for postfix users and to possibly remove the need to install spamassassin or Greylisting is adding the following into your postfix main.cf
You can add more spam servers (RBL's) in here and postfix should automatically search the servers itself. If something does slip through you can also add your own hash file with domains in it as follows
Create this file
Now dont know if it works better then spamassassin or not but I dont have spam
and i dont use spamassassin at all plus it is one line of coding rather then installing more deamons and having to do more configuration.
Brutal
SpamAssassin
SpamAssassin is an open source application that examines incoming email and categorises it as spam (or not). The project run by the Apache foundation. Their home page can be found at: http://spamassassin.apache.org/ It can integrate with a wide variety of MTAs (mail servers).
SpamAssassin works by performing a number of tests on the email and assigning points based on their outcome. If an email accrues more than a certain number of points, it is classed as Spam.
SpamAssassin is highly configurable. Each user may have their own spam threshold. They may even have their own scoring system.
There are a wide variety of tests that it performs (see: http://spamassassin.apache.org/tests_3_2_x.html for the full list)
You can also set up folders containing Spam and Ham (non Spam) for SpamAssassin to learn from. As a large proportion of email is actually spam, doing this may not be a good idea, as eventually the Bayesian filter gets poisoned and everything ends up looking like spam.
Setting up Spamassassin to work with Postfix mail server
Obtaining Spamassin
Spamassassin is available for many Linux distributions directly from the standard repositories. So, first setp is to search for Spamassassin, and install it if found.
If you can't find it in one of the standard repositories, go to the Spamassassin website (http://spamassassin.apache.org/) and obtain your copy from there.
Setup
There are a number of ways to seteup Spamassassin, I have elected to pipe the incomming email via procmail.
In the /etc/postfix/main.cf, make the mailbox_command variable to be:
NB. I am also using Dovecot IMAP server with the user mailboxes in $home/Maildir
This will cause postfix to deliver email to the local users by sending it via procmail
Edit the /etc/procmailrc file to contain (at least):
Greylisting
Greylisting is a Spam reduction technique that relies on the fact that *most* spammers aren't using a real MTA (mail server) to send out the Spam. When greylisting, the receiving mail server gives a temporary failure code to any "suspect" emails. A valid mail server will take that in it's stride and resend the message again later, whilst a spam bot will not.
The greylisting server determines which emails to challenge by checking the combination of:
If that combination hasn't been seen before, the server records that information and the date / time. The email is temporarily rejected.
There is a time to go live that is typically a server parameter. The next time that combination is seen, the time is checked again. If it is past the time to go live, the email is accepted, otherwise it is rejected again. The date / time of this subsequent combination is also recorded. Many people recommend 60 minutes at the time to go live, but I use 60 seconds. This appears to work quite satisfactorily.
There may also be a parameter to tell the server when to make each combination go "stale", so that if it hasn't been seen the the correct timeframe the server is challenged again.
Obviously, one of the down sides of greylisting is that some emails will be delayed. There is also a small chance that some emails may never be delivered.
Some / many greylisting servers can have various whitelists that can reduce any delays for legitimate emails. For example, you could automatically whitelist any emails from any know real mail server that is likely to email your domain. As they are real mail servers they *will* pass the greylisting test, so why bother them. NB. This white listing can be done by exact name match, IP match, or regex of either.
One way to obtain the list of mail servers you have contact with is to grep through your mail logs. The following code will search your logs for any mail servers that appear to be legitimate. (ie they have mx, mail, or smtp in their domain name).
egrep "client=.*mail.*|client=.*mx.*|client=.*smtp.*" /var/log/maillog* \ | awk '{print $7}' \ | awk -F = '{print $2}' | awk -F [ '{print $1}' \ | sort | uniq -uIf you want to see the frequency of access of each of these servers, you could change the line to:
egrep "client=.*mail.*|client=.*mx.*|client=.*smtp.*" /var/log/maillog* \ | awk '{print $7}' \ | awk -F = '{print $2}' | awk -F [ '{print $1}' \ | sort | uniq -c | sort -nNB. This code has been tested against postfix mail logs.
Obviously, you would make some intelligent choices of which mail servers to white-list.
Once you have your greylisting bedded down, all of your regular contacts will have their email delivered immediately, so it will be fairly un-noticable to the end user.
There are implementations of greylisting for virtually all popular email servers (including MS Exchange).
For further information see http://www.greylisting.org
It has be hypothesized that if too many people start using greylisting, the spammers will adapt. This may be the case, but at this time, they haven't. Even if they do, it will mean that the spammers will have to work considerably harder to deliver their spam.
Setting up Postgrey to work with Postfix mail server
Obtaining Postgrey
Postgrey is available for many Linux distributions directly from the standard repositories. So, first setp is to search for postgrey.
If you can't find it in one of the standard repositories, go to the Postgrey website (http://postgrey.schweikert.ch/) and obtain your copy from there.
Setup
I followed the instructions found at: http://www.howtoforge.com/greylisting_postfix_postgrey
Basicly what you need to do is:
Configure the postgrey daemon
Edit the /etc/sysconfig/postgrey file and set the command line options for the postgrey daemon
NB The --delay parameter is the number of seconds in the "time to go live" parameter.
Setup any whitelists you require
Look through your mail logs etc to determine if there are any mail servers you wish to witelist.
Some commands which may assist you in determining which mail servers to whitelist are:
egrep "client=.*mail.*|client=.*mx.*|client=.*smtp.*" /var/log/maillog* \ | awk '{print $7}' \ | awk -F = '{print $2}' | awk -F [ '{print $1}' \ | sort | uniq -uIf you want to see the frequency of access of each of these servers, you could change the line to:
egrep "client=.*mail.*|client=.*mx.*|client=.*smtp.*" /var/log/maillog* \ | awk '{print $7}' \ | awk -F = '{print $2}' | awk -F [ '{print $1}' \ | sort | uniq -c | sort -nThe file to edit is /etc/postfix/postgrey_whitelist_clients.local
The entries in the whitelist can be either explicit email hosts (or IPs) or regexes. NB. The format for a regex is
See the /etc/postfix/postgrey_whitelist_clients for examples of the standard exemptions
Here are some of the entries from my setup:
Start postgrey
Use whatever mechanism you distribution uses to start the postgrey service. At a minimum you could use:
Configure Postfix to use Postgrey
Add (or modify) the smtpd_recipient_restrictions parameter (in main.cf) to include
check_policy_service inet:127.0.0.1:60000
NB. On my Postfix configuration, this line did not exist at all, so I had to add it as follows:
NB. The port number here is the same as the port number in the postgrey setup. Technically the postgrey server could be on another machine, so the ipaddress may not be 127.0.0.1