policyd-weight and some unorthodox approaches to eliminating spam



Similar documents
CipherMail Gateway Quick Setup Guide

Postfix: Status Quo current development an overview

one million mails a day: open source software to deal with it Charly Kühnast Municipal Datacenter for the Lower Rhine Area Moers, Germany

Introduction of the S25R anti-spam system

Ciphermail Gateway Administration Guide

Implementing MDaemon as an Security Gateway to Exchange Server

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Enhanced Spam Defence

SMTP Settings. Magento Extension User Guide. Official extension page: SMTP Settings. User Guide: SMTP Settings

Migration Project Plan for Cisco Cloud Security

Articles Fighting SPAM in Lotus Domino

sendmail Cookbook Craig Hunt O'REILLY' Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo

MailFoundry Users Manual. MailFoundry User Manual Revision: MF Copyright 2005, Solinus Inc. All Rights Reserved

Setting up Microsoft Office 365

USAGE GUIDE ADAM INTERNET SPAM FILTER MANAGER

Exim4U. Server Solution For Unix And Linux Systems

Fighting Spam: Tools, Tips, and Techniques

Frequently Asked Questions for New Electric Mail Administrators 1 Domain Setup/Administration

GRAYWALL. Introduction. Installing Graywall. Graylist Mercury/32 daemon Version 1.0.0

Spam fighting with Postfix

Mail agents. Introduction to Internet Mail. Message format (2) Authenticating senders

Configuring Your Gateman Server

ORF ENTERPRISE EDITION 1. Getting the Most Out of ORF

Guardian Digital Secure Mail Suite Quick Start Guide

Ciphermail Gateway Administration Guide

ETH Zürich - Mail Filtering Service

Setting up Microsoft Office 365

MailFoundry User Manual. Page 1 of 86. Revision: MF Copyright 2007, Solinus Inc. All Rights Reserved. Page 1 of 86

Mail Avenger. David Mazières New York University

Technical Note. FORTIMAIL Configuration For Enterprise Deployment. Rev 2.1

Core Protection Suite

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

A D M I N I S T R A T O R V 1. 0

Ciphermail for BlackBerry Quick Start Guide

Comodo Antispam Gateway Software Version 1.6

Migration Manual (For Outlook Express 6)

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

Objective This howto demonstrates and explains the different mechanisms for fending off unwanted spam .

Analysis of Spam Filter Methods on SMTP Servers Category: Trends in Anti-Spam Development

Spam Testing Methodology Opus One, Inc. March, 2007

Service Launch Guide (US Customer) SEG Filtering

CS615 - Aspects of System Administration

How to set up the Integrated DNS Server for Inbound Load Balancing

. Daniel Zappala. CS 460 Computer Networking Brigham Young University

Mail system components. Electronic Mail MRA MUA MSA MAA. David Byers

ADMINISTRATORS GUIDE v6.00 Page 1

Anti Spam Best Practices

Mod 08: Exchange Online FOPE

Postfix Anti-Spam Workshop

Postfix. by Rod Roark

SaskTel Hosted Exchange Administrator Guide

EFFECTIVE SPAM FILTERING WITH MDAEMON

Exchange mailbox users can access their from anywhere using the Outlook Web Access

QMAIL & SMTP: A Secure Application for an Unsecure Protocol. Orr Dunkelman. orrd@vipe.technion.ac.il. January 27, 2004 SMTP and QMAIL Slide 1

How to make the s you Send from Outlook 2010 appear to Originate from different Addresses

Barracuda Spam Firewall User s Guide

Linux Administrator (Advance)

HPL Barracuda Spam/Virus Firewall

eprism Security Appliance 6.0 Release Notes What's New in 6.0

Configure a Mail Server

Dynamic DNS How-To Guide

Transferring Your Internet Services

Intercept Anti-Spam Quick Start Guide

NETWORK SETUP GLOSSARY

Configuring Security for SMTP Traffic

Libra Esva. Whitepaper. Glossary. How Really Works. Security Virtual Appliance. May, It's So Simple...or Is It?

Postfix Configuration and Administration

SMTPSWITCH MAILER V6 FEATURES

XGENPLUS SECURITY FEATURES...

Quick Start Guide for administrators

smtplib SMTP protocol client

Feature Comparison Guide

PostfixAdmin 3.0. Mailserver administration made easy. Christian Boltz

How to configure your Windows PC post migrating to Microsoft Office 365

Filtering Admin Guide. Guide to Administrative Functions of Spam and Virus Filtering Service

Training Guide eprism Security Appliance 4.0

Security 8.0 Administrator s Guide

Cannot send Autosupport , error message: Unknown User

Content Scanning with Exim 4

F-SECURE MESSAGING SECURITY GATEWAY

Barracuda Spam Firewall

Exchange 2007/2010 Journaling for Cryoserver

Marketing 201. How a SPAM Filter Works. Craig Stouffer Pinpointe On-Demand cstouffer@pinpointe.com (408) x125

security

SPAMfighter SMTP Anti Spam Server

MDaemon configuration recommendations for dealing with spam related issues

Certified Spam Assassin Professional VS-1114

1 You will need the following items to get started:

Xopero Backup Build your private cloud backup environment. Getting started

Transcription:

policyd-weight and some unorthodox approaches to eliminating spam LinuxForum 2007 Copenhagen, 03. March 2007

policyd-weight by Robert Felber 1 policyd-weight by Robert Felber What does it do?... and why should I use that? Using it 2 The market leader approach The SSL/TLS approach The theoretician approach The appliance The global solution It s hell...

... and why should I use that? Perl policy daemon for the Postfix MTA (2.1 and later) intended to eliminate forged envelope senders and HELOs (e.g. in bogus mails) runs before any queueing is done score based on RBLs, RHSBLs, HELO, MAIL FROM and client IP address it allows you to REJECT messages which have a score higher than allowed it caches the most frequent client/sender combinations to reduce the number of DNS queries

... and why should I use that? Why, Chandler, why? Postfix built-in checks can be too tough for poorly configured clients: one hit, and the mail gets rejected.

... and why should I use that? Fairness policyd-weight is designed to be fair: DynDNS MX users get through if their MTA is setup properly, even if their ISP net is listed in a DUL...... because its decisions whether to reject or accept a mail is based on multiple factors.

Using it Running it Check the defaults: /path/to/policyd-weight defaults Review config: $EDITOR /path/to/policyd-weight.conf Start it: /path/to/policyd-weight start

Using it Make Postfix use it smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,... whitelists... check_policy_service inet:127.0.0.1:12525

Using it Checking the logs Mar 2 22:32:01 outpost postfix/smtpd[29339]: NOQUEUE: reject: RCPT from unknown[41.251.65.17]: 550 5.7.1 <floppy@floppy.org>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: 41.251.65.17, MTA hostname: unknown[41.251.65.17] (helo/hostname mismatch); from=<floppy@floppy.org> to=<floppy@floppy.org> proto=esmtp helo=<41.251.65.17>

Using it Trust no-one $ host 41.251.65.17 Host 17.65.251.41.in-addr.arpa not found: 3(NXDOMAIN) That IP is listed in: BLARS NJABL PSBL dnsbl-2.uceprotect.net

The market leader approach The mail server is not working. Keep Outlook closed.

The market leader approach Try to see the bright side:

The market leader approach No spam! No false positives either!!

The SSL/TLS approach activate opportunistic STARTTLS encryption (smtpd_use_tls = yes) watch the amount of legitimate mail decrease But why is that?

The SSL/TLS approach Some servers want to use STARTTLS...

The SSL/TLS approach... but can t, since...

The SSL/TLS approach... the admin forgot to install a x.509 certificate!

The SSL/TLS approach STUPID!

The SSL/TLS approach It works the other way round as well!

The SSL/TLS approach You can t send mail there since your server wants to use STARTTLS but can t, since...

The SSL/TLS approach... the other admin forgot to install a x.509 certificate

The SSL/TLS approach STUPID!

The SSL/TLS approach Which braindead software allows the use of STARTTLS without a x.509 certificate?

The SSL/TLS approach It was a patched qmail installation.

The theoretician approach I ve got the perfect system. I never need to do maintenance on it, or software upgrades, patches, or anything. It s great. It never wakes me up, spammed, or gets hacked into. It s completely perfect. That was the first step in my plan to build the perfect Postfix system.

The theoretician approach The second step is to plug it in.

The appliance The appliance

The global solution Satellite Orbital Laser Use GeoIP to find the origin of the spam, then nuke the site from orbit. The Japanese military will help if asked nicely!

It s hell... Everybody has these problems