7

Without using SpamAssasin, or similar, what are your best tips for preventing spam.

Please try and provide config examples :D

Mez
  • 459
  • 1
  • 5
  • 15
  • A canonical question was asked : http://serverfault.com/questions/419407/fighting-spam-what-can-i-do-as-an-email-administrator-domain-owner-or-user –  Sep 23 '12 at 22:41

6 Answers6

10

I make use of:

  • smtpd_recipient_restrictions
  • DNS blacklists
  • local blacklists
  • header / body filters

Example:

smtpd_recipient_restrictions = permit_mynetworks,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_policy_service unix:private/policy,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client psbl.surriel.com,
        reject_rbl_client dnsbl.sorbs.net,
        permit

The reject_non_fqdn_hostname option catches a lot of servers, but your mileage may very depending who you receive mail from.

David
  • 101
  • 2
4

Use SPF, SpamAssassin, Razor, Pyzor, DCC, Graylist and use a setup like the other answer example:

smtpd_recipient_restrictions = permit_mynetworks,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
reject_unauth_destination,
check_policy_service unix:private/policy,
reject_rbl_client zen.spamhaus.org,
reject_rbl_client psbl.surriel.com,
reject_rbl_client dnsbl.sorbs.net,
permit

Alakdae
  • 1,213
  • 8
  • 21
2

Nice idea is to have two separate machines (physical or virtual) for incoming and internal/outgoing SMTP traffic. That way you can have more restrictions in place for outside messages, more strict spam/attachment control, and less restrictive rules for internal mail (for example you might consider larger message size on internal server).

Using greylisting (for example postgrey) can be an excellent idea, if you don't want to use SpamAssassin. Just put it high on smtpd_recipient_restrictions list, like that:

smtpd_recipient_restrictions =
        reject_unauth_pipelining,
        permit_mynetworks,
        permit_sasl_authenticated,
        # checks for known hostnames, addresses, clients
        check_policy_service inet:127.0.0.1:60000

And remember to change default delay time from 300 to something higher, preferably random (but not higher than 1200-1500). This way if a mail server is unknown to your SMTP, it will have to wait a couple of minutes before trying to deliver a message again, thus relieving your spam filter and greatly reducing UBE.

I also suggest acquiring good blacklist of popular spammer CIDR classes, filter out incoming server SMTP traffic (not client) from ppp or dynamic domains. That should help also.

drybjed
  • 544
  • 2
  • 7
2

Check out http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html - its a set of regex block rules for Postfix that block a high-amount of dynamic IP addresses without catching too many legit servers.

I also run postgrey (http://postgrey.schweikert.ch/) which helps catch what the regex doesn't.

ph.
  • 151
  • 3
0

My first line of defense is my firewall, and I put it to good use since it provides the highest ROI and is exceedingly simple to implement. Since I do not wish to make my network accessible to the entire world, I unapologetically block most of it (your mileage may vary, obviously). Next, replace Sendmail with Postfix -- yet another high-ROI modification. Finally, I used Jim Seymore's Postfix Anti-UCE Cheatsheet (minus some RBL and other external UCE list sites) to choose what would work best for me. I can count on one hand the number of daily UCE attempts to my mail server, and, along with some of cop1152's suggestions (to which I would add no domain catch-alls), I average less than one successful delivery per month.

Gary Chambers
  • 725
  • 4
  • 8
-4

to PREVENT spam..

Dont let your email address get out there. Keep it off lists. Dont use it to sign up for ANYTHING, use a throw-away for that.

If you see a forwared that has a thousand addresses visible DO NOT PASS IT ALONG.

Dont try to unsubscribe from SPAM using the link provided in the email. These usually just verify your email you to a bot.

If you have placed a Craigslist ad and receive some spam because of it DO NOT REPLY TO IT. The spam is likely being re-mailed from the craigslist reply-to address. It will go away sooner or later.

If you are using Outlook, DO NOT OPEN spam email. Opening these emails can activate a unique link that will verify your address to a bot.

cop1152
  • 2,626
  • 3
  • 21
  • 32