I've been running an amavisd-new, spamassassin, postfix setup for a while to help crush spam on our incoming e-mail servers. The setup I'm using is a few years old at this point and it's about time to rebuild on new hardware.
I was wondering if there was another approach to tackling this ever-present issue that might yield better results for our large mail system. I have no particular complaints about the current setup, other than the fact that we still are plagued by spam... :)
I'm mostly interested in free solutions, but might be willing to consider a paid software/third party service if the price is right.
Thanks in advance for any suggestions you might have.
I outsource to Postini. I like Postini, but I am not necessarily advocating for them. I DO advocate outsourcing your spam filtering though, for three major reasons:
And it's not THAT expensive. I think I pay about 1/month/mailbox for it. That's worth it to me, to be honest.
If you're running postfix as your MTA, configuring the right DNSBLs is 90% of the solution :)
Also, since you say you're upgrading to latest versions, you will appreciate postfix' new SMTP triage server, postscreen.
It handles all RBL checking in parallel, and has an extensive black- and whitelist cache, thus easing the load on the parts of the system that actually matter (postfix and spamassassin).
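A postscreen setup along the lines of the answer above, added here as an example and not taken from any poster's configuration. The zones are the DNSBLs named on this page; the weights and the threshold are assumed values, chosen so that a listing on one zone alone does not cause a reject.

```conf
# ---- /etc/postfix/main.cf ----
# Added example. Weights and threshold below are assumptions; tune them
# against your own logs before enforcing.

# Never run the tests against your own networks.
postscreen_access_list = permit_mynetworks

# Each zone contributes its weight when it lists the client IP.
# With these values any two listings reach the threshold, one does not.
postscreen_dnsbl_sites =
    zen.spamhaus.org*2
    b.barracudacentral.org*2
    ix.dnsbl.manitu.net*1
postscreen_dnsbl_threshold = 3

# "enforce" rejects with a 550 during the SMTP dialog and logs
# helo/sender/recipient, so a wrongly blocked sender gets a bounce
# from their own server. The default "ignore" only logs.
postscreen_dnsbl_action = enforce

# Drop clients that talk before the server greeting has finished.
postscreen_greet_action = enforce

# ---- /etc/postfix/master.cf ----
# Comment out the existing "smtp inet ... smtpd" line, then let
# postscreen own port 25 and hand accepted connections to smtpd.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
```

Run `postfix check` and `postfix reload` after the change, and watch the mail log for the per-client DNSBL rank lines postscreen writes to see how close legitimate senders come to the threshold.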
You should not filter Spam. You have to reject Spam. This means you have to reject the mail during the SMTP dialog. If you have already accepted the mail, then you are responsible for final delivery. And that can get you into big trouble if your "filter" incorrectly identified a legit mail as Spam which was then dumped into the trash. But if you reject the falsely identified mail, the sender will get notified.
So adaptr's approach is the correct one as it rejects Spam at the earliest. The second defense line should be policyd-weight, which is like SpamAssassin for the data during SMTP dialog.
The third defense line should be an optimized amavisd-new setup as before-queue content-filter. But you have to check if it can cope with your load. Receiving 20-30 mails per second at this stage is no problem.
If you need a good DNSBL then check ix.dnsbl.manitu.net. It is optimized for recipients in Germany.
I'd recommend an appliance. This is where using something like a Barracuda Spam Firewall or a Cisco Ironport is beneficial. The idea is that these devices keep the ugliness off of your servers. They're tunable and can be tweaked to your organization's needs.
Short of using one of the above, you can get by with what you have. I've been skipping zen.spamhaus.org since it's recently been a problem for users emailing from dynamic IP ranges (e.g. 3g/4g cards, certain ISPs). One of the value-add features of the Barracuda Spam Filter is Barracuda Central. This central reporting and spam database sits at the core of Barracuda's offering. It is also available to plug into mail systems like yours as an RBL. It's free, but requires registration. The RBL is b.barracudacentral.org. I'd suggest trying this and monitoring the results. I haven't had false positives while using this service.