Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

17 Sep 09 Linux – Exim, Avenger and SpamAssassin Tips

Further to Exim, MySQL, Courier IMAP, Courier POP3 & Spamassassin – vdomain and vuser set up, I’ve recently been receiving an increasing amount of spam and have finally decided to take some positive action. Previously, my account would get hit with about 100 to 150 spams per day, of which 2 or 3 might get through. Lately this has quickly increased to 700+ per day, of which at least 20 to 30 have been getting through, and I’ve been doing nothing but clearing spam day and night for the past few weeks. It is, however, critical that I do not catch any genuine email – I would rather err on the side of caution and be more generous than not.

Enter Avenger, DCC, and SpamAssassin. Avenger now listens on port 25 on my public interface. I’ve kept the majority of the default configuration options: it checks that the sender can receive bounce messages, it checks against the various block lists I have configured (which I think I may have gone slightly over the top with), and it also checks SPF records, although I will not fail a message on SPF alone as most mailer systems still don’t implement it correctly. A total of 100 points or more is required to fail a message based on the RBLs; here are my servers and weightings:

RBL -s 100 zen.spamhaus.org
RBL -s 50 psbl.surriel.com
RBL -s 60 dyna.spamrats.com
RBL -s 60 bl.spamcop.net
RBL -s 40 db.wpbl.info
RBL -s 50 dnsbl.sorbs.net
RBL -s 50 dul.dnsbl.sorbs.net
RBL -s 25 aspews.ext.sorbs.net
RBL -s 25 t1.dnsbl.net.au
RBL -s 50 l2.apews.org
RBL -s 40 dnsbl-1.uceprotect.net
RBL -s 40 dnsbl-2.uceprotect.net
RBL -s 40 dnsbl-3.uceprotect.net

…As I say, possibly over the top.
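To make the weighting scheme above concrete, here is an added example (my own illustration, not Avenger’s code) that builds the reversed-octet DNSBL query name for each zone, sums the weights of the zones that list the address, and applies the 100-point reject threshold. The listing data is constructed inline so the script runs offline; a real deployment would resolve the query names with DNS, and the `lookup` callback is where that resolver would plug in.

```python
"""Weighted DNSBL scoring in the style of the Avenger RBL lines above.

Added example: the zone weights are copied from the configuration in this
post, but the lookup results are constructed so that it runs offline.
"""
import ipaddress

# Zone -> score, as in the RBL lines above.
RBL_WEIGHTS = {
    "zen.spamhaus.org": 100,
    "psbl.surriel.com": 50,
    "dyna.spamrats.com": 60,
    "bl.spamcop.net": 60,
    "db.wpbl.info": 40,
    "dnsbl.sorbs.net": 50,
    "dul.dnsbl.sorbs.net": 50,
    "aspews.ext.sorbs.net": 25,
    "t1.dnsbl.net.au": 25,
    "l2.apews.org": 50,
    "dnsbl-1.uceprotect.net": 40,
    "dnsbl-2.uceprotect.net": 40,
    "dnsbl-3.uceprotect.net": 40,
}
REJECT_THRESHOLD = 100  # "100 points or more is required to fail a message"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the standard DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def rbl_score(ip, lookup):
    """Sum the weights of every zone that lists `ip`.

    `lookup(name)` returns True when the query name resolves, i.e. the
    address is listed in that zone. Returns (total score, zones that hit).
    """
    total = 0
    hits = []
    for zone, weight in RBL_WEIGHTS.items():
        if lookup(dnsbl_query_name(ip, zone)):
            total += weight
            hits.append(zone)
    return total, hits


def should_reject(ip, lookup):
    """Apply the threshold: (reject?, score, hits)."""
    score, hits = rbl_score(ip, lookup)
    return score >= REJECT_THRESHOLD, score, hits


# Constructed listings standing in for real DNS answers (hypothetical data).
CONSTRUCTED_LISTINGS = {
    "4.3.2.1.zen.spamhaus.org",            # one high-weight zone: exactly 100
    "8.7.6.5.db.wpbl.info",                # 40 points ...
    "8.7.6.5.aspews.ext.sorbs.net",        # ... plus 25 = 65, below threshold
    "12.11.10.9.dnsbl-1.uceprotect.net",   # three 40-point zones = 120
    "12.11.10.9.dnsbl-2.uceprotect.net",
    "12.11.10.9.dnsbl-3.uceprotect.net",
}


def constructed_lookup(name):
    """Offline stand-in for a DNS resolver."""
    return name in CONSTRUCTED_LISTINGS


if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.10.11.12", "203.0.113.7"):
        reject, score, hits = should_reject(ip, constructed_lookup)
        print(ip, "REJECT" if reject else "accept", score, hits)
```

The point the numbers make: a single Spamhaus ZEN listing is enough to reject on its own, while an address that only appears in a couple of the lower-weighted lists is still accepted, which is what keeps the generous setting from catching genuine mail.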

Assuming that we’ve passed so far, which is a big if as far as spam goes, the message is then piped to exim. SpamAssassin processes the message first, and has been configured with DCC (Distributed Checksum Clearinghouse). This is an absolutely great system. Essentially the message is checksummed and the checksum is sent to a DCC server. To clarify: only the checksum is sent, and it is not reversible, so your message itself never leaves your machine. The DCC service gives each checksum it receives one point; once a checksum has been reported more than a certain number of times, we can assume it is generic junk that isn’t personal to us. Be careful though: the DCC public servers shouldn’t be used for heavy duty/commercial mail servers. I’ve installed the dcc tarball, and added the following to SpamAssassin’s local.cf:

use_dcc 1
dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc
add_header all  DCC _DCCB_: _DCCR_
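The following is an added example of the idea behind DCC, not DCC’s own code: a hash of the normalized message body stands in for DCC’s fuzzy checksums, and an in-memory counter stands in for the public DCC servers. The sample messages are constructed. It shows why only the digest needs to leave the machine, why bulk mailers’ per-recipient variation has to be normalized away before hashing, and how the same message reported many times crosses the bulk threshold while a one-off personal mail does not.

```python
"""Distributed-checksum bulk detection in the spirit of DCC.

Added example, not DCC's implementation: a normalized-body SHA-256 stands
in for DCC's fuzzy checksums and an in-memory Counter for the DCC servers.
"""
import hashlib
import re
from collections import Counter


def normalize_body(body: str) -> str:
    """Strip the cheap per-recipient variation bulk mailers add, so that
    near-identical copies hash to the same value: case, URLs, digits and
    whitespace runs. (DCC's real fuzzy checksums are more elaborate.)"""
    text = body.lower()
    text = re.sub(r"https?://\S+", "URL", text)
    text = re.sub(r"\d+", "", text)
    text = re.sub(r"\s+", " ", text).strip()
    return text


def body_checksum(body: str) -> str:
    """Only this digest is reported; it cannot be reversed to the text."""
    return hashlib.sha256(normalize_body(body).encode("utf-8")).hexdigest()


class Clearinghouse:
    """Stand-in for a DCC server: it never sees message text, only digests,
    and answers each report with how many times that digest has been seen."""

    def __init__(self):
        self.counts = Counter()

    def report(self, checksum: str) -> int:
        self.counts[checksum] += 1
        return self.counts[checksum]


def is_bulk(body: str, clearinghouse: Clearinghouse, threshold: int):
    """Report the message's checksum and return (bulk?, times seen)."""
    count = clearinghouse.report(body_checksum(body))
    return count >= threshold, count


# Constructed sample messages (hypothetical, for the demonstration only).
SPAM_TEMPLATE = ("Dear {name}, your order #{n} is ready! "
                 "Visit http://example.invalid/{n} now")
PERSONAL = "Hi Adam, are we still on for the meeting at 3pm on Thursday?"


def demo(threshold: int = 3):
    """Four personalised copies of one template, then one personal mail."""
    ch = Clearinghouse()
    results = [is_bulk(SPAM_TEMPLATE.format(name=f"user{i}", n=1000 + i), ch, threshold)
               for i in range(4)]
    personal = is_bulk(PERSONAL, ch, threshold)
    return results, personal


if __name__ == "__main__":
    bulk_results, personal_result = demo()
    for i, (bulk, count) in enumerate(bulk_results):
        print(f"copy {i}: seen {count} time(s), bulk={bulk}")
    print(f"personal mail: seen {personal_result[1]} time(s), bulk={personal_result[0]}")
```

Note the threshold trade-off this makes visible: the first couple of copies of a new spam run are always accepted by a pure counting scheme, which is why DCC is one signal feeding SpamAssassin’s score rather than a reject rule on its own.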

Assuming again that the message has now cleared the DCC hurdle, SpamAssassin will process it with its usual approach. I’ve made certain changes to the default configuration:

score DRUGS_ERECTILE 5
score HELO_DYNAMIC_DHCP 2
score SUBJECT_DRUG_GAP_C 5
score RDNS_DYNAMIC 2
score UNPARSEABLE_RELAY 3
score URIBL_SBL 3.5
score URIBL_WS_SURBL 3.5
score URIBL_PH_SURBL 3.5
score URIBL_OB_SURBL 3.5
score URIBL_AB_SURBL 3.5
score URIBL_JP_SURBL 3.5
use_dcc 1

That complete, I’m now not receiving more than 1 or 2 spams a day which is more than acceptable!
