Cyconet Blog » spam

Conditional greylisting (with postfix, policyd-weight and postgrey)

cyco — Fri, 03 Aug 2007 08:02:46 +0000

In case you think that greylisting might have some disadvantages but give you also some benefits, you probably have thought about to use greylisting with some conditions. For example if you checked some parameters of the mail and you (or better your mailsystem) guess it may be spam, greylisting could be very usefull.
Until now, I was using plain policyd-weight. But mails with $REJECTLEVEL <= score <= $DEFER_LEVEL where in some conditions defered (see policyd-weight default) and if they come back with the same conditions, they will be defered twice. So it makes sence to me to greylist them and if they return within $DEFER_LEVEL, they will pass cause the greylist will allow them.
At first let’s create a restriction class which we can call from policyd-weight within main.cf of postfix:

# restriction class for use with polw (DEFER_ACTION)
smtpd_restriction_classes = greylist
greylist = check_policy_service inet:127.0.0.1:60000

To call postgrey for $REJECTLEVEL <= score <= $DEFER_LEVEL you need to make use of the restriction class “greylist” and let $DEFER_STRING match all defer strings, to get them all greylisted:

# echo “\$DEFER_STRING = ‘NOT’;” >> /etc/policyd-weight.conf
# echo “\$DEFER_ACTION = ‘rc:greylist’;” >> /etc/policyd-weight.conf
# /etc/init.d/postgrey restart

Also you may have a look into The DNSBL countries.nerd.dk. This might be a way to score connections comming from well known spamming countries. But keep in mind, that there may also legitim mails comming from those! ;)

performancing.com and privacy

cyco — Thu, 28 Jun 2007 20:41:07 +0000

Today I was crawling through my mail logs for various reasons.
I was really surprised, that I saw a mail to a dedicated mailaddress which I’m using for communication with performancing.com. I was short checking, if this mailaddress is anywhere published at performancing.com, but couldn’t find anything.

A one liner over the last week of mail logs:

# zgrep performancing /var/log/mail.info* | grep clam | wc -l
26

For a address only used for communicating with one organisation (used as contact mail address) this seems a bit too much traffic and this are only the mails, which was accepted by the MTA. So the questions comes to my mind …. what happens with the addresses at performancing.com? Maybe I missed something?

Reduce spam significant

cyco — Fri, 15 Dec 2006 22:51:18 +0000

With policyd-weight you are able to reject mails before the body is received by your MTA, here postfix. No bounce mails, less wasted bandwidth and cpu time. policyd-weight scores characteristics of the mail positive or negative, is a defined value reached, it got rejected. The scores are currently:

– DNSBLs/RHSBLs
– HELO argument
– MAIL FROM: argument
– Client IP address
– DNS client/HELO/FROM entries (A/16 A/24 A/32), PTR/FQDN and Parent Domains (MX/16 MX/24 MX/32) for their correctness respectively whether they match.

It’s available in etch and bpo, installation is really easy:

# aptitude install [-t sarge-backports] policyd-weight

Remove unnecessary reject_rbl_client and reject_rhsbl_client checks from main.cf and insert the check_policy_service:

smtpd_recipient_restrictions =
        permit_mynetworks,
        ...
        reject_unauth_destination,
        check_policy_service inet:127.0.0.1:12525
        ...

You can create a “/etc/policyd-weight.conf” if you would like to adjusting scores or other policyd-weight parameters. You can get the defaults with “policyd-weight defaults”. For more informations have a look at “/usr/share/doc/policyd-weight/documentation.txt.gz” or http://policyd-weight.org.

A normal day on a backup MX with ~500 domain:

backup:~# zgrep -e “postfix.*: connect from” \
/var/log/mail.info.0 | wc -l
29936
backup:~# zgrep -e “policyd-weight.*decided action=5″ \
/var/log/mail.info.0 | wc -l
22738
backup:~# zgrep -e “postfix.*status=sent” \
/var/log/mail.info.0 | wc -l
5570

Different Postfix Access Policy Delegation

cyco — Wed, 20 Sep 2006 12:21:37 +0000

Today I got some hints how to use different Access Policy Delegation with postfix. This it opens the possibility to use diffrent check_policy_service in dependency on sender address, client ip … and so on.

Create aliases for groups of access restrictions in /etc/postfix/main.cf:

smtpd_restriction_classes = policy1,
                            policy2,
policy1 = check_policy_service inet:127.0.0.1:12525
policy2 = check_policy_service inet:127.0.0.1:12526

Create “/etc/postfix/ip_rules.cidr”:

# echo “127.0.0.1 policy1″ > /etc/postfix/ip_rules.cidr
# echo “127.0.0.2 policy1″ >> /etc/postfix/ip_rules.cidr
# echo “0.0.0.0/0 policy2″ >> /etc/postfix/ip_rules.cidr

Add “check_client_access cidr:/etc/postfix/ip_rules.cidr” at the end of “smtpd_recipient_restrictions” in /etc/postfix/main.cf

In this scenario you can have different access policies based on the client ip. It is also possible to base it on client reverse dns with help of pcre maps and recipient/sender address and hash maps

FuzzyOcr on Debian sarge

cyco — Tue, 19 Sep 2006 09:29:13 +0000

This article covers the installation of FuzzyOcr on Debian sarge including update to packages from backports.org. For informations how to install packages from bpo see here!

Update spamassassin:

# aptitude -t sarge-backports install spamassassin

Keep in mind, that there are essential changes in configuration, so you need to check it to match your needs!

Install other required packages:

# aptitude -t sarge-backports install gocr libungif-bin \
libimage-exif-perl libimage-exiftool-perl libstring-approx-perl \
imagemagick netpbm

Install and patch FuzzyOrc:

# cd /usr/local/src/
# wget \

http://users.own-hero.net/~decoder/fuzzyocr/fuzzyocr-2.3b.tar.gz

# tar xzvf fuzzyocr-2.3b.tar.gz
# wget \

http://www200.pair.com/mecham/spam/fuzzyocr-23b-hashdb-poison.patch

# cd FuzzyOcr-2.3b
# patch FuzzyOcr.pm < ../fuzzyocr-23b-hashdb-poison.patch
# cp FuzzyOcr.pm /usr/share/perl5/Mail/SpamAssassin/Plugin/
# cp FuzzyOcr.cf /etc/spamassassin/
# cp FuzzyOcr.words.sample /etc/spamassassin/FuzzyOcr.words

Configure FuzzyOcr:

# echo “loadplugin FuzzyOcr /usr/share/perl5/Mail/SpamAssassin/Plugin/FuzzyOcr.pm” \
>> /etc/spamassassin/v310.pre
# sed -i \
“s/^loadplugin\ FuzzyOcr\ FuzzyOcr.pm/#loadplugin\ FuzzyOcr\ FuzzyOcr.pm/” \
/etc/spamassassin/FuzzyOcr.cf
# sed -i \
“s/^#focr_base_score\ 4/focr_base_score\ 2/” \
/etc/spamassassin/FuzzyOcr.cf
# sed -i \
“s/^focr_logfile\ \/etc\/mail\/spamassassin/focr_logfile\ \/var\/log” \
/etc/spamassassin/FuzzyOcr.cf

For SpamAssassin less than 3.1.4:

# sed -i “s/^focr_pre314\ 0.0/focr_pre314\ 1.0/” \
/etc/spamassassin/FuzzyOcr.cf

Create Logfile:

# touch /var/log/FuzzyOcr.log
# chown nobody:nogroup /var/log/FuzzyOcr.log
# chmod 600 /var/log/FuzzyOcr.log

Verify Spamassassin config:

# spamassassin –lint

see also http://www200.pair.com/mecham/spam/image_spam.html