I run a mail server for several thousand users. It uses Postfix + Amavis (with SpamAssassin + Clam).

Most of the time it's a pretty happy setup, but from time to time we receive a flood of virus/phishing emails, for example with a From field saying 'Administrator', a subject something like 'Invoice attached', then a malicious zip/pdf attachment. We'll receive perhaps 5,000 of these (all from different hosts) in the space of a few hours (generally late morning), then it tails off. Presumably it's a virus being sent from infected home PCs.

SpamAssassin does a pretty good job of catching them, but it isn't exactly lightweight, and it puts a real strain on our mail server, so I'm looking for a better solution.

Short-circuiting in SA is one option. It doesn't stop SA scanning the message, but at least limits the number of rules it checks. It would still require manual intervention though (e.g. add a rule to score +100 then short-circuit any email with the subject /^Incoming Fax/). If I wrote an SA plugin to automatically add a short-circuiting rule (e.g. 'if we receive more than 10 emails in 60 seconds with the same subject, score +100 for future emails with that subject') it would be open to abuse and false positives.

I'm wondering if there would be a good way to block/reject/drop these emails at the SMTP level, removing the overhead of scanning them through SA. Automatically blocking the IP (e.g. through iptables or postfix rules) seems pointless, as it's generally from unique addresses. Often the subject will be slightly randomized, e.g. 'Incoming Fax #1234', 'Incoming Fax Received', '#321 new fax waiting'.

PGS

2 Answers


Maybe policyd-weight is an option for you. It does lightweight DNSBL lookups by simply querying DNS servers for the sending IP address and, if you have several hits on blacklists, you can simply reject mail delivery from this IP address so these blocked mails won't get through to your SpamAssassin.

The benefit of policyd-weight over the Postfix built-in DNSBL lookup mechanism is that you can query multiple DNSBLs and add scores for being on a DNSBL or subtract scores for being on a DNSWL to reduce the risk of false positives.

Generally I would recommend using the following DNSBLs and DNSWLs:

  • pbl.spamhaus.org
  • sbl-xbl.spamhaus.org
  • ix.dnsbl.manitu.net
  • list.dnswl.org (this is a whitelist for the most common mail providers)
Max

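As an added illustration of the weighted scoring described in this answer (this is example code, not policyd-weight's own implementation): each DNSBL/DNSWL is queried with the client IP's octets reversed, blacklist hits add to a score, a whitelist hit subtracts, and only a total above a threshold yields a Postfix policy REJECT. The weights, the threshold and the DNS answers below are constructed for the example so it runs offline; the `resolve` callback is where a real DNS lookup would go.

```python
import ipaddress

# Constructed weights for this example (policyd-weight ships its own defaults).
# Positive values are blacklist hits, negative values are whitelist hits.
LIST_WEIGHTS = {
    "pbl.spamhaus.org": 2.0,
    "sbl-xbl.spamhaus.org": 3.0,
    "ix.dnsbl.manitu.net": 2.0,
    "list.dnswl.org": -4.0,   # whitelist: reduces the score
}
REJECT_THRESHOLD = 3.5        # constructed; a single PBL hit alone never rejects


def reversed_octets(ip):
    """'192.0.2.10' -> '10.2.0.192', the query form used by IPv4 DNSBLs."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def score_client(ip, resolve):
    """Return (total score, list of zones that listed the IP).

    `resolve(qname)` must return the A record as a string, or None if the
    name does not exist (NXDOMAIN), which is how DNSBLs signal 'not listed'.
    Non-IPv4 clients are not scored at all (score 0, no hits).
    """
    try:
        rev = reversed_octets(ip)
    except ipaddress.AddressValueError:
        return 0.0, []
    total, hits = 0.0, []
    for zone, weight in LIST_WEIGHTS.items():
        if resolve(f"{rev}.{zone}") is not None:
            total += weight
            hits.append(zone)
    return total, hits


def policy_action(ip, resolve):
    """Postfix policy-delegation style verdict: 'REJECT ...' or 'DUNNO'."""
    score, hits = score_client(ip, resolve)
    if score >= REJECT_THRESHOLD:
        return f"REJECT listed on {', '.join(hits)} (score {score:.1f})"
    return "DUNNO"   # let the later checks (and SpamAssassin) decide


# Constructed stand-in for real DNS answers so the example runs offline.
FAKE_DNS = {
    "10.2.0.192.pbl.spamhaus.org": "127.0.0.10",     # 192.0.2.10: PBL + manitu
    "10.2.0.192.ix.dnsbl.manitu.net": "127.0.0.2",
    "20.2.0.192.pbl.spamhaus.org": "127.0.0.10",     # 192.0.2.20: PBL but whitelisted
    "20.2.0.192.list.dnswl.org": "127.0.10.2",
}


def fake_resolve(qname):
    return FAKE_DNS.get(qname)
```

In a real deployment the verdict would be written back to Postfix as an `action=` line over the policy socket; the whitelisted host (192.0.2.20) shows why subtracting DNSWL scores matters, since on the PBL alone it would otherwise accumulate points.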

For many years postgrey has been a very good solution for me in the fight against spam/malware. It reduces the traffic load in SA/ClamAV by up to 90% with almost no false positives. A good similar solution is policyd/cluebringer with a frontend for easy configuration handling via web browser. With cbpolicyd you can also handle a throttle for outgoing mails in case a client's account has been compromised and is sending spam.
Also consider the setup of fake MXs, it might help against spam sent from dialup zombies.