Re: [exim] Spam Filtering / dnslists

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Niels Dettenbach
Date:  
À: exim-users, Odhiambo Washington
Sujet: Re: [exim] Spam Filtering / dnslists
Am Donnerstag, 8. Februar 2018, 08:16:54 CET schrieb Odhiambo Washington via
Exim-users:
> So, I have to ask what people are using these days when it comes to
> dnslists?
> And what other tools/tricks are in use that would help fight spam?


hmm,
in my experience, dnslists are just one step of effective anti spam filtering
today. We developed a complex multi-stage anti-spam system for our email
services which had to be tuned and managed actively, but with the smallest
amount of time/work possible.

I think by principle the (by far) most efficient anti-spam fighting still is
possible on MXes and not on SMTP/Mail "hops" "behind". A good DNS setup for
outgoing email to reduce/avoid bounces from "hijacked" sender addresses is
important too.

If you look for a in-exim "easy to handle" list, i could recommend
(currently):

sbl-xbl.spamhaus.org
nomail.rhsbl.sorbs.net/$sender_address_domain
cbl.abuseat.org
web.dnsbl.sorbs.net
socks.dnsbl.sorbs.net
http.dnsbl.sorbs.net
zen.spamhaus.org
b.barracudacentral.org
psbl.surriel.com

but be warned, the most effective lists contain a few (known) "false
positives" (i.e. spamhaus) of large email services (i.e. yahoo, local free
mail services), because they do not handle their large email traffic within the
DNSBLs policies (i.e. contain lot of spam). You have to watch and whitelist
them by hand in the beginning. Place i.e. a proper error message with a url
pointing to further details and a contact to you / postmaster.

But DNSBLs are just one thing - todays spammers try to get access and use
proper relays with hijacked sender addresses (to go through DMARC / SPF /
DKIM) which is important to reach i.e. gmail recipients.

DNSBL will block real email.

Our Anti-Spam solution (handling a few hunderthousands of mails by day) has
three "main stages":

    - EXIM SA (with Greylisting)
    - EXIM ACL and a few DNSBL, DMARC (SPF/DKIM)
    - Spamassassin (with compiled rluez - DCC, Pyzor2, Razor and Bayesian)
        - EXIM - AMAVIS Antivirus (with two scanners)


We use a long list of DNSBLs with a "spam propability" value on each added
(or subtracted) to/from a spam propability counter which goes into
Spamassassin. SA internally works similiar and in SA we handle DCC (and razor
+ pyzor2). You may ask at SA lists / view SA docs for more indepth details as
this would be off list here.

This means each (new) email sender generates a lot of connections (primarily
DNS). It may makes sense to have your own DNS resolvers (against root) and
possibly DCC instance.

The Bayesian Subsystem of SA as the antivirus subsystem takes significant CPU
/ system load. Be aware of local laws if you "read" the users emails (our
customers allows us to use their email content for spam analysis - check
possible local law).

Over many years now the solution works very well for our users/customers,
which (as business users) have a very low acceptance for false positives as
for (real) spam. Depending from time we get around 97%-99.5% of "real" spam
out, while the measuring there is not very sharp, because it "hits" against
the definition of "spam". If we go higher,, inacceptable false positives will
arise.

At the beginning we had to fill in a few hard whitelist entries in different
subsystems for a few very large (mostly local and freemail) email providers
which "go their own way"). If a bounce rises today to a real sender the
reason is on his side (defect email or temporary defect on the mail system on
senders side). It is important to deliver proper / helpful error messages
(without giving to much info to spammers out).

We do not have any "Spam folder" in users mailboxes as this doenst saves time
for the users.

We recommend our users to disable such in email clients as the amount of
false positives could be higher then "real" spam landing there. There will be
email which is recognized by users as "spam" which is regular list /
newsletter email the user has accepted in the past - let users marking them
as "spam" this often leads to further problems with false positives later.



hth a bit,

best regards,

Niels.
--
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---