BallyBasic79 wrote: ↑07 Oct 2019, 19:41
Through the combination of strategic countries, ASN, and netblocks, I've reduced spam, email account attempts, and log size by 96%.
I have similar results using CC_DENY plus blocklists
SPAMDROP
SPAMEDROP
BDE
BDEALL
FULLBOGON
(all run by IPset)
Only a few ports are open on my server, the SSH port not being one of them. (The actual port used for SSH is obscure, because the number of users of it on my system is countable on one hand.) As a result, the vast majority of entries logged by iptables is from "TCP_IN BLOCKED" or "CC_DENY".
However, the open ports are of course targeted, with the email server being the main target.
My email filtering is based on the following concept:
The objective of filtering is to
a) keep out the bad stuff and
b) let the good stuff through.
You can only do one of those things perfectly. A perfect air filter is a sealed can, but anyone in a sealed can will die.
There are many businesses much bigger than mine that run an email server that uses a commercial filtering outfit that throws tons of legitimate queries into a spam hole because they apparently follow the rule that says better to block ten sale prospects than let one spammer through. (For instance, some have a rule that says throw away any email that comes from a host that isn't Google or Microsoft or AT&T or some other big email outfit, on the theory that a small business that runs its own server is up to no good.)
Because I can't afford to block prospects, my approach needs to be more nuanced. I have tweaked it over several years and I have it to just about as good as it gets. My server rarely lets any bad stuff past, but it rejects nothing that is innocent.
Since I have far fewer than 100K SMTP connections a day, the spamhaus zen server is free.
One simple test against that RBL in the check_mail acl of exim.conf stops the vast majority of ordinary spam:
deny log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
     dnslists = +defer_unknown : zen.spamhaus.org
Almost all spammer hosts, whether zombie farms, or whatever, get into a zen rbl before they get around to hitting my site, so running the host against zen catches the vast majority before they ever get far enough to send any mail. I can't imagine any small server not using such an amazingly effective free service.
Once an email gets past the dozen or so additional exim configuration tests against various other attacks, SpamAssassin is run against any sent by hosts not on a host whitelist. (I whitelist about 50 hosts.) Only emails with a VERY high SA score are redirected to webmaster (me under a different account). Those that look like spam but with a lower score get marked as possible spam but are delivered normally. About 99% of emails that SA scans have a zero score. It is a rare week that more than a couple of spam messages are delivered to my inbox and those are typically marked as probables.
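As an added illustration (not code from the post above, nor from Exim or Spamhaus), here is a small Python model of what that dnslists condition does for one connecting host: build the reversed-octet query name, interpret the ZEN return codes, and, mirroring +defer_unknown, defer rather than reject when the lookup fails temporarily. The resolver is injected so the constructed 192.0.2.x sample data runs offline; acl_verdict, live_resolver and fake_resolver are names made up for this example.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple

# Spamhaus ZEN return codes as documented by Spamhaus (127.0.0.4-7 are all XBL).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "SBL DROP",
             "127.0.0.10": "PBL (ISP)", "127.0.0.11": "PBL (Spamhaus)"}
ZEN_CODES.update({f"127.0.0.{n}": "XBL" for n in range(4, 8)})

def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Reverse the octets and append the zone: 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone

def acl_verdict(ip: str, resolver: Callable[[str], List[str]],
                zone: str = "zen.spamhaus.org") -> Tuple[str, str]:
    """Model of 'deny dnslists = +defer_unknown : zen.spamhaus.org'.
    resolver(name) returns the A records, [] when not listed, or raises OSError on a
    temporary DNS failure. Returns (verdict, log_message), verdict in accept/deny/defer."""
    name = dnsbl_name(ip, zone)
    try:
        answers = resolver(name)
    except OSError:            # +defer_unknown: temporary failure -> 4xx, sender retries
        return "defer", f"{ip}: temporary failure looking up {name}"
    if not answers:
        return "accept", f"{ip}: not listed at {zone}"
    # 127.255.255.x answers are Spamhaus error codes (blocked resolver, query limit),
    # not listings; added caveat: defer on them so a lookup problem never rejects mail.
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        return "defer", f"{ip}: {zone} returned error code {errors[0]}"
    labels = ", ".join(f"{a}: {ZEN_CODES.get(a, 'unknown')}" for a in answers)
    # same shape as the post's log_message: "<host> is listed at <domain> (<value>: <text>)"
    return "deny", f"{ip} is listed at {zone} ({labels})"

def live_resolver(name: str) -> List[str]:
    """Real lookup through the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == getattr(socket, "EAI_NONAME", -2):
            return []
        raise                  # EAI_AGAIN and friends are OSError -> defer

# Constructed offline test data using documentation-range addresses (never really listed).
FAKE_DNS = {dnsbl_name("192.0.2.1"): ["127.0.0.4"],         # listed in XBL
            dnsbl_name("192.0.2.2"): [],                    # clean
            dnsbl_name("192.0.2.4"): ["127.255.255.254"]}   # Spamhaus error code

def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_DNS:
        raise OSError("simulated DNS timeout")   # e.g. 192.0.2.3
    return FAKE_DNS[name]
```

Swap fake_resolver for live_resolver to run the same check against the real zone from a non-public resolver.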