[pacnog] Re: Black Hole List.. SPAM



Hermann Malpus wrote:
Hi Hervey,

I need to implement the Auto Update access to the sites that list those SPAM emails..
What do I need to do to have my server scan and do an auto-update so I can reduce the amount of SPAM I get daily..

Would really appreciate your advice on the subject...


Hello Hermann,
Hello Everyone:
I thought this was a very timely question so I asked Hermann if I could respond to this to the entire list. If you install SpamAssassin to run with your MTA (in our case Exim), then by default SpamAssassin will query a set of Realtime Blackhole Lists, i.e. DNS Blocklists to determine if an incoming message is spam. You should read this section of the SpamAssassin documentation to see how you can further configure this option:

http://wiki.apache.org/spamassassin/DnsBlocklists

You don't need to update anything in this case as SpamAssassin is querying services that automatically update themselves. What you should, however, do is run a local, caching nameserver so that the results from these DNS requests are cached on your local network. The SpamAssassin documentation concerning this is here:

http://wiki.apache.org/spamassassin/CachingNameserver

If you wish to use some of the checksum-based systems that are available:

* pyzor       http://pyzor.sourceforge.net/
* dcc:        http://www.rhyolite.com/anti-spam/dcc/
* razor:      http://razor.sourceforge.net/

then you need to download and install each one. The default SpamAssassin build and configuration file checks to see if these are available when you start the spamd (SpamAssassin Server) service. If any/all are found, then SpamAssassin will use them. Remember during the workshop we turned these off during install as they increase overhead on your system. All three of these systems are automatically updated and you do not need to do anything other than install the software that lets SpamAssassin use the services. You can see a summary of this here:

http://wiki.apache.org/spamassassin/NetworkTests

Generally speaking you'll want to install, maybe, one of these at a time to see what effect they have on your mailserver's performance.

If you search this page:

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html

for "pyzor", "razor", and "dcc" you'll see where and how to set SpamAssassin support for each item in your SpamAssassin configuration file. Under FreeBSD this file resides here:

/usr/local/etc/mail/spamassassin

and is called "local.cf"

The configuration file we created in class turned off everything except the included default SpamAssassin filter rules. Our file looked like this:

use_dcc 0
use_pyzor 0
use_razor2 0
skip_rbl_checks 1
use_bayes 0

The default SpamAssassin filtering rules are here:

http://wiki.apache.org/spamassassin/SpamAssassinRules

In order to update these you need to update your version of SpamAssassin. The reality is that the SpamAssassin filtering rules do not change all that often as creating a good filter set is complex. See this entry in the SpamAssassin Wiki for a quick discussion of this:

http://wiki.apache.org/spamassassin/VirusScannerTypeUpdates?highlight=%28update%29

Finally, an MTA like Exim also has support for checking email against DNS Blocklists (RBLs). To see how you do this read the enabling DNS Blocklists page from the Exim site here:

http://www.exim.org/howto/rbl.html

and, from the Exim manual here's how you would use the results from using DNS blocklists with your Exim Access Control Lists to take action:

http://www.exim.org/exim-html-4.20/doc/html/spec_37.html

But, generally speaking, if you are going to run SpamAssassin, then this is not necessary.

Take a look at our workshop presentation about Handling Unwanted Email here:

http://ws.edu.isoc.org/workshops/2005/PACNOG-I/day1/mail/SpamTalk.pdf

as you go about implementing any of these solutions. A more in-depth discussion about using Exim's DNS Blocklist support and content-filtering can be found here:

http://ws.edu.isoc.org/workshops/2005/PACNOG-I/day1/mail/junkmail-conf.htm

Finally, if you find that your mail server performance begins to lag as you implement some of these solutions take a look at the SpamAssassin pages for suggestions on increasing performance:

http://wiki.apache.org/spamassassin/FasterPerformance

In addition consider your use of Bayesian logic for detecting spam on your system. This is CPU-intensive. See these pages for some discussion:

http://wiki.apache.org/spamassassin/BayesInSpamAssassin?highlight=%28bayes%29
http://wiki.apache.org/spamassassin/BayesFaq

With all of these checks for spam available you may find that not all of them are necessary to reach the level of accuracy you need for your user base. You'll probably need to do some testing, or pay attention to how things are working to configure and tune your mailserver appropriately.

It's a lot of information, but I hope it helps. The critical point here is that if you run SpamAssassin in its default configuration it will use Bayesian logic tests, DNS Blocklists and checksum systems (razor, pyzor, dcc) if installed. The DNS Blocklists and checksum systems are updated at their end automatically - you just communicate with them via the SpamAssassin service.

Cheers everyone,
	- Hervey


PS - We have quite a few people with expertise in this area on the list. If anyone has additional suggestions, disagrees with what I've said, or has other tips please speak up.


--
-------------------------------------------------
Hervey Allen      Network Startup Resource Center
hervey@nsrc.org GPG Key Fingerprint:
AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F
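
Added example, not part of the original message or of SpamAssassin/Exim: a sketch of what a DNS Blocklist check looks like on the wire and why the local caching nameserver recommended above cuts the number of queries that leave your network. The zone "dnsbl.example", the sample record and the class and function names are constructed for illustration; the resolver is a stand-in so the code runs offline.

```python
import ipaddress
import time

def dnsbl_query_name(ip, zone):
    """Build the DNS name that is looked up to test `ip` against `zone`."""
    addr = ipaddress.ip_address(ip)          # raises ValueError on junk input
    if addr.version == 4:
        labels = reversed(str(addr).split("."))            # 192.0.2.99 -> 99.2.0.192
    else:
        labels = reversed(addr.exploded.replace(":", ""))  # IPv6: reversed nibbles
    return ".".join(labels) + "." + zone.strip(".")

class CachingDnsblClient:
    """Stand-in for a local caching nameserver in front of a blocklist."""

    def __init__(self, resolver, ttl=300, clock=time.monotonic):
        self.resolver = resolver   # callable: name -> "127.0.0.x", or None for NXDOMAIN
        self.ttl = ttl
        self.clock = clock
        self.cache = {}            # name -> (expires_at, answer)
        self.upstream_queries = 0

    def is_listed(self, ip, zone):
        name = dnsbl_query_name(ip, zone)
        hit = self.cache.get(name)
        if hit is None or hit[0] <= self.clock():
            self.upstream_queries += 1
            answer = self.resolver(name)
            # Negative answers are cached too: most senders are not listed.
            self.cache[name] = (self.clock() + self.ttl, answer)
        else:
            answer = hit[1]
        # A listing is an A record in 127.0.0.0/8; no record means not listed.
        return answer is not None and answer.startswith("127.")

# Constructed sample data: one listed address from the TEST-NET-1 range.
SAMPLE_ZONE = "dnsbl.example"
SAMPLE_RECORDS = {"99.2.0.192.dnsbl.example": "127.0.0.2"}

def sample_resolver(name):
    return SAMPLE_RECORDS.get(name)

if __name__ == "__main__":
    client = CachingDnsblClient(sample_resolver)
    for ip in ["192.0.2.99", "192.0.2.99", "192.0.2.10", "192.0.2.10"]:
        print(ip, "listed" if client.is_listed(ip, SAMPLE_ZONE) else "not listed")
    print("upstream queries:", client.upstream_queries)
```

The blocklist operator changes the records in the zone; nothing on the mail server needs updating, which is why only the lookup and the cache appear here.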