Who has an effective anti-spam strategy

IT_Architect

I need some thoughts on Spam.

Server: I use SpamAssassin on the server. Some users just junk a lot of the spam that way. However, the problem with that is it is FreeBSD user-specific, not mailbox-specific. I'm not interested in knowing Victoria's Secret, and girls don't care about the Binford 8200. Also, some mailbox users use POP3 and others use IMAP, so sending them to a spam directory on the server does no good because POP3 users cannot see that directory. The solution ends up being letting everything through and handling it in Outlook.

Outlook:
- POPFile is psychic for POP3 accounts. I would be happy as a clam if everyone used POP3, but they don't.
- POPFile has an IMAP module, but it is impractical. It only allows one server, and will only filter one account. Even if you have two IMAP accounts, and they are on different servers, or even the same server but a different URL to it, it will not filter any account. They have to both be on the same URL, and you can only filter one of the accounts. It also works very sporadically or not at all if there are also POP3 accounts. POPFile's IMAP module is not real except under very limited circumstances, where it works very well.
- SpamBayes: there is lots of talk about how they worked to refine the Bayesian formulas from POPFile to be better than POPFile's. However, the result of all that work is it is only about 10% as effective as POPFile. It can be trained dozens of times for the same senders and it will get their spam wrong every time. This is not a rare condition, it is common. You can set up huge training directories of spam and ham and it doesn't help in the least, and may be worse than doing it a little at a time.

Are there any good strategies for mailbox level filtering?
 
It's not mailbox level filtering but could help with spam in general - have you tried adding Greylisting with Postgrey?

https://forum.directadmin.com/showthread.php?t=24808


My config below.


In /etc/exim.conf:


Code:
######################################################################
#                               ACLs                                 #
######################################################################

begin acl

# ACL that is used after the RCPT command
check_recipient:

  # Greylisting
  .include_if_exists /etc/exim.postgrey.conf

# to block certain wellknown exploits, Deny for local domains if


and in `/etc/exim.postgrey.conf`:


Code:
  defer
    log_message = greylisted host $sender_host_address
    #!senders = : postmaster@*
    domains = +local_domains
    #!hosts = /etc/virtual/domains
    !authenticated = *
    verify      = recipient/callout=20s,use_sender,defer_ok
    set acl_m0  = request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=${uc:$received_protocol}\nhelo_name=$sender_helo_name\nclient_address=$sender_host_address\nclient_name=$sender_host_name\nsender=$sender_address\nrecipient=$local_part@$domain\n\n
    set acl_m0  = ${sg{${readsocket{/var/run/postgrey/postgrey.sock}{$acl_m0}{5s}{}{action=DUNNO}}}{action=}{}}
    message     = ${sg{$acl_m0}{^\\w+\\s*}{}}
    condition   = ${if eq{${uc:${substr{0}{5}{$acl_m0}}}}{DEFER}{true}{false}}
  # add "greylisted by ..seconds" header to mail which has successfully
  # passed the greylisting.
  warn
    #!senders = : postmaster@*
    domains = +local_domains
    #!hosts = /etc/virtual/domains
    !authenticated = *
    message = ${sg{$acl_m0}{^\\w+\\s*}{}}
    condition = ${if eq{${uc:${substr_0_7:$acl_m0}}}{PREPEND}{true}{false}}

#
# @see http://www.directadmin.com/forum/showthread.php?t=24891&page=1
# @see http://www.dworaczek.info/index.php?option=com_content&view=article&id=50%3Aexim-konfiguracja-po-instalacji&catid=35%3Aexim&Itemid=64&lang=pl


and my POSTGREY_OPTIONS in `/etc/init.d/postgrey`:


Code:
POSTGREY_OPTIONS="--syslog-facility=mail \
    --unix=/var/run/postgrey/postgrey.sock \
    --pidfile=$POSTGREY_PIDFILE \
    --user=mail \
    --group=mail \
    --dbdir=/var/spool/postgrey \
    --delay=600 \
    --max-age=365 \
    --privacy \
    --exim \
    --whitelist-clients=/etc/postgrey/whitelist_clients \
    --whitelist-recipients=/etc/postgrey/whitelist_recipients \
    --auto-whitelist-clients=8 \
    --x-greylist-header=\"X-Greylist: delayed %s seconds at %h; %d\" \
    --daemonize"
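
An added example (not part of the original post, and not Postgrey's or Exim's own code): a simplified Python model of the greylisting decision using the `--delay`, `--max-age` and `--auto-whitelist-clients` values from the options above, together with the string handling the `defer`/`warn` ACL applies to the policy response. The class and function names, the in-memory state and the response wording are assumptions made for illustration.

```python
import re

DELAY = 600              # --delay=600 (seconds), from the post
MAX_AGE = 365 * 86400    # --max-age=365 (days), from the post
AUTO_WL = 8              # --auto-whitelist-clients=8, from the post

class Greylist:
    """Simplified triplet greylisting model (hypothetical, not Postgrey's code)."""
    def __init__(self):
        self.triplets = {}    # (client, sender, rcpt) -> [first_seen, last_seen, passed]
        self.client_ok = {}   # client -> number of triplets that passed the delay

    def policy(self, client, sender, rcpt, now):
        if self.client_ok.get(client, 0) >= AUTO_WL:
            return "action=DUNNO"                    # client auto-whitelisted
        key = (client, sender.lower(), rcpt.lower())
        t = self.triplets.get(key)
        if t is None or now - t[1] > MAX_AGE:
            t = self.triplets[key] = [now, now, False]   # new or expired triplet
        t[1] = now
        if t[2]:
            return "action=DUNNO"                    # triplet already passed once
        waited = now - t[0]
        if waited < DELAY:
            return f"action=DEFER_IF_PERMIT Greylisted, retry in {DELAY - waited}s"
        t[2] = True
        self.client_ok[client] = self.client_ok.get(client, 0) + 1
        return f"action=PREPEND X-Greylist: delayed {waited} seconds"

def exim_acl(response):
    """Mirror how the ACL above interprets the policy response."""
    m0 = response.replace("action=", "")     # ${sg{...}{action=}{}}
    text = re.sub(r"^\w+\s*", "", m0)        # ${sg{$acl_m0}{^\\w+\\s*}{}}
    if m0[:5].upper() == "DEFER":            # condition of the defer block
        return ("defer", text)               # sender gets a temporary rejection
    if m0[:7].upper() == "PREPEND":          # condition of the warn block
        return ("accept+header", text)       # mail passes, header is added
    return ("accept", "")                    # DUNNO, including the readsocket fallback

def replay(events):
    """Run constructed (client, sender, rcpt, time) attempts through both halves."""
    gl = Greylist()
    return [exim_acl(gl.policy(*e))[0] for e in events]
```

Because the `readsocket` call falls back to `action=DUNNO` when the socket cannot be read, the last branch also shows that this ACL accepts mail without greylisting whenever Postgrey is not running.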
 
> It's not mailbox level filtering but could help with spam in general - have you tried adding Greylisting with Postgrey?

No I haven't, but I will wrap my head around what you have here. I LOVE POPFile. It's psychic, but it only works well on POP mail. I played with some others. While helping someone else who was trying to get something to work with SpamAssassin's Bayes, I wrote something up to automate that and posted it here: HOW-TO enable users to easily train SpamAssassin's Bayesian data

Thanks tons for posting!
 
I'm thinking about trying it.
What percentage would you say it cuts down on your spam load? Did anyone notice the delays?

Thanks!
 