Postfix Postscreen to Increase Your SPF (Spam Protection Factor)

By Kyle Dent
July 7, 2009

Sadly, the work of a postmaster nowadays is largely about blocking spam and handling spam-related issues. What's surprising is how much spam you can block simply by rejecting mail from badly behaving clients. I always figured it was because spammers have a high enough success rate with their crappy software that they have no motivation to improve it. That might actually be true, but I learned from a visit a while back to Symantec Brightmail in San Francisco that many spammers are much more sophisticated than I was giving them credit for. In fact, if spammer behavior seems odd, don't automatically assume the malefactor is clueless. It turns out that at least one anomaly seems to be an attempt to improve throughput by starting the SMTP conversation too early in the connection.

Whatever the reason, detecting misbehavior continues to be a very effective, low-cost way to block spam with a low rate of false-positive errors. Postfix is about to add a new tool to the anti-spam arsenal, called "postscreen" for now, although the name is likely to change before it goes into a production release. Among other things, postscreen detects when a client starts talking before it's supposed to. It's a daemon that accepts connections ahead of the current SMTP daemon and provides various types of filtering based on the client connection. It's not a proxy, so it should be efficient and less complicated than a proxy architecture. It simply hands off good connections to the real SMTP daemon and drops the bad ones. It will be especially useful for busy sites that are overwhelmed by botnets trying to send spam. The zombies can be dropped early, leaving more slots available for legitimate mail.
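The early-talker check described above, as an added sketch in Python (not Postfix code and not how postscreen is implemented): the listener holds back its greeting for a short wait and drops any client that sends data first. The function names, banner hostname, reply text and wait time are all assumptions made for this example.

```python
import select
import socket

# Constructed values for this example: hostname, reply text and wait time.
BANNER = b"220 mail.example.test ESMTP\r\n"
REJECT = b"521 5.5.1 Protocol error\r\n"


def screen_client(conn, greet_wait=0.5):
    """Hold back the greeting for greet_wait seconds and watch the socket.

    SMTP is server-speaks-first, so a legitimate client stays silent until
    it has read the 220 banner. Returns (verdict, early_bytes).
    """
    readable, _, _ = select.select([conn], [], [], greet_wait)
    if readable:
        early = conn.recv(512)
        if early:                      # client talked before being greeted
            conn.sendall(REJECT)
            return "drop", early
        return "drop", b""             # client hung up during the wait
    conn.sendall(BANNER)               # quiet client: greet it and pass it on
    return "pass", b""


def run_demo(greet_wait=0.2):
    """Exercise both client behaviours over local socket pairs (no network)."""
    results = {}

    # Well-behaved client: sends nothing until it has seen the banner.
    server, client = socket.socketpair()
    results["polite"] = screen_client(server, greet_wait)
    results["polite_saw"] = client.recv(512)
    for s in (server, client):
        s.close()

    # Early talker: pushes its command out before the banner arrives.
    server, client = socket.socketpair()
    client.sendall(b"HELO spam.example.test\r\n")
    results["eager"] = screen_client(server, greet_wait)
    results["eager_saw"] = client.recv(512)
    for s in (server, client):
        s.close()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

In a real deployment the "pass" branch would hand the connection to the SMTP daemon rather than greet the client itself, and the wait has to stay short enough that legitimate senders do not time out.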

Postscreen is available now, but Wietse is calling it unsupported, non-production code. You may want to wait until it gets into a snapshot release, or if you're feeling particularly overwhelmed, give it a try. It's worth keeping an eye on its progress. There is a short overview with slides showing some early results at http://www.porcupine.org/postfix-mirror/wip.html.

