Making Proxmox mail more aggressive help

Jun 18, 2019
We are new to proxmox mail gateway and having issues finding how to make the scanner more aggressive. Currently 85% of emails going through are Score 0. This is letting thousands of spam messages through. We are running DNSBL Sites, Greylisting, SPF. Still getting flooded with spam that makes it through. When checking the headers the messages are all showing a score of 0. Didn't know if there was an easy way to adjust or fine tune the scoring process.

Ben
 
I did see this but was hoping for a simple settings option for it like most spam filters have. I will go through this link and see if we can follow what they have.

Thank you.
 
There are 7 issues you need to check on spam filtering with a great and easy to use Postfix-SpamAssassin-ClamAV setup like PMG:

1. Check that your mail path is only going through PMG. So make sure backup MX don't exist or are also protected by their own PMG or a similar anti-spam solution. Also make sure that your destination mail server is only available via PMG; some spammers try to access mail servers directly and ignore any MX records, e.g. if the server hosting your domain has an active and available SMTP server on port 25, some spammers may try to send their mails directly.

2. Find a good set of Pre-Greet reject settings, e.g. check sender addresses, you may check sender clients, however my explanations soften the setting from PMG a bit as if activating usually FCrDNS checks are performed, that may result in some trouble with lame administrators so my explanations only check for reverse DNS. You will also find some additional Pre-Greet optimizations in my thread.

3. Find a good set of RBL, be aware, some are not for commercial usage, some have limits, some are paid ones. You should also find your optional set, e.g. Proxmox recommends to use Barracuda Central as blacklist, which I would never do, as Barracuda lists IP addresses once any Barracuda Appliance Administrator claims a mail as spam. You may use postfix warn_if_reject setting to find your optimal set, you may also use mine on your own risk, be aware, that two lists are just xxxx, as they are paid and I won't provide their hostname, you need to purchase at invaluement and will get the list names. For all list based setups ensure, you run your own DNS server and don't use e.g. Google or any public DNS server because of rate limit.

4. You may optimize your SpamAssassin settings by adding additional rules, lists, services like DCC and Pyzor, again ensure not to violate any license (e.g. DCC), commercial usage etc.

5. You should train the Bayes Database of SpamAssassin by learning ham and spam. You could also use autolearn, but to learn 200 spams and hams automatically it takes a really really long time. My commercial test setup is running now for 1+ year and didn't learn 200 spams yet (129 is the current value). Don't learn any spam or ham databases you can download online as that's "their" spam not "your" spam, so you would make the Bayes Database useless. However, AWL will run beside Bayes Database and already work from the scratch and will get better from time to time. You may also play around with the new fuzzy alternative to AWL, but I have no experience with that.

6. Choose a good antivirus solution. Honestly, ClamAV is not working well, also additional signatures like in my thread are not that useful, I stopped it completely and switched to Avast as it has the best possible integration. Maybe I will have a few on Dr.Web in future, as it seems to be the most affordable solution.

7. There are a few more screws you can adjust, e.g. set up a milter-reject as spammers seem to see a rejecting system as not valuable for their efforts, there are simpler victims, so once you reject very much, you will also see a total decrease of spammers trying to get through your filter.

What's missing:

a. SPF may have been a good idea, but it's broken by design. PMG also doesn't allow you to choose which option you want to run (if the sender is running a hard fail policy, PMG will also do a hard fail, while e.g. Plesk allows you to adjust). As there are many lame administrators, but also as SPF is not widely adopted, you may always get in trouble with some legit mails, which will get rejected. So let SpamAssassin score on SPF, but don't use the PMG SPF setting.

b. Same for Greylisting. The golden ages of Greylisting were a long time ago, currently you will only make your users suffer because of delayed mails. There is a really intelligent Greylisting setup, which is used by rspamd and hopefully Proxmox will adopt it as well. So delaying some mails may help, if such mails could be spam, but you're unsure if they are or not. Then delaying such mail would be a great option, as on the second try, these mails will already be blacklisted and then be rejected. Proxmox sadly just adopted a Greylisting passthrough once a mail server has a valid SPF record. As mentioned above, I don't recommend using SPF, also usually the worst senders have SPF as well as DKIM rolled out while legit senders don't.
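Point 3 in the post above suggests Postfix's warn_if_reject for trying out blocklists before enforcing them. The following Python is an added example (not from the thread or from Proxmox) that tallies the resulting reject_warning log lines per list, showing which clients a trial list would catch that no enforced list rejected and whether it would hit known legitimate senders. It assumes the lists are configured as reject_rbl_client restrictions in smtpd with the trial lists placed first; the list names, IP addresses and the known_good set are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in standard Postfix smtpd log format (not taken from the thread).
# Assumed setup, trial lists first so overlap with the enforced list is visible:
#   warn_if_reject reject_rbl_client dnsbl-b.example,
#   warn_if_reject reject_rbl_client dnsbl-c.example,
#   reject_rbl_client dnsbl-a.example
SAMPLE_LOG = """\
Jun 20 10:00:01 pmg postfix/smtpd[1001]: connect from unknown[192.0.2.10]
Jun 20 10:00:02 pmg postfix/smtpd[1001]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl-b.example; from=<a@bulk.example> to=<u@corp.example> proto=ESMTP helo=<x>
Jun 20 10:00:02 pmg postfix/smtpd[1001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using dnsbl-a.example; from=<a@bulk.example> to=<u@corp.example> proto=ESMTP helo=<x>
Jun 20 10:05:10 pmg postfix/smtpd[1002]: NOQUEUE: reject_warning: RCPT from mail.bulk.example[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl-b.example; from=<b@bulk.example> to=<u@corp.example> proto=ESMTP helo=<y>
Jun 20 10:05:10 pmg postfix/smtpd[1002]: NOQUEUE: reject_warning: RCPT from mail.bulk.example[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl-c.example; from=<b@bulk.example> to=<u@corp.example> proto=ESMTP helo=<y>
Jun 20 10:09:30 pmg postfix/smtpd[1003]: NOQUEUE: reject_warning: RCPT from relay.partner.example[203.0.113.25]: 554 5.7.1 Service unavailable; Client host [203.0.113.25] blocked using dnsbl-c.example; from=<c@partner.example> to=<u@corp.example> proto=ESMTP helo=<z>
"""

# Matches both enforced rejects and warn_if_reject warnings caused by a DNSBL hit.
LINE_RE = re.compile(
    r"NOQUEUE: (reject_warning|reject): \w+ from \S*\[([0-9A-Fa-f.:]+)\]: "
    r".*?blocked using ([\w.-]+)"
)


def evaluate_trial_lists(log_text, known_good=frozenset()):
    """Summarise what each trial DNSBL (seen as reject_warning) would have done.

    known_good is a hypothetical set of client IPs known to send legitimate mail.
    Returns {dnsbl: {"hits": n, "unique": [...], "known_good": [...]}} where
    "unique" lists clients that no enforced list rejected anyway.
    """
    warned = defaultdict(set)   # trial list -> client IPs it would have rejected
    enforced = set()            # client IPs an enforced list actually rejected
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # connect/disconnect and other unrelated lines
        action, ip, dnsbl = m.groups()
        if action == "reject":
            enforced.add(ip)
        else:
            warned[dnsbl].add(ip)

    report = {}
    for dnsbl, ips in warned.items():
        report[dnsbl] = {
            "hits": len(ips),
            "unique": sorted(ips - enforced - set(known_good)),
            "known_good": sorted(ips & set(known_good)),
        }
    return report


if __name__ == "__main__":
    for name, stats in evaluate_trial_lists(SAMPLE_LOG, {"203.0.113.25"}).items():
        print(name, stats)
```

A list with many hits but few unique catches adds little over the enforced set, and any entry under known_good is a false positive to weigh before dropping warn_if_reject for that list.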
 
Thank you, I will go through this. I was just not sure if I was overlooking something simple.
 
I'm having similar issues. Looking under Statistics > Spam Scores shows 80% of emails have a score of 0. I've already added some nifty stuff to my proxmox install that should help it be more aggressive: Installed unbound, pyzor, dcc and clamspam definitions from extremeshok. I'm still not seeing near the performance that I saw from my previous spam filter appliance, which was another open source solution (I'm not sure if I'm allowed to say which product).
 
Did you train SpamAssassin too? After I added thousands of signatures from external files the result was very, very surprising. More mails than before were marked as spam, and these are no faulty ones - all is exactly as I wished. But don't forget to train ham too!

You should check every option you find and try to find out what the option does; once you know this, try to find the best way for your setup.
For example I reject non-existing mail addresses with 550 instead of 450. My mail server does not accept any mails sent to it directly if the sender is not on the known and allowed network or is not authenticated, so no spammer is able to get around the gateways. Postfix will add some generic mail addresses like anonymous, try to disable them too. Change all MX records to your gateways.
 
Try to use my list of adjustments. Pyzor, DCC have really small impact, they have, but not too much (just on content side), Pregreet, RBL as well as Bayes have the deepest impact.

Would be interesting in your recent solution, reason for considering PMG and what’s the difference you recognized. Unsure, if it can be posted here, but usually also such input helps, especially if it’s open source, good behaviors may be rebuilt with/on PMG as well.
 
So what I know is ESVA (now EFA), which is based on MailScanner (as many other solutions). Standard setup use Quarantine very much (I dislike, I prefer tagging) and depends on Greylisting as well (which is somehow history). I learned many things about optimizations, blacklists and content filters there, but the best times are gone.

I also heard a lot about Scrollout F1, however, I like PMG much more in usability, GUI etc. Just one point would be fine to be adopted, which is the honeypot with non-existing addresses. It may help to have something like fail2ban as spam2ban. Would not help against most spam, but would help to keep the logs clean. There are so many senders which always retry.

Last I tried rspamd as I heard exciting news about it. However, the fuzzy filter seems not to work for me. Meanwhile it took a while to get PMG running as expected, I never was able to do so with rspamd. However, some great concepts could be adopted like conditional greylisting, spam and ham learning via GUI, sender additional to envelope sender as well as subject been shown in GUI, mobile accessible GUI.
 
Thanks for the replies. I was on vacation all last week.

I have not trained the bayes filter. I accept mail for several different companies, so the types of emails we receive vary fairly drastically. I never used bayes filter with other products and usually had pretty good results without it.

The product I used in the past was MailCleaner Community Edition. The version of MailCleaner I was using went end of life and there was very little activity on their forum for setting up the newer version, so I abandoned it for PMG. PMG appeared to have better support and community activity. Heutger, I used your guide to set up my servers, just leaving out the parts I wouldn't use, so I would think it would be fairly effective... but it's not.

I think a lot of connections are being initially refused due to RBL matches, but then if they make it past RBL checks, SA does very little. I see some KAM rules came with PMG. I think the KAM rules I used with MailCleaner were more extensive. Is anyone else using additional KAM rules or other custom SA rules? Are there any settings in the GUI that are effective but easily overlooked?

Thanks!
 
After RBL and pregreet checks (and milter-reject for the most worse spam) only a few SA adjustments help out: additional rules (KAM comes with PMG) I used, DCC and Pyzor I added, HashBL and some more checks, recently OpenPhish and PhishTank, but the main factor is bayes (and AWL), they both learn over time.

However, if you recently used MailCleaner, I'm unsure, but the version I checked out was another product based on MailScanner. If it's based on MailScanner, it's finally nothing different than PMG inside, it's Postfix, SpamAssassin, ClamAV (just Amavis is additional used with MailScanner which would help to use more AV products, but that's possible with PMG now as well, second thing is the possibility to reject prequeue, which can be rebuilt with milter-reject), so you could check the rules, scores etc. used there and adopt them to PMG. Would be great, if you could report about what you found and adopted to PMG.
 
Yes, they did appear to be basically the same product "under the hood", which is another reason I was drawn to PMG. I have set up PMG essentially how my old MailCleaner deployment was set up, but am not seeing the same efficiency. I'll stop hijacking this thread... I'll go through your how-to thread again and start my own thread containing the specifics of how I set up my PMG server if I'm still having problems. Thank you again!
 
OK, I will also check MailCleaner for any new insights. Would be great, if you could notify e.g. here once you have a thread about your adjustments. If they are based on mine and just minor adjustments feel welcome to improve my thread.
 
Just a small update: I checked MailCleaner to gain new insights, but beside it seems to use Exim instead of Postfix, nothing really new. Honestly, it's that kind of software I know and why I stopped playing around by myself with Antispam solutions, it's really technical based and looks like been written by a pure technical: You can somehow set up everything in boring textboxes and checkboxes, which is somehow the same, what you would set directly in the configuration files, no help, no design, just purpose-built, really boring. Funny fact, the lists for RBL and URIBL are just one of the few things, which can't be adjusted, you need to choose from the set given. If you like such software, maybe https://github.com/vedetta-com/caesonia is a solution for you. Puristic, but seems to have many things in one solution. Not mine.^^
 
That's not exactly true when it comes to MailCleaner. I had modified my install to add a bunch of RBLs and URIBLs. I do like how PMG gives you a box to enter whatever you like instead of having to modify config files... but URIBLs have to be entered elsewhere, right?
 
PMG is the MacOS of the Antispam filters. It’s no Linux, but also no Windows. What do I mean with that? PMG comes with a nice GUI and the most important setting (options) out of the box, which should fit the most. If you need additional things, you need to use the customization system of template files. If you still need more, you need to do completely by yourself via Shell. MailCleaner is the Linux, not nice, but functional, you’re able but also required to adjust, what you like. Sometimes you’re restricted, but usually not. There are still solutions out there like Windows, you can’t adjust much (without going under the hood) and need to live with what you‘ve been given and others think, what’s good for you.

So back to your question: RBL on postfix level you can enter via GUI. RBL or URIBL on content level you need to do via the template system or custom.cf.
 
