Best way to deal with inbound SPAM? In-house Exchange and Barracuda

Cerulean ([H]F Junkie, joined Jul 27, 2006, 9,476 messages)
Greetings,

We have an in-house Microsoft Exchange 2013 server and Barracuda SPAM & Virus Firewall appliance. Normally, I have been reporting SPAM to SpamCop and adding the domain or full e-mail address (depending on circumstances from where e-mail originated) into the domain blacklist. I have recently stopped adding things to the blacklist after checking out the 'Help' link on the same webpage in the Barracuda appliance. There it says that Barracuda strongly advises against using the blacklist with the reason that it will negatively impact the performance of the appliance the larger the list grows.

So as a result of that, I have only been reporting to SpamCop and Barracuda Central; no more blocking. Then, today, one of my co-workers e-mailed me an article "Why SpamCop is Harmful" (https://help.riseup.net/en/email/scams/spam/spamcop). Now my dilemma is this: what am I supposed to do then?! Tell the user to deal with it (in a nice, professional, customer service-friendly, respectful way) and report to Barracuda Central and that's it?

:(
 
Require HELO
Require FQDN
Require ReverseDNS (and ReverseDNS HELO match - false positives possible)
Verify Sender Address
Check and enforce SPF
Check and enforce DKIM

Spam volume decreased 98% when we took these actions.
 
> Require HELO
> Require FQDN
> Require ReverseDNS (and ReverseDNS HELO match - false positives possible)
> Verify Sender Address
> Check and enforce SPF
> Check and enforce DKIM
>
> Spam volume decreased 98% when we took these actions.

When I first set up postfix on pfsense I was doing the above until you realize that there are too many shitty admins out there that don't set up their email servers correctly. As a result your sales people are constantly bugging you that their leads and customers cannot email them. I understand that is a mentality "if they can't set up their email right then they shouldn't be emailing me" but that's not at all viable.

I have almost all of the above checks turned off and use RBLs. Barracuda's is NICE.

EDIT: My RBLs
b.barracudacentral.org, 2.0.0.127.b.barracudacentral.org, zen.spamhaus.org, bl.spamcop.net

EDIT2:

I just re-read your post and you said you're using Barracuda. I tried their test VM out before using postfix on pfsense and it worked WONDERFULLY. From what I saw Barracuda stopped our spam problem entirely. However the associated cost wasn't worth it, which is what led me to postfix on pfsense. It doesn't do as good a job as Barracuda did, but I don't get emails about spam and it stopped our cryptolocker spam we were getting hammered with.
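An added example (not code from the thread or from Postfix) of what a reject_rbl_client-style lookup does with the zones listed in the post above: it reverses the client IP's octets, appends the zone, and treats only a 127.0.0.0/8 answer as a listing. DNS is replaced by a constructed in-memory table so it runs offline; a real check would query DNS, and the listed IP and its zen return code are made up.

```python
import ipaddress

# Zones exactly as listed in the post above.
RBL_ZONES = ["b.barracudacentral.org", "zen.spamhaus.org", "bl.spamcop.net"]

# Constructed stand-in for DNS (assumption: a real check would query DNS).
# 127.0.0.2 is the conventional test address every DNSBL answers for, and
# its reversed query name is the second entry in the RBL list above.
# Zen encodes *why* an IP is listed in the last octet of the answer.
FAKE_DNS = {
    "2.0.0.127.b.barracudacentral.org": "127.0.0.2",
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "77.113.0.203.zen.spamhaus.org": "127.0.0.11",  # constructed listing
}


def rbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_zen(answer: str) -> str:
    """Map a zen.spamhaus.org return code to the sub-list that fired."""
    code = int(answer.rsplit(".", 1)[1])
    if code in (2, 3, 9):
        return "SBL"      # spam sources / CSS / DROP
    if 4 <= code <= 7:
        return "XBL"      # compromised hosts (CBL data)
    if code in (10, 11):
        return "PBL"      # end-user address space that should not send mail
    return "unknown"


def check_client(ip: str, zones=RBL_ZONES, resolve=FAKE_DNS.get) -> dict:
    """Return {zone: answer} for every zone that lists the client IP.

    Only 127.0.0.0/8 answers count as listings: anything else (for
    example a wildcard from a dead zone or a captive DNS) is ignored,
    which keeps a broken list from rejecting all inbound mail.
    """
    hits = {}
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer is not None and answer.startswith("127."):
            hits[zone] = answer
    return hits
```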
 
> When I first set up postfix on pfsense I was doing the above until you realize that there are too many shitty admins out there that don't set up their email servers correctly. As a result your sales people are constantly bugging you that their leads and customers cannot email them. I understand that is a mentality "if they can't set up their email right then they shouldn't be emailing me" but that's not at all viable.
>
> I have almost all of the above checks turned off and use RBLs. Barracuda's is NICE.
>
> EDIT: My RBLs
> b.barracudacentral.org, 2.0.0.127.b.barracudacentral.org, zen.spamhaus.org, bl.spamcop.net
>
> EDIT2:
>
> I just re-read your post and you said you're using Barracuda. I tried their test VM out before using postfix on pfsense and it worked WONDERFULLY. From what I saw Barracuda stopped our spam problem entirely. However the associated cost wasn't worth it, which is what led me to postfix on pfsense. It doesn't do as good a job as Barracuda did, but I don't get emails about spam and it stopped our cryptolocker spam we were getting hammered with.

I'm still waiting on that damn tutorial for this :p
 
> I'm still waiting on that damn tutorial for this :p

:D

I'll make it easy for you. I installed postfix and used the above RBLs and turned off virtually everything else. As I mentioned, the HELO checks were blocking "legit" traffic.

Either way, I'm sorry. I shouldn't have made such a promise to make tutorials and not be able to fulfill it. We're deploying some really cool hosted solutions at work while I'm studying for CCNA. I'm crazy busy right now. Not sure if that's a good, or bad thing.
 
mwarps, perhaps you can tell me how you get around things like this (sensitive info changed):

Jun 23 16:58:33 pfsense postfix/smtpd[10480]: NOQUEUE: reject: RCPT from outbound1.customerdomain.com[X.X.249.82]: 550 5.7.1 <ironport1.customerdomain.com>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ironport1.customerdomain.com>
Jun 23 16:58:38 pfsense postfix/smtpd[10480]: warning: connect to private/anvil: No such file or directory
Jun 23 16:58:39 pfsense postfix/smtpd[10480]: warning: connect to private/anvil: No such file or directory
Jun 23 16:58:39 pfsense postfix/smtpd[10480]: warning: problem talking to server private/anvil: No such file or directory
Jun 23 16:58:39 pfsense postfix/smtpd[10480]: disconnect from outbound1.customerdomain.com[X.X.249.82]

Here we have an IP address that has a mail server and a spam filter running behind it. When postfix does a HELO check back to the IP their spam filter is responding. That spam filter is NOT the same machine that sent the initial email. Thus it fails the HELO check.

I had a couple other instances in which their Barracuda spam filter would respond instead, which also failed the HELO check.

This is very common and just one instance that made me forgo HELO checks.
 
> When I first set up postfix on pfsense I was doing the above until you realize that there are too many shitty admins out there that don't set up their email servers correctly. As a result your sales people are constantly bugging you that their leads and customers cannot email them. I understand that is a mentality "if they can't set up their email right then they shouldn't be emailing me" but that's not at all viable.

It's a fair point if you run a sales org, but that's giving shitty admins positive reinforcement in my eyes.

There's a whole philosophical discussion on deliverability that someone should have had, probably 20+ years ago and someone should have done something about it.. too late now!
 
> mwarps, perhaps you can tell me how you get around things like this (sensitive info changed):
>
> Jun 23 16:58:33 pfsense postfix/smtpd[10480]: NOQUEUE: reject: RCPT from outbound1.customerdomain.com[X.X.249.82]: 550 5.7.1 <ironport1.customerdomain.com>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<ironport1.customerdomain.com>
>
> Here we have an IP address that has a mail server and a spam filter running behind it. When postfix does a HELO check back to the IP their spam filter is responding. That spam filter is NOT the same machine that sent the initial email. Thus it fails the HELO check.
>
> I had a couple other instances in which their Barracuda spam filter would respond instead, which also failed the HELO check.
>
> This is very common and just one instance that made me forgo HELO checks.


EDIT:
Your description was right, sorry..

Would be nice if Postfix were a little more granular on this, since it's saying "host not found" which - there could be a host, but it doesn't match reverse or the IP it's coming from.. there are 3 ways it could fail, it should have 3 different failure messages..

reject_unknown_helo_hostname checks name-> IP, IP-> name, and then matches and blows up if they don't match


As for what I'd do? Nothing. You got it spot on in your first response to me.
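An added example (not code from the thread or from Postfix) that reports the three HELO failure modes separately, as mwarps wishes Postfix would, run over constructed DNS tables modelled on the log above: the hostnames come from the redacted log, the IPs are documentation-range stand-ins, and a real implementation would query DNS. It follows the thread's own list of checks rather than Postfix internals; for reference, Postfix's reject_unknown_helo_hostname only tests that the HELO name has an A/AAAA or MX record, which is exactly the "Host not found" case in the log, and the reverse-DNS match is a separate, false-positive-prone check.

```python
from enum import Enum


class HeloResult(Enum):
    OK = "accepted"
    NO_REVERSE_DNS = "client IP has no PTR record"
    HELO_NOT_FOUND = "HELO name has no A/MX record"
    HELO_MISMATCH = "PTR name does not match HELO name"


# Constructed DNS tables (assumption: real code would query DNS).  They
# model the log above: the gateway that connects (outbound1) has proper
# forward and reverse DNS, but the host named in HELO (ironport1, the
# filter sitting behind it) has no public A record at all.  IPs are from
# the documentation ranges, not the redacted address in the log.
FORWARD = {
    "outbound1.customerdomain.com": "203.0.113.82",
    "mail.example.net": "198.51.100.25",
}
REVERSE = {
    "203.0.113.82": "outbound1.customerdomain.com",
    "198.51.100.25": "mail.example.net",
}


def check_helo(client_ip: str, helo_name: str, require_match: bool = False,
               forward=FORWARD, reverse=REVERSE) -> HeloResult:
    """Run the checks in the order Postfix applies restriction classes
    (client first, then HELO) and report the first one that fails."""
    ptr = reverse.get(client_ip)
    if ptr is None:
        return HeloResult.NO_REVERSE_DNS
    if helo_name.lower() not in forward:
        return HeloResult.HELO_NOT_FOUND
    # The strict match is the check the thread flags as false-positive
    # prone: a legitimate outbound gateway often announces another name.
    if require_match and ptr.lower() != helo_name.lower():
        return HeloResult.HELO_MISMATCH
    return HeloResult.OK


def reject_line(client_ip: str, helo_name: str, **kw) -> str:
    """Produce a Postfix-style 550 reason that names the specific failure."""
    result = check_helo(client_ip, helo_name, **kw)
    if result is HeloResult.OK:
        return "250 OK"
    return f"550 5.7.1 <{helo_name}>: Helo command rejected: {result.value}"
```

With require_match left off, the connection in the log is still rejected (the HELO name does not resolve), while a gateway whose PTR merely differs from its HELO name is accepted, which is the trade-off the thread settles on.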
 
Came up with an awesome way to report SPAM using SpamCop.

Every SpamCop account has a unique e-mail address that SpamCop generates for that user to forward SPAM messages.

This is what I did: I created a Contact in our Exchange "[email protected]" set to forward to my SpamCop e-mail address. From here on out, any telemarketers or sales/solicitation calls I get I will have them e-mail their wonderful whitepaper to [email protected] so that they report themselves to SpamCop. There's no way around this. They want to send us something, but any e-mail we give them (including any random name we make up for a fake IT Manager) would forward to SpamCop. They have no choice but to screw themselves! :D
 