Cut spam with Postgrey

28 October 2008 » Linux, System administration

I’ve regained control over my inbox (and my BlackBerry) thanks to a nice little utility called Postgrey. A hat tip to Thomas on the NYCBUG list for the pointer.

Postgrey is a policy server for Postfix that employs an RFC compliant technique for handling mail called greylisting. This is roughly equivalent to placing an incoming phone call on hold for a fixed amount of time.

If the caller has legitimate business, she’s more likely to wait around to chat with you. If it’s a telemarketer, he’s more likely to hang up and move on to the next prospect.

Employing the utility on a CentOS server using these simple steps (condensed from the CentOS HowTo) dramatically reduced the spam I receive:

[root@192.168.1.1]# yum install postgrey
[root@192.168.1.1]# vi /etc/postfix/main.cf
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service unix:postgrey/socket,permit
[root@192.168.1.1]# /sbin/service postgrey start
[root@192.168.1.1]# /sbin/service postfix reload
[root@192.168.1.1]# /sbin/chkconfig –levels 345 postgrey on

The war against UCE rages on, but for now, this technique offers much needed respite, saving valuable time and wireless network bandwidth charges.

DHS: Preserving our Freedoms, Protecting America, Sharing Files

21 October 2008 » Music, Politics, Potpourri

I saw this interesting entry in my Web server logs today. It looks like the folks at the Department of Homeland Security may have some time on their hands to share their iTunes libraries among coworkers.

While it’s nice to see they have the spare hardware and bandwidth to set up an enjoyable working environment at the bureau, I worry about the threat posed by a malicious audio file introduced to their internal network.

Lets have a look at something United States Secretary of Homeland Security Michael B. Chertoff said last week, on the occasion National Cyber Security Awareness month:

Question: I just want to ask you what DHS has done to protect the information that the private sector is supplying to DHS through online systems. I am asking this because I am interested in the information that high-risk chemical facilities have submitted to you through your online system and how do we know that that information is secure.

Secretary Chertoff: Generally, we do pay a lot of attention to securing our own systems. I am happy to say a grade that government — I hate it when they grade you, I figured I was done with this in elementary school. It is worse in Washington because people that grade you are often — it is like the parent of your competitor. We do get graded on our security systems and I do think a few years ago we were getting a low grade, two years ago we got a D, last year we got a B+, this year our internal security systems are going to be better than last year’s.

I think we are getting our own house in order, but in a larger sense by reducing the number of entry points to the domains and by putting in a more robust set of protections for detections and prevention, that is going to protect our data.

Of course, this all assumes that the rogue Googler was intending to find instructions on how to set up a system at work, as opposed to doing some personal research for his network at home, but it raises questions nonetheless.

Oh well, at least according to my logs they have their own secure build of Internet Explorer 6…